By Amanda Venafro, Contributing Writer

While hospital data breaches and ransomware attacks against software systems dominate headlines, another related crisis is looming: the need to simultaneously protect the digital environment and the physical environment where care is delivered. 

More than three-quarters of the 200 security and IT professionals who responded to HID’s October 2024 survey, “Securing the Future of Healthcare,” believe that it is important for their facilities to achieve digital and physical security integration. With 40 percent of these respondents coming from large network hospitals and 13 percent from urban or suburban university hospitals, the results reflect a growing recognition that comprehensive security strategies must address the digital and physical domains.

Firewalls and antivirus software simply are not enough. Also critical are physical security tools that include surveillance cameras, biometric access controls, patient visitor management and real-time location systems (RTLS) that are parts of a unified security framework. Together, they can greatly enhance the ability to safeguard individuals and sensitive data and areas within the hospital.

As with many advanced cybersecurity initiatives, the most significant barrier is cost, cited by 74 percent of survey respondents. But this does not reflect the potentially far greater cost of doing nothing about the threat. Other barriers include lack of executive support — 31 percent — and the perception that physical security ranks low among organizational priorities — 24 percent. As with a cyberattack, a physical security breach can devastate a hospital, resulting in financial and reputational damage that is hard to recover from, not to mention the potential impact on staff and patient safety. Hospitals need a multi-layered security strategy to protect their digital assets and the physical spaces where those assets are used.

Physical and digital protection

Multi-layered security combines visual identification, physical access control and digital credentials to create a more comprehensive and resilient security framework that safeguards physical and digital environments.

Physical security will always be a concern. Hospitals by their nature are open and welcoming environments, with entry points that can be difficult to manage and physical threats that continue to grow and evolve. Imagine unauthorized personnel in emergency department treatment rooms, laboratories and imaging suites, staff areas and administrative offices.

Taking the proper steps to control patient and visitor movement is critical to prevent violence and unauthorized access to restricted areas, according to the International Association for Healthcare Security and Safety. But nearly 40 percent of facilities still manage visitor and vendor access using paper forms and badges, according to the HID survey, and only 30 percent of respondents report implementing access control systems, while 24 percent use electronic patient management applications.

With these kinds of low technology-adoption rates, it is no surprise that nearly one-third of survey respondents were neutral to extremely dissatisfied with their hospital’s current security measures, and another 45 percent reported they were only somewhat satisfied. A clear need exists for comprehensive security policies and integrated physical security systems that include surveillance cameras, biometric access controls and automated alert systems to mitigate threats before they escalate.

Signs of progress

There are some bright spots, however. Traditional access control methods, including physical identification badges and lanyards, still play key roles in hospital security strategies. Providing visual identification for visitors and preventing bad actors from accessing sensitive areas or data helps ensure that healthcare environments remain safe and secure, enhancing the visitor experience while facilitating compliance and reporting needs.

But these approaches are also increasingly being supplemented or even replaced by digital credentials, such as mobile and biometric authentication. Thirty-two percent of healthcare facilities already use biometric authentication, according to the survey, and 11 percent have adopted facial-recognition technologies. This reflects a broader shift toward more secure, scalable and mobile-first identity management solutions, especially in large urban hospitals where operational efficiency is critical.

Also exciting is the integration of facial recognition and artificial intelligence-driven surveillance, which are increasingly being adopted by healthcare facilities to track and manage individuals entering and moving within healthcare facilities. These systems can flag unauthorized individuals, monitor unusual behavior and assist security personnel in responding to potential breaches in real time. There also is growing adoption of automated vs. manual security, with 56 percent of respondents saying their facilities use automated alert systems that can provide real-time notifications of potential threats, triggering a response before an emerging situation can escalate into a full-scale incident.

The duress badge is a valuable addition to this type of automated alert system because it allows workers to discreetly signal distress by pressing a button on their badge. Unlike panic buttons, which are still in use at 58 percent of facilities, distress badges are inconspicuous and can bring a more proactive response from security. When badges are integrated with RTLS, security personnel can pinpoint precisely where assistance is required. Fifty-three percent of survey respondents foresee a move toward automated security responses like these, with 33 percent planning to adopt these solutions in their facilities.

Automated systems that become integrated with cyber and physical security measures can contribute to a more resilient and responsive healthcare security environment. But the challenge of securing physical and digital environments in this way is complicated by the diversity and number of individuals interacting with healthcare systems daily.

Whether these touchpoints involve staff, patients, visitors or contractors, they represent a potential vulnerability that can be exploited if not adequately secured. The need to manage these interactions securely while ensuring the seamless flow of operations places immense pressure on healthcare institutions to transition to comprehensive security strategies that encompass physical and digital control measures.

Making the transition

Healthcare facilities are moving from physical to digital identity management solutions while taking a more integrated approach that blends physical and cyber security measures. Throughout this transition, healthcare facilities managers must carefully balance digital solutions with traditional visual identification methods, such as badges, which remain crucial in many areas. Implemented well, this transition can enhance patient care and experience and improve staff safety so they can perform their best work, efficiently manage visitors and streamline workflows with future-proof solutions. 

The convergence of cyber and physical security also can enable healthcare facilities managers to respond more effectively to a range of threats. For example, integrating cybersecurity systems with physical access control, visitor management solutions and RTLS can prevent unauthorized access to sensitive areas by detecting and responding to potential threats in real time. RTLS further enhances security by allowing managers to track the precise location of assets, staff and visitors in real time, helping to manage security risks more effectively.

A future in which cyber and physical security challenges are tackled at the same time is foreseen by 67 percent of HID’s survey respondents. The goal is to create a comprehensive security framework that can adapt to the complexities of modern healthcare facilities.

As these facilities continue to embrace digital identity solutions, it is essential for managers to integrate these with existing physical security measures to ensure a layered security approach that mitigates potential vulnerabilities in the physical and digital environments. Adopting this layered approach and taking advantage of emerging technologies will help prepare institutions for a safer future that protects people, buildings and data. It will also increase the trust and safety of patients, staff and visitors while building a resilient foundation for further improvements.

Amanda Venafro, PSP, is business development manager, healthcare, with HID.