By Daniel Loo

When people think about access control systems, healthcare facilities do not immediately come to mind. But as with other industries, such as the financial sector and government entities, which typically incorporate access control into their facility design, facilities within healthcare are just as vulnerable to security breaches and have their own specific areas of risks and threats that need to be addressed. These risks and threats can run the gamut from workplace violence, pediatric and geriatric security concerns and emergency room issues to pharmacy control and parking lot security.

One caveat to this is that modern healthcare facilities also need to portray a visual sense of compassion for patients who enter and balance that with strict safety, security and privacy policies and procedures. In all, the healthcare industry needs to ensure that industry-best practices are followed by creating a security management system (SMS) that incorporates access controls in order to secure all people, physical assets and data within any given physical location.

This article will speak on those three assets individually and how to properly protect them with an all-encompassing security footprint in terms of proper access control.

People

When it comes to the protection and safety of all people within a healthcare facility, there are various risks that could evolve into actual threats if not properly addressed. One could speak on how or when to choose an access control system and what usually works best in terms of card readers, locks to be used, ingress and egress options, etc.

But not any one site is ever truly the same, and you cannot always use a cookie-cutter approach to the proper application of access control restrictions. Yes, standards must be met, but these must also be adaptable enough to operate in any environment and adhere to possible state statutes and local ordinances. So rather than discussing specific systems, this article will focus on proven access control strategies that can be properly utilized with any piece of equipment or used in any situation.

When speaking on limiting access to a particular site, control measures should be congruent with deterring, detecting, and delaying a possible intruder. This can be addressed by having security personnel, cameras, and access gates on the perimeters of the property. Collapsing in more to the central site location, these security assets could be more specifically allocated based on the needs of specific areas or departments of the building. This approach is known as defense-in-depth and is a pivotal component of access control.  

Another example that comes to mind in its relation to access control is a social engineering term referred to as tailgating or piggy-backing. This is one of the most common and sometimes innocent of breaches, but it is a huge risk for the industry. Tailgating refers to someone who has valid access credentials believing that they are innocently helping another individual by holding a door open or providing some other means of easing access. The problem with this scenario is that the person with authorized access has no knowledge as to the mindset of the individual they are assisting. This person could have nefarious goals in mind, such as physically reaching a patient or an employee in order to inflict harm.

Luckily, this is one issue that can be addressed most of the time with proper training of staff and personnel. By teaching those who work within these facilities to take a sense of ownership of the building they work in, these issues can be drastically mitigated.

In addition, an organization-wide approach needs to be communicated to foster a safer and more secure environment within healthcare. The Broken Windows Theory first coined in criminology can also be utilized within the healthcare sector. Visible signs of dismay and disorder can portray an adverse access control policy and procedure which is lacking across the spectrum.

Physical assets

Dealing with the protection of physical assets, the healthcare industry is not immune to the possibility of theft or possible sabotage of equipment. While the latter might be rare in terms of the overall threats and risks a facility faces, the former is more common than many believe. Not only can the loss of valuable equipment cost a facility or an organization an enormous amount of money, but those costs could also be passed on to future patients.

Hence, access control measures need to be used to counteract the possibility and probability of theft or damage. To help in mitigating loss to any asset, there needs to be proper lockdown procedures and the ability to easily transition from fail-safe to fail-secure, at a moment’s notice. Relevant hospital staff need to have the mobility to ease access, restrict access and change access permissions when the need arises.

Data

In terms of protecting sensitive information and data, those within the healthcare industry must be cognizant of all ways a bad actor can attempt to exploit access vulnerabilities within the overall security posture. When people think about protecting data, most will automatically assume that this is an issue exclusive to the realm of cybersecurity. While adequately securing your digital networks is a high priority, especially with what we have all seen with current events in the media, properly securing data at the local level needs to be of significance as well.

Those individuals who want to take advantage of someone else’s personal information could do so by trying to break into a healthcare facility and physically plug into a company’s network or steal a company laptop or other equipment that may contain sensitive information. A facility could strengthen its access control by utilizing proper identification systems, using other equipment such as cameras and proper training of personnel on actions such as tailgating, previously mentioned. Depending on the sensitivity of a particular area, dual-layered access control issues should be implemented. This could be done by various means such as card access, pin codes, keys, cypher locks and biometrics.

Action items

Those within management of the healthcare facility must always be aware of the employment status of any employee at any time. The most common form of access control vulnerabilities or violations are those due to someone who once had legitimate access and now no longer does. A healthcare facility, whether it be a hospital or a local doctor’s office, can usually be a very dynamic environment. Accountability of all staff needs to always be a priority, so risk to the facility is mitigated. 

Another method of improving a facility’s access control is through the use of analytics, to see who has been where at any given time. Generating reports hourly, daily or even weekly can illustrate to those with administrative oversight of the facility who has been through a particular entrance, department, or section. 

To have a robust access control system in place, it must be multi-faceted and broad. All assets discussed in this article – people, physical assets and data – must be properly protected from harm or loss from malicious actors. It is a healthcare facility’s responsibility to ensure everyone is safe and secure from any potential threat and provide a duty of care. Access control is a prime example of how this can be accomplished.

Daniel Loo serves as Rimkus Consulting Group‘s principal safety and security consultant. He has more than 15 years of experience in military and private sector security experience, in tactical as well as strategic functions. Loo provides enterprise security risk management for the design, direction, development, and procurement of security systems and countermeasures. His experience also includes physical security evaluations and surveys within the restaurant, lodging, hospitality and healthcare industries. He understands security requirement analysis, conceptual design, construction documents, security contractor evaluations, field services, and coordination and project management of security projects. He also provides expert testimony on security-related issues for law firms.