Guest Article By Mac McMillan, CEO of CynergisTek, Inc
Healthcare today cannot afford the inefficient practices of the past in managing its many security responsibilities. It is not unusual to find healthcare organizations with multiple service providers for similar monitoring services or disparate services that could be managed by one provider.
The overhead and inefficiencies can be better managed. For instance, many systems use multiple alarm companies for different facilities rather than one provider servicing, maintaining and monitoring all alarm systems. Even in situations where organizations have grown through acquisition and the alarm systems are not all similar, this is still possible. Integrating all physical security controls alone would accrue cost savings for many organizations. However, the real savings and benefits are gained when we integrate the physical with the logical security program.
This is exactly what healthcare needs in today’s regulated environment, where costs also need to be managed smartly, because today security means protecting buildings and equipment as well as protecting networks, dealing with privacy issues, and managing risks. These issues are all interrelated. This is not a new concept. We were well on our way down this path before I retired from the federal government, and the finance sector, energy sector and large corporations have plowed this ground before. This means healthcare has the opportunity to use their lessons learned and achieve this with even more efficacy.
In most organizations physical and logical security systems and controls operate as two independent sets of programs and are managed by completely separate departments. Logical security (information), which manages access to the IT infrastructure such as the internet, mail servers, web servers, applications and databases, is run by IT. Physical security (facilities/systems), which includes employee badging systems, alarms, ingress and egress routes in and out of facilities, and life support systems like HVAC, fire and CCTV, is run by the facilities department. What is interesting, though, is that both information security systems and physical security systems generally use the same infrastructure services.
Why Convergence for Healthcare?
Being able to manage and track individuals, assets and information is a critical component of risk management in any hospital today. Physical access makes compromising the security of IT systems and the privacy of patients and their information easier. Individuals with access can steal assets and information, compromise network security and undermine patient safety and privacy. Combining IT and physical security controls, commonly referred to as convergence, provides a proactive and comprehensive view of potential intrusions and aids in reaction and forensic analysis. Imagine one of the worst situations imaginable in a healthcare setting: an infant that traverses a barrier and sets off the infant tracking system. Now imagine a fully integrated system where every alarm, camera, electronic lock, etc. receives and transmits feeds from all the others and is centrally managed. The minute that first alarm is tripped, every camera along every possible pathway from that spot begins recording, doors lock down, those monitoring are instantly redirected to that area, all other security personnel throughout the facility are alerted immediately, and images are pushed to their smart devices to aid recognition and apprehension. Now imagine that situation where those systems don’t work together in an integrated fashion, where different groups monitor different systems, and where security personnel and others rely on announcements, phone calls and email.
The second big reason for considering convergence is substantially reducing the total cost of ownership of these systems. According to research, the integration of budgets for physical and IT security can provide substantial efficiency. Healthcare cannot avoid the cost of security, and the regulatory mandates of HIPAA, HITECH, PCI, Red Flags and other laws have substantially increased that cost and have created the need for more efficient models.
Efficiency is the next reason healthcare entities should seriously consider convergence of their IT and physical security systems. The efficiencies come in many forms, from reducing the number of contracts/vendors managed, to the number of staff required to manage and monitor, to the simplification and accuracy accrued from the use of common databases for identity, credentialing, provisioning, etc. This permits common administration of both users and systems, and reduces the chances of mistakes.
Another good reason for considering convergence is the fact that it aids audit and investigation of events and incidents. The use of comprehensive and automated logging capabilities significantly aids in the investigation of security events and increases accuracy, while reducing time spent chasing false positives. Consider someone discovered logging into a critical system or information that they are not authorized to access: with converged logs, one can instantly see that the individual whose user credentials are involved has not entered the building according to the physical access logs, and then review video of that system and see exactly who was on it at the time the access was attempted or occurred.
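The badge-versus-logon check described above, as an added example that is not from the original article: a small Python correlation over constructed badge-reader and workstation logon logs that flags console logons by users who have no open badge-in interval at that time. The log formats, door names, hostnames and user names are assumptions.

```python
"""Correlate console logons with badge-reader events (constructed sample logs)."""
from datetime import datetime

# Constructed sample badge-reader log: timestamp, event, user, door.
BADGE_LOG = """\
2024-03-04T07:55:10 badge-in  jsmith MAIN-LOBBY
2024-03-04T08:02:41 badge-in  alee   ED-ENTRANCE
2024-03-04T12:15:03 badge-out jsmith MAIN-LOBBY
"""

# Constructed sample workstation authentication log: timestamp, event, user, host, kind.
AUTH_LOG = """\
2024-03-04T08:10:22 logon jsmith WS-ICU-07 console
2024-03-04T08:12:05 logon alee   WS-ED-02  console
2024-03-04T08:30:47 logon jsmith WS-ICU-07 console
2024-03-04T13:05:11 logon jsmith WS-ICU-07 console
2024-03-04T14:20:00 logon bkhan  WS-LAB-01 console
"""


def parse(log, fields):
    """Split whitespace-delimited log lines into dicts with a parsed 'ts' field."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if parts:
            row = dict(zip(fields, parts))
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def presence_intervals(badge_rows):
    """Build {user: [(badge_in, badge_out_or_None), ...]}; an unmatched badge-in stays open."""
    intervals, open_in = {}, {}
    for r in sorted(badge_rows, key=lambda r: r["ts"]):
        if r["event"] == "badge-in":
            open_in[r["user"]] = r["ts"]
        elif r["event"] == "badge-out" and r["user"] in open_in:
            intervals.setdefault(r["user"], []).append((open_in.pop(r["user"]), r["ts"]))
    for user, ts in open_in.items():
        intervals.setdefault(user, []).append((ts, None))
    return intervals


def find_suspicious_logons(badge_log, auth_log):
    """Return (timestamp, user, host) for console logons with no matching on-site badge interval."""
    intervals = presence_intervals(parse(badge_log, ["ts", "event", "user", "door"]))
    alerts = []
    for a in parse(auth_log, ["ts", "event", "user", "host", "kind"]):
        if a["kind"] != "console":
            continue  # remote/VPN logons are not expected to have a badge-in
        on_site = any(start <= a["ts"] and (end is None or a["ts"] <= end)
                      for start, end in intervals.get(a["user"], []))
        if not on_site:
            alerts.append((a["ts"].isoformat(), a["user"], a["host"]))
    return alerts
```

Each alert names the workstation and time, which is exactly the pointer an investigator needs to pull the matching camera footage.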
Is Healthcare Ready For Convergence Now?
Unfortunately, in most instances the answer is no, but it is achievable. Almost every healthcare system has some or most of the building blocks needed to achieve an integrated environment, but not all systems are optimized or ready for this level of integration. That means some amount of effort is required to integrate existing systems, implement new capabilities to fill gaps, and work within budget and contracting constraints. The exception, of course, is new construction, where integration is absolutely achievable and should be the rule rather than the exception. Any time we have the opportunity to start with a clean slate we should strive for total integration of physical and logical security and a single provider to manage, maintain and help monitor the environment.
For existing healthcare facilities the journey, as we said, will require smart choices and patient implementation, but it is absolutely achievable over a period of years along a structured road map characterized by discrete phases and fiscal responsibility. The goal is possible, and it is possible through smart management of costs and contract administration. The process begins by baselining what is currently available, designing the end state, identifying the gaps in controls and technologies, and then documenting a roadmap for phased implementation and integration of systems as the budget permits and as contracts come up for renewal. Depending on the system this may take 2, 3 or maybe 5 years, but if done correctly the cost of new systems and capabilities will be offset by the reductions in cost of ownership, and in the long term it will continue to return fiscal benefits.
What Are Some of the Benefits?
The common element that makes convergence possible in many instances is centralized management and shared identities. Often this results in the ability to use a single access control device to permit multiple secure operations by a user thereby simplifying their workflow. There are many examples, but a few are listed here:
• Utilization of a single smart card, badge or other technology to permit facility and system access based on a user profile, eliminating the need for some user-initiated authentication.
• Enablement of user access while mobile, moving from building to building, floor to floor, using their single access control device to access their desktop, and access mail, the intranet and other common applications.
• Controlling the printing or copying of sensitive data such that the user prints a document, but it does not print until the user is at the printer and presents their access control device so that others could not gain unauthorized access inadvertently.
• Permitting two-factor authentication for remote access options. The user not only has to initiate a VPN, but must have their access control device validate their identity and permit entity authentication as well, using the same device that enables all other access.
• Enabling the real-time tracking of individuals and assets throughout the facility, with the ability to monitor, interdict, restrict and react in real time to inappropriate movement or access, and improved location of critical systems and individuals when needed operationally.
• Enhanced enforcement and investigative capabilities through behavior based controls, alerts and incident management processes.
• Reductions in the contracting, administration, maintenance and monitoring costs associated with security.
• Enhanced early warning and detection of potentially harmful or non-compliant behaviors and events.
So What is Holding Us Back?
In most cases the thing that is holding us back is cost and a lack of understanding. Many of our healthcare entities do not have the right person managing security, some have no one dedicated to the responsibility, and few resource security in a manner consistent with other regulated industries. Combining logical and physical security is no trivial undertaking; however, the cost savings downstream and the enhanced security benefits can make it worthwhile. This is a big hurdle to get over, though, for many healthcare organizations that do not appreciate the real cost of security and do not have someone in house who can articulate the right vision and the benefits that can be achieved.
Get over it though we must, because the regulatory and complex environment healthcare will operate in going forward will demand more efficacy and efficiency. The first step forward is to learn more about the convergence of logical and physical security and to perform a baseline survey of where your organization is with respect to what it would take to become a more intelligent hospital.
Mac McMillan is co-founder and CEO of CynergisTek, Inc., a firm specializing in the areas of information security and regulatory compliance for healthcare.