SIA takes on health care security space
08 August, 2016
category: Government, Health, Smart Cards
By Kelly Vlahos, Contributing Writer, Security Industry Association
A man, possibly high on methamphetamine, had a singular intention: to steal his infant child from the maternity ward before the state could take her away.
Jason Matthew Bristol took the two-day-old baby, wrapped her in a blanket and plastic bag and attempted to leave Thunderbird Hospital in Glendale, Arizona, on Jan. 21, 2015. But a bracelet affixed to the infant immediately set off alarms and locked down hospital doors before he could get away. It turned out to be a lifesaver in more ways than one, as officials say the blanket was placed on the tiny infant in such a way that it would have led to her suffocation.
Hospitals can be fragile and violent places. According to the Bureau of Labor Statistics, of all workplace assaults from 2011 to 2013 upwards of 74% occurred in medical or social service settings. In addition, there are patients who escape – including prisoners and mental health patients – and, raising the specter of recent mass shootings, people who come into the hospital setting who generally aren’t supposed to be there.
As a result, the health care field is ramping up its security services to meet the threat. The video surveillance cameras, ID badges and bracelets outfitted with radio frequency identification (RFID) or other smart technology for patients and staff, the integrated alarm systems, mass notifications, license plate readers, and smart card-enabled access control, all combine for the kind of convergent security architecture that the country’s 5,627 registered hospitals, big and small, are reaching for today. The infant tags, for example, are already ubiquitous, and as a result infant abductions today are rare, according to the FBI.
Meanwhile, moving a health care institution’s access control systems to Internet Protocol (IP) and the improvement of cellular networks have improved physical security capabilities tenfold. Also, the Internet of Things (IoT) expands the universe of possibilities requiring full-time management and proactive cybersecurity to keep enterprising hackers at bay.
All this is what the Security Industry Association (SIA) Health Care Security Interest Group is hoping to tackle in the coming year. Launched in late 2015, the group is made up of a range of professionals and SIA members directly involved in the health care space, from hospital security directors to industry vendors and consultants.
The group’s mission is to assess the current landscape in order to bring better understanding and solutions to SIA members and the health care security industry as a whole, says Jim Stankevich, global manager for health security at Tyco Security Products. Stankevich is taking the lead as chair of the health care group, with Bonnie Michelman, director of security services at Massachusetts General Hospital and Partners Health Care, serving as co-chair.
Focusing on electronic physical security – as well as the role of IT and cybersecurity – the group’s goal will be to explore emerging health care technology for health care providers and patients, as well as figure out what works now, what the possibilities are and what the future holds, says Stankevich.
Aside from identifying the challenges facing health care facilities – the rise of violence being a top concern – the group will track emerging technologies and not just the hardware. The group wants to wrap its arms around the role of metrics and analytics in making the most of current systems and in developing capabilities for new customers. It will also talk about securing those systems. Finally, the group will serve as an information-sharing hub for members, and work toward developing best practices across the vertical. While these may seem like lofty goals, all of the group’s work will keep in mind today’s shrinking budgets and return on investment.
“There is a lot of hospital consolidation, and budget constraints, and I think hospitals in general are looking at ways to buy better, consolidate and improve inefficiencies,” says Stankevich, noting that for fiscally challenged hospitals, investing in new physical security systems is a hard sell. “Certainly security is not a revenue generator, it’s an expense.”
There are health care facilities that can’t see beyond those financial hurdles, notes working group member Ben Scaglione, director of Health Care Security Solutions at G4S Secure Solutions. “Health care spending is all about medical equipment. They all have card readers, access control and the CCTV seems to be good. But the integration and the advanced technology isn’t really there – all their systems are five to 10 years old,” he explains. “There isn’t a strong understanding that systems need to do other things.”
Strategic integration is key for security systems. All elements of the security apparatus need to be connected to form a protective and preventative web around hospital patients and staff. For example, license plate readers and video surveillance not only need to be in HD resolution and accessible by mobile devices and web-enabled platforms, but should be programmed with analytics that trigger alarms and lockdowns based on that facility’s risk factors.
But that’s not all. The move toward IP connectivity brings traditional security solutions into the 21st century and enables them to communicate, according to Lauris Freidenfelds, director of security services at Rush University Medical Center.
That includes all video and access control systems, wireless voice radio communications and panic devices at each PC workstation, which are transmitted via the network to the campus command center, Freidenfelds says. Nurses and other staff also wear these devices as they move through the buildings. Wireless connectivity also enables mass emergency notifications, which are critical to campus-wide alerts.
Integration is also vital to the working group, says Freidenfelds. As technology becomes more complex, it’s created a need for more data-driven analytics and management to harness and utilize it. “We do not have enough manpower to accomplish what is needed to keep hospitals safe without technology,” he adds.
But with all this technology comes new risk. In February, Hollywood Presbyterian Hospital paid $17,000 in Bitcoin as ransom for its electronic medical records, which had been seized and locked with an encryption key by hackers. And it wasn’t the first institution to pay untraceable ransom for critical records and network access. At least two New England police departments have paid Bitcoin ransoms to retrieve hacked files. Experts estimate that paid ransoms have reached $1 billion annually.
While it looks like the Los Angeles hospital fell victim to a phishing expedition – an unwitting employee may have opened an email file that launched the malware that made the attack possible – there are vulnerabilities in physical security networks that can act like “ramps” over to the IT networks of hospitals, where sensitive patient and employee records live, says Michael Chipley, a building security expert with the PMC Group.
As the IoT expands, marked by the expanded use of data generated in the cloud and mobile computing, cybersecurity will be critical to any institution where individuals’ private data – or even their lives – are at stake. Some hospitals are still taking those first steps toward integrating their systems, and all this will come into play as the working group seeks to provide an educational component to practitioners and the vendors who work with them.