Combatting healthcare threats by aligning facility and information security

Healthcare providers face threats to both their IT infrastructure and their physical facilities, and each is typically the responsibility of a different department with its own roles and focus areas.

Both groups share responsibility for the institution's reputation and the safety of its physicians, staff, patients and visitors. These challenges grow in complexity as the Internet of Things (IoT) creates more connected hospitals. Administrators must rethink how trust is established in smart environments and how trusted identities, carried on mobile devices and on current smart card technologies, are used across the healthcare continuum.

This shift in the use of trusted identities is transforming how institutions operate. Hospitals are combining strong authentication with new IoT applications to address these challenges, and in doing so have the opportunity to simplify many aspects of healthcare operations: opening hospital doors, accessing healthcare records, e-prescribing, and how healthcare professionals interact with patients and log their activities. It also creates opportunities to improve billing accuracy without compromising the quality of care, from hospital to home.

The Four “Cs”

Healthcare institutions are increasingly moving to integrated solutions so they can achieve the four "Cs" of operational effectiveness: compliance and convenience, delivered through comprehensive and connected systems. Meeting these imperatives requires that multi-factor authentication extend across the entire identity and access management lifecycle. On top of this foundation, institutions should also incorporate One Time Password (OTP) tokens, Public Key Infrastructure (PKI) certificates and biometrics to comply with DEA and HIPAA requirements for Electronic Prescription of Controlled Substances (EPCS). With this approach, users prove their identity and authorization status by tapping an ID badge to generate and transmit an OTP that grants access to cloud applications. The OTP is one factor only; the DEA EPCS rule requires two of three factor types (something known, a hard token, or a biometric), so the badge tap is paired with a password or PIN or a biometric.
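The badge-tap OTP described above is, at the protocol level, an event-based one-time password: the badge and the authentication server share a secret and a counter, and each tap produces the next code. The following is an added example, not code from the original article or from HID Global's products, showing the HOTP algorithm (RFC 4226) and the server-side check a practitioner would want: a look-ahead window so a badge that was tapped without a successful login can resynchronize, and a counter that only moves forward so a captured code cannot be replayed. The shared secret and window size are assumptions; the secret used here is the RFC 4226 test key.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced mod 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, last_counter: int, submitted: str,
                window: int = 5, digits: int = 6):
    """Server-side check of a badge-generated OTP.

    last_counter is the highest counter already accepted for this badge
    (-1 before first use).  Returns the counter that matched, which the
    caller stores as the new last_counter, or None on failure.  Only
    counters strictly greater than last_counter are tried, so a code that
    was already accepted (or one older than it) is rejected as a replay.
    The window (an assumed value) lets a badge that advanced its counter
    without a completed login resynchronize; keep it small, since each
    extra slot gives an attacker another chance at guessing a code.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    for c in range(last_counter + 1, last_counter + window + 1):
        expected = hotp(secret, c, digits)
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(expected, submitted):
            return c
    return None


if __name__ == "__main__":
    # RFC 4226 test key; a real badge would hold a randomly generated secret.
    secret = b"12345678901234567890"
    stored = -1                       # nothing accepted yet for this badge

    # Tap 1: badge emits the code for counter 0.
    stored = verify_hotp(secret, stored, hotp(secret, 0))
    print("tap 1 accepted, stored counter =", stored)

    # Replay of the same code is rejected.
    print("replay:", verify_hotp(secret, stored, hotp(secret, 0)))

    # Badge was tapped twice without logging in; counter 3 still verifies.
    stored = verify_hotp(secret, stored, hotp(secret, 3))
    print("resync accepted, stored counter =", stored)

    # A code far outside the window is rejected until the badge is re-enrolled.
    print("outside window:", verify_hotp(secret, stored, hotp(secret, 20)))
```

Note that the OTP only demonstrates possession of the badge; the EPCS second factor (a password or PIN, or a biometric) is checked separately, and the token itself must meet the DEA's FIPS 140-2 validation requirement, which software alone does not satisfy.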

This approach also enables institutions to protect patient records and data, and to implement secure access to facilities. Users can authenticate remotely to VPNs using mobile devices. Institutions can deploy new IoT use cases. And visitor management can move to a web-based, policy-driven physical identity and access management approach to more effectively manage the visitor identity lifecycle while delivering security and compliance in an open environment.

Pulling all of these capabilities into a unified platform enables institutions to automate manual workflows and achieve an end-to-end physical identity and access management solution that integrates with access control systems, logical identity and other internal applications. Healthcare organizations can manage all types of physical identities and their details, and can use cloud technologies and managed service models to transform credential printing and issuance for physical ID cards. Many healthcare institutions will also explore using trusted identities for applications such as emergency mustering, where it is critical to know who is in the facility, among a variety of new and emerging capabilities.

New E-Prescribing Choices

EPCS will play a particularly important role in driving access control decisions. The best way to comply with privacy protection requirements is a multi-layered security strategy. Software applications must conform to regulatory standards, and institutions should perform identity proofing before credentialing users for two-factor authentication. One of the two factors can be a biometric based on unique physical characteristics such as a fingerprint or iris scan.

One way to meet compliance requirements is to use a FIPS 140-2 validated cryptographic key, hard token or card. If PKI is used, whether on-site or through cloud-based validation services shared by all relying parties, the certificates will need to meet the identity level of assurance that the application's cross-certification requires. PKI digital certificates are increasingly popular for assuring that individuals, systems or applications are who they claim to be. Certificates can carry different assurance levels, and their validity can be checked in real time (for example, through OCSP responders or certificate revocation lists) so that a revoked credential is refused promptly.

Hospitals can also reuse their e-prescribing architectures for other applications, such as secure remote access using credentials, key fobs, smartphones or other smart devices, and OTP tokens. Similarly, digital certificates can be used for more than e-prescribing, including authentication to networks or applications, digital signatures for on-line transactions, and signing or encrypting documents and email. PKI raises the level of trust in all of these transactions.

The PKI will also support federated identity across an urban medical community, enabling one identity to be trusted and used throughout disparate facilities.

Ensuring the Internet of Trusted Things (IoTT)

To more efficiently connect, monitor and manage patients, mobile clinicians and staff, healthcare institutions and their affiliated departments will embrace trusted identities, Bluetooth Low Energy (BLE) technology, predictive analytics and emerging IoT solutions that use real-time and proximity-based location technologies. The same solutions will also make it easier to manage physical assets and to quickly locate critical medical equipment.

Trusted identities are also at the core of new electronic visit verification (EVV) solutions that help streamline in-home patient visits and eliminate billing fraud. These EVV solutions use “proof of presence” applications to make it easier to document the time, location and accurate delivery of prescribed care. Solutions that combine trusted RFID tags, mobile apps and web applications will add trust to these proof-of-presence applications.

Using Biometrics to Increase Trust

Biometrics bind a user's digital IDs more tightly to the person. They will be used to raise trust levels by ensuring that only authorized patients receive the care and benefits they are entitled to, and that only authorized providers view and update confidential medical records. Biometrics will also be used to authenticate the prescriber, pharmacy staff and/or the recipient in EPCS applications.

Because of its ease of use, the fingerprint modality will continue to grow in adoption, offering strong performance in the demanding healthcare environment along with interoperability, low cost and resistance to fraud. Multispectral imaging with liveness detection will be an increasingly important capability for protecting user identities, since it rejects presentation attacks that use fake or stolen biometric data.

Best Practices

Facility security and IT security teams must work together to employ best practices for both physical and logical access control.

On the physical access control side, institutions should use an open and expandable infrastructure that supports ongoing improvements. As requirements on this side of the house converge with information security needs, hospitals must also explore how to maximize ROI by ensuring that users can do more with their ID cards than simply open doors. The same cards should serve applications ranging from cashless payment to accessing EPCS systems and IT resources.

Today's physical access control system (PACS) solutions already support many access control applications on the same smart card, including access to the parking lot, main entry, emergency room and pharmacy. They can also be used for visual ID verification, logging in to time-and-attendance and other computer applications, and executing payroll transactions. Storing biometric templates on the smart card brings strong multi-factor authentication to laboratories, research centers and other sensitive hospital areas.

Many institutions also want a path to IP-based PACS solutions for networked access control, which streamline infrastructure enhancements and modifications. IP-based solutions also provide a single, integrated system that combines security, access control, video surveillance and incident response, perimeter detection and alarm monitoring. Hospitals can invest in a single, unified IP network and logically control multiple technologies that previously co-existed only at the physical level. They can also leverage their existing credential investment to add logical access control for network log-on, achieving a fully interoperable, multi-layered security solution across the hospital's networks, systems and facilities.

There is also the opportunity to integrate a hospital’s access control systems into a Physical Identity and Access Management (PIAM) software solution that provides the common bridge between disparate physical and IT security systems. This delivers a variety of convenient, unified access control capabilities along with a more comprehensive view across otherwise disparate physical access control and visitor management systems, while also providing predictive risk analytics capabilities. It also creates a streamlined user experience while extending strong authentication throughout the healthcare enterprise, from the desktop to the door, improving the overall security posture while consolidating physical and IT security.

Moving Forward

Hospitals have many tools for achieving a strong and versatile PACS solution while also solving strong authentication challenges for information security and patient information privacy. Converged solutions can be used to secure access to everything from the hospital’s doors to its computers, data, applications, and cloud-based services, while tying smart hospitals to the IoT.

In the future, hospitals will have a single security policy, credential and audit log as part of a fully interoperable, multi-layered security infrastructure based on a flexible and adaptable platform. This will enable hospital administrators to preserve their investments as they grow, evolve, and continually improve their security capabilities. Institutions will deliver an improved patient experience, more comprehensive security view, and more coordinated approach to protecting privacy while controlling access to patient data, electronic prescriptions, equipment and facilities.

###

Sheila Loy,
Director of Healthcare Solutions and Strategies, Identity & Access Management, HID Global

Sheila Loy is the Director of Healthcare Strategies for North America at HID Global. She is responsible for raising the visibility of trends, innovations and compliance drivers related to identity and access management and physical security solutions for healthcare providers, payers and pharmaceutical companies. Sheila has a B.A. in Business Administration and over 25 years of technology solutions experience. She has been with the company since 2004.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
