April 30, 2010
Healthcare facilities and hospitals are faced with unusual challenges when it comes to security, with their staffing and sheer volume of traffic rivaling any campus environment.
Whether the need is to restrict access to authorized personnel-only areas or to protect private patient information in electronic and paper formats, a multi-faceted approach to security in the healthcare industry is becoming ever more critical in meeting the evolving regulatory requirements around patient privacy.
Effective security requires a forward-looking approach to addressing both current and future physical and logical access requirements, along with a firm understanding of the changes in privacy standards and compliance regulations that are impacting today’s healthcare institutions and their business partners.
New Privacy Standards Give HIPAA Muscle
One of the most important sets of changes in privacy standards was brought about by the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, which was signed into law as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The HITECH Act, enforcement of which began in February, adds notification requirements for healthcare-related information security breaches; implements new data security standards for electronic health records; and expands security and privacy provisions beyond the Health Insurance Portability and Accountability Act (HIPAA).
While HIPAA addresses health information security and privacy issues, the HITECH Act extends the HIPAA security and privacy rules to entities not covered by HIPAA, holding them to the same privacy and security standards as covered entities. For example, under HITECH, healthcare providers, pharmacies, and other business associates of a covered entity (as defined in HIPAA) will now be subject to the privacy and security provisions of HIPAA. This extends beyond the healthcare provider to include even vendors of personal health records, according to the U.S. Department of Health and Human Services.
HITECH thus includes provisions that are designed to protect patient health information by calling for healthcare organizations, their business associates and service providers to fully disclose breaches, including a description of the incident, when it occurred, what was discovered, what types of information were involved, and a description of what was done to investigate and prevent future incidents.
Needless to say, the HITECH Act finally adds the muscle that HIPAA lacked. It will likely force healthcare providers, vendors and caregivers to implement stronger access security to truly protect patient data and to avoid multi-million dollar fines similar to those levied against many large corporations for noncompliance.
Physical, Logical Disconnect Hinders Compliance
For years, healthcare institutions have used a variety of methods to secure access to facilities and data stored on network computers. For many organizations, building access and IT security technology have traditionally been purchased and managed by different departments with different security policies, goals and objectives. As a result, healthcare staff have been forced to carry multiple access cards and remember multiple personal identification numbers (PINs) or multiple passwords to access various networks, applications and areas of a facility.
These practices have resulted in fragmented security systems that are cumbersome for employees, not to mention difficult and costly for the organization to maintain.
This typical environment poses a significant risk to a healthcare organization's ability to meet the security standards required by HIPAA and HITECH, elevating the need for security administrators to evaluate how their physical access control and data security technology will affect the institution's ability to achieve regulatory compliance. Healthcare security administrators are thus looking to implement a higher level of security that can leverage their existing investment and ensure a high rate of adoption by hospital staff and by employees within other regulated organizations.
Smart Cards Bridge Gap, Provide More Security
Portable and secure, smart cards are becoming an increasingly popular tool for safeguarding physical security and ensuring the privacy of sensitive electronic information in hospitals and other companies seeking heightened security. Contact or contactless smart card technologies provide an opportunity for security administrators to implement one badge that serves as a workplace ID, physical security access card and strong authentication token for network access.
For example, a single smart card could ensure secure doctor, nurse or staff access to the emergency room and networked computers, visual identification verification and even enable contactless purchases in the hospital cafeteria.
There are several different types of smart card technologies, each offering its own level of security and complexity. The easiest way for a healthcare organization to adopt this technology is for it to use the current physical access card that most employees already carry to enter a building or a secured area.