
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States fosters health insurance coverage for workers and their families, and requires national standards for electronic health care transactions.

 

The law’s privacy provisions include protection of information related to any individual’s health status, provision of health care, or payment for health care. There are also additional health privacy laws specific to California. Internationally, there is a patchwork of health privacy laws around the world, from Argentina to Uruguay, including laws throughout Europe, Central Asia and Australia.  

Role of physical security in safeguarding data 

Physical security systems can play a big role in helping to keep patient information safe and private, as required by various laws. For example, AMAG has developed new capabilities within its Symmetry family of products that allow healthcare institutes to demonstrate their compliance with HIPAA. Compliance reporting is a key area and has been a focus for AMAG, says Dave Ella, Vice President of Product Marketing, AMAG Technology. 

Hospitals and healthcare facilities install AMAG’s Symmetry access control system and Symmetry CompleteView Video Management to manage and control access and provide HIPAA compliance throughout their buildings and campuses. Security plan policies and procedures need to protect a healthcare facility, says Ella. Automatically reviewing access permissions for employees, contractors and visitors on a regular basis is a key aspect of the plan, and AMAG’s Symmetry CONNECT product is designed for that purpose. Also, capabilities within the system make documentation of adds and changes to the security system more straightforward. They include the ability to add drawings, documents and notes to any device within the system.  
Demanding regulatory environment

Legislation like HIPAA, which establishes U.S. standards for privacy and security, impacts hospital access control policies and procedures, says Sheila Loy, Director Healthcare Strategies, North America, HID Global. In fact, HIPAA is just one element in a demanding regulatory environment. The need to comply is complicated in hospitals by security threats in an environment with high traffic volumes and complex staffing requirements, Loy adds. For instance, in California, hospitals must report any security breach event, after which the California Department of Public Health (CDPH) checks policies, practices and audit trails, and executes inspections and assesses fines. 


Often, hospital administrators must also follow federal guidelines established by the Centers for Medicare and Medicaid Services (CMS) that, at times, conflict with state rules and result in fines.

Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes; and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery. Today’s access control platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements. For instance, HIPAA imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.  

HID Global offers comprehensive healthcare security solutions to create a safe, compliant environment for patients and employees. The company’s solutions: provide secure access to healthcare facilities and supplies; enable hospitals to identify and manage hospital visitors; provide electronic audit trails to protect patients and staff; ensure HIPAA compliance for patient records; and enable organisations to leverage existing access control cards for additional services to offer convenience and create operational efficiencies. 

Need for versatile authentication platform 

Health data is at least as valuable as financial data in the online banking industry, where a layered system approach is used to ensure that appropriate risk mitigation levels can be applied, says Loy. Even though patients don’t access healthcare information as frequently as do online banking customers, and aren’t protected by the same regulatory compliance requirements, they can benefit from the same multi-layered authentication mechanisms, both inside and outside the hospital. Healthcare organisations need a versatile authentication platform with real-time threat detection capabilities in order to effectively implement the critical five layers of security including user authentication, device authentication, transaction authentication with pattern-based intelligence, browser protection, and application security, says Loy.  


Access control systems can be used to help protect access to patient records and other controlled materials, adds Robert Laughlin, President, Galaxy Control Systems. By using higher-security credentials for access control readers, such as biometrics, medical facilities can increase their confidence levels that they are only providing access to authorised individuals and creating an audit trail for reporting or review. Galaxy access control systems can be integrated with a wide range of readers, including high security biometric readers.  

Ensuring privacy with video surveillance 

Video systems are also impacted by HIPAA in the United States and by similar privacy legislation around the world. When a physical security system is installed in a healthcare environment, patients’ privacy must be protected according to HIPAA’s specific rules, says Jason Ouellette, Product Line Director – Access Control, Tyco Security Products. A patient’s PII – or personally identifiable information – must be protected. PII is any information that can be used to uniquely identify, contact or locate an individual, or that can be used with other sources to uniquely identify a person.  

With video surveillance, cameras must be positioned in such a way that they don’t violate HIPAA laws, says Ouellette. If a camera is pointed to a computer screen or something else that contains a patient’s PII, there must be an option to draw a privacy window within the frame so that a patient’s sensitive information isn’t easily accessed or compromised. 


Challenge of megapixel cameras 

Furthermore, the use of megapixel cameras can increase the challenge. HIPAA and similar requirements can indirectly impact video systems in ways not thought of before the advent of megapixel surveillance cameras, says Jeff Whitney, Arecont Vision’s Vice President of Marketing. On one hand, video surveillance systems are more effective than ever at protecting medical records storage and access to other confidential information.  

On the other hand, it is now equally important to consider the field of view of a high-megapixel camera, says Whitney. A camera placed over a cashier may yield images of a screen within the field of view, of documents, or of the credit card itself in which credit card numbers are discernible. Medical records may similarly be picked up in detail by a high-megapixel camera. Therefore, it is necessary to ensure that the integrator selected to install a video surveillance system understands the objective of each area of coverage, and what should not be included.

Integrated security systems aid faster compliance 

Faced with a number of local, state and national regulatory guidelines, security directors within healthcare facilities must be able to improve hospital security and insulate the organisation from potential liability claims, says Kyle Cusson, Business Development Manager, Healthcare, Pelco by Schneider Electric. “That means implementing a surveillance system that allows multiagency cooperation and response,” he says. “Keeping all of this in mind, having a video surveillance system that integrates with the necessary emergency and fire alarm systems, access control and other systems can promote an institution’s compliance with regulatory agencies by providing proof that the organisation’s assets are safe and secured.”  

Finally, there is the issue of access to video. In today’s regulation-focused market, healthcare organisations must strictly control who has access to video, says Brandon Reich, Senior Director of Surveillance Solutions, Pivot3. Servers and storage are typically easier to secure because these devices are traditionally deployed in controlled locations, sometimes on closed networks and often under the supervision of IT. Client access is more difficult to control – security personnel, management and even first responders need access to video, and their devices are typically unsecured. This can translate into a potential HIPAA violation, especially if data is accessed by unauthorised people.
