A healthcare facility or hospital is unlike any other organization. It is generally open 24 hours a day, seven days a week, and it is open to the public. There is expensive equipment in many areas, patient records whose confidentiality needs constant protection, parking and door access control needs, and medicines that must be kept secure. A hospital or healthcare facility can challenge any security professional with its own set of demands. On top of that, security professionals stress the need to keep everything and everyone safe and secure while remaining unobtrusive for hospital patients and visitors.
Bonnie S. Michelman, director of Police, Security and Outside Services at Massachusetts General Hospital, in Boston, added that being unobtrusive is a daily goal. “Our standard practice is excellence every day. We strive to have a secure environment without making it too scary [for patients and visitors]. You want it to look like Fort Knox but not feel like Fort Knox.”
Michelman has a multi-million-dollar integrated system in place that has grown over 15 years and is one of the most sophisticated systems in the country, she said. “It’s not just one system, but it’s a large integrated system that links many different systems to each other.” But she adds that it is also flexible and large enough for expansion, if needed.
Bryan Warren, CHPA, CPO-I, and director, Carolinas HealthCare System Corporate Security, said that managing a hospital and healthcare facilities’ security system is “a unique challenge because of the need for balancing convenience with security while protecting clients and visitors whose thoughts are often on their loved ones and not on their own protection. This, coupled with the significant regulatory requirements and healthcare specific directives (such as the Centers for Medicaid and Medicare Services’ Conditions of Participation and the EMTALA rule), makes for a very complicated environment in which to provide security.”
Operating with smaller budgets is a concern as well, Warren said. “As is the case with practically every industry, we are trying to do more with less and be innovative in our approaches to problem solving. The days of simply throwing manpower and overtime at a security issue to solve it are gone, and we are now becoming more reliant on technology to solve some of these issues (such as a one time capital expense versus a recurring operational expense). That being said, the best CCTV or access control system in the world can’t grab the bad guy or comfort the victim of a crime,” he said. “Investment in technology is great, but an investment in your staff and their training is crucial for the security of any facility. Quality, not quantity is the new paradigm and we are relying more and more on our security force to be creative problem solvers.”
One solution at Carolinas HealthCare System of which Warren is proud is the Public Safety Resource Office concept. “After the opening of a newly constructed Rehabilitation facility in a neighboring county, it was decided that there would be no on-site security, but that security would instruct the existing plant operations personnel in certain aspects of the security function, and these individuals would serve the security needs of the facility,” he said. Thus, a special training program was created to instruct “hybrid” personnel in the basics of proper report writing and documenting of security-related incidents, patrol techniques, civil liability and constitutional law, and a variety of other important topics.
To supplement these employees, an existing office space in the facility was converted into a Public Safety Resource office for local law enforcement use. “After crafting a Memorandum of Understanding and vetting this document through all appropriate legal channels with each agency that was to use this office space (two city police departments with adjacent jurisdictions to the facility and the local Sheriff’s department), special customized identification cards were created for each agency that would allow their personnel access into this office area,” he said. “By encouraging local law enforcement to come on site by offering this area for their officers to do reports, make personal calls and use the computer, we effectively increased a preventative presence at no cost to our department or organization while strengthening our community relationships with our neighboring county and its police officers.”
Healthcare Regulatory Challenges
Since the introduction of the Health Insurance Portability and Accountability Act (HIPAA) and the Joint Commission standards, healthcare organizations have invested money, time and energy into ensuring that healthcare data is safe and that standards are met and even exceeded.
Michelman said that “regulations affect everything that we do,” adding that her security system has been modified in terms of data center security and information security protocols in response to recent HIPAA regulations. “We look at it as a balance of state of the art technology that fits the risks, protocols and procedures with awareness and education programs that harden our targets.”
Additional security system changes, she said, have included requiring password protection on every device that holds patient health information, engraving equipment so it can be identified, and LoJack tracking on some equipment.
Warren said that, “In addition to the universal predicament of securing PHI (both in its physical and electronic forms) and meeting the new Joint Commission standards, one interesting issue that has arisen with HIPAA is that of interactions with law enforcement and the response to legitimate requests for information about patients.” He said that while there are sections of HIPAA that allow such sharing of information under very specific conditions, many clinicians have been educated that they cannot share PHI (Protected Health Information) under any circumstance, and such refusals can at times create a rift between the hospital and local police. “We have been working diligently on creating a process by which local police bring with them a recognized ‘request for information’ form to our clinical staff, who would then be educated to contact hospital security for direction and assistance on any such information requests involving a client or patient,” he said. “By working with our corporate compliance, legal and risk management departments, the inception of this process will hopefully alleviate much of the misinformation about HIPAA and make for a smoother process for complying with such regulations.”
THE RENAISSANCE PROJECT
Another example of combining a high level of security without compromising patient care and making patients feel comfortable is the Toledo Hospital and Toledo Children’s Hospital in Toledo, Ohio. The facility’s “Renaissance Project” was a large construction project for ProMedica Health System, a northwest Ohio not-for-profit health care organization that operates the facilities. The hospitals’ 10-level, 500,000-square-foot facility has redefined what it means to provide a patient- and visitor-friendly environment. The facility also employs a digital video surveillance system from Panasonic System Solutions Company.
The new facility provides 289 private adult and pediatric patient rooms, and also houses clinical areas such as a surgical intensive care unit, adult intermediate care unit, newborn intensive care unit and general pediatrics and pediatric hematology/oncology, including the Debbie Brass Children’s Cancer Center.
When hospital personnel were planning the expansion in 2004, a new security system quickly became part of the plans. The hospital’s existing security command center near the north entrance had outgrown its location and outlasted its capabilities. The center would have to be enlarged, modernized and relocated near the north entrance to accommodate 160 video surveillance cameras that would provide security for the new addition. Camera locations, intercom stations and panic buttons were all planned to provide maximum security protection for the new building expansion. In addition, changes needed to be made to the control center to accommodate the new technology.
The plan was to have a camera covering every stairwell, every elevator alcove, and all entrance and exit points – plus three cameras in the new parking lot. Since the hospital’s Emergency Room is a hot spot, security personnel wanted to keep a close eye on the images from cameras covering that area.
Personnel at The Toledo Hospital and Toledo Children’s Hospital also wanted to be able to view all the cameras from the security control center and from remote sites, since the administrative offices are in a separate building. Using the new system, video can be obtained from any computer on the network by accessing the digital recorders through Panasonic’s management software. With that reach, the recorders’ own user authentication and the segmentation of the network they sit on are the controls that decide who can view patient-area video. “I can do it all from my desk,” said Don Sullivan, Security Technical Specialist at The Toledo Hospital.
Hospital security personnel wanted to capture one or two images per second on every camera, operating 24 hours a day/seven days a week. “With all the cameras we have added and everything digital now, whatever happens throughout any of our monitored locations, we will likely have some video of it. The system also can protect us from a liability standpoint,” said Sullivan.
The U.S. HealthCare System's Overhaul
The Obama Administration has announced that it will modernize the nation’s healthcare system. Last month, President Obama told a group of members of the American Medical Association that “when it comes to the cost of our healthcare, the status quo is unsustainable.” The Administration said it plans to overhaul the system in terms of privacy, access, and identity. For example, healthcare IT is receiving roughly $19 billion in funding from the American Recovery and Reinvestment Act of 2009.
A recent event held in Washington, DC, by the Smart Card Alliance Healthcare and Identity Councils and the Secure ID Coalition highlighted the urgency of these efforts.
“There is a risk we will focus too much on standards for electronic health records (EHRs) and ways to exchange them at the expense of sound privacy and identity models,” said Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit association that works to promote the adoption, usage, and application of smart card technology. “The critical issues are getting control over who has access to healthcare information, and correctly tying the right individual to his or her health records. That means identity management and access authentication security have to be baked-in from the start, not tacked on at the end.”
Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York. At the event, he cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. He said that Mount Sinai has revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.
Hospitals and other stakeholders also face significantly stronger privacy and security rules along with new financial penalties for violators, said Richard D. Marks, co-founder and president, Patient Command, Inc. Marks told event attendees that the healthcare “HITECH Act of 2009” provisions in the American Recovery and Reinvestment Act are a direct effort by the new Administration to extend and enforce HIPAA regulations that were largely ignored until now. He said that the new legislation has created health record data breach notification rules, fines for failure to protect personal health information and rights for complainants to share in civil monetary penalties levied on offenders. He also said that any civil and criminal penalties are not limited only to institutions, but also apply to negligent CEOs, CFOs, CIOs and board members.
Whether personal healthcare information is stored centrally or at the place it is created, its security is far more critical than even other types of personal information such as credit card accounts, said Michael Magrath, director, Healthcare and Government for Gemalto. Magrath said that if someone steals your credit card number and starts using it online, the bank will replace your financial losses and just give you a new card; however, there is no single issuer there to protect you in the case of healthcare information. “If my personal healthcare records are compromised there’s no recourse. It’s out there and it’s out there forever,” he said.
What is the Red Flags Rule?
The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Rule, which was announced late last year, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices, or specific activities that could indicate identity theft.
The Rule specifically applies to creditors and financial institutions, but healthcare organizations can be included as well. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. However, the rule says, where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.
Under the Red Flags Rule, creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
John Christly, manager of Information Technology Security and MHS HIPAA Security Officer for the Memorial Healthcare System in Miramar, Fla., a public system that operates 41 facilities and five main hospitals, said that he thinks the Red Flags Rule will “do better than HIPAA.”
“It’s a good program to prevent and protect against ID theft,” Christly said. “It includes required elements that one must do if you suspect theft. We implemented an ID theft task force and a committee to enforce it, and now it’s our standard practice…it’s organization wide on how to protect and react to a suspected breach of sensitive information. It involves stronger checks on social security cards and licenses, which we were always doing, it just was not formalized. But now it is.”
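The warning signs the Rule describes (suspicious identity documents, accounts that do not line up with the person presenting them) can be screened for mechanically at patient registration, which is where a hospital's "covered accounts" are opened. The following is an added example written for this article, not code from Memorial Healthcare System or any other organization quoted here. The record fields, rule names, responses and sample registrations are all constructed; the only external facts it relies on are the Social Security Administration's structural issuance rules for SSNs (area number never 000, 666 or 900 and above; group never 00; serial never 0000).

```python
"""Red Flags Rule screening of patient registration records (added example).

Illustrative code written for this article, not from any organization it
quotes. It implements a constructed subset of the 'red flags' a written
identity theft prevention program can list for patient account registration:
a structurally invalid Social Security number, one SSN presented under
conflicting identities, and a mismatch between what the patient stated and
the ID they presented. Field names, rule names and sample data are invented.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_structurally_valid(ssn: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass(frozen=True)
class Registration:
    account: str   # hypothetical patient account number
    name: str      # name as stated by the patient
    dob: str       # date of birth as stated, YYYY-MM-DD
    ssn: str       # SSN as stated
    id_name: str   # name printed on the ID presented at registration
    id_dob: str    # date of birth printed on that ID


@dataclass(frozen=True)
class Flag:
    account: str
    rule: str
    detail: str


# Illustrative response per red flag, the kind of step a written program spells out.
RESPONSE = {
    "INVALID_SSN": "hold account; request a second form of identification",
    "ID_MISMATCH": "hold account; verify identity before releasing any records",
    "SSN_CONFLICT": "refer all affected accounts to the identity theft task force",
}


def screen(registrations: list[Registration]) -> list[Flag]:
    """Run the red-flag checks over one batch of registrations."""
    flags: list[Flag] = []
    by_ssn: dict[str, list[Registration]] = defaultdict(list)

    for r in registrations:
        if not ssn_structurally_valid(r.ssn):
            flags.append(Flag(r.account, "INVALID_SSN",
                              f"SSN {r.ssn} cannot have been issued"))
        else:
            by_ssn[r.ssn].append(r)
        # Stated identity must agree with the document presented.
        if r.id_name.casefold() != r.name.casefold() or r.id_dob != r.dob:
            flags.append(Flag(r.account, "ID_MISMATCH",
                              f"stated {r.name}/{r.dob}, ID shows {r.id_name}/{r.id_dob}"))

    # The same valid SSN under different name/DOB pairs is a classic red flag.
    for recs in by_ssn.values():
        identities = {(r.name.casefold(), r.dob) for r in recs}
        if len(identities) > 1:
            accounts = ", ".join(r.account for r in recs)
            for r in recs:
                flags.append(Flag(r.account, "SSN_CONFLICT",
                                  f"SSN shared by conflicting identities on accounts {accounts}"))
    return flags


# Constructed sample batch; every value is fictitious.
SAMPLE = [
    Registration("A1001", "Maria Lopez", "1980-02-14", "123-45-6789", "Maria Lopez", "1980-02-14"),
    Registration("A1002", "John Smith", "1975-07-01", "666-12-3456", "John Smith", "1975-07-01"),
    Registration("A1003", "J. Doe", "1990-11-30", "123-45-6789", "J. Doe", "1990-11-30"),
    Registration("A1004", "Ann Chen", "1988-05-05", "234-56-7890", "Ann Chen", "1985-05-05"),
]


def run_sample() -> list[Flag]:
    return screen(SAMPLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account} {f.rule}: {f.detail} -> {RESPONSE[f.rule]}")
```

Running the sample batch flags A1002 for an SSN that cannot exist, A1004 for a date of birth that differs from the ID presented, and both A1001 and A1003 because they share one valid SSN under different identities. A structural check only says an SSN could have been issued, not that it belongs to the person at the desk; that is what the second form of identification and the task force review in the response column are for.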