Organizing a Team -- Campus Security Today

Organizing a Team

Identity management systems are centralized within mobile platforms

By Brandon Arcment
April 01, 2016

Now that mobile identities can be carried on phones for physical security applications, they are merging with smart cards into centralized identity management systems. Organizations can use either or both to secure access to the door, data and cloud applications. The goal is a unified system that enables strong authentication and card management capabilities for computer and network logon, while also ensuring that physical and logical identities can be managed on a combination of plastic cards, smartphones and other mobile devices.

This trend is having a big impact on physical and IT security departments at hospitals and other large facilities and campuses. CIOs and CSOs have both gotten much more involved with each other in deployment decisions, creating new opportunities to maximize security and efficiency.

Evolving Roles for CIOs and CSOs

It is increasingly important that facility and information security teams work together to gain a better mutual understanding of today’s threats, and how best to combat them, while also coordinating system workflow and security enhancements. The two departments should collaborate closely on all aspects of designing, implementing and maintaining robust security capabilities. Both teams also must understand and follow best practices that extend across physical and logical access control.

The physical security market has been at the front lines of security convergence since the transition from analog video surveillance cameras to networked solutions. IT staff now heavily influences technology purchasing and daily oversight in this area. There also has been a push to integrate video, access control, intrusion detection and other system components into Physical Security Information Management (PSIM) and other unified systems.

Now, this convergence trend is accelerating with the move to ID cards and mobile phones used together for physical and logical access. The same card used to open a door can now also have “tap” authentication capabilities for logical access control. It can be tapped to a laptop, tablet, phone or other NFC-enabled device to access data, cloud apps and web-based services, replacing dedicated one time password (OTP) solutions. And that same device can be turned into a trusted credential that can be used to unlock doors and open gates.

Issues at the Intersection

As physical and logical access requirements intersect, only platforms based on open standards will enable the move to mobile access control, converged solutions, and web-based credential provisioning. Solutions can be deployed all at once, or gradually and selectively as needed. For instance, not everyone in a hospital will need mobile access on smartphones for opening doors. Visual identification enabled by traditional ID badges remains very important in the hospital setting, so cards will need to coexist with mobile IDs. Another decision is whether to provide mobile access only to company-issued devices, or to support a Bring Your Own Device (BYOD) model, and how to do that.

Regardless of the chosen mobility strategy, the access control platform will need to support the broadest possible range of devices without the need for additional sleeves or other accessories. Today’s most versatile solutions support various read ranges and enable phones to open doors not just by tapping them to a reader but also by twisting them from a distance as a user drives or walks up to it. Hospitals will need to determine the types of doors to be mobile-enabled, what kinds of features to incorporate, and which entry points will benefit most from various capabilities.

Using the same access control platform, the hospital also can assess its logical access needs. This includes looking at tap authentication as a more secure and convenient way for users to access network resources, cloud apps and web-based services using the same ID card that opens doors. Tap authentication is particularly attractive for mobile device users. In today’s mobile-first world, employees expect access to corporate cloud applications, data and services anywhere, at any time, from their preferred mobile device. This anywhere, anytime access can potentially make networks more vulnerable to security breaches. Tap authentication solves these security problems while also providing greater user convenience.

Implementation

Policy development is an important area, including updating old procedures to address new capabilities, and writing procedures to address new technologies. Organizations also need a robust process for managing users and the entire life cycle of mobile identities. This can be handled internally, or outsourced through offerings like HID Global’s Secure Identity Services. HID Global’s offering is used to manage the entire process of how an employee is on-boarded and issued a mobile identity, how to issue an additional mobile identity when visiting remote offices, and how to remove a digital key from a device if an employee reports it lost or stolen.

Mobile identities can also be configured to only engage with readers when the mobile device is unlocked. This means that an unauthorized user would have to get around the device PIN or biometric authentication to be able to use it to open doors and access the building.

For logical access control, a hospital can employ the same access control system to implement and manage a simple process for using ID cards and mobile devices to access data and cloud services. After users tap their card to their device, the OTP is unusable. There are no additional tokens to deploy and manage, and users have only one item to carry, their smart card, and no longer must remember or type a complex password.

As physical and on-line access applications merge onto a combination of cards and phones, a hospitals physical and information security teams will learn how to manage multiple ID numbers for multiple applications on multiple devices. The identity management system will need to support multiple application identities with different lifecycles, while also enabling different groups within an organization to independently take responsibility for their own application and identity lifecycle needs.

Special Healthcare Considerations

Threats to hospitals and other healthcare facilities can be divided into those to the safety of staff, patients and visitors, and those to the security of patient information and other data. Physical security threats can be difficult to combat because of the modern hospital’s typically large campus size and often geographically dispersed nature of many facilities. There is also the need to ensure emergency preparedness for natural disasters.

Another challenge is supporting secure access from affiliated doctors who may work with many different institutions, requiring them to carry multiple badges for all the locations they visit. Visitors are also a challenge. Some may pose a threat, all must be protected, and doing so is more difficult during “after hours” periods and in critical areas such as labor and delivery floors and pediatric wards.

On the information security side, threats to patient privacy take many forms, and safeguards must extend to electronically prescribed medications, as well. In the United States, HIPAA and the HITECH act create the need for process and workflow changes, as well as technology investments in a combination of cybersecurity and privacy protection.

Healthcare institutions also must comply with mandates established by the U.S. Drug Enforcement Agency’s (DEA) Interim Final Rule (IFR) for Electronic Prescriptions for Controlled Substances (EPCS). The EPCS regulation not only creates convenience for practitioners and patients through allowing electronic transmittal of prescriptions for controlled drugs, it also enhances security when implemented in a DEA-compliant fashion. Compliance requires using a software application that conforms to regulatory standards and is identity-proofed and credentialed for two-factor authentication.

To keep up with these and other threats and regulatory requirements, hospitals must take a unified approach to opening doors and gaining secure access to data, patient information and hospital applications.

The latest solutions support many access control applications on the same smart card, from access control for the parking lot, main door, emergency room and pharmacy to visual ID verification, timeand- attendance, payroll transactions and cafeteria purchases. They also enable the integration of visitor management systems to optimize badging efficiency as part of a complete solution that supports real-time patient feeds and Health Level Seven International (HL7) integration.

On the information security side, the access control system must employ strong authentication and adequate security so that patient health information is protected in an increasingly digital world. With the right infrastructure in place, healthcare institutions can meet today’s security and compliance needs while continually improving security and convenience, protecting patient privacy, and increasing the value of their investment.

Tap authentication is particularly valuable for information security in the healthcare environment, reducing the need for complex passwords and diminishing password fatigue for users who might have to log in 20 or more times each day in order to access the facility’s enterprise data and services. Tap authentication helps hospitals align information security and safety, meet compliance needs and ensure that patient privacy is protected.

Finally, the threat of fraud in electronically prescribed medications can be combated through systems that employ unique physical information such as a fingerprint or iris scan, or use physical objects, which, in the United States, can be a FIPS 140-2 certified cryptographic key, hard token or card. Security is improved by leveraging public key infrastructure (PKI) using on-site or cloud-based validation services between all relying parties, elevating the trusted transaction which reduces or eliminates the opportunity for breach.

It has become increasingly important that facility and information security teams work together to fully understand today’s threats and how best to combat them. As they follow a similar path to that of most enterprises, healthcare institutions are adopting converged solutions to secure access to everything from the doors to computers, data, applications and cloud-based services.

This article originally appeared in the April 2016 issue of Campus Security Today.

Shooter Detection Systems Joins Partner Alliance for Safe Schools to Strengthen School Safety Efforts
04/08/2024
Parents are Part of School Security, Too
03/19/2024
Enhancing School Safety
03/15/2024
Access Control Trends
03/14/2024

Featured

California School District Modernizes Surveillance System

i-PRO Co., Ltd. (formerly Panasonic Security), a provider of professional security solutions for surveillance and public safety, recently announced that the Murietta Valley Unified School District (MVUSD) in Riverside County, CA, has undertaken a project to modernize its first-generation surveillance system to new high-resolution i-PRO network cameras, and the i-PRO Video Insight video management system (VMS). Read Now
- Video Surveillance
RAD Makes History with First Robotic Dog Deployed to Taylor Police Department

Robotic Assistance Devices, Inc. (RAD), a subsidiary of Artificial Intelligence Technology Solutions, Inc., recently announced that it has delivered a RADDOG LE to the Taylor, Michigan Police Department. The delivery of RADDOG LE to the Taylor Police Department marks a historic moment in the integration of technology within law enforcement. This milestone underscores RAD’s commitment to revolutionizing the landscape of security and public safety through cutting-edge AI-powered, robotic solutions. Read Now
- Facility Security
Passing the Test

The discussion about secured access and access control for higher education and K-12 is continuously expanding and evolving. That is a good thing. The more knowledge we gain and the more solutions that become available, linked and interoperable, the better and higher the level of security and safety. Read Now
- Access Control
Driving a Major Shift

One of the driving forces for change has been the high demand for unified solutions. Users are asking their vendors for a way to manage all their security systems through a single interface, from a single pane. This has led to a flurry of software development to seamlessly integrate access control systems with video surveillance, intrusion detection, visitor management, health monitoring, analytics with artificial intelligence (AI), and more. Read Now
- Video Surveillance

Webinars

Hanwha Vision (formerly Hanwha Techwin), Salient Systems, Eagle Eye Networks Inc, Evolv Technology

Shooter Detection: The First Line of Defense
Hanwha Techwin, Salient Systems, Evolv Technology, Omnilert, Eagle Eye Networks Inc, Traka ASSA ABLOY, i-PRO Americas Inc., Digital Watchdog, IPVideo Corporation, ProdataKey

Exploring Multiple Facets of Campus Security Summit
SparkCognition

How Visual AI Is Transforming the Conventional School Safety Model

Whitepapers

Metrasens

Case Study | Creating a Welcoming and Safe Experience for School Events
ProVision

Guide to Body Cameras for Campus Security
Omnilert

Guide to Evaluating Gun Detection Technology