HID's Kerry Brock: Identifying healthcare hurdles with digitization and integration

Healthcare facilities occupy a challenging space in security. Securing a hospital perimeter is relatively easy with high numbers of unvetted visitors in constant circulation and multiple entry points. These unvetted visitors, often burdened by the stress of a hospital visit, contribute to the rising number of attacks on healthcare workers, a statistic already perpetuated by the patients themselves.

SIW: What factors have driven the increase in cyber and physical security attacks in healthcare, and how has this impacted healthcare facilities?

Brock: Security has always been a problem in this industry, but the COVID-19 pandemic really shone a light on the fissures in our system. Procedures had to be cut, and many healthcare entities were consolidated. When merging entities with disparate technology systems, you put a lot of strain on the people managing your networks.

The breach at UHS was a catastrophic wake-up call, and the wave of ransomware and cyberattacks that followed really kicked the healthcare industry when it was down. Healthcare data is extremely sensitive, and hospitals have rich stores of personal information, like addresses, dates of birth, and finance-related details, all in one convenient place.

On the physical side, securing hospitals is a real challenge—it’s very difficult to lock them down 24/7. People are always coming and going, and there are many entrances and exits, so having a constant layer of physical security around the perimeter of the building is difficult.

Workplace violence is also a huge issue. People aren’t vetted, and the environment is very high stress; people don’t come to the hospital on their best days. We’re seeing a shortage of healthcare workers and other challenges of an aging population. It’s like a tsunami, in a way—staff shortages become compounded by people leaving because they don’t feel safe, or they get sick, and that all impacts patient care.

SIW: HID reported that 77% of respondents stressed the need for integrated digital and physical security in the 2024 State of Healthcare Security survey. What challenges do healthcare facilities face in achieving this integration?

Brock: Hospitals decide on many security enhancements. New technologies could make facilities safer, but there are always budget constraints. Managing tech as it ages can be very expensive, especially when it isn’t all aging simultaneously.

Consolidation during the pandemic brought many disparate technology systems together. One hospital might buy a video management solution from one vendor to pair with an access control system from a smaller provider, and that smaller provider might not be very stable or offer additional use cases for its technology.

Compliance is also part of the challenge. Healthcare workers tend to be very patient-focused, so they do not always consider wearing badges or staying compliant with security protocols. Many veteran nurses will take physical incidents on the chin as part of the job without considering the systems that could have kept them safe.

SIW: Could you discuss the shift towards digital identity management in healthcare? How are mobile and biometric authentication systems transforming security practices?

Brock: We’re seeing a shift because physical badges present many challenges. Issuing visitor badges in this setting is difficult, for one. There’s also always a chance that an employee will forget theirs at home, and there’s no way to verify identity if one gets stolen or badges get switched.

Biometrics offers that certainty. You can’t mistake identity for something like fingerprint recognition. In Iowa, for example, a man posing as a nurse could enter the NICU and feed a baby. The breach could have been prevented if there had been an additional layer of biometric security.

With mobile credentials and digital access management, access can be easily revoked or changed based on privileges or employee/visitor status. Retrieving physical badges from patients and former employees becomes less of an issue. Someone might forget their wallet at home, but nobody goes anywhere without their phone.

In the future, we will see more digitalized visitor access management, visitor pre-registration, and improved tracking of those visitors.

SIW: Budget constraints are a significant barrier to adopting advanced security technology. What strategies could healthcare facilities consider to balance budget limitations with the need for enhanced security?

Brock: Hospitals must make smart purchasing decisions. Bringing multiple hospitals to the negotiating table instead of having one individual facility decide. Organizations like The Health Network or the IDN can help hospitals implement solutions, offer support, and even absorb some of the costs at the corporate level.

Another consideration is the length of time they expect to use a new solution. If you know how long the system will be in place, you can spread the cost of maintaining it over however many years you use it.

Before any purchasing decisions are made, though, you need to build a culture around security and have a plan. Start small: You don’t have to do everything all at once. Identify what’s on fire and make sure you put that out first. Map out the most dangerous place in the facility and secure it. Diagnose what behavior triggers security incidents.

Businesses are a lot like people—they’re reactive. They have competing priorities, and they really want to stretch a dollar as far as they can. But they must take a few steps back, investigate their issues, and mitigate them proactively.