
HIPAA/SECURE: Security Q/A
October 2003


"Should My Organization Consider Access Control Systems?"

by Clyde Hewitt, Principal, Phoenix Health Systems

BACKGROUND

Implementing physical safeguards requires careful evaluation of what is being protected. Just as not every door requires a lock and key, not every area requires the same level of protection. The HIPAA Security Rule requires covered entities to implement measures to control and limit access to facilities and systems. Access must be granted to members of the workforce based on the role or function they perform. Selecting which doors to secure, and the method of securing them, should take into account the assets being protected, the degree of auditing required, and the size and turnover rate of the workforce.

The use of a lock and key may provide an adequate physical barrier; however, these devices do not allow for auditing of who has gained access. They also do not limit access to authorized individuals during their duty periods. Additionally, in locations where many people require access and the access privileges change frequently, the lock-and-key approach may be impractical. Non-return of a single key, or loss of a 'master' or 'grand master' key, will require rekeying the lock and reissuing new keys. This could potentially cost a large organization many thousands of dollars in direct costs, as well as major productivity disruption. Considering these risks, installing an access control system may be a cost-effective solution.

OPTIONS

"Access control systems" is the term for a family of electronic physical barriers used to limit access to sensitive areas. These systems provide the same functionality as a lock and key; however, they also provide additional security features that are sometimes required to protect more sensitive areas and information. For example, most access control systems can differentiate individual users, either through uniquely coded badges or through some form of biometrics. The primary advantage of an access control system is that it is logistically easier to remove the access of one person's badge than to rekey a lock. A secondary advantage is that access control systems can provide auditing of successful and unsuccessful entries to sensitive areas.

Access control systems fall into two basic categories: decentralized and centralized control systems. Decentralized systems are best used where there is a small number of doors to protect and where workforce turnover is low. In this environment, card readers work in a standalone mode and are totally self-contained. Programming must be performed at each door, normally with a notebook computer. All 'authorized' badges are stored in a computer program and 'uploaded' into each device. Since security best practices dictate that access is removed as soon as possible once a workforce member no longer needs it, reprogramming several doors for each change is a logistical challenge.

There are advantages to a decentralized system, with cost being the primary factor. Existing doors with panic devices can be retrofitted for approximately $1,000 per door. On many vendors' models, audit records are retrieved via a notebook computer connection at the door.

Centralized access control systems offer the same features as decentralized systems, plus the ability to program all the entry control points from a central location. Several vendors offer integrated solutions that combine central management with automated auditing, time-of-day access control, and group management. An important feature is an alarm to notify of unauthorized access attempts.

Centralized access control systems work best for larger, more fluid work environments where the workforce turnover prohibits the use of standalone devices. They also have the ability to limit access for 'authorized' workforce members to certain times of the day or days of the week. For budgeting purposes, organizations should consider about a $15,000 initial investment for two doors, plus an additional $2,000 - 4,000 per door, depending on the existing exit hardware. Additional features, such as badge printers with a photo option, will add another $8,000 - 10,000 to the cost. Communications between the central control station and the individual door controllers and card readers may utilize an existing LAN or require dedicated circuits.

Badges come in two styles, proximity and swipe, or a combination of both technologies. The readers can be combined with a keypad for added security. Proximity badges initially cost about 25% more than swipe badges (which are about $2.50 each), but the reduced maintenance cost of the readers and the convenience to the workforce generally justify the cost of the proximity option. Security can be increased by requiring presentation of a badge and entry of a Personal Identification Number, or PIN, for sensitive areas or during unusual work times. An alternative to badges is biometric devices. This technology is starting to become cost-effective; however, biometric devices do not offer significantly more protection than a badge-and-PIN combination, and they are generally more expensive to implement and maintain.
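To make the centralized features described above concrete (group management, time-of-day windows, badge-plus-PIN for sensitive areas or unusual hours, central revocation, auditing of every attempt, and an alarm on repeated unauthorized attempts), here is an added example of a minimal central access controller. It is illustration code written for this page, not the product of any vendor mentioned; the doors, groups, badges, PINs, the 07:00-19:00 "normal hours" policy and the three-failure alarm threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumed policy: outside these hours a PIN is required even at non-sensitive doors.
NORMAL_HOURS = (time(7, 0), time(19, 0))


def within(window, t):
    """True if time-of-day t lies inside a same-day (start, end) window."""
    start, end = window
    return start <= t <= end


@dataclass(frozen=True)
class Door:
    allowed_groups: frozenset   # group membership grants entry (group management)
    hours: tuple                # permitted (start, end) time of day for this door
    sensitive: bool = False     # sensitive areas always require badge + PIN
    alarm_after: int = 3        # consecutive failures before an alarm is raised


@dataclass
class Badge:
    holder: str
    group: str
    pin: str
    active: bool = True


class AccessController:
    """Central station: holds all doors and badges and logs every attempt."""

    def __init__(self, doors, badges):
        self.doors = doors
        self.badges = badges
        self.audit_log = []    # every success and failure, for auditing
        self.alarms = []       # unauthorized-attempt notifications
        self._failures = {}    # consecutive failures per door

    def revoke(self, badge_id):
        """Disable one badge centrally; no door needs rekeying or reprogramming."""
        self.badges[badge_id].active = False

    def request_entry(self, door_id, badge_id, when, pin=None):
        """Evaluate a badge presentation; returns (granted, reason)."""
        door = self.doors[door_id]
        badge = self.badges.get(badge_id)
        t = when.time()
        if badge is None:
            reason = "unknown badge"
        elif not badge.active:
            reason = "badge revoked"
        elif badge.group not in door.allowed_groups:
            reason = "group not authorized for door"
        elif not within(door.hours, t):
            reason = "outside permitted hours"
        elif (door.sensitive or not within(NORMAL_HOURS, t)) and pin != badge.pin:
            reason = "valid PIN required"
        else:
            reason = "granted"
        granted = reason == "granted"
        self._record(door_id, badge_id, when, granted, reason)
        return granted, reason

    def _record(self, door_id, badge_id, when, granted, reason):
        self.audit_log.append({"when": when.isoformat(), "door": door_id,
                               "badge": badge_id, "granted": granted,
                               "reason": reason})
        if granted:
            self._failures[door_id] = 0
            return
        n = self._failures.get(door_id, 0) + 1
        self._failures[door_id] = n
        if n >= self.doors[door_id].alarm_after:
            self.alarms.append(f"{when.isoformat()} {door_id}: "
                               f"{n} consecutive failed attempts")


def at(hour, minute=0):
    """Constructed timestamp on an arbitrary sample day."""
    return datetime(2003, 10, 15, hour, minute)


def build_demo_controller():
    """Constructed sample data: hypothetical doors, groups and badges."""
    doors = {
        "data_center": Door(frozenset({"it_ops"}), (time(6, 0), time(22, 0)),
                            sensitive=True),
        "records_room": Door(frozenset({"him", "it_ops"}),
                             (time(7, 0), time(19, 0))),
    }
    badges = {
        "B100": Badge("alice", "it_ops", "4821"),
        "B200": Badge("bob", "nursing", "1111"),
        "B300": Badge("carol", "him", "2580"),
    }
    return AccessController(doors, badges)


if __name__ == "__main__":
    ac = build_demo_controller()
    print(ac.request_entry("data_center", "B100", at(9), pin="4821"))
    print(ac.request_entry("data_center", "B100", at(9)))
    print(ac.request_entry("records_room", "B200", at(10)))
    ac.revoke("B100")
    print(ac.request_entry("data_center", "B100", at(9), pin="4821"))
    for entry in ac.audit_log:
        print(entry)
```

The check order matters for the audit trail: a revoked badge is reported as revoked before any group or hours rule is consulted, so the security officer can distinguish a terminated employee's attempt from an authorized employee arriving at the wrong time. Failures are counted per door and reset on a successful entry, which is one simple way to turn the auditing data into the unauthorized-attempt alarm the article mentions.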

DECISION PROCESS

Organizations considering access control systems should develop a risk model to determine if the requirement for added protection justifies the cost of an access control system. There are a few variables that would tilt the decision model in favor of installing an access control system instead of the traditional lock and key. These are:

  • Covered entities (and business associates) with a large workforce
  • Multiple secured areas requiring frequent access by different workforce members
  • An auditing requirement for the assets requiring protection (e.g., most data centers)
  • High value assets or assets critical to health care operations (e.g., computer operations or central medical records)
  • A remotely monitored alarm requirement (internal or external to the organization)
  • Organizations with a high workforce turnover rate
  • An organizational history of lost or stolen keys

The presence of any three of the above variables should trigger a formal risk analysis by the security officer. Five or more variables should be enough to convince even the toughest critics.
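As an added planning helper (written for this page, not part of the original article), the code below applies the article's two thresholds to the seven indicators listed above and produces a low/high budget range from the article's own figures: about $1,000 per retrofitted door for a decentralized system, and for a centralized system about $15,000 for the first two doors, $2,000-4,000 for each further door, and $8,000-10,000 for an optional badge printer. The indicator names and the sample organization are constructed assumptions.

```python
# The seven indicators from the decision list, as flag names (constructed labels).
INDICATORS = (
    "large_workforce",
    "multiple_secured_areas",
    "auditing_required",
    "high_value_assets",
    "remote_alarm_required",
    "high_turnover",
    "history_of_lost_keys",
)

# Budget figures quoted in the article (2003 dollars).
DECENTRALIZED_PER_DOOR = 1_000
CENTRAL_BASE_TWO_DOORS = 15_000
CENTRAL_EXTRA_PER_DOOR = (2_000, 4_000)   # (low, high) per door beyond the first two
BADGE_PRINTER = (8_000, 10_000)           # (low, high) for a printer with photo option


def recommendation(flags):
    """Count the indicators present and apply the article's rule:
    three or more -> formal risk analysis; five or more -> strong case."""
    unknown = set(flags) - set(INDICATORS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    count = sum(1 for name in INDICATORS if flags.get(name, False))
    if count >= 5:
        return count, "strong case for an access control system"
    if count >= 3:
        return count, "formal risk analysis by the security officer"
    return count, "lock and key likely adequate"


def budget_range(doors, centralized, badge_printer=False):
    """(low, high) estimate in dollars for equipping `doors` doors."""
    if doors < 1:
        raise ValueError("at least one door is required")
    if not centralized:
        cost = doors * DECENTRALIZED_PER_DOOR
        return cost, cost
    # The article prices the central station with two doors; fewer than two
    # doors still pays the base figure (assumption: the base is not prorated).
    extra = max(doors - 2, 0)
    low = CENTRAL_BASE_TWO_DOORS + extra * CENTRAL_EXTRA_PER_DOOR[0]
    high = CENTRAL_BASE_TWO_DOORS + extra * CENTRAL_EXTRA_PER_DOOR[1]
    if badge_printer:
        low += BADGE_PRINTER[0]
        high += BADGE_PRINTER[1]
    return low, high


def plan(flags, doors, badge_printer=False):
    """Combine the indicator score with both budget options for one site."""
    count, advice = recommendation(flags)
    return {
        "indicators": count,
        "advice": advice,
        "decentralized": budget_range(doors, centralized=False),
        "centralized": budget_range(doors, centralized=True,
                                    badge_printer=badge_printer),
    }


if __name__ == "__main__":
    # Constructed sample: a mid-sized facility with a data center and records room.
    sample = {"large_workforce": True, "auditing_required": True,
              "high_turnover": True, "history_of_lost_keys": True}
    print(plan(sample, doors=10, badge_printer=True))
```

Running the sample returns four indicators, which under the article's rule calls for a formal risk analysis, alongside a $10,000 decentralized estimate and a $39,000-57,000 centralized estimate for ten doors with a badge printer; the gap between the two is what the risk analysis has to justify.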



Clyde Hewitt, M.S., is a Principal at Phoenix Health Systems, where he is responsible for consulting in program management, strategic planning and systems implementation, HIPAA compliance services, and security remediation.
