Keying into Better Control
MOUNDVIEW MEMORIAL in Friendship, Wisconsin, is a small, 25-bed critical-access hospital with a staff of about 140. Established in 1959, the facility includes a primary care clinic, an emergency room, and a specialty clinic with consulting physicians from Madison, Wisconsin, and other larger cities. With the hospital about to begin futuristic teleconsulting that links patients and medical specialists all over the world, management recognized that it also had to bring its access control from the Stone Age into the 21st century.
Like any hospital, Moundview contains areas requiring access restrictions, and like many smaller facilities, it must watch its budget when purchasing technology. Until January of last year, the hospital relied mostly on old-school manual locks to keep people out of places they weren’t supposed to go.
“There were keys everywhere,” says Moundview’s director of information technology, Jim Franckowiak.
These were installed and maintained by the hospital’s maintenance department. When a new employee came to the hospital, HR sent a paper form to the maintenance department telling it to give the employees keys to the areas indicated. No one compiled this information in a centralized database. When employees left, keys were supposed to be collected and noted on a check sheet for returned items, but this often did not happen. “There was no real knowing who had what key to what, and when they left, whether they actually gave it back or not,” says Franckowiak. “We found ourselves having to… replace not only keys but locks as well, if keys were lost or an employee left and forgot to turn them in.”
For some of the most sensitive areas of the hospital, the maintenance department had installed standalone pushbutton combination locks, but it provided no real security because of the lack of protocols. “There was no reporting mechanism, and no way to audit who came and went,” states Franckowiak, “And of course, there was one code for everyone.”
The hospital’s pharmacy was one area that had a combination lock. “Off hours, we have nurses who have to get into the pharmacy in the middle of the night when it’s not staffed to retrieve medicines for patients,” Franckowiak explains.
Once inside the pharmacy, the nurses were supposed to sign a logbook and note what they had taken. But when missing drugs could not be reconciled with the log, footage from the CCTV cameras in the pharmacy had to be pored over to discover who took the drugs and when. “It was very labor intensive,” he says.
In November 2010, Franckowiak and the hospital’s maintenance director decided that it was time to do something about the lack of access control. They began a hunt for an electronic lock system that would tie to proximity card ID badges.
The hospital had card readers on three exterior doors but these were tied to barcode readers for time and attendance tracking, not security. Franckowiak and the maintenance director considered the hospital’s needs to come up with a list of requirements it sought from any new system.
First, it had to be installable and maintainable by in-house staff. “I don’t know if we are different from a lot of other facilities, but we like to do as much of it ourselves as possible,” Franckowiak says.
Second, it had to have auditing capabilities. Additionally, it had to be user-friendly, scalable, and reasonably priced, because the technology would be phased in over time, so no bulk discount purchasing would be possible.
After interviewing prospective technology vendors, they narrowed their choices down to four contenders. Three were rejected because they did not allow IT and maintenance to install the components or self-manage the system, had a user interface that was too complex, or because the cost was prohibitive.
Moundview finally chose the ISONAS IP-at-the-Door access control system, by ISONAS Security Systems of Boulder, Colorado. Franckowiak says that it was neither the least expensive nor most expensive option. “It was $150 per door more than the cheapest option and about one half the cost of the most expensive, so it was very cost competitive,” he states.
The components of the ISONAS system are reader-controllers, management software called Crystal Matrix, proximity cards, and electronic door strikes. It can be installed at one door or a dozen, with no scalability restrictions. “With ISONAS, we can grow to any level we want,” Franckowiak states.
Franckowiak installed the management software on Moundview’s server in January 2011. They have been using the system for about a year and have expanded the system since it was installed, placing controller/ readers at 10 internal and external doors, including the pharmacy, a main supply storeroom, the mail room, the main server room, and the ER.
The IT and maintenance departments were able to do all of the system installation themselves. “We ran Ethernet cables to the locks at the door frames and changed out the old door strikes. Maintenance mounted the readers to the walls… and that was a huge cost savings,” says Franckowiak. “It was so easy to set up that I can’t even recall if I looked at the manual,” he adds.
Before employees were issued proximity badges, HR undertook a role review of each type of employee and decided on access rights for each group. Now, when changes need to be made to the ISONAS software database, such as new employees being added, former employees being removed, name changes, or access rights modified, HR comes to Franckowiak, who administers it. Using a Wi-Fi connection, he can also remotely effect changes.
For example, he explains, “we can unlock a single door or all doors with a mouse click, or cause a total lockdown. With a couple of clicks we can lock all doors and disable all badges.”
The audit capacity of the system also pleases Franckowiak. “I can drill down and find out who came and went through what door at any time,” he says. He can also print query reports as needed.
Hospital employees quickly adapted to the new system. If an employee is having problems with their proximity badge, says Franckowiak, “I can watch a real-time status screen to see if the badge is being rejected or is not even recognized as a badge.” This led to catching problems such as employees placing decorative pins on their badges that prevented them from being read, as well as employees trimming their badges because they thought they were too big, causing damage to the electronics inside.
Feedback from the ER, where electronically locked doors keep out both outsiders and hospital staffers who had been using the ER as a cut-through, has been especially positive. “Several people said ‘thanks for making us feel more secure’—both from a security standpoint and because of HIPAA…. We don’t want people in the ER area overhearing something they shouldn’t.”
Moundview will be adding more doors to the system this year. “We will probably put in three or four more in the next few months, with the medical records storage area as one. I’d like to put it on most or all of the doors—anyone that had a key worth tracking,” Franckowiak says, “It would be nice to be able to say that from this point forward, we know who has access [to] and who has tried to access” each door.