Unravelling the Complexities of Healthcare Access Control
To borrow from Jay-Z: Hospital security directors have 99 problems, and access control is involved in nearly every single one.
Just a quick, highly abridged list of things a hospital access control system must account for: critical emergency access that is open to the public, securing potent narcotics, dealing with hazardous waste, adhering to some of the most sensitive and punitive privacy regulations in existence, protecting quarantine areas, and that doesn’t even touch the challenge of keeping track of patients, friends and family of patients, and caregivers who are often in chaotic or intense emotional conditions.
Security Management called on two members of the ASIS Healthcare Security Community Steering Committee to discuss the latest in hospital access management.
William Marcisz, CPP, president and chief consultant for Strategic Security Management Consulting, was in law enforcement before transitioning into private security at a hospital. He has 40 years of healthcare experience—32 years in security administration and consulting, and eight years practicing law. Dan Yaross, CPP, is the director, protective services, at a pediatric hospital in Ohio. Yaross retired from the U.S. Army Military Police in 1995 and launched a 20-plus year career in pediatric health facility security.
The questions and answers below have been edited for length and clarity.
Controlling access in a hospital would seem to be incredibly complex with all of the different layers of protection needed and constituencies that need to be accounted for. Yet the more complex an access control system is, the harder it is to monitor and the harder it is for employees to respect and follow those procedures. How can hospitals reconcile these two aspects?
Marcisz: It’s quite challenging. Certainly, you run into a lot of folks, department heads, or administrators who feel that hospital access control should resemble something you’d see in the Pentagon. If you have a very large hospital with 5,000 employees in it, many of those employees need access to the departments that those administrators would like to see locked down—folks like food service tray passers, phlebotomists going up to draw blood, environmental services folks, they all need access to areas. For individual departments that want a high level of access control, the system can and will keep people out. However, to ensure the desired level of service and continuity of care is administered, the department should have a dedicated person to serve as the gatekeeper for employees and visitors who have been excluded from the list of team members who require access.
I try to counsel clients to think about it like this: you’ve hired employees, you have to have a certain level of trust. I think having more of an open access for employees is a good idea, while limiting the number of areas with tight access control to areas that absolutely need it.
Yaross: In our case, as a pediatric facility, we were granted a variance from the fire code so we are able to secure both sides of in-patient units. The auditing department thought almost all of our hospital should be treated as security-sensitive and tightly controlled. But looking at who needs access, as Bill said, from foodservice to pharmacy to people bringing supplies, there’s a lot of people that have access needs.
We labeled four security-sensitive areas with our security management plan based on the Joint Commission requirements and IAHSS [International Association for Healthcare Security and Safety] guidelines. For those we have very restrictive access control. We audit those names with the head of those departments, including pharmacy, NICU [neonatal intensive care unit], emergency, and behavioral health, just to ensure that the staff who are granted access truly need it.
The pandemic caused most hospitals to severely limit or even eliminate visitors to prevent the spread of COVID-19. Now that we’re on the other side of the severe restrictions, how have you seen hospital access control change?
Marcisz: During the last couple of years, hospitals secured their perimeters and only allow access through one or two or sometimes three doors, all of which have screening points. To make hospital operations flow smoother and make it easier for patients and visitors to come into facilities, some hospitals moved service points closer to those entrances. Some hospitals took advantage of the new entry design and implemented 24/7 visitor management.
There's always a tension between convenience and security. Throwing open those doors and returning to the hospital’s prepandemic, open-perimeter access design may not be a good idea. Many have discovered there is no need to do so and the new perimeter and screening designs create a safer environment. While some physicians and employees may want certain doors to be open to make it easier to walk to their car, for example, if an adverse incident occurred and the wrongdoer entered through that door, there might be some type of liability that can attach if the decision to open up the hospital was done without a security assessment.
Do you have an example of an access control change that a hospital made as a result of that convenience factor or because a security gap was identified?
Yaross: We are constantly looking at this issue. Being a children’s hospital, we have a significantly larger scope of restrictions for visitors. We implemented a visitor management system years ago. However, I noticed when I got up here that we weren’t doing what I thought was the right thing to do, which is vetting all visitors to the inpatient units on campus. We have many parents or guardians who cannot stay overnight with their kids, and the kids are left alone. Nursing, especially nowadays, is sometimes critically low. They don’t have the time to watch every patient room to ensure unauthorized visitors do not enter.
One step we took as a result is that every visitor to the inpatient side is checked against the Federal Sex Offender Registry. I got pushback from a number of departments, saying it was too intrusive, that it wasn’t family-centered care, and we shouldn’t be asking or getting involved in checking out the backgrounds of patients’ visitors.
Sometimes it takes some careful explanation to show why a security measure is important. In this case, I asked, “Let’s say your child was here alone overnight because you needed to go home to care for another child. Would you feel better knowing that we were screening against the registry so we know the offender status of other visitors in the hospital?”
We do the same thing with our guest workers, volunteers, students, and interns.
What do you do when a parent or guardian comes back positive on the registry screening? You don’t bar them from seeing their kid?
Yaross: No, we don’t. First, only 24 percent of the registry matches we get are confirmed. Seventy-six percent are false matches for a variety of reasons: names are close or there’s a data entry error. When there’s a match, the information desk calls one of our protective service officers. We have a discreet conversation with the individual, and most mix-ups are cleared up then. And if it’s truly a confirmed sexual offender who is a parent or guardian, we will create a safety plan with the nursing unit and social work. If it’s a Tier II or III offender, that plan will include an officer escort for the individual.
What are ways to ensure that your access control systems and processes are working properly and being followed?
Marcisz: There are different types of auditing you can do. Most access control systems are pretty sophisticated, and you can see who is going through card and multifactor access doors in real time if you really want to track that in a finite level. I think what Dan was saying earlier is just go through card-group access lists with department heads periodically. It doesn't have to be every month, but you should do it periodically, and determine who needs to be in that department or building.
Also, consider the design of your card groups. One tendency is to start from a perspective that is the most restrictive, where you identify the people you think need access and grant only them access. When you do this in a hospital, you end up being too restrictive—you’re going to find out quickly that there are many more folks needing regular access to a space than you think. I advise the opposite. When looking at an area, decide who needs to be restricted, know why you are restricting them, and then restrict access. This approach will cut down the number of times you have to go back and reprogram your card groups.
Yaross: We’ll get alerts. It's all about collaboration because we keep stressing to our employee population that we only have so many protective services officers. We need all your eyes and ears to alert us quickly. Don’t be afraid that you're going to be embarrassed or that you’re bothering us. If there’s an issue with door readers or you think people are getting in your space that shouldn’t be there, we get alerted. Many times, we find out there is an issue with a card reader or the door mechanism might not be functioning properly. We find out a lot about access control issues just through our employees being alert and letting us know when things do not seem right.
What advice do you have for auditing access control technology itself? Is it a best practice to review the technology you use annually, or do you just wait for a need to arise before looking at adding or replacing your technology?
Marcisz: I recommend having an annual service agreement with your security vendor—either the manufacturer or your integrator who installed the platform. With a service agreement, they'll come in and do those health checks for you. Most systems, the higher-end systems, they're able to sustain for 10 to 20 years sometimes, depending upon which platform you're using. The manufacturers make sure that they're upgrading and revising their platforms, adding interfaces and compatibility with your network and other security systems. In many cases, the fail point is with the hospitals themselves and whoever is managing those systems—they fail to keep up with upgrades and ongoing maintenance.
Yaross: Our facility got to a point where we were trying without success to integrate our video management system with our access control system. Our visitor management system, as well as the electronic medical record system we use, were already integrated with our access control system. I was trying to get video into the mix—this is the 21st century, there shouldn’t be a reason why you can’t do that. But we could not do that with our video management company and our access control company, which was closed architecture. At that point, we decided we needed to migrate to a different video management system.
We were starting to make progress with that full integration, and then our access control system was coming to end of life. We went to the capital budget, and we got approval to upgrade to the next level of access control program. Even that was an over-$700,000 project. Once we get that completed, then we’ll do the full integration. I would say if you have a system that’s not integrable, it’s time to look for a new system. I think it’s critical that everything should integrate.
Marcisz: If you look at the trend now for technology platforms, we started off 15 or 20 years ago with vendors who had designed closed-end platforms so their product couldn't talk to the competition. But that's not what the customer wanted. Now we're in this integration phase where vendors and manufacturers are making sure that their systems can communicate with other systems and other vendors' products so that they can uniquely position themselves in a multilayered or multiplatform security environment.
The industry is now in the beginning of the next curve where manufacturers are attempting to create all-in-one systems. They want their access control system, their camera system, their duress system all in one big bundle—while still being able to integrate with other types of systems and platforms.
During the pandemic, I began seeing this with thermal cameras and health screening and other technology combining with vendor management platforms and visitor management systems. Coming out of the pandemic, a lot of these systems are what customers want. Access systems have had an interesting evolution over the last 20 years.
When making changes to access control technology or procedures, how do you find the unintended negative consequences you may be introducing?
Yaross: I don’t know if you ever find 100 percent of the unintended consequences because as much investigation and piloting as we did, we still had issues with trying to integrate that new video management system with our current access control system, even though it looked like through the pilot it would work.
There’s no real secret to it—you do pilot testing, you investigate as many possibilities as you can. We used a third-party consultant who’s really experienced in technology and has a wealth of experience of a lot of different types of manufacturers.
What about unintended consequences not related to technology, such as an access control policy or procedure update?
Yaross: A good way to approach this is to do a root cause analysis. As security professionals, we think we probably know what the problem is, and we know what the solution is. A lot of times that is not the case at all.
Think about a salesperson: they’re going to ask the potential client what problems they are having. A good salesperson won’t take that first answer and try to make the sale. They’re going to continue digging deeper with the client to understand the real problem, and that digging often uncovers much deeper issues—issues that require a different solution than the original problem. That’s a root cause analysis. It gives you a more comprehensive understanding of what is going on and lets you address the root cause, which may be causing all kinds of troublesome issues.
What advice would you give to a hospital security director when it comes to taking a strategic look at his or her facility’s access control?
Marcisz: Going back to my security director days, I had a CEO who used a hockey metaphor that has always stuck with me: “We as a leadership team need to skate to where the puck is going to be.”
It’s on the player to anticipate where the puck is going to be and gain position on the ice. The point is to be strategic in your decision making. If you’re looking at a technology solution, don’t just look at solving the problems or issues immediately in front of you. Security professionals should consider the risk factors they’ve identified and how technology addresses those factors in both the short and long term. The same goes for security processes and procedures. Don’t make narrow decisions. Think about decisions strategically and how they fit in the bigger picture.
Scott Briscoe is the content development director at ASIS International.