RFID security for hospitals: 6 ways to (reasonably) secure implementation

The final in a four-part series maps out ways to get radio frequency identification tools right and what health orgs should expect to do, even when vendors claim “no IT involvement.”
By Mitchell Parker

Now that we’ve put together all of the steps and processes as a baseline to address bringing RFID into an organization, we need to discuss the six steps to a reasonably secure implementation, and what benefits it brings. These steps are mostly non-technical; however, they address the disruptive change that RFID brings, and they can be used as a template for other emerging technologies, such as machine learning, that will enter our environments.

Use cases for RFID

The first step is use cases. When you implement RFID, develop documented use cases for the complete data lifecycle of information collected via that method. The reason to do so is to ensure that you only collect minimum necessary data, and that your processes address the five key process areas we discussed in the last article (Asset Management, Systems Design, Systems Management, Vulnerability Management, and Physical Security). For each of these use cases, you want to develop a security plan to address these key processes. Network and physical security are musts for protecting this data.

Implementing policies and procedures

Next, we need to discuss policies and procedures. These are non-technical guide rails for implementing systems that follow the rules and work well. You need policies for an intake process to manage the process by which new information systems go from idea to implementation, and give that roadmap to your user community so that they understand the rules. From our experience, a lot of Shadow IT comes from team members not understanding processes, expectations or steps required to field a system. 

You also need policies covering the governance and approval process for systems, and their expectations.  This ties in with intake, and discusses how systems are evaluated for organizational fitness, and who makes those decisions. Maintenance policies cover what tasks are needed to maintain a system, and who is expected to do them. These need to be the same for applications in the cloud, managed by the business, or managed by your IT department. The Access Management and Security Policies define how you provision and de-provision access to systems, and under what parameters this is done.  Again, these need to be the same for all applications, no matter who manages them.

Finally, and most important, you need to have a good asset management and disposal policy. What good is a system like RFID which is primarily used to augment asset management if you can’t accurately manage the assets used to facilitate it? This needs to be in clear language and document the processes by which assets are onboarded, maintained, logged, audited and ultimately decommissioned.

Budgeting for an RFID system

While policies and procedures are important, they do you no good without a budget, the third step. When you put in an RFID system, you need to budget for staff to secure and monitor the implementation. One failure that we have seen with many implementations is that vendors claim that there needs to be no IT involvement. This is the furthest from the truth that you can get. IT, rather, always needs to be involved to continually improve security and resiliency across all systems.

They need staff to address vulnerabilities and continually monitor for anomalous behavior. With RFID, you’re talking about systems used to monitor assets that will end up on a balance sheet or income statement. You need a budget to make sure that these systems stay monitored, protected, and secured. They need care and feeding.

Transparency and user communication plan

Your user communication plan is the fourth step. Every new technology will have privacy and security concerns. RFID, due to the negative press and other connotations, is no exception to the rule. You need to attack the issues head-on by being open about what you are doing, and why. This includes directly addressing customer concerns. Discuss the privacy and security measures you are using to address them. Discuss the physical security methods.  Talk about the data elements you are collecting.  Demonstrate how you are isolating them from patient or sensitive data and protecting the organization. This is a case when “because security” will not work. We need to address people’s concerns head-on.

For your plan, make sure to involve the medical staff. Find a physician champion. Discuss how RFID, applied with a proper security plan, can positively impact the workflow.  Discuss the intake and governance processes, and show how they address security issues at the onset. Address their patient safety concerns.

For patients, be open and communicate with them about what you’re doing. Your training plans for staff should include a privacy and security section that explains minimum necessary data and processes. Explain how you’re protecting patient information and medical records, and how they will not be available over RFID. Explain that you also have implemented multiple levels of countermeasures. Make sure the consent forms include RFID scanning disclosures when necessary. Make sure to use clear language and make it understandable and affirmative.

Invest in staff training

Staffing and training, step number five, are critically important. All employees who use these systems will need very good privacy and security training. They will also need comprehensive training on system usage. The reason is that we want to avoid workarounds that can compromise system security or lead to data breaches. We need to train to build engagement and rapport around organizational improvement. You cannot be too heavy-handed on security or use the fire and brimstone approach. The best tactic is to treat security as a business issue and address improving security as part of addressing workflow issues. Your staff training should follow your patient communication plan and be clear, use plain language, and be understandable and affirmative.

Monitor systems and RFID data

The last major step, number six, is monitoring. We need staff to monitor these systems handling RFID data. To attract people who want to work with emerging technologies and innovate, you need excellent career development, employee engagement, and training programs. They need to be doing their jobs as part of a defined job description, not a throw-in with something else.  They need good reports and data that can show potential anomalies, or be empowered to create their own. If there is anything that comes close to touching patient data, this is a requirement. You also need to have a good supporting organizational structure for reporting vulnerabilities and issues to the right teams for resolution. 

Physical security is also important. Like credit card machines, always inspect and check your RFID readers for tampering. Have good surveillance, physical design, and guards to monitor your storage areas. Most importantly, know who to call if you have an issue or case, and communicate this out extensively. This includes law enforcement and local physical security.

Now that we’ve gone through these steps, we can go over what proper implementation of this technology will allow. Real-time location and inventorying of assets becomes realistic. Checking surgical equipment and supplies for sterilization or maintenance becomes possible. Tracking high-value items such as wheelchairs, carts, beds, mobile workstations, or other patient-related items becomes easier. Most importantly, this can reduce misplacement and increase efficiency, with less work to maintain inventories and locations of devices. There is also the potential to include smaller devices, such as flash drives, in the near future.

Most importantly, going through the rigor of a structured implementation can put you in compliance with the HIPAA Security Rule by giving you a demonstrable security plan.  It can also assist with other applicable privacy and security standards such as GDPR. This approach helps by removing the hype, focusing on defined tasks to complete, and addressing security and privacy in depth with processes, not point solutions.

The goal of this article series is to provide a structured program framework you can use in your organization not only for RFID but also for other emerging technologies, so that you avoid reinventing the wheel every time a new disruptive tech comes out and are able to adapt quickly.


Mitchell Parker is Executive Director of Information Security and Compliance for Indiana University Health.