RFID security for hospitals: What are the use cases?
As providers of healthcare, our organizations want to reduce risk as much as possible. Particular areas of risk include infection control, physical security, asset management, real-time location services and authentication (tap and go access). We want to streamline our organizations as much as possible and provide the best experience to our patients, families and friends while enabling our care providers to do their jobs without security being in the way.
Many of the current security solutions, while they provide a degree of security, are considered intrusive, and there has been a push for contactless security. We also want to reduce the risk of contamination of equipment and make it easier to clean and sterilize so we can prevent infections. We also need to know where equipment is for better utilization, especially in a fast-paced environment such as a busy practice or hospital. A solution that does not need line of sight, can use radio signals to reduce the need to put sensors in controlled areas, and does not require touch is a net benefit to healthcare organizations.
Radio Frequency Identification, better known as RFID, has been providing these solutions for a number of years. Walmart and the US Department of Defense have been using this technology to track inventory. A number of RFID-based authentication badges and tokens are available already for PCs, and integrate with existing desktop solutions. The MIFARE technology is used for public transportation fare cards across the world. Encryption is supported on RFID and is an ISO standard, ISO 14443-4.
There are several great use cases for this product. The first is asset management and inventory. Using RFID reduces the time needed to get a proper inventory of tagged devices. This can be expanded to equipment tracking, specifically surgical equipment management and tracking. A current use is also login and authentication, specifically for physical security/door access or computer access. RFID is also used for real-time location services, along with Wi-Fi and other technologies.
For the future, there are three potential use cases that can improve patient engagement and the overall patient experience. Implantable devices, which currently can give just an ID number, will be able to give more sophisticated results when queried. This can save time and be less invasive when checking the status of an implant.
Contactless payments, such as Apple Pay or Google Pay, are increasing. We can see the use of an RFID analog to provide in-house payments either via ID badges or cards given to patients. For in-house patients, we can see the use of tap and go logins, like we have now for logins to workstations, to allow logins for portals, food service or self-service within facilities. This can streamline the patient experience, save money by providing more services automatically and potentially reduce risk by reducing the amount of paperwork and duplication of information across the enterprise.
This is an excellent technology with a number of use cases that can greatly improve multiple areas of any healthcare environment. However, it does not come without risks. In the next article, we’ll discuss the security concerns and what we are guarding against. In the final two articles, we’ll look at what’s needed for a good security baseline, and the six steps to a secure implementation, taking into consideration the expected benefits. We’ll also note that the techniques we utilize here in this series can be genericized to apply to other emerging technologies.
Mitchell Parker is Executive Director of Information Security and Compliance for Indiana University Health.