With hospitals and health organizations implementing a myriad of new technology systems - mobile devices, medical carts and telemedicine solutions - they must understand how to effectively integrate these into their workflow processes. Perhaps more importantly, they must also ensure the devices are secure and protected against unauthorized use or access. A PIN code security system is one proven way to ensure safety with minimal impact on day-to-day operations. Without deliberate forethought, however, this type of system can disrupt workflow and not fully address all security risks. By Steve Torbett
By Steve Torbett
With hospitals and health organizations implementing a myriad of new technology systems - mobile devices, medical carts, and telemedicine solutions - they must understand how to effectively integrate these into their workflow processes. Perhaps more importantly, they must also ensure the devices are secure and protected against unauthorized use or access.
A PIN code security system is one proven way to ensure safety with minimal impact on day-to-day operations. Without deliberate forethought, however, this type of system can disrupt workflow and not fully address all security risks.
Healthcare organizations need to consider numerous factors when implementing a PIN code security system, including the construction, assignment, and protection of the codes, as well as auditing user activity. After thorough analysis and careful deployment of PIN code security, organizations can realize simple and relatively inexpensive protection of their patients, data, and reputation.
Implementing codes with extra security
The cornerstone of a PIN code security system is the construction of the codes themselves, including their length and whether or not they are randomly generated.
Many organizations use four-digit PIN codes. Although easier to remember than longer codes, four-digit codes may be limiting because there are only 10,000 unique codes for the entire organization. While this may seem like a lot, an organization with hundreds of medication carts, and devices for thousands of users may quickly run out of unique numeric codes. Instead, organizations should consider systems that require five- or six-digit PIN codes, exponentially increasing the number of potential combinations.
In addition to PIN code length, organizations need to evaluate the average number of guesses it would take to unlock a device. For example, if an organization uses four-digit codes and has one thousand codes currently assigned, then one out of every ten guesses, on average, would be correct. A good security practice is to implement a lockout period, where the cart or device cannot be accessed for a certain period of time after too many incorrect attempts.
Assigning codes ensures accountability
While essential for patient care, if medication carts or devices containing patient information are not properly protected they present a security risk for organizations and patients.
To ensure optimal security, authorized individuals should each have their own PIN code. This approach discourages PIN code sharing and allows an organization to track potential issues to the individual level. When choosing how to assign log-in information, organizations will have to balance staff convenience and administrative burden with heightened security to see which approach is appropriate for their specific situation.
To further improve security, organizations can also assign users to specific carts or devices instead of enabling access to all technology in the facility. If users frequently move between units and departments, however, this may be challenging. One solution is to have an administration system with the ability to manage users in customizable groups, making it easier to manage cart and device assignments, and monitor access.
Securing PIN codes requires oversight
Displaying PIN codes can present a security risk. On the other hand, completely masking the numbers may make it difficult for users to double check whether he or she is entering their code correctly. To address this, users should be able to enter their PIN codes and see a digit briefly before it is masked with a symbol. This system would show the last number entered only, so anyone walking past could not see the code in its entirety.
Similarly, organizations should consider using a system that automatically clears the code after a brief period of time if it is not fully entered. This way if a nurse has to leave the cart or device, no one else can easily gain access to its contents. An automatic relocking function to prevent access when a provider does not remember to lock the cart or log-out, controlled by either a timer set for a specific interval or a sensor, is also a good idea.
Because PIN code systems involve technology, organizations should have a plan for accessing medication carts, such as a key or override, in the event that technology fails. The use of physical keys should be minimized, especially if there is no ability to record access for auditing purposes. It is also good to backup a central PIN code database and be sure there are redundancies for management from a central server.
Auditing prevents errors
Organizations should be prepared to respond with an investigation in the event of a security breach or medication theft from a cart. Medication carts and IT systems that support auditing - the ability to analyze who has accessed a cart or device and when - can help uncover potential issues or track problems back to specific users. It is important to ensure that any PIN code system can be easily audited. It may take a while to get to the bottom of a drug diversion or other security problem, so an organization should allow for a long historical view of access.
In conjunction with auditing, a system should also be able to monitor usage for unusual activity, such as repeated PIN code denials tied to the same cart or device, or in a certain area or unit. The system should send an alert to security administrators, highlighting trends that warrant attention and identifying potential security problems early on.
Deploying PIN codes slowly and monitoring for effectiveness
When selecting a PIN code security system it is important to involve users in the design, evaluation, and testing of a security system to fully understand what may enhance or detract from their patient care efforts. Testing the system on a limited scale can also identify potential workflow issues early to prevent disruptions in a larger scale deployment. When issues have been identified and solutions put in place, the facility can begin to implement PIN codes across the organization with the assurance that their patients and data will be better protected.
About the author
Steve Torbett is the Senior Product Manager for software, services and integrated technology at Rubbermaid Healthcare.
