Evolving Uses for Smart Cards

Albert Einstein Healthcare Network's Strategy
Evolving Uses for Smart Cards
When Albert Einstein Health Network had to replace employee ID cards as a result of renaming the network following a reorganization, it replaced older technology with smart cards to improve security, says Russ Jones, network director for protective services.

The three-hospital delivery system, which is constructing a fourth hospital, plans to expand the applications of smart cards over time, Jones says. For example, the cards, from HID Global, eventually may be used to provide clinicians with access to the network's new electronic health records system, from Cerner Corp., once implementation is complete.

In an interview (transcript below), Jones:

  • Describes how the cards are now used instead of user name and password to securely sign on to computers. Although the cards are not yet used as part of a two-factor authentication strategy, the organization may eventually take that step.
  • Outlines other uses, such as to open doors to restricted areas and record information for a time and attendance system.
  • Describes how the network will use smart cards for patients at its newest hospital to provide clinicians with easier access to electronic health records.
  • Explains the benefits of smart cards. For example, the cards provide a higher level of security because they are more difficult to compromise or counterfeit than magnetic stripe cards. Plus, the network no longer spends $10,000 a year to replace worn-out magnetic stripe cards.

Jones is responsible for security at Albert Einstein Healthcare Network. He has more than 25 years of security experience. He has a doctorate in business administration from Century University and is a Certified Protection Professional (CPP) and a Certified Healthcare Protection Administrator (CHPA).

HOWARD ANDERSON: Tell us a about the size and scope of Albert Einstein Healthcare Network.

RUSS JONES: Well, we're a large teaching institution in Philadelphia with three hospitals, currently building our fourth. We have 7,500 employees and over 80 practices spread around three states. So we're a large network that's centralized in one major facility in Philadelphia, from a security perspective.

ANDERSON: Tell us what led you to the decision to adopt smart card proximity badges as part of your broader security strategy.

JONES: ... We were in the process of changing the name of our facility. We actually separated from another health system in Philadelphia, so we needed to actually change the name of the ID. So with that, I seized the opportunity to go from a swipe card to a proximity reader card. It was a major undertaking primarily because of those multiple locations that I mentioned, and then, ultimately, how were we going to reproduce the badges -- whether we were going to do it in-house, or whether we were going to hire temporary staff to perform this function, or whether we were going to actually outsource it. So we made a decision to outsource it. But primarily, we wanted to upgrade the technology that we had, go to a higher security level card and be able to be user-friendly and have the capabilities of expanding the system as we needed.

Selecting Smart Cards

ANDERSON: How did you go about selecting which smart cards to use?

JONES: We actually partnered with our integrator, Siemens, to look at HID Global cards. The challenge, however, was how we were going to actually produce the cards and then roll them out to those multiple locations. Since we had swipe cards, we decided to go with a dual proximity card for the first 7,000 IDs that we purchased, primarily because that gave us time to actually change all the card readers, and we had over 400 card readers at the time. ...

So with the decision of going to a dual proximity card, when we did the distribution of the cards out to our employees, they really only had to make a decision when they came to a card reader whether to swipe it or to hold it next to the card reader.

There was an education piece as well; we had marketing involved very heavily. There was a lot of education for our staff, and then we were able to get human resources involved to distribute the cards, particularly for the off-site practices.

So it was a major team effort, and that's one of the things that I stressed when we went into this: It needed to be as seamless as possible, but we also needed to make sure that we had all the players involved in the beginning and to plan it out. Siemens ... put the worksheet together for me and assessed the different avenues of whether we were going to outsource, and it turned out that it was cost-effective to have HID Global do it (handle everything).

Smart Card Uses

ANDERSON: So tell us how you're using the smart cards now. You're putting them to multiple uses, right?

JONES: We currently use them for the basic card access to get into doors, but we also use them for time and attendance. As you can imagine, we needed to make sure that was perfect 100 percent of the time, because, obviously, our employees are being paid from these cards, and if there was an issue there, it would have caused us a lot of headaches. So we tested the smart cards with our Kronos time and attendance system for four or five pay cycles, through primarily the security department and some other key players. We tested other locations as well to make sure the cards were actually working with the time and attendance system.

We also use the cards for are food purchases in our cafeterias, which are tied directly to our payroll system. You go through and you pay for your food, and it's automatically deducted from your paycheck. We also use the cards for single sign-on to computers, so that when our employees arrive ... instead of logging in manually through the keypad, they just hit their card against the proximity reader and it automatically logs them into the computer. And then when ... they go away from their computer and they come back again, they just re-hit the reader with their ID and it reinitializes their password and it brings their screens back up.

We also use the cards with our PPD (tuberculosis) testing and some of our safety testing and regulatory compliance testing that we have to do on a yearly basis. So ... we use the IDs for those tracking systems as well.

Authentication

ANDERSON: Eventually, will you be using the cards to authenticate users before they access an electronic health record system?

JONES: ... With the new hospital that we're building, one of the applications that we're going to use is when a patient actually drives onto campus, by the time they even get into their physician's office or the emergency room, their ID will automatically be picked up through a wireless network, and then their records and information will be already brought up, to make it a little bit more user friendly for our patients as they walk in the door.

So we are looking at different applications of how we're using our ID cards. ... We look at our ID card as the gatekeeper, as the major master key, and then allow other departments to actually piggyback on, just using their systems with our security card. (Note: The organization is implementing an EHR system from Cerner Corp. at all sites and may eventually use the smart cards for clinician access to the system).

ANDERSON: So you'll be issuing smart cards to some of your patients soon?

JONES: That's correct.

Improving Security

ANDERSON: For your current applications of smart cards, how is it helping you improve security?

JONES: Well, from a perspective of cost savings, we used to spend over $10,000 a year just in reproducing cards, because as employees swipe their card, particularly if they're heavy users, the cards would get worn or their names or information would be worn off as they swiped. That has now been eliminated totally with the proximity reader where there is no more swiping involved. So there has definitely been a return on investment from a cost perspective.

The smart cards are a higher security card; they're very difficult to compromise and counterfeit. We are able to produce cards and ship them out quicker, and the fact that we're only using one card now has been a major ease for our staff to get into certain doors or buildings where no lines are being formed.

ANDERSON: Are the smart cards part of a two-factor authentication strategy now, or could they be eventually?

JONES: They could be. We currently don't use them for two-factor at this point, but they could be. ...

ANDERSON: So what other uses for the smart cards might be on the horizon over the long term?

JONES: ... You know, any time a department comes to me or I'm out at a meeting or educating our staff ... we constantly come back to the card. ... I don't have anything right on the horizon today, but I know that ... we can use these cards for multiple applications.


About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.