Brian Uridge is a nationally recognized leader in healthcare security with over 30 years of experience in law enforcement and public safety. He serves as the Deputy Director of Public Safety and Security for the University of Michigan and Director of Security for Michigan Medicine, where he oversees the safety of more than 34,000 staff and 3 million annual patient visits. A former Assistant Chief at the Kalamazoo Department of Public Safety and FBI National Academy graduate, Uridge is known for pioneering community policing strategies and advancing safety standards in healthcare environments.
photo credit: Principal Post
Access control is a security mechanism that regulates access to resources within an environment. It is an important aspect of hospital security because it ensures that patients and visitors can reach only the areas designated for them, and that only authorized personnel can enter restricted areas of the hospital.
Most organizations implement access control measures to minimize operational or business risk. There are two major types of access control: logical and physical. Physical access control limits access to rooms, buildings, and physical IT assets. Logical access control regulates access to system files, data, and computer networks.
Considering the delicate nature of the hospital environment, with its strict data security and patient privacy expectations, hospitals and healthcare facilities are obligated to implement rigorous access control measures.
Role-Based Access Control (RBAC) is an important access control strategy that hospitals can implement to ensure that unauthorized individuals do not have access to restricted resources and spaces. As the name implies, RBAC ensures that everyone within the hospital is granted access based on their role. For instance, doctors, due to the nature of their duties, should have full access to patients, medical records, and surgical units. Administrative staff, by contrast, should be restricted from operating rooms but have limited access to billing systems and patient records. Visitors and patients should be restricted to designated patient rooms and public waiting areas.
Surveillance and monitoring systems are also non-negotiable when setting up access control mechanisms in the hospital. Healthcare facilities should have closed-circuit television (CCTV) to monitor access points, high-risk areas, and hallways. Pharmacies and medication storage units should be under surveillance to prevent theft or any form of unauthorized access. Hospital data centers should be heavily monitored in order to protect sensitive patient data from breaches. Operating rooms and ICUs are very delicate spaces, so only authorized medical personnel should be allowed to enter.
The Health Insurance Portability and Accountability Act (HIPAA) obligates healthcare facilities to take the necessary measures to protect a patient’s sensitive health information and data. This means that digital security should be given the same attention as physical security. Hospitals should protect their electronic health records (EHRs) by encrypting them and securing logins, shielding them from unauthorized access. Audit logs and monitoring should detect any form of unusual access or activity. Implementing all of these measures also protects the healthcare facility from the regulatory risks that come with noncompliance with HIPAA.
Multi-factor authentication (MFA) is a security measure that requires two or more verification methods to grant access, making it significantly harder for unauthorized individuals to gain entry. Common MFA techniques include smart cards or ID badges, where staff scan their credentials to access restricted areas, and biometric authentication, such as fingerprint, retina, or facial recognition scans. Another effective method is one-time passwords (OTPs), which send a temporary code to a registered device for added verification. These extra layers of security help protect patient data and ensure that only authorized personnel can access critical areas.
Hospitals should also implement strict visitor management protocols to maintain security. With a constant flow of visitors, it’s essential to have registration and badge issuance systems in place. Visitors should check in upon arrival and receive a temporary badge indicating their permitted access level. Some sensitive areas, such as intensive care units (ICUs) or surgical wards, may enforce an escort policy, requiring visitors to be accompanied by hospital staff. These measures prevent unauthorized individuals from wandering into restricted zones and help maintain a safe environment for patients and healthcare workers.
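As an added example (not code from the article or its author), the snippet below models the role-to-zone policy described under RBAC, the visitor escort rule from the visitor management section, and the audit monitoring the HIPAA section calls for: every decision is recorded, and a badge that collects repeated denials inside a short window is flagged for review. The role names, zone names, badge IDs, sample events and thresholds are all constructed assumptions.

```python
"""Hospital zone RBAC check with an audit trail and a repeated-denial alert."""
from collections import defaultdict

# Hypothetical role-to-zone policy built from the article's examples.
POLICY = {
    "clinician": {"patient_room", "medical_records", "surgical_unit",
                  "icu", "pharmacy", "waiting_area"},
    "admin":     {"billing", "medical_records", "waiting_area"},
    "visitor":   {"patient_room", "waiting_area"},
}
# Zones a visitor may enter only when escorted by staff (assumed escort policy).
ESCORT_ZONES = {"icu", "surgical_unit"}


def is_allowed(role: str, zone: str, escorted: bool = False) -> bool:
    """True if the role may enter the zone; unknown roles are denied (default deny)."""
    if role == "visitor" and zone in ESCORT_ZONES:
        return escorted
    return zone in POLICY.get(role, set())


class AccessAudit:
    """Records every access decision and flags badges with repeated denials."""

    def __init__(self):
        self.entries = []                 # (ts, badge, role, zone, allowed)
        self._denied = defaultdict(list)  # badge -> timestamps of denials

    def check(self, ts, badge, role, zone, escorted=False):
        allowed = is_allowed(role, zone, escorted)
        self.entries.append((ts, badge, role, zone, allowed))
        if not allowed:
            self._denied[badge].append(ts)
        return allowed

    def flagged(self, window=300, threshold=3):
        """Badges with >= threshold denials inside any span of `window` seconds."""
        out = set()
        for badge, times in self._denied.items():
            times, start = sorted(times), 0
            for end in range(len(times)):
                while times[end] - times[start] > window:  # slide window forward
                    start += 1
                if end - start + 1 >= threshold:
                    out.add(badge)
                    break
        return out


def demo():
    """Constructed sample events: (ts seconds, badge, role, zone, escorted)."""
    events = [(0, "B-100", "clinician", "surgical_unit", False),
              (10, "B-200", "admin", "billing", False),
              (20, "B-200", "admin", "surgical_unit", False),   # denied once
              (30, "B-300", "visitor", "icu", True),            # escorted: ok
              (40, "B-300", "visitor", "icu", False),           # denied
              (50, "B-300", "visitor", "pharmacy", False),      # denied
              (60, "B-300", "visitor", "medical_records", False)]  # denied
    audit = AccessAudit()
    for ev in events:
        audit.check(*ev)
    return audit
```

`demo().flagged()` returns the badge whose three denials fell within the window, which is the kind of entry a monitoring team would review rather than a single stray badge tap.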