Printer Friendly

Technology treats hospital's ailments: new CCTV and access control systems help one Ohio hospital increase security while addressing time-and-attendance needs and privacy requirements.

When Jim Bigam was hired as security director at Medina Hospital Center in Medina, Ohio, three years ago, he faced several challenges. Homeland security concerns, protecting the open campus environment of the hospital, and dealing with privacy regulations were all priorities. After up-grading communications devices and installing a new digital CCTV system, Bigam concentrated on implementing an access control program. The result is a program that addresses time and attendance and privacy requirements while controlling access to critical areas.


Medina Hospital has 118 beds, 950 employees, and 36 departments that provide numerous services. The facility includes a 24-hour emergency department, serving more than 25,000 people a year, and a full-service family birthing center, where more than 900 babies are born annually.

When Bigam inherited the security department, it had only a handful of black-and-white CCTV cameras in the birthing area. These cameras fed into a VCR and were also monitored in a central station. The hospital was in the process of upgrading to a color analog CCTV system when Bigam was hired.

After reviewing the plan, Bigam decided to install digital color cameras instead and to expand their coverage. As part of the installation, 37 CCTV cameras were placed on the property. Six of these cameras are now trained on areas outside the hospital building and the rest are inside.

The access control system at that time consisted of keypad-controlled electronic locks on doors to certain sensitive areas, such as the pharmacy. Each keypad had a different numeric code that had to be entered to open the door. For an employee to enter that door, he or she would have to be given the code by security. However, security found that employees were giving the door codes to colleagues, even though such behavior was explicitly forbidden.

In addition, whenever an employee transferred out of the department, it created an administrative burden on security, because the code had to be changed and then each employee who used that door had to be informed of the new code.

System selection. To address these problems, Bigam began researching access control systems with Gary Linden, assistant director of MIS. The hospital had several criteria in mind as it began the search two years ago. First, security wanted to be able to track employee access, so the system had to be able to produce logs and audit trails. Also, security wanted a second layer of access controls at certain locations.

To hold down costs during the upgrade, the department also wanted to integrate the existing keypads into the new system. For that reason, it also sought systems that were compatible with the keypads. In addition, security wanted to schedule specific access control readers individually so that certain doors could be locked and unlocked automatically.

With these features in mind, the security team began looking for a system. Bigam conducted some product research, gathered general information, and discussed best practices with colleagues. As the security team analyzed the information, another crucial component stood out: The system had to be integrated with the hospital's existing employee time-and-attendance database so that security would not have to create duplicate entries.

Several systems that Bigam investigated would have allowed security to integrate a new access control system with the hospital's existing time-and-attendance program and keypads. However, in all but one case, the products could not produce a real-time interface. The two systems could talk to each other, but they required that a user run a separate computer program once or twice a day to integrate the time-and-attendance information with the access control data. Such a system would not provide the high level of security needed at the hospital.

The only system that met this need was one made by the same company that provided the hospital's time and attendance program. Called the Secure-ALL system, it included access control software and card readers, and it worked with the existing mag stripe cards that served as time-and-attendance cards. It had an automated system that could update the access control database on a daily basis. If there were a situation that required immediate attention, such as when an employee was terminated and escorted off of the premises, the database could be updated immediately, and the person's access privileges would automatically be revoked.

The system also allowed access privileges to be assigned at either the department or employee level. It used personal identification numbers (PINs) to add a layer of security, and it worked with the CCTV system's plug-and-play feature.

Installation. Security began the upgrade by installing 19 access control readers on certain perimeter doors and in five critical areas of the hospital: the emergency department, the birthing clinic, the intensive care unit, the medical records department, and the pharmacy. Other readers will be added as the budget permits.

Emergency department. The ER is open around-the-clock and is considered a high-risk environment because it deals with patients, friends, and relatives who are in a highly emotional state. The emergency department is also subject to violence arising from the altercations that led patients to the ER in the first place. For example, in one incident, two brothers had been fighting, resulting in serious injury to one of them. The injured brother was rushed to the emergency department and admitted. However, his brother was not far behind and rushed into the treatment area to finish the fight. Several security officers were needed to subdue the aggressor.

There are four entrances to the ER. One is a door that leads directly from the ambulance parking area into the ER. Another door leads from the emergency waiting room where patients walk in or are dropped off. The remaining two doors are located in a back hallway of the hospital and are for hospital staff.

Before the upgrade there was no access control and no CCTV surveillance. A security officer was posted in the lobby area. After the upgrade, the back hallway doors and the door into the emergency room were protected by the card access control system. The ambulance entry is protected by a key fob system discussed later.

To ensure the safety of patients and employees, security now monitors the emergency department's lobby with CCTV cameras at all times. The images are also downloaded to a hard drive around the clock and retained for several months. Patients who walk in for service must be escorted into the treatment area by a nurse, who must swipe his or her access control card to enter.

As a backup measure, a telephone has been installed next to the card reader. If a staff member needs to enter but does not have a card or cannot get to a card because of an unruly patient, the staff member can pick up the phone. The phone automatically dials through to the emergency treatment area, where the nurse can explain the situation. If emergency room personnel want to admit the individual, they can hit a button on the phone marked "door." This action unlocks the door.


The emergency department and the intensive care unit (discussed later) are equipped with readers that have standalone badge files. If the network goes down, authorized users can still enter the area because the badge files for that door are stored locally. If someone swipes a card at this reader and there is no network response in two seconds, the reader accesses the local badge file and either allows or refuses entry. The locally stored file is automatically updated every day.

To ensure that service is as fast as possible during an emergency, each ambulance team that services the hospital is given a key fob device to take the place of an access control card. This key fob, which is attached to a standalone proximity reader, allows the ambulance team to walk in with victims without delay. This technique is becoming more prevalent in hospitals, according to Bigam. The standalone system is not attached to the overall access control system, but does feed into the same database so that security can tell what ambulance squads arrived at the hospital, what time they came, and when they left.

Birthing clinic. The family birthing clinic is on the second floor and is only accessible to visitors and patients by elevator. (Stairwells are automatically opened in case of an emergency.) As visitors and patients come off the elevator, they walk into a waiting area, which is monitored via CCTV at all times. Then, visitors can approach the receptionist's window to gain entry. After checking the identification, the receptionist will allow the visitor into the clinic. There are four cameras inside, which are used to watch each of the stairwells.

Before the new access control system, the hospital only had a security system to monitor when a baby was moved. Transponders attached to the baby's belly button would trigger an alarm in the security center if the baby was carried too far down a hallway. (An alarm in the birthing center is a "code white," meaning the hospital is locked down, security is dispatched to the clinic, and the CCTV system within the clinic is activated.) Though no baby abductions have been attempted, the system was often tested as nurses and moms accidentally triggered alarms by walking too far down a hallway carrying a baby.

As a part of the new access control system, access control readers were placed in all ingress and egress areas including the stairwells. Only hospital staff members who work in the clinic are given access privileges. The main entrance doors to the birthing center have a sliding glass window, enabling staff to see visitors before deciding whether to buzz them in. Visitors must have some sort of proof that they belong on that ward. They must be preapproved by the patient they are visiting or, in the case of dads, they must be wearing their bracelet, which contains printed information linking them to a mom and baby.

ICU. The issues in the intensive care unit (ICU) are similar to those of the emergency department. Patients in the ICU are more critically ill than other hospital patients, and there are restrictions on the number of visitors that can be present at one time.

As a part of the upgrade, all entrances to the ICU were protected with card readers. But given the urgency when doctors need to render assistance in the ICU, security decided that doctors should not be required to enter a PIN with these readers.

Outside the ICU is a waiting room. There is no access control on the door of the waiting room, but the connecting door from the waiting room to the ICU is protected by the access control system. A family member can telephone the ICU from the waiting room and ask for permission to visit a patient. If ICU personnel approve the visit, someone will come out to the waiting area and escort the visitor in.

Hospital security has had to deal with several incidents in which visitors who were denied access turned violent or set up camp in the waiting room and refused to leave. Family members have also attempted to have celebrations with their sick loved ones--a practice that is not allowed in the ICU. In each of these cases, the visitors had to be escorted out of the hospital. The hospital's in-house law enforcement team receives special training on how to deal with angry visitors. (Medina uses proprietary, armed law enforcement officers and unarmed contract security guards.)

Medical records. The medical records department has taken on new importance since the passage of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires that health service organizations use layers of security to protect documents relating to a patient's healthcare. Also, under HIPAA, security must be able to track the movement of employees who work around medical records.

To meet these requirements, the security department added access control readers to the door leading to the medical records department. This department has one main entrance door. During the day, doctors, secretaries, and other personnel who need to access records can enter using their access control cards. At 8:30 p.m. each night, the doors to the medical records department lock automatically, and employees then need both their card and PIN number for access.

The system helps security meet the tracking requirements of HIPAA by providing a method of accountability. The electronic system logs can tell security which employees entered the area and when. It also helps to ensure that no unauthorized personnel or visitors have access to records.

Pharmacy. The first step security took to protect the hospital's pharmacy was to move it from the ground floor to the second floor to prevent easy access through ground floor windows. Next, security designed an access control system that allows entry only to those with legitimate needs and only during authorized hours, using the card and PIN. For example, during the overnight hours, the night supervisor needs to be able to access the pharmacy night cupboard when the pharmacy is closed. However, this same employee should never be in the pharmacy during the day.

The system can even be programmed to allow employees into the pharmacy only in a specific sequence. For example, the secretary for the pharmacy is not allowed in unless the pharmacist is already there. So, the secretary's access control card will not work unless the pharmacist has already swiped his or her card.

The access control readers are integrated with the digital CCTV cameras trained on the pharmacy doors. Whenever someone swipes a card to enter the pharmacy, the CCTV camera turns on and allows the central station personnel to see the person entering.

Three panic buttons are inside the pharmacy, connected to the central station. If a button is pushed, an alarm is triggered at the central station, and security is dispatched.

Challenges. Security faced several challenges when the new access control system was deployed. One concerned the use of PINs. Security wanted the option of requiring a PIN along with a card for access to some doors, but it did not want the PIN for all doors. When the system was first installed, security could require a PIN systemwide but not for specific doors. Working with the vendor, security was able to get updated software so that PIN assignment could be added only on selected readers.

The access control reader monitoring system has also been upgraded. On the original system, officers in the central monitoring station could view the status of each door. If a door was propped open for a centrain amount of time, an alarm would sound in the central station and a red light on the monitor would indicate which door was propped open. But it was not easy to discover who might have left the door ajar. Since the upgrade, the name and photo of the last person to open the door also pops up on the screen.

Benefits. In addition to the expected benefits from better access controls, the system has yielded unexpected advantages. For example, when reviewing procedures for disaster management and evacuations, security found that the access control system could be used to process the payroll in the event of an emergency or a disaster drill. Once an employee accesses the outside doors of the hospital, he or she is noted in the access control software. So, even if employees are evacuated before they have time to punch in, security will still know the person was on the premises before the evacuation.

While Bigam has not yet begun to compile statistics on how the system is working, feedback from both employees and managers has been positive. ICU workers have said that they like not having to worry about who is coming through the door and where they are going. The security system allows them to concentrate on patients rather than looking out for suspicious persons. The system has also impressed senior managers. Some departments have even put money in their own budgets to further update security in the future, specifically to add more CCTV cameras in their areas. "This is an enviable position for any security department to be in," says Bigam. "By doing this, department heads are making a statement to administrators that they consider security a priority."

Teresa Anderson is a senior editor at Security Management.
COPYRIGHT 2004 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Hospitals; Medina Hospital Center
Author:Anderson, Teresa
Publication:Security Management
Geographic Code:1U3OH
Date:May 1, 2004
Previous Article:A case of good judgment: here's what companies need to know before conducting investigations into employee conduct.
Next Article:Inoculating against Murphy's Law: this hospital boosted its immunity to crime by layering security practices such as access control, CCTV, pharmacy...

Related Articles
Out of the showroom and into the manufacturing plant.
Birth of a notion.
Returning mirth to birth.
Healthy Prospects for Hospital Security.
A Dose of Reliable Data.
Sick of theft: one hospital resolved to reduce thefts in three years through a combination of technology, training, and design. (Healthcare).
Diagnosis security: how one hospital assessed and improved its physical security and loss prevention programs while it upgraded its supply chain...
Inoculating against Murphy's Law: this hospital boosted its immunity to crime by layering security practices such as access control, CCTV, pharmacy...
How to assess resource allocation: an objective self-assessment can help a facility determine where to allocate precious resources and how to justify...
Putting vendors to the test.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters |