Friday, June 15, 2018

How Inadequate Key Control Puts Hospital Patients at Risk

From cyber attacks to active shooter threats, ensuring hospital security is more challenging than ever. Plus, you have to worry about HIPAA compliance and rising insurance costs that are influenced by treatment outcomes and patient feedback.

To reduce your risk, you need to reduce security threats that could impact patient care and satisfaction. You likely have someone to mitigate external cybersecurity threats, and it’s just as important for you to address internal physical security threats. Your facility has probably invested in physical security measures like cameras, metal detectors, public safety officers and training. But how well do these measures prevent employees from misusing facility keys? Let’s take a look at how poor key control intensifies two major risks to your facility and your patients.

Major Hospital Risks


Drug Diversion

With the rise of the opioid epidemic, more medical professionals are diverting drugs. According to DEA data, employee pilferage accounts for 22 percent of drug thefts or losses. Doctors, nurses and pharmacy staff within the VA’s network of over 160 medical centers and 1,000 clinics allegedly stole controlled substances for personal use or to sell. In some cases, this impacted patient care.

In fact, the CDC warns that when doctors or nurses abuse their access to narcotics, patients suffer due to substandard care and infection risks. Since 2005, there have been five separate infection outbreaks caused by healthcare workers contaminating injection equipment and supplies that were then used on patients.

In light of these risks, the DEA does not take drug diversion lightly. It opened an investigation against Effingham Health System for allegations that the hospital’s lax controls allowed employees to divert controlled substances. The investigation resulted in a settlement of $4.1 million. Consider how well your controls could withstand an investigation in a similar situation.

Device Theft or Loss

Data breaches are another risk that could affect patient satisfaction and increase your liability. Every year, security events cost U.S. hospitals approximately $1.6 billion. Of those, 38 percent are related to physical security. Believe it or not, healthcare is the only industry where more breaches are caused by insiders (56 percent) than by external threats. In 2017, 90 percent of the healthcare physical security incidents were thefts of assets such as laptops, portable devices and paper documents. The thefts took place in work areas such as offices 36 percent of the time.

For example, a former IT employee of Chilton Medical Center stole computer equipment from the hospital, including a hard drive he later sold online. The device contained records for 4,600 patients over the course of nine years. At North Texas Comprehensive Spine and Pain Center, a former employee stole an external hard drive from a doctor’s office, compromising the personal information of around 3,000 victims. Both of these examples demonstrate that employee accountability is critical to protecting patient information.

Mitigating Risks With Key Control


Certain employees do have a legitimate need to access keys for areas where narcotics, sensitive data or other sensitive assets are stored. But are you certain employees always use their keys for the authorized purpose? Can other employees gain access to those keys?

To protect your facility from liability and protect patients’ well-being, it’s critical to maintain employee accountability for key usage. The best way to do so is to create an automatic audit trail of key use that’s not vulnerable to human error or manipulation. Electronic key control systems help meet this objective.

Unlike traditional key storage methods such as desk drawers or pegboards, electronic key control systems typically consist of a metal drawer or wall-mounted panel that physically locks down keys. Some even allow you to set up access levels to ensure that people are only retrieving the keys they need to perform their job duties.

In addition, if someone checks out a key outside their shift hours when they have no need to do so, or if they have a key checked out for longer than they should, you can be immediately alerted by text or email. The system is fully automated, so if a security incident occurs, the automatic audit trail can aid in an investigation by providing a report of who checked out keys and when.

If employees abuse their access privileges and you don’t have adequate key control measures in place, are you prepared to answer to patients whose health or privacy has been compromised? Can you absorb the cost of compliance fines, rising insurance costs and more?