How Inadequate Key Control Puts Hospital Patients at Risk

From rising ransomware attacks to increased workplace violence, ensuring hospital security is more challenging than ever. 

You likely mitigate external cybersecurity threats by backing up your data and improving your network security. You’ve probably also invested in physical security measures like cameras, metal detectors, public safety officers, and training.

But how well do these tactics prevent internal threats involving employee and vendor access? Let’s take a look at how inadequate key control intensifies three major risks to your facility and your patients.

 

Major Hospital Risks

 

 

As the opioid epidemic intensifies, more medical professionals are diverting drugs. According to DEA data, employee pilferage accounts for 22% of drug thefts or losses. In separate cases in Colorado, two nurses were charged with stealing controlled substances from hospital patients. On three or four occasions, one of the nurses used a key to open a machine used to administer medication and removed some of the drug.

 

When medical professionals abuse their access privileges to steal narcotics, the CDC warns that patients suffer substandard care and infection risks. Since 2012, there have been five separate infection outbreaks caused by healthcare workers contaminating injection equipment and supplies that were then used on patients.

In light of these risks, the DEA does not take drug diversion lightly. Healthcare systems that have been investigated by the DEA for recurrent problems with drug diversion due to lax controls and lack of reporting have faced settlements for millions of dollars. For example, a healthcare corporation in Michigan reached a record-breaking settlement of $7.75 million, a medical center in Texas agreed to pay $4.5 million, and a medical center in Kentucky settled for $4.39 million. Consider how well your controls could withstand an investigation in a similar situation.

 

Theft of devices or supplies is another risk that could affect patients' well-being and increase your liability. When a device containing personally identifying information is stolen, the cost is steep. IBM’s Cost of a Data Breach Report 2023 found that the healthcare industry’s average cost of a data breach is $10.93 million. And accidental data loss/lost device, a malicious insider, or a physical security compromise cumulatively account for 20% of breaches.

 

It’s not just data at risk, however. For example, two hospital employees and a medical supply distributor put the public’s health at risk when they conspired to steal medical devices and supplies from the hospital and sold them online. One of the employees used their access to the medical supply and the cleaning and disinfecting rooms at the hospital to steal the items. Some of the supplies had been used in surgical procedures and hadn’t been disinfected.

All of these examples demonstrate that employee accountability is critical to protecting patients.

Staffing Shortages and Burnout

Turnover and burnout has reached critical levels in the healthcare industry, with hospitals averaging 100% turnover every five years. Meanwhile, as staff struggle to cover essential patient care, other processes suffer. In a Campus Safety report, 76% of respondents said they don’t have enough staff to operate access control system(s) and/or locks. 

Further Reading  Don’t Let Employee Turnover Sabotage Your Key Control

At best, this issue makes staff’s jobs harder when they don’t have access to areas or supplies they need to do their jobs. At worst, it leaves the door open for staff, contractors, or visitors to exploit key and access control vulnerabilities.

 

Mitigating Risks With Key Control

Some employees do have a legitimate need to access keys for areas where narcotics, sensitive data, or other sensitive assets are stored. But are you certain employees always use their keys for the authorized purpose? Can other employees gain access to those keys? Do you have a reliable process for retrieving keys when an employee resigns?

To protect your facility from liability and protect patients’ well-being, it’s critical to maintain employee accountability. The best way to do so is to create an automatic audit trail of key use that’s not vulnerable to human error or manipulation. Electronic key control systems help you meet this objective.

Unlike traditional key storage methods such as desk drawers or pegboards, electronic key control systems typically consist of a metal drawer or wall-mounted panel that physically locks down keys. Some even allow you to set up access levels to ensure that people are only retrieving the keys they need to perform their job duties.

In addition, if someone checks out a key outside their shift hours when they have no need to do so, or if they have a key checked out for longer than they should, you can be immediately alerted by text or email. The system is fully automated, so if a security incident occurs, the automatic audit trail can aid in an investigation by providing a report of who checked out keys and when.

If employees abuse their access privileges and you don’t have adequate key control measures in place, are you prepared to answer to patients whose health or privacy has been compromised? Can you absorb the cost of compliance fines, rising insurance costs, and more?