Creating a standardized national security platform that meets strict compliance requirements.
Situation: A Spin-Off Loses Corporate Security Protection
Recent changes at one of the nation’s largest providers of home and alternate treatment site infusion services resulted in the company becoming a new, independently owned organization. Prior to its spin-off, the company was part of a major corporation.
With a staff of nearly 2,000 clinical experts—including specially trained infusion nurses, infusion pharmacists and registered dietitians—the company treats patients of all ages with a wide range of acute and chronic conditions. It operates hundreds of infusion pharmacies and alternate treatment sites across the country.
Previously as part of the larger organization, all of its security was handled by the corporate security staff, including the monitoring of its facilities. With the spin-off the company was faced with the reality of creating its own security program. Compounding the situation was the fact that its past growth was attributed, in large part, to acquisitions which resulted in no common footprint for the security it had in place.
To further complicate the matter, security and regulatory compliance are constantly evolving for the pharmaceutical industry. For example, the USP Chapter 797, which provides procedures and requirements for compounding sterile preparations to prevent harm to patients that could result from contamination, is now adding more security-related requirements. Providers must be aware of these procedures and requirements to maintain compliance at their facilities. Security systems today must provide an audit trail that shows a secure environment is being maintained. Other considerations that the company needed to address included:
- State Board of Pharmacy specifications that can vary from state to state
- HIPAA requirements
- Miscellaneous USP and Federal guidelines
Solution: Access Control
With an October 1, 2015 deadline approaching when the retailer would no longer monitor its facilities, the company engaged Protection 1 to help it design and implement a comprehensive, integrated security program.
As part of the design phase, Protection 1 did in-depth surveys of the organization’s facilities to better understand the current security situation and found, in many cases, that some facilities were operating with the bare minimum intrusion detection systems.
Keeping in mind the strict regulatory compliance issues facing this industry, the Protection 1 proposal included:
- A security-only network that would segregate the security systems and information from the business networks which Protection 1 would design, implement and monitor
- An integrated electronic access control and state-of-the-art intrusion system
- IP-based video solutions coupled with remote monitoring capabilities
All of the components to the security system would be hosted by Protection 1 and housed at its Network Operations Center. Protection 1’s Network Operations Center (NOC) is part of its Integrated Solutions Group. The center employs a team of Cisco Certified, Meraki Certified and Sonicwall Certified professionals. This team also holds the Cisco Cloud and Managed Services Express Partner certification, making Protection 1 the only security system integrator to hold this designation and uniquely qualified to perform this type of work.
At the heart of the new security platform is an electronic access control system. Protection 1 team members act as the administrators of the system and have been specially trained in the customer’s policies and procedures. Protection 1 operators perform tasks that include:
- Issuing access control cards that include specific credentials based on the job responsibilities of the individual
- Supplying PIN numbers and keypad codes for arming and disarming the intrusion system
- Running reports for audit and compliance
- Accessing live or recorded video footage as required
This remote network connectivity provides several significant benefits:
- It allows Protection 1 to oversee the access control and intrusion systems
- It provides a more secure environment by isolating the company’s data network from the security network
- It permits remote reporting and access of incidents regarding personnel and drugs in protected areas
- Importantly, it empowers the Protection 1 24/7 Network Operations Center to take action on the company’s behalf in the event that a security incident occurs
Protection 1 also monitors and adds or removes authorized company employees from the system based on criteria established by the customer. The administration of the system and the credentials are done through a secure portal that only specific personnel have access to. Any changes made are approved by a company area vice president.
The three primary components of the new security platform are the electronic access control system, an intrusion system and IP video components.
The access control system delivers a high level of security. It only allows authorized card holders to enter protected areas of the facility and tracks who enters these areas, and when. Integration with the burglar alarm or intrusion detection system allows only valid card holders to arm or disarm the system. The system keeps a database of all activity for reporting and auditing purposes.
The burglar alarm system sends an alarm to Protection 1 if unauthorized access is attempted when the system is armed. Protection 1 integrated the burglar system with the electronic access control system requiring authorized users to present a card to the reader and then enter a unique 4-digit code into a keypad to disarm the system in order to gain access to the facility or to a room within the facility. The same code is used to arm the system at the end of the day.
The dual authentication was a new procedure implemented by Protection 1 when entering critical areas of the workplace such as a prep room, clean room, anti-room, or anywhere drug or drug compounds are stored or handled. The process— presentation of an access card and entering of a PIN number—allows the electronic access control system to help enforce procedures such as a pharmacist needing to be present for other employees to enter certain protected areas.
The IP video system serves many functions including monitoring of sensitive areas within the facility. The Protection 1 team also has the ability to remotely access video to verify alarm status should they receive a signal from the burglar alarm system once it is armed.
Aside from standard monitoring of the facilities for alarm activity, Protection 1 also performs specialized services for this customer such as monitoring temperatures in sensitive areas where drugs or drug components are stored and identifying when or where doors may have been propped or forced open. All of this information is important to help keep the company compliant with current and future regulations. The monitoring and associated reporting helps the organization meet the strict auditing standards established for the industry.
- Temperature monitoring is a critical function, as even the slightest deviation in temperature could cause potential life-threatening situations should drugs or drug components be adversely affected. Furthermore, these drugs or drug components represent millions of dollars in inventory that could represent significant losses to the company should there be a problem. In the past, temperature sensors would send a signal to a call center indicating a change in temperature range but did not provide specific information as to what changed. With the advanced technology that Protection 1 has deployed, its special operations center receives an alarm signal when monitored drug cabinets or safes are out of allowable temperature range, along with door status, power and any possible refrigerant leaks. An operator will then contact the pharmacist, repeatedly if necessary, with this information so they can make an informed decision as to the proper course of action or until the temperature sensors are re-set and stay within the allowable range.
- A couple of problems that plague most companies are employees propping open secure doors or doors that are forced open. Protection 1 receives signals if a door is propped open after a pre-specified time period after or even during working hours, or if a door is forced open instead of opened with proper access credentials. For those areas where a video camera is present, the operator can remotely view the situation causing the alarm and take appropriate action. The operator will initiate a response by contacting those individuals identified on the site contact list and will request dispatch of authorities, if necessary.
- Should a system or panel go offline or lose power, Protection 1 will also perform remote diagnostics to remedy the situation or send a service technician when authorized.
- Other functions that may be performed by Protection 1 operators may include the following:
- Upon receipt of an alarm signal, Protection 1 can connect to the on-site cameras, visually verify a crime in progress and dispatch authorities
- Remotely arm or disarm the alarm system in an emergency situation only and this is usually requested by company management
Results: Standardized Security
Within five months of embarking on the security upgrade, Protection 1 has deployed security-only networks in 98% of the customer’s facilities completing over 92 network drops. The burglar alarm system, along with new temperature sensing technology, has been deployed along with integrated electronic access control and IP video technology.
For the first time in its history, this company has a standardized security platform that allows it to comply with strict regulations, including a documented audit trail and reporting. All information is kept in a secure database at the Protection 1 Network Operations Center for any future investigations that may arise, helping this company and the various agencies with industry oversight access information immediately upon request.