Delivering the correct medicine to healthcare patients – the holes in the checks

administering medicine

Drugs and medicines administered to patients in hospitals, care homes and psychiatric wards need to be done according to the instructions issued by the doctor or consultant in charge of the patient. These medicines are issued by the nurse(s) in charge and there is a heavy reliance and trust based on them to dispense the correct drug(s) and in the correct dosage, according to the instructions given. Situations can arise where the wrong medicine is administration, the medicine is given in the wrong dosage (either too little or too much), the medicine is given at the wrong time (either earlier or later than the scheduled time) or it is missed completely. These situations can be for any reason, including unusually busy times on the ward, changes in shift or simply because of general complacency or lack of knowledge of the nurse. These inconsistencies in receiving medicine(s) can be extremely harmful to the patient, especially if they are children, elderly or in intensive care units. When a medicine is administered, it is simply recorded on the patients chart (usually attached to the patient’s bed) with the time of administering and the signature of nurse. The time put down is not necessarily correct.

A biometrics solution, such as palm vein can help to eliminate the inconsistencies with administering medicines to patients, ensuring that patients receive the medicine that they need at the right time. Using a palm scanner, a nurse can ‘check-in’ at a patient’s bedside. This can then be recorded as the time at which the medicine(s) were given to the patient. The palm vein technology will detect whether the nurse who has ‘checked-in’ has the authority to give this patient his medicine. If the scanner has recorded a reading of another non-authorised nurse, this will be flagged up immediately. On successfully checking-in, a nurse is able to see a list of the medicine(s), the times at which they should be administered and the correct dosage that should be given to the patient. If the palm vein reading is false, i.e. is a reading of a person that is not authorised or does not exist in the database, details of the medication, including dosages will not be revealed. This method of administrating medicine makes it virtually impossible for the nurse to make any accidental errors or for unauthorised persons to have access to the patient’s records. Alerts are triggered in the solution to alert the nurse’s station if the time is approaching for the next dose to be given to the patient or if the next dose has been missed. Nurses are able to them immediately correct the oversight.

The palm vein technology is a highly secure and contactless biometric solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate for places like hospitals, care homes and psychiatric wards where security and hygiene cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (


Trust of Hospital workers – how security can be breached


surgical equipment


This blog addresses the issues that arise with employee access to confidential data, medicines and surgical equipment, and restricted areas

When patients are admitted in to hospitals, they put the trust of their lives in to the hands of the medical team who are there to help and treat them. The patients believe that no intentional harm should come to them while in the hospital care. Details of their treatments and personal information should be kept private and confidential, and in accordance to data protection acts.

A case in the USA was reported where a nurse had tampered with the patients IV bags. These IV bags contained painkillers which the nurse wanted for her own use. However, in taking small amounts of this painkiller from multiple bags using a syringe, she was transferring bacteria to each patient that was then given these bags. The nurse tampered with these bags in a storage room and not by the patient’s bedside. This act of tampering with the IV bags resulted in 23 patients being infected.

A case in Canada was reported where it was found that surgical equipment had been tampered with. In this case, the item was found before it was used; however, it could have had disastrous implications if it had been used. Sterilizing of medical equipment is carried out by more than 60 people at this particular hospital, so identifying the person responsible would be an extremely difficult task.

Several audits have been carried out on hospital devices, with the results finding that they are vulnerable to security threats, including the uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access. A password in the wrong hands can have catastrophic implications, including patients being left vulnerable to their medical records being accessed.

Each of the cases and audit mentioned above identify different ways in which harm can be caused to a hospital patient. A biometric access control solution such as palm vein can be implemented to prevent and eliminates such cases from occurring. By using a palm vein technology solution, a hospital employee is tracked when accessing highly secure areas such medical cabinets, surgery room, surgery instrument cupboards, patient rooms, and hospital computers and networks. By attaching devices to these areas, hospitals can ensure that the correct medication is getting to patients at the right time and without being tampered with. Unauthorized people will no longer have access to hospital computers; a palm scanner connected to a computer acts as the sign-on mechanism for the user, without any password required. This method for logging into a computer can also be extended to applications on the computer or hospital network.

The use of fingerprint authentication is not a suitable or reliable form of authentication for use within hospital environments. Fingerprints are worn away over time or can be damaged by cuts or burns. Unlike palm vein technology, fingerprint authentication is not a contactless form of authentication. Hospital workers would be required to touch a glass panel in order for the reading to be made. This makes it possible for viruses and bacteria to be transferred.

The palm vein solution is a highly secure and contactless biometric solution that works by reading the vascular pattern of the palm. These patterns are unique to each individual and exists underneath the skin layer so they cannot be forged thereby making it more secure than any other biometric device. Being contactless and technologically advanced, it is extremely appropriate government workers, authorised personnel and third-party contractors where security cannot be compromised.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on


HIPAA and Data Breaches

Data security breaches - laptop firewall

This blog will address the many law suits that occurred because of HIPAA violations due to data security breaches. It will also take a look at the methods used by those who breach the data.

Due to the August 2009 Breach Notification Rule included in the Health Information Technology for Economic and Clinical Health Act, HIPAA-covered entities and associated businesses are required to provide notification following a data breach of protected health information. Groups reporting breaches that compromised the protected health information of 500 individuals or more must be posted by the Department of Health and Human Services. Since the 2009 rule, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more.

New York Presbyterian Hospital (NYP) and Columbia University (CU) have recently agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date. It appears that with this judgment, many healthcare organizations are beginning to take patient identity management and security more seriously.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the protected health information of 6,800 individuals, including patient identity, status, vital signs, medications, and laboratory results. 

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.”  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing protected health information.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient protected health information.  Because of a lack of technical safeguards, deactivation of the server resulted in the information being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the information of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of protected health information on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP health information.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of patients’ protected health information.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (


U.S. Department of Health and Human Services. (2014, May 7). Data breach results in $4.8 million HIPAA settlements. Retrieved from

Patient safety and Identity Management

Identity & Security in Healthcare

Identity & Security in Healthcare

This blog will address patient safety issues in healthcare and the importance of ID management. Issues regarding wrong distribution of medications, etc. have been a growing concern in healthcare facilities because providers to do not properly identify the patient first. This blog will also provide suggested methods to improve these issues.


According to various studies, over 195,000 deaths in the United States occur annually because of medical errors. Of those medical errors, about 60 percent were attributed to a failure to correctly identify the patient. Accurately identifying patients and linking them with their medical records are significant challenges today for hospitals, healthcare providers and payers, with the government representing one of the largest stakeholders in this industry. Improper patient identification can occur for many different reasons and cause errors in patient identity. Some of these reasons include common names, misspellings, numeric transpositions, fraud, as well as patient language barriers. These identity errors result in adverse financial and clinical issues for the hospital, provider, and patients.

In addition to the issue of misidentification, there is also the problem of “incomplete” patient medical records. Studies have shown that a considerable amount of duplicate medical records are created in hospitals. This means that portions of a patient’s complete medical record are spread across multiple records leading to continuity of care issues, potential delays in treatment and/or medical errors. Duplicate records can also lead to redundant or unnecessary testing, medical and billing errors, and bad claims. In smaller institutions (with patient databases of less than one million records), the duplication rate is typically between 5%–10%, and for larger institutions (with patient database greater than four million records), duplication rates can range from 15 to 40%. Correcting patient database records can be a substantial expense; for large hospitals this can add up to millions of dollars per cleanup every few years. Database record cleanup is a flawed approach since it addresses the problem only after it has occurred rather than dealing with the root cause of the problem, which is inadequate patient identification and record matching. Unfortunately, this problem grows exponentially as the number of institutions and medical providers for a single patient increases.

Patient identity management is also a critical function for healthcare-related federal and state government agencies. Federal and state government agencies pay over half of U.S. formal health-care costs as employers and through Medicare, Medicaid and state-level programs. Through policies, regulation, direct involvement and budget allocation, government agencies increasingly shape the U.S. health-care system. Central to all government agency healthcare activities are patients and the requirement to accurately and appropriately identify, handle, treat and track them. To accomplish this, patient identity management is critical to agencies’ ability to link all patient-related information within and across systems and the healthcare network. As the U.S. moves away from paper-based medical records that are controlled by physical access to buildings, rooms, and files, there is a need to have an infrastructure that supports strong identity and security controls. The issues with establishing identity are compounded as electronic medical records are used by many different organizations at the regional, state, and national levels.

A solid patient identity management foundation produces a range of benefits to patients, healthcare providers, payers, regulators and other stakeholders. These benefits include reducing the risk of medical errors, lowering healthcare costs, reducing fraud and limiting healthcare identity theft. For these reasons, a patient identity management infrastructure needs to become a foundational element of every patient-related information system.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (


AHIMA. (2009, July). Managing the integrity of patient identity in health information exchange. Journal of AHIMA, 80(7), 62-69.

Rand. (2008). Identity crisis: An examination of the costs and benefits of a unique patient identifier for the U.S. healthcare system. Retrieved from

Smart Card Alliance. (n.d.). Healthcare identity management: The foundation for a secure and trusted national health information network. Retrieved from