Access Control Solutions for Hospitals

By Bernhard Mehl
December 14, 2018

Key Aspects Affecting Hospital Security

Because of the amount of sensitive data medical facilities work with, hospital security is subject to strict regulatory compliance standards. It also calls for specialized security staff training, clear policies and procedures, and functional access control equipment that meets the needs of patients and medical staff and respects the values of life and health characteristic of hospital work.

Data Security

Since hospitals deal with protected health information (PHI) and personally identifiable information (PII), their security systems must guard both types of data at all costs. Think of what happens when a hospital data breach hits the headlines: it causes a huge stir among patients, who are naturally concerned about what happened to their medical records, patient histories, and payment information. Therefore, the people in charge of protecting sensitive medical information have the important task of taking due care to meet all regulatory requirements for data. It is almost a “no-choice” scenario: hospital security cannot be taken lightly, and there is little freedom in how access control measures are implemented.

Patient safety and security are of utmost importance for the hospital's reputation

Physical Security

However, some aspects of hospital security are more flexible than others, and this is where most mistakes are made. For instance, while concentrating on protecting sensitive personal data, hospitals fail to give due attention to physical security, such as electronic medical equipment, dangerous medicine, or visitor access control levels. Consequently, security systems at medical facilities must treat physical security as a priority, one that is given as much attention as data protection.

Security Policies and Procedures  

Due to new technologies, hospital security standards can be changed abruptly. The implemented security systems must follow suit as soon as possible. So, each hospital must design and implement comprehensive policies and procedures which include clear guidelines about access control levels, segregating access control for visitors, staff, patients, and medical staff with specific access control authorizations. 

Hospital security policies should explicitly describe what each person is meant to do and how, defining role-based access control and making crystal clear the authorizations of everyone who enters the physical area of a hospital. When there is an internal security framework, it’s easier to adapt to technological novelties and regulatory changes.

Hospital Security Staff Training

Security personnel employed in a hospital must get appropriate training to perform their duties successfully. The job of a hospital security guard also includes continuous on-the-job education, as well as the ability to deal with people with tact and sensitivity. Therefore, security staff should not be tied up with too many technical security tasks. Instead, they should be able to focus on people and leave manual work to advanced access control technologies.

Available Security And Access Control Options

Despite the need for strong security systems and abiding by the law, hospitals still have some leeway in how they handle access control. After all, medical facilities have different wards, patient units, and physical layouts, so they must invest in an individually designed hospital security system. There are a number of access control options available to health care, which, as a general rule, depend on the hospital's specialization, architecture, and, of course, budget.

Some hospitals still rely heavily on manual security checks by staff, placing a lot into the hands of the security team members, while implementing physical barriers to the outside world that are placed on multiple touchpoints. For instance, a member of staff checks the visitor’s ID and buzzes him or her in manually. Visitor’s data must be entered into a computer log manually. In addition, physical barriers may be connected to standalone access control units distributed across the hospital and not provide the option to monitor them simultaneously. However, these options are increasingly fading into the past as hospital security systems now rely on advanced electronic access control solutions, such as:

Electromagnetic doors with swipe card access

Staff, visitors, and patients get access cards that allow movement around the hospital wherever the relevant card is granted access. In this way, it’s easier to control who gets where, simply by programming the card and linking it to a person’s identity. However, there are certain risks, because whoever holds the card, for instance by “borrowing” it, can pass the associated barrier. Still, access cards are versatile and cheap, so hospitals use them a lot.

Keypad readers with passcodes

This security option enables entry by typing a code into a reader. Readers can be standalone or integrated into an access control system. A passcode carries a different risk than a card. Users must knowingly share it for it to be used against the rules, but it can be shared an unlimited number of times, so there is no way to identify who made the unauthorized entry: it can be anyone.

Biometric access control

Certain hospital sections must adhere to strict access control rules. For example, medical research labs or surgery rooms deal with highly sensitive material, and people allowed to get in must be clearly identified. Therefore, hospitals deploy biometrics, using fingerprint or iris readers to allow entry into the restricted area. Biometric access control, though, is more expensive, and can pose risks in emergencies, such as a fire, when the authorized person is not present to provide access.

Medical research labs deal with sensitive data and must be strictly protected

Combined/multifactor security systems

Multifactor access control systems combine several of the above-mentioned technologies. For example, a person must place a fingerprint on the reader and also type a code. Naturally, such systems are the most expensive and can complicate the flow of people around the hospital by taking more time.

Cloud access control systems

Cloud-based access control systems for hospitals can include various components for granting access, many of which are described above. The integrative component of cloud access for hospital security is the capability of using a consolidated admin panel for all access points, storing the data into the cloud without burdening the hospital on-site system, and the possibility to integrate various access control options into an electronic platform that provides precise reporting insights by following what happens in real time around the medical facility.

Modern cloud-based access control systems use cabling and/or wireless technologies, bringing together multiple touchpoints without the need for heavy staff reliance or physical barriers. For instance, staff can use passcodes received from a smartphone app, which they must type in to get access, or use the smartphone’s NFC capability. Visitors, on the other hand, can get access cards but can also use smartphone codes. Such an option is highly secure, as unique codes can be related to a single entry, as well as monitored from the central dashboard. Cloud hospital security is easy to install, versatile, and very secure.
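The attribution difference between a shared keypad passcode and codes tied to a single entry, as an added example (it is not Kisi's code or API). The class names, door names, people and the sample PIN are constructed assumptions.

```python
import secrets

SHARED_PIN = "4821"  # constructed sample value: one static code known to many people


class EntryLog:
    """Audit trail of (time, door, person, outcome); person is None when unknown."""
    def __init__(self):
        self.rows = []

    def record(self, now, door, person, outcome):
        self.rows.append((now, door, person, outcome))
        return outcome == "granted"


def shared_pin_entry(log, pin, door, now):
    # A static PIN proves knowledge of the code, not identity: person stays None.
    ok = secrets.compare_digest(pin, SHARED_PIN)
    return log.record(now, door, None, "granted" if ok else "denied")


class SingleEntryCodes:
    """Codes bound to one person and one door, valid once, for a short time."""
    def __init__(self, log, ttl=60):
        self.log, self.ttl, self.pending = log, ttl, {}

    def issue(self, person, door, now):
        code = f"{secrets.randbelow(10**6):06d}"
        while code in self.pending:          # avoid colliding with a live code
            code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (person, door, now + self.ttl)
        return code

    def redeem(self, code, door, now):
        entry = self.pending.get(code)
        if entry is None:
            return self.log.record(now, door, None, "unknown_or_reused")
        person, bound_door, expires = entry
        if door != bound_door:
            return self.log.record(now, door, person, "wrong_door")
        del self.pending[code]               # consume on first use or on expiry
        outcome = "granted" if now <= expires else "expired"
        return self.log.record(now, door, person, outcome)


def unattributed_grants(log):
    """Entries that opened a door but cannot be tied to a person."""
    return [r for r in log.rows if r[3] == "granted" and r[2] is None]
```

Running `unattributed_grants` over a mixed log is a quick way to see which doors still depend on shared codes during an access review.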


Phone-based systems are not just a small-business solution. CEO of Kisi, Bernhard Mehl, comments: “If you see the average of three doors connected then that might seem low but, in reality, one door relates to around 50 employees—so those are locations with about 150 people on average, including satellite offices. That’s quite significant.”

Mobile Access Control Adoption by Industry

Kisi examined which industries are investing the most in mobile access control technology. To do so, the average size of mobile access control installation projects by industry was measured. Commercial real estate topped the list with 23.5 doors running mobile access per facility. Education management came in last with 1.0 door running mobile access per facility.

Physical Security Statistics: Mobile Access by Industry

The number of shooting incidents at K-12 schools, according to the CHDS, reached an all-time high at 97 incidents in 2018—compared to 44 in 2017. Cloud-based access control companies, like Kisi, offer a lockdown feature for active shooter situations or emergencies, making it an effective protective layer for places that are targeted, such as religious institutions, which come in near the top of the list with 4.0 doors running mobile access per facility. 

Based on industry size, it makes sense that commercial real estate tops the list, with 23.5 doors running mobile access per facility. Cloud-based access control enables these larger organizations to scale more seamlessly and allows large organizations, like telecommunications, to deploy the most manageable IT solutions available, eliminating the need to create and manage a business’s own IT infrastructure over time.

“Commercial real estate is, of course, the driver of mobile adoption since they have the largest buildings,” Mehl adds. “The key here is to show that mobile-first technologies are not a risk but an innovation that brings positive ROI and allows agencies to reposition their buildings as forward-thinking establishments.”

The scalability and ease of onboarding an organization allow many different types of industries and businesses of different sizes to adopt a cloud-based access control system, using either keycard or mobile credentials for access.

Mobile Access Control by State

Looking specifically at the United States, Kisi analyzed in which states companies are investing the most into upgrading to smartphone-enabled access systems. Of the currently installed base of access control readers, around 20 percent will be mobile capable by 2022, according to a recent IHS report. Cloud-based systems, like Kisi, are future-proof—allowing over-the-air updates in real time and unlimited scalability for users.

“Mobile unlock technology makes you think of the major tech hubs like New York, San Francisco or Los Angeles,” Mehl adds. “Looking at which states have the largest projects, it’s surprising and refreshing that those are not the typical ‘tech cities,’ and yet that’s where access control technology really makes an impact.” The fact that the largest projects are seen in states outside of the typical tech startup landscape is evidence that mobile access control is highly applicable across industry sectors.

For further questions about this study, reach out to Kait Hobson (

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.
