The vast majority of hospital access control systems deployed before 2015 use 125 kHz proximity cards — a credential technology that is fundamentally insecure by modern standards. These cards transmit their credential data in the clear, without encryption, and can be cloned using readily available equipment for as little as $30. A bad actor who gets briefly and casually close to a staff member can clone that person’s access credential without their knowledge.

Healthcare organizations that have not yet migrated from 125 kHz to encrypted smart card credentials are carrying a credential security risk that directly affects physical access to clinical areas, pharmacies, and data centers. Understanding the migration path and the available smart card technologies helps facility directors and security managers make the right long-term infrastructure decisions.

Why 125 kHz Cards Must Be Retired

125 kHz proximity card technology (most commonly EM4100 or similar) was the standard access control credential from the 1980s through the early 2010s. It remains widely deployed because it works — cards read reliably, readers are durable, and the infrastructure is already in place.

The security problem: the card transmits a fixed binary string representing the card’s credential ID. There is no encryption, no authentication handshake, and no way for the reader to verify that the card is genuine. A cloning device reads the transmission and writes an identical credential to a blank card. The cloned card is indistinguishable from the original.

In 2023, this is not an exotic attack. Cloning equipment is commercially available, the attack takes seconds, and the cloned credential provides full access to every door the original card was authorized to open.

Smart Card Technologies for Healthcare

Modern encrypted credentials use high-frequency (13.56 MHz) smart card technology with mutual authentication between card and reader:

MIFARE Classic — An older 13.56 MHz technology that offered basic encryption but has known cryptographic vulnerabilities. MIFARE Classic should not be used for new deployments and should be replaced in existing systems.

MIFARE DESFire EV2/EV3 — The current standard for access control applications. AES-128 encryption, mutual authentication, and diversified keys per card. Resists cloning and replay attacks. Widely supported by access control panel manufacturers.

HID iCLASS SE/Elite — HID’s proprietary encrypted credential technology. Uses AES or DES encryption with key diversification. HID iCLASS SE is widely deployed in healthcare and is supported by a large installed base of compatible readers.

HID SEOS (Secure Element OS) — HID’s most current credential technology. Supports both physical smart cards and mobile credentials using the same underlying cryptographic framework. SEOS credentials on iPhone and Android devices provide the same security as physical cards.

FIPS 201 / PIV compliance — Federal facilities and those with federal funding requirements may need credentials compliant with FIPS 201 (Personal Identity Verification) standards. PIV-compatible credentials require specific card, reader, and backend infrastructure. Not typically required in non-federal healthcare settings but relevant for VA hospitals and federally-funded facilities.
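The cloning problem described above and the mutual authentication with diversified keys that DESFire-class cards provide, side by side as an added simulation (not code from the original page or from any vendor): a legacy reader only checks a fixed ID, so a captured transmission works forever, while a reader that challenges the card with a fresh nonce and derives each card’s key from a site master key rejects both a replayed transcript and a card holding the wrong key. HMAC-SHA256 stands in for the AES-CMAC key diversification and response MACs that real products use; the master key, UID and message layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Legacy 125 kHz model: the card emits the same fixed ID on every read, so whoever
# captured one transmission can replay it. The reader can only check membership.
def legacy_reader_accepts(observed_id: bytes, allowlist: set) -> bool:
    return observed_id in allowlist

# Smart-card model (constructed illustration, not any vendor's protocol). One site
# master key; each card's key is derived from its UID, so compromising one card's key
# does not expose the others and the reader never stores per-card keys.
def diversify_key(master: bytes, uid: bytes) -> bytes:
    return hmac.new(master, b"card-key" + uid, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class SmartCard:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key
    def respond(self, reader_nonce: bytes):
        card_nonce = secrets.token_bytes(8)               # fresh per session
        return self.uid, card_nonce, mac(self.key, reader_nonce + card_nonce)
    def verify_reader(self, reader_nonce, card_nonce, reader_tag) -> bool:
        return hmac.compare_digest(mac(self.key, card_nonce + reader_nonce), reader_tag)

class ReplayCard:
    """Plays back one captured (uid, card_nonce, tag) transcript, ignoring the challenge."""
    def __init__(self, transcript):
        self.transcript = transcript
    def respond(self, reader_nonce):
        return self.transcript
    def verify_reader(self, *_):
        return True

def mutual_auth(master: bytes, allowlist: set, card) -> bool:
    reader_nonce = secrets.token_bytes(8)                # fresh challenge defeats replay
    uid, card_nonce, tag = card.respond(reader_nonce)
    if uid not in allowlist:
        return False
    key = diversify_key(master, uid)                     # derived on the fly from master key
    if not hmac.compare_digest(mac(key, reader_nonce + card_nonce), tag):
        return False                                     # card could not prove key knowledge
    reader_tag = mac(key, card_nonce + reader_nonce)     # reader proves itself to the card
    return card.verify_reader(reader_nonce, card_nonce, reader_tag)

def demo() -> dict:
    master, uid = b"constructed-demo-master-key", b"\x04\x11\x22\x33"   # constructed values
    genuine = SmartCard(uid, diversify_key(master, uid))
    captured = genuine.respond(b"\x00" * 8)              # one session an eavesdropper recorded
    return {"legacy_replay": legacy_reader_accepts(b"\x01\x02\x03", {b"\x01\x02\x03"}),
            "genuine": mutual_auth(master, {uid}, genuine),
            "replay": mutual_auth(master, {uid}, ReplayCard(captured)),
            "wrong_key": mutual_auth(master, {uid}, SmartCard(uid, b"guessed-key"))}
```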

Mobile Credential Integration

Mobile credentials — using a smartphone as the access card — are increasingly adopted in healthcare for their convenience and security advantages over physical cards:

Convenience — Staff who commute via multiple transportation modes (driving, transit, cycling) no longer need to carry a physical badge that can be lost. The phone is already in their pocket.

Security — A mobile credential on a locked phone with biometric authentication provides two-factor access control (something you have + something you are) without any additional hardware.

Provisioning and deactivation — Mobile credentials can be provisioned and deactivated remotely through the credential management portal, without requiring the user to be physically present at a security office.

Lost credential response — When a physical card is lost, the replacement process takes time. A mobile credential on a lost or stolen phone can be deactivated remotely and immediately; the staff member can enter the facility under supervisor escort until a new credential is provisioned.

Infection control — Touchless mobile credential presentation (phone in pocket activates the reader via BLE) eliminates the touch requirement entirely.

Migration Planning for Legacy Systems

Migrating a large healthcare campus from 125 kHz to encrypted smart card or mobile credentials requires careful planning:

Reader replacement — 125 kHz readers cannot read encrypted smart cards. Every reader on the campus must be replaced or upgraded to multi-technology readers that support both the legacy technology (for a transition period) and the new encrypted technology.

Dual-technology transition period — Issue new encrypted credentials to staff during the transition period while legacy readers remain active. Once all staff have been issued new credentials and are using them, transition all readers to the new technology and disable legacy credential capability.

Credential provisioning workflow — Define the provisioning process for new credentials: who is authorized to request credentials, what verification is required, how credentials are physically or digitally delivered, and how legacy credentials are collected and deactivated.

Backend infrastructure — Encrypted smart card systems require backend key management infrastructure. For iCLASS SE and SEOS, this is provided through HID’s credential management services. For DESFire, your access control panel manufacturer typically provides key management tools. Confirm the backend requirements with your access control vendor before selecting card technology.

Cost Considerations

Credential technology migration is a significant capital investment. Cost components include:

  • Reader replacement — Multi-technology readers that support both legacy and new technology during transition: $150–$400 per reader. A 500-reader campus = $75,000–$200,000 for readers alone.
  • Card issuance — New smart card blanks for all employees: $5–$15 per card, plus printing and encoding.
  • Backend infrastructure — Key management server/service licensing: varies by vendor and scale.
  • Integration and programming — Access control panel firmware updates, credential database migration, and testing.

Plan for a 2–4 year budget cycle for a large campus credential migration, recognizing that the security benefit is ongoing and immediate upon deployment.

Frequently Asked Questions

Can we mix technologies — keep 125 kHz in low-security areas and migrate only high-security areas? Yes — a tiered migration is reasonable. Prioritize encrypted credentials for pharmacy, controlled substance storage, server rooms, infant care areas, and other high-security locations. Staff authorized for high-security areas can be issued encrypted credentials that continue to work at lower-security doors if multi-technology readers are installed. Complete the campus migration over time rather than leaving low-security areas on legacy technology indefinitely.

What is the difference between card-based and cloud-based credential management? Card-based management stores the credential data on the card itself; the reader makes the access decision without a server query. Cloud-based management stores credential data in a cloud system; the reader queries the cloud for each access decision. Card-based is more resilient to network outages but less flexible for real-time credential updates. Cloud-based allows instant deactivation from anywhere but requires reliable network connectivity. Most healthcare deployments use card-based or hybrid approaches.

Do encrypted smart cards prevent all credential fraud? Encrypted smart cards prevent the simple cloning attacks that compromise 125 kHz cards. However, no credential technology eliminates all social engineering risks (e.g., a staff member sharing their card with a non-credentialed individual). Physical credential security policies — requiring badges to be worn, prohibiting sharing, reporting lost credentials immediately — must complement the technical credential security.

Is mobile credential technology ready for healthcare environments with infection control concerns? Yes — touchless BLE mobile credentials allow hands-free access that is actually better from an infection control perspective than both traditional card (touch required) and smartphone-tap credentials. Modern BLE readers activate when the credentialed phone is within a configured proximity (1–3 feet), allowing access without any device handling.