Archive for category Healthcare Security

Date: August 12th, 2010
Cate: Healthcare Security

ER Nurses fear more assaults as programs cut

Nurses fear even more ER assaults as programs cut

By JULIE CARR SMYTH (AP)

COLUMBUS, Ohio — Emergency room nurse Erin Riley suffered bruises, scratches and a chipped tooth last year from trying to pull the clamped jaws of a psychotic patient off the hand of a doctor at a suburban Cleveland hospital…

Read the full article from the Associated Press

Date: July 28th, 2010
Cate: Healthcare Security

California Department of Public Health addresses hospital security

The law requires, after July 1, 2010, all licensed GACHs, APHs, and SHs to conduct, not less than annually, a security and safety assessment and, using the assessment, develop, and annually update based on the assessment, a security plan with measures to protect personnel, patients, and visitors from aggressive or violent behavior. The security and safety assessment must examine trends of aggressive or violent behavior at the facility. These hospitals must track incidents of aggressive or violent behavior as part of the quality assessment and improvement program and for the purposes of developing a security plan to deter and manage further aggressive or violent acts of a similar nature. The plan may include, but must not be limited to, security considerations relating to all of the following:
(1) Physical layout
(2) Staffing
(3) Security personnel availability
(4) Policy and training related to appropriate responses to violent acts
(5) Efforts to cooperate with local law enforcement regarding violent acts in the facility

Read the letter from the CA Department of Public Health

Date: July 22nd, 2010
Cate: Healthcare Security

New Mom Questions Hospital’s Security Following Beating

A mother who was attacked after giving birth at a Milwaukee hospital is calling for increased security at the facility.  Kimball Lewis, 22, was attacked last Thursday at Aurora Sinai Hospital.  She claims she warned hospital staff trouble was coming and that they should have done a better job to protect her.

This incident reinforces the need to create a pre-denial list which identifies people who are not authorized to visit a patient.

Read the full article

Date: July 19th, 2010
Cate: Healthcare Security

Infant Abduction Statistics

The National Center for Missing and Exploited Children updated its statistics for 2009, which date back to 1983.  Infant abductions, committed by non-family members, totaled 270 incidents.  Of those, 47% were committed in a healthcare facility.

National Center for Missing and Exploited Children

Date: July 16th, 2010
Cate: Healthcare Security

Four Bullets = Two Shootings at One Hospital

On the heels of the Joint Commission’s alert on hospital violence, the Cleveland Clinic experienced two shootings, one self-inflicted, one not so much.

SecurityInfoWatch on 2 hospital shootings

Joint Commission says crime up in hospitals

Date: June 4th, 2010
Cate: Healthcare Security

Joint Commission: Crime up in hospitals

“Once considered safe havens, health care institutions today are confronting steadily increasing rates of crime, including violent crimes such as assault, rape and homicide. As criminal activity spills over from the streets onto the campuses and through the doors, providing for the safety and security of all patients, visitors and staff within the walls of a health care institution, as well as on the grounds, requires increasing vigilant attention and action by safety and security personnel as well as all health care staff and providers.”

Read the Joint Commission Sentinel Event Alert

Date: June 3rd, 2010
Cate: Healthcare Security

Catastrophic Health Events Report Released

The Center for Biosecurity at UPMC recently released a Preparedness Report that proposes the following key elements of a national strategy for healthcare preparedness and response:

  • Definition and vision of a U.S. healthcare system prepared to handle the response to a spectrum of mass casualty events that vary in size and severity from common medical disasters (eg, a bus crash or tornado), to catastrophic health events (eg, a nuclear detonation) that would seriously injure or sicken tens of thousands of people or more.
  • Recommendations and actions that will lead to a healthcare system capable of responding to the full spectrum of mass casualty events, including CHEs.

There are clear implications for hospital security directors, emergency managers, and those who advise hospitals on security and emergency management.

Click here to read the full report.

Date: April 16th, 2010
Cate: Healthcare Security

Vulnerability and Risk Assessment in the Environment of Care

Vulnerabilities are opportunities, opportunities for crime, opportunities for rule breaking violations, opportunities for loss.  By definition, a vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.  Vulnerabilities include structural, procedural, electronic, human and other elements which provide opportunities to attack assets.[1] While healthcare security professionals continue to update and expand their threat assessments with events such as natural disasters, avian flu, and terrorism, the primary threats that continue to impact hospital assets include ordinary crimes, workplace violence, unauthorized access, and patient abduction.  For all of these threats and others, the vulnerability assessment’s objectives are to maximize life safety, protect assets, and maintain continuity of operations.  To meet these objectives, a comprehensive and robust security program must be in place to address the known and unknown threats that exist both outside the hospital’s facilities, and also inside. The Joint Commission’s standards[2] require that hospitals identify and manage security risks.  A key component of that identification process is a vulnerability assessment.

Vulnerability Assessments

A vulnerability assessment is a systematic approach used to assess a hospital’s security posture, analyze the effectiveness of the existing security program, and identify security weaknesses. The basic process of a vulnerability assessment first determines what assets are in need of protection by the facility’s security program, then identifies the protection measures already in place to secure those assets and what gaps in protection exist.  Finally, the assessment measures the security program’s effectiveness against valid security metrics and provides recommendations to security decision makers for improvements.  In essence, the vulnerability assessment assists hospital security decision makers in determining the need for additional security systems, equipment upgrades, policy and procedure revisions, training opportunities, and manpower needs.

Vulnerability assessments identify security weaknesses that can be exploited by an adversary to gain access to the healthcare organization’s assets.  For example, a vulnerability assessment may reveal an egress path that could be exploited by an infant abductor or it may identify a lack of patrols by security personnel in sensitive areas of the hospital.  The goal of vulnerability assessments is to ensure life safety, protect assets, and maintain continuity of operations.  The driving forces behind vulnerability assessments include new legislation or regulatory requirements, Joint Commission guidelines, revised threat assessments with new or emerging threats, increased criticality of assets, and the construction of new facilities on a hospital campus.  For example, the recent infant abduction from a Lubbock, Texas hospital or the sexual assault of a patient in a California hospital prompted other hospitals to perform a vulnerability assessment of their own hospital to ensure adequate security in these areas.

The vulnerability of an asset is determined by the potential weaknesses in operational processes and procedures, physical security weaknesses, and technical gaps which can be exploited to attack an asset.  Vulnerability assessments are used to identify these weaknesses by way of a security survey.  A security survey is a fact-finding process whereby the assessment team gathers data that reflects the who, what, how, where, when, and why of a hospital’s existing security operations[3].  The purpose of a security survey is to measure the vulnerabilities at a facility or to specific assets by determining what opportunities exist to exploit current security policies and procedures, physical security equipment, and security personnel.

Security surveys are simply questions and checklists that must be completed by the assessment team during off-site preparations and on-site inspections of the facility.  Surveys may range from a few basic questions to highly detailed lists comprising thousands of questions.  A typical security survey contains general information about a site and evaluates the geographic characteristics of the hospital’s facilities, physical layout of each facility and its unique characteristics, security personnel and deployment schedules, operational requirements, security equipment capability, and other items that impact security.  Security surveys are designed to meet the unique needs of a facility or type of facility.  Even within similar types of hospitals, unique characteristics must be considered and included in the security survey.  General information normally captured in a security survey includes:

  • Vulnerability Assessment Team (identified by name and title)
  • Names, addresses, and descriptions of the Hospital’s buildings and its support facilities (patient care building, clinics, research labs, etc)
  • Number of Floors
  • Bed Count
  • Campus size and location
  • Normal Operating hours for each facility
  • High activity use (hours/days)
  • Individuals who have access to security sensitive areas
  • Location of critical assets within each facility
  • Known vulnerabilities at each facility
  • Identification of building systems, such as mechanical, communications, HVAC, water, electrical, medical gas, etc.

The security survey checklist should also consider specific organizational issues such as the hospital’s culture, visitor management practices, security force utilization, and emergency preparedness.  Life safety practices and systems must also be considered in context with existing and conceptual threats, particularly those that affect patient safety.  Asset specific vulnerabilities are also included in the security survey.  For example, if the hospital has research labs, protection systems and personnel are typically employed for lab and information protection.  Likewise, emergency centers create many opportunities for crime and rule violations and require special attention.  Threat types and frequency in the emergency center may be different from the rest of the hospital’s facilities.

Office area security and loading docks are also at the forefront for most security directors and managers.  Administrative offices are likely to experience wandering people, purse thefts, and loss of business equipment.  In this regard, it is important to consider the culture and practices of administrative personnel.  Are doors locked when an office is unoccupied?  Are purses stored in locked drawers?  Recurring security awareness training is often an effective and inexpensive solution for office area security problems.

Loading docks serve as a primary gateway for would-be offenders as they are often left open and unattended.  Valuable assets, such as computers, are sometimes stored on the dock for extended periods of time.  The problem is compounded when dock personnel are short staffed or inattentive.  Worse yet, dock personnel may be complicit in theft of hospital property.  Penetration tests of loading docks often yield surprising results about the vulnerability of hospital assets.  Properly securing the loading docks is a critical element of an effective security program.

Notable security survey areas to consider for each building include:

  • Perimeter Barriers and Controls
  • Vehicle Control and Perimeter Entry Point Access
  • Clear Zones and Signage
  • Building Exteriors
  • Access Control and Visitor Management
  • Lock and Key Control
  • Outdoor Lighting
  • Closed Circuit Television (CCTV)
  • Intrusion Alarms
  • Architectural Design and Crime Prevention Through Environmental Design (CPTED)
  • Patient/Infant Abduction Systems

Once all areas of the buildings have been surveyed by the vulnerability assessment team, outside areas should be assessed.  These areas may include small parks or courtyards, smoking areas, and parking facilities.  For each of these areas, the survey should address access control, personnel (security, parking attendants), lighting, physical security measures and systems, and architectural design.  As one of the few objective areas of a vulnerability assessment, lighting in particular is often found to be a measure in need of enhancement to improve the overall strength of the security program and reduce the fear of crime.

Asset-Based and Threat-Based Vulnerability Assessments

As stated above, a vulnerability assessment is a process used to identify weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.  While vulnerability assessments are generally conducted using the same general process, the manner in which they are conducted may change based on the focus of the vulnerability assessment team.  For example, the vulnerability assessment team may focus on specific assets, such as people (patients, employees, etc) when conducting the assessment.  On the other hand, the team may focus on specific threats, such as patient abduction or workplace violence, when walking through the security survey.  The focus of the team determines whether the vulnerability assessment is asset-based or threat-based.

Asset-based vulnerability assessments are broad evaluations of assets and the threats that impact those assets.  For example, an asset-based assessment at a hospital’s research lab will focus on the information developed by the researchers, both from a physical security and information security perspective.  In this instance, the primary asset in need of protection is the information in both its physical form (computers, paper, etc) and its electronic form (software, files, etc).  Asset-based assessments assume that every scenario cannot be imagined or those that are, are too speculative to consider.  By and large, asset-based scenarios are the most common type of assessment utilized by security practitioners today.

Threat-based vulnerability assessments, on the other hand, focus on the various types of threats that challenge hospital security practitioners.  More often than not, the threats considered are those that are low frequency, high impact, such as infant abduction, patient sexual assaults, and city- and region-wide emergencies such as hurricanes or terrorist acts.  The threat-based assessment evaluates vulnerability by asking how a patient may be abducted, how prepared the hospital is if supply chains are cut off for an extended period of time, or how the loss of utilities will impact patient care.  This type of assessment requires a knowledgeable assessment team that has an understanding of historical events at hospitals and has the ability to foresee future events, especially conceptual threats.  While history is a primary indicator, not all future threats can be anticipated based on the past attack modes.  Conceptual threats should not be underestimated.  Scenario-based assessments are advantageous in that they are better suited for assessing high value assets and high consequence threats.  Unfortunately, this advantage also creates a problem whereby lesser threats may be ignored and security measures not implemented.

While the vulnerability assessment team’s goal is to select a low frequency threat for the assessment, the scenario must be sufficiently realistic.  A fair assessment of the asset’s attractiveness, from the adversary’s (threat) perspective, is critical to accurately evaluate the strengths and weaknesses of each asset and the security program.  The next step is to evaluate the ability of the existing security program to deter, detect, and delay an attack.  Typically, an outside-in approach is used whereby the vulnerability assessment team identifies the outermost layer of protection and works their way inside toward the assets, passing through each security layer in the same order that an adversary would do so.  The training, skills, and equipment of the theoretical adversary should be considered as each protection layer is breached.  Finally, the assessment team analyzes the consequences of the threat reaching its target and assigns a vulnerability rating.

An example of a scenario-based vulnerability assessment is where the assessment team selects a low grade explosion outside a patient care building as an attack scenario.  They postulate that the explosion occurs immediately outside the building during daytime hours.  What are the characteristics of the building and its assets (patients, families, employees) that may contribute to the loss, damage, or destruction?  How would an attacker detonate a bomb in close proximity to the building?  Would any element of the current security system be able to deter, detect or delay the attack?  Would the closed circuit television (CCTV) system detect the adversaries?  Is the CCTV system monitored with direct communications to the security response force?  Would the building survive a low grade explosive attack?

As seen in this example, a downside to scenario-based assessments is evident, in that these types of assessments force the team to focus on protecting against particular threats and potentially ignoring other threats.  Nevertheless, both asset-based and threat-based vulnerability assessments are beneficial exercises that should be undertaken on a regular basis.  The results often yield relevant solutions and also identify opportunities for training emergency responders and security personnel.

Vulnerability Assessment Results

The outcome of a vulnerability assessment and security survey is a set of recommendations geared toward closing gaps, mitigating risks, and improving the security program.  In large hospitals, the recommendations may be phased or prioritized based on cost and mitigation strength, the ability for the recommendation to reduce risk.  Risk reduction recommendations typically fall into one of three areas:  policies and procedures, physical security measures, and personnel.  Policies and procedures may include revising the hospital’s security management plan, security awareness training, or revising procedures that reduce crime opportunities, such as implementing a buddy system.  Policies and procedures also define how the hospital responds to sentinel events and the methods used to reduce the adverse impact to the hospital and its assets.  Physical security improvements may include such things as redesigning facilities or areas to increase pedestrian or vehicular traffic, installing an electronic visitor management and access control system, or connecting duress alarms to a central station.  Because many hospital security departments are in a constant state of improvement, electronic security measures must be scalable and expandable in anticipation of future growth.  Security personnel recommendations may include additional training, better equipment, or stronger supervision.  Hospitals which utilize a security force, be it proprietary, contractual, or comprised of law enforcement officers, know that some of the greatest areas for security program improvement lie with the security force.

The Decision Maker’s Challenge – Post Risk Assessment

Once the vulnerability assessment is complete and coupled with the threat assessment, the final risk assessment report is ready for action.  The challenge for the security decision maker is to assimilate the data into a meaningful security plan that will address the weaknesses and exemplify the strengths of the organization.

The initial review of the risk assessment report is critical.  The security management team must thoroughly review the risk assessment report and validate the findings and recommendations.  This procedure focuses on actual observations, data, and other available material to clearly understand the intent and magnitude of each finding and recommendation.  During the process, the modification of a finding or recommendation could possibly reveal other opportunities.  Adding or deleting certain information helps to clarify the specific problem and strengthen the recommendation.  The intent is not to hide or dilute the finding but to ensure that the identified measure, process, or program receives appropriate attention and implementation if required.  For example, a particular finding might address inadequate staffing at a point of entry after hours.  The subsequent recommendation states that the post requires a security officer at the entry point between the hours of 7:00 p.m. and 6:00 a.m. seven days per week.  Subsequent analysis discloses the door is secure during those hours and observed by a camera.  However, while analyzing the problem further, management recognizes a need for an officer during normal business hours.  Consequently, the modification of the finding and recommendation better identifies and addresses the actual security shortcoming.  This example is more elaborate than most modifications, which generally entail wordsmithing or adding more detail to the finding and recommendation.  It is imperative that weaknesses are clarified and validated in order to appropriately apply solutions for the short- and long-term.  Further, weaknesses need to be categorized, prioritized, and analyzed to determine criticality, economic considerations, implementation timelines, and to what extent.

Following the review process, security management should coordinate with risk management, safety, and possibly with emergency management, providing them a copy of the risk assessment report.  A thorough review and discussion of the findings and recommendations with these departments is not only appropriate, but will prove to be extremely beneficial.  The security risk assessment is a process that examines the health care organization from a holistic perspective and the findings and recommendations have a broad application throughout the organization.  Sharing the security risk assessment with risk management, safety, and emergency management actually puts security management in the driver’s seat when presenting the findings and recommendations to senior management.  The support of these departments is critical should funding be required to implement some of the recommendations.  Risk management coordination assists in alleviating legal issues associated with some of the recommendations, which is prudent and crucial for maintaining a viable security program.  Safety, on the other hand, assists with recommendations requiring special knowledge of sophisticated medical applications and procedures that are associated with one or more of the security recommendations.  The emergency management coordination and review offers valuable insight into how emergency incidents and events might require a different approach to one or more recommendations.  Coordination with the aforementioned departments may be obvious.  However, there are many others to coordinate with, such as Information Services (IS).  Recommendations that require the implementation of sophisticated technology hardware and software definitely require IS coordination.  Another example is nursing operations.  The impact on patient care areas, resulting from a risk assessment, such as waiting areas, surgery areas, pharmacies, and specialized clinics, is common.  Coordination with the nursing leadership assists in assuring a smooth implementation process.  The examples given are just a few of the considerations that must take place while preparing to implement the recommendations.  Nonetheless, once the security risk assessment review and analysis process is complete, briefing senior management is the next challenge.

Senior Leadership Briefing and Capital Funding

Security management has the inherent responsibility to provide an accurate and timely report to senior management.  The security team’s thorough analysis and the presentation of sound recommendations is the next step.  Preparing for this task begins the day the assessment is completed.  All the coordination and analysis must produce a sound plan and timetable for implementing the recommendations.  Additionally, a cost analysis must clearly depict the potential cost associated with recommendations requiring funding for implementation.  The presentation must be an executive summary, with enough detail to support the recommendations and the implementation plan.  However, it is vitally important for the senior security manager to be prepared to answer questions in greater detail if required.  Once the plan is approved, partially or in full, the next step is acquiring the necessary funding.

Coordination with business services immediately following approval is paramount to acquiring capital funding in a timely manner.  The organization’s financial services group assists with preparing the capital funding request and the method of presentation to the Capital Projects Committee (CPC).

Implementation of Recommendations

Following the security risk assessment presentation to the executives, and while preparing the capital-funding request, the implementation of the remaining approved recommendations, in accordance with the implementation plan, begins.  It is imperative not to delay the implementation of the recommendations, because the organization remains at risk.

The security risk assessment is an extremely valuable process.  The security manager can use the assessment to leverage support for the security program, acquire crucial funding, and have the ability to implement timely improvements to bolster the organization’s security posture.  Furthermore, the security manager has a perfect opportunity to emphasize the strengths of the security department and promote the risk assessment as a proactive approach to enhance the organization’s security posture.

ABOUT THE AUTHORS

Robert E. Owles, Jr. is the Director, Security Services, at Texas Children’s Hospital, where he is responsible for a large, diversified security operation that keeps pace with the hospital’s challenging strategic objectives, in a dynamic health care industry.  He is a member of the American Society for Industrial Security (ASIS-International), the Association of Certified Fraud Examiners (ACFE), and the International Association of Healthcare Security and Safety (IAHSS), serving currently as the Chair of the Houston IAHSS Chapter.  Bob holds a Bachelor of Science degree in Business Management from LeTourneau University, a Master of Arts degree in Organizational Management from University of Phoenix, and is currently pursuing a second master’s degree, an MBA in Health Care Administration.

Karim H. Vellani, CPP, CSC is the President of Threat Analysis Group, LLC, an independent security consulting firm.  He is Board Certified in Security Management and a Certified Independent Security Consultant.  Karim is a member of the International Association for Healthcare Security & Safety, the American Society for Industrial Security (ASIS-International), and the International Association of Professional Security Consultants, serving currently as the Vice President.  As an independent security consultant, Karim has extensive experience in risk and security management in the healthcare industry and has written extensively on the subject.  He has also authored two books, Applied Crime Analysis and Strategic Security Management.  Karim can be reached via email at kv@threatanalysis.com or via phone at (281) 494-1515.


[1] Vellani, Karim H. (2006).  Strategic Security Management:  A Risk Assessment Guide for Decision Makers.  Woburn:  Butterworth-Heinemann.

[2] Joint Commission on Accreditation of Healthcare Organizations (2005).  Environment of Care Standard 2.10.

[3] Sennewald, Charles A. (2003).  Effective Security Management, 4th Edition.  Woburn:  Butterworth-Heinemann.

For assistance in assessing your hospital’s security, please feel free to contact us.

Date: March 17th, 2010
Cate: Consulting, Healthcare Security

Designing Security in Hospitals

You’re a very busy hospital security manager.  At 2 pm on one of your normal busy days, you receive a call from a man saying he represents a security consulting firm.  He explains that one of the company’s specialties is technical expertise in electronic security design.  He asks if you have any upcoming projects or concerns and if you would like to meet with a company representative.  Why should you not just politely say no and end the call?  What could this firm do for you that you cannot do yourself?  After all, you understand how to perform a risk assessment, have your hard earned certifications, and no one is more familiar with the electronic security needs of your facility than you are.  While this may be true, the use of a security design consultant can be an extremely valuable tool to help you do your job.

While security management consultants deal with the full risk assessment and the entire security program, security design consultants deal with a specific and specialized piece of the assessment and security program, electronic security.  Therefore, while the advantages to using a security management consultant are more ‘big picture’, such as budget verification or independent review, the advantages of using a security design consultant are more specific, dealing with issues like access, visual verification, detection, deterrence, and response.  That is not to say that security design consultants do not deal with the total electronic security picture or how that fits into the overall security program.  In fact, that is exactly what they do.  In general, the services of a security design consultant fit into three categories: assessment, design and project management.

Assessment

Assessment services are the services most commonly attempted by the security manager or security department.  It is thought, correctly so, that you have the most knowledge about the overall security needs of the facility.  However, having that knowledge does not necessarily mean you know what electronic security devices are required to deal with those security needs, where they should be placed to be most effective, how much they will cost, or how they should be integrated with all of the other facets of your security program.  Let’s say you have a visitor control issue that you have identified because of certain incidents or just by your observations of your facility.  It is necessary to develop a needs assessment report outlining the type of electronic security devices that can help remedy the situation, where they should be located, how much they will cost and how will they be integrated with the rest of your security program such as guard force and existing monitoring capabilities.  What do you do?

Unfortunately, what often happens is that some devices are identified for placement in locations to deal with the perceived issue at that time.  Many times these devices are merely extensions or additions to existing access control or CCTV systems which were not designed at the time to deal with your specific issue.  It is easier and more cost effective to add to existing systems in the hope of resolving the problem rather than starting from scratch with a new approach.  You may solicit the help of your existing installation firm or even call in a new one to help you place new devices and add them to your existing system.  They may even suggest different ideas than you had to deal with your specific issue.  The problem is they are in the business of selling you equipment, not coming up with the best solution for your problem.  That is not to say they are acting unethically, just that their reason for being there is different than your objective.

Let’s say you make the correct decision and decide to evaluate the problem from scratch and figure out the exact needs of the facility, do you or members of your department have the specific expertise to make those decisions?  Do you have a good understanding of all the functions and capabilities available in today’s electronic security systems?   Can you evaluate every reasonable option available to determine the best fit for your needs?  Do you know how much these systems cost?  If any of your answers to these questions is no, what do you do?  You have the option of doing the best you can which may or may not be good enough, or finding a professional who can assist you in making the correct decisions when it comes to your electronic security needs.

A security design consultant has expertise in evaluating the security needs of your facility and determining the best electronic security options to meet those needs.  Additionally, the consultant has an understanding of how those options will integrate with all the other elements of your security program.  The consultant can determine optimal device placement, deal with regulatory and code issues with the devices (especially with access control systems) and prioritize the importance of system functions and capabilities to make sure the ultimate equipment chosen matches the security needs.  Finally, the consultant can provide realistic cost estimates so budgets can be set and no surprises come up during system procurement.  All of these evaluations and recommendations form a needs assessment report that can be used to support your claim that a security need exists and should be addressed, ultimately helping you do your job even better.

System Design

Now that you know what types of electronic security devices should go where and what their functions and capabilities should be, the necessary system needs to be designed.  Let’s say you have a complete and correct electronic security needs assessment showing all the correct device types, locations and functions.  Do you have the expertise to know which products in the marketplace are the best fit for your needs?  Do you know the correct things to look for in a product to determine if it fits your need?  Do you know what things to avoid?  Do you know how competitive the bidding would be based on those product choices?  Probably not.  This is no slight on you; the industry is just so complicated and fast changing that it would be impossible for you to keep up on all those issues and still do your job.  What do you do as the security manager handling this project?

Unfortunately, a lot of the time you call a large installation firm (if they weren’t already called in the assessment phase) that also advertises itself as a ‘security consultant’.  If you need specifications written for the project to go out to competitive bid, they may offer to write the specifications for you.  And, to your good fortune for budget purposes, they will write the specifications for no charge.  While you may think this is a bargain, it probably will cost more money in the long run.  What typically happens is that the company will write the specifications to make it extremely difficult and sometimes impossible for any products to be used other than their proprietary ones, making them the only company able to competitively bid the project.  This creates two major problems: first, the equipment specified is more than likely not the best fit for your needs, and second, you will pay far more than you should for the installed system because it in effect becomes sole source.

What if, instead of having an installation firm write the specifications, you invite several reputable firms into your facility, explain to them what exactly you are looking for based on your needs assessment, and ask them to give you a proposal with products that will meet those needs and associated costs.  Sound better?  While it probably is better, it is still inherently flawed.  Installation firms usually have certain manufacturers that they use the majority of the time either because they have a comfort level with that manufacturer or they have an actual agreement with that manufacturer to sell a certain amount of its equipment per month.  What happens is the equipment is made to fit the needs even if it is not close to the best fit or the most cost effective option.   Additionally, do you have the expertise to sift through the proposals to determine which equipment is the best fit for your needs?

A security design consultant is independent of any manufacturer or installation firm.  Their product choices are based solely on the needs of the client.  They match the product to the need rather than the need to the product.  The consultant can prepare design specifications in two specific ways: for a Request for Proposal (RFP) or Invitation to Bid (ITB).  A Request for Proposal describes in detail the system and equipment requirements as determined by the needs assessment and gives general criteria that the bidder must fulfill for their bid to be acceptable.  The installation firm will then propose equipment to meet those needs and give a cost for the installation.  The consultant will then evaluate all the proposals and make a recommendation as to which proposal best meets the needs of the client.  An Invitation to Bid actually spells out the exact equipment that will be bid.  The consultant will have already made those determinations based on expertise and industry best practices.  The installation firm merely bids a cost for what is specified.  In either case the product decisions are based solely on the needs of the facility and client rather than any other factors.

A note about using project architects to do the assessment and design work described above.  This could be a good or bad thing.  You need to ask some questions up front in order to make that determination.  Does the architect use their own independent security consultant?  If not, if they use an engineer or do it themselves, what expertise do they have in the assessment and design of electronic security systems?  Unfortunately you will find that some architects also use security installation companies to do this work for them.  While they are getting the services for free, you are being charged.  Additionally, you are getting far from the best system for your needs.  This is certainly not always the case; there are a lot of excellent architects out there that either have the proper expertise or hire that expertise.  You just need to ask the questions to make sure you are getting the best for your money.

Project Management

Once the procurement process is complete and an installation firm has been chosen to install the designed systems, someone must make sure the systems are installed per the specifications and industry best practices.   It stands to reason that the best person to provide that oversight is the person who actually wrote the specifications.  If the same firm who wrote the specifications is doing the work, that is not very reliable oversight.  In many cases you as the security manager can do this project management oversight yourself or through your department with little difficulty.  However, if the security design consultant has been involved in the project through the assessment and design phases, he is best able to evaluate the quality and thoroughness of the installation.  Also, for more complicated systems and installations, having project management performed by someone with the technical expertise to understand what to look for in the oversight process is a great advantage.

So the next time you receive that phone call at 2pm on a busy day, perhaps you should consider hearing what they have to say.  The consultant’s job is not to upstage the security manager or in any way take away from the overall security program, but rather to enhance the capabilities of the security manager and the department in general by helping you do your job in the best manner possible.  No one is expected to know everything, but you are expected to find people with the necessary knowledge when an issue arises.  Take advantage of it.

For assistance in designing security for your hospital, please feel free to contact us.

About the author:  Brian Gouin, PSP, CSC has over 17 years of experience in the security and fire protection field, first as the owner of a security installation company and then as an independent security design consultant with Threat Analysis Group.  Brian has extensive training in system design from a vast number of manufacturers of electronic fire and security equipment.  Brian is a member of the American Society for Industrial Security, the International Association of Professional Security Consultants, the National Fire Protection Association and the National Association of Chiefs of Police.  Brian can be reached via email at bg@threatanalysis.com or via phone at (281) 494-1515.

Date: February 21st, 2010
Cate: Healthcare Security

Hospital Security

Securing the environment of care is a challenging and continual effort for most healthcare security managers, who face unique challenges in balancing the open campus environment with the protection needs of the hospital’s patients, employees, and other assets.  No hospital is without risk and effectively managing risk is crucial to maintaining the protection and openness balance.  By conducting a comprehensive risk assessment, hospital security managers can prioritize identified risks, develop an effective hospital security program, and reduce risk to a manageable and acceptable level.  This article discusses a 5-step risk assessment process that enhances the hospital security program by effectively mitigating risks to the hospital.

Risk management, as the name implies, is the management of risks to an organization.  For most healthcare facilities, risk management includes not only security functions, but also insurance, legal issues, and health and safety.  The primary component of risk management is the risk assessment process whereby risks are monitored and addressed on a continual basis.  This process consists of the identification of threats, vulnerabilities, and risks to the hospital with the end goal of selecting appropriate security measures to reduce identified risks.  As seen in the flow chart below, the five steps of the risk assessment process are asset identification, security inventory, threat assessment, vulnerability assessment, and risk assessment.

Before entering into a discussion of the five steps, it might be helpful to identify key security terms and definitions used in this article.  Among the more commonly used terms are threats, vulnerabilities, and risks.  Generally speaking, threats are acts or conditions that can damage, destroy, or take hospital assets.  Examples include natural disasters and criminal perpetrators.  Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.  Vulnerabilities are those things that make the hospital more prone to security related problems, such as crime, unauthorized access, and damage from natural disasters.  Risk is the result of threats and vulnerabilities.  Without the potential for a threat and a vulnerability coming together in time and space, risk is undetermined or non-existent.  A simplified example may be a small town hospital which has open access to the facility and limited visitor management (vulnerability), but no historical security incidents (threat), thus the risk to the hospital is low.

Asset Identification

Identifying assets, as seen in the flow chart, is the first step of the risk assessment process.  Asset identification is the process of determining what people, property and information are critical to the mission of the hospital.  People assets may include doctors, nurses, and patients along with other persons such as visitors and support personnel.  A hospital’s property assets consist of both tangible and intangible items.  Tangible assets are usually simple to identify, while intangible assets, such as the hospital’s reputation, are more difficult to identify and assign a dollar value.  For all hospitals, information assets include medical records.  While all assets have value, not all assets are critical to the hospital’s mission.  Critical assets, then, are those assets necessary for the hospital to carry out its mission of providing healthcare, for without them functions and processes will fail and cause the hospital’s mission to fail.  The higher the consequence from the loss, damage, or destruction of an asset, the more critical the asset is.  Depending on the type of care and treatment provided, a hospital’s critical assets invariably include patients, medical professionals, support personnel, medical records, equipment, supplies, and pharmaceuticals.  Other critical assets may not be as evident and must be identified during this step of the risk assessment process.  One common way of identifying critical assets is to interview and/or survey the people charged with carrying out the hospital’s mission.  Questionnaires of department administrators can also help to identify assets.  Regardless of the technique used to identify assets, it is crucial to identify all critical assets to ensure that they are considered during the risk assessment.

Security Inventory

The second step of the risk assessment process is the security inventory.  Typically, a hospital has already deployed various security measures throughout the facility or campus to resolve past security problems, thus the risk assessment is measuring mitigated risk, in contrast to raw risk.  These security measures may include policies and procedures, physical security equipment, security personnel, or some combination of these measures.  Security policies and procedures may include a security management plan, an emergency management plan, workplace violence prevention policy, medical records protection procedures, visitor management policies, and bomb threat procedures.  Physical security equipment can include alarm systems, closed circuit television systems, access control systems, perimeter security systems, and lighting.  Security personnel include the proprietary security force, contractual security personnel, off-duty law enforcement officers, and other personnel who serve in a protection capacity.  Typical physical security measures will depend on the nature of the hospital, however many physical security measures are common across various hospitals.  For example, closed circuit television is commonly deployed at most hospitals.

The risk assessment team should identify each component of the security program, what asset(s) it is used to protect, and its level of effectiveness.  There are two methods for inventorying current security measures: inside-out or outside-in.  Using the outside-in approach, the risk assessment team begins at the facility’s perimeter and works their way in toward the identified critical assets through each line of defense.  The inside-out approach is the opposite, with the team starting at each critical asset and working their way out to the perimeter.  In addition to these methods, the inventory process should also include reviewing any available security documentation including security plans, policies and procedures, security officers’ post orders, and physical protection system documentation.

Threat Assessment

The third step in the risk assessment process is the threat assessment.  Threats are specific events or conditions that seek to obtain, damage, or destroy a hospital asset.   Historical information is the primary source for a threat assessment; however other threats may emerge without a historical context.  For example, an Avian Flu outbreak is a potential emerging threat to hospitals.  Regardless of whether hospital security decision makers are dealing with an emerging or existing threat, they should share information regarding criminal incidents, security breaches, and other threats with other hospitals in close proximity.  While hospitals sharing information is an informal approach to threat assessments, formal threat assessments are more detailed analyses used to evaluate the likelihood of adverse events, such as terrorism, natural disasters, and crimes that may affect hospital operations.  The focal points of threat assessments are assets (targets) and the threats that seek to compromise those targets.  Threat assessments also ask who the bad guys are by evaluating each threat on the basis of capability, intent, and impact of an attack.

The most common form of threat assessment is crime analysis.  Broadly speaking, crime analysis is the logical examination of crimes which have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants, as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma (Applied Crime Analysis, 2001).  While the above definition of crime analysis is holistic, it can be dissected into three basic elements:

  • The logical examination of crimes which have penetrated preventive measures
  • The frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants
  • The application of revised security standards and preventive measures

Examining crimes perpetrated at the hospital is commonplace in today’s healthcare environment; however, it is normally limited to internal security data.  External data in the form of crime analysis should also be evaluated to develop a complete picture of threats to the hospital.  Crime analysis guides security professionals in the right direction by highlighting the types of crimes perpetrated (crime specific analysis), problem areas on the property (spatial analysis), and when they occur (temporal analysis).  Using this information, it is much easier to select appropriate countermeasures aimed directly at the problem.  In summary, crime analysis seeks to evaluate actual risk at a company’s facilities and rank facilities by risk level, reduce crime on the property by aiding in the proper allocation of asset protection resources, justify security budgets, continually monitor effectiveness of the security program, and provide evidence of due diligence and reduce liability exposure.
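As an added illustration (not part of the original article), the sketch below runs the three breakdowns named above, crime specific, spatial and temporal, over an incident log. The incident records, area names and three-shift boundaries are constructed assumptions, not data from any hospital.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample incident log (illustrative only, not real data).
INCIDENTS_CSV = """\
timestamp,area,crime
2010-01-04 23:40,Emergency Center,assault
2010-01-09 02:15,Emergency Center,assault
2010-01-15 22:05,Emergency Center,assault
2010-01-16 14:30,Parking Garage,theft from vehicle
2010-01-18 15:10,Parking Garage,theft from vehicle
2010-01-22 01:20,Emergency Center,assault
2010-01-25 13:45,Parking Garage,theft from vehicle
2010-01-27 10:00,Pharmacy,theft
2010-02-02 14:50,Parking Garage,theft from vehicle
2010-02-06 23:55,Parking Garage,assault
2010-02-11 09:30,Main Lobby,disorderly conduct
2010-02-13 00:40,Emergency Center,assault
"""

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]


def shift_of(ts):
    """Map a timestamp to an assumed three-shift security schedule."""
    if 7 <= ts.hour < 15:
        return "day (07-15)"
    if 15 <= ts.hour < 23:
        return "evening (15-23)"
    return "night (23-07)"


def load_incidents(text):
    """Parse the CSV log into dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        rows.append({"ts": ts, "area": row["area"], "crime": row["crime"]})
    return rows


def crime_analysis(incidents):
    """Return one profile per crime type, most frequent first.

    Each profile answers: how often (crime specific), where it
    concentrates (spatial), and on which shift and weekday (temporal).
    """
    by_crime = Counter(i["crime"] for i in incidents)
    where = defaultdict(Counter)
    shifts = defaultdict(Counter)
    days = defaultdict(Counter)
    for i in incidents:
        where[i["crime"]][i["area"]] += 1
        shifts[i["crime"]][shift_of(i["ts"])] += 1
        days[i["crime"]][DAYS[i["ts"].weekday()]] += 1

    profiles = []
    for crime, count in by_crime.most_common():
        profiles.append({
            "crime": crime,
            "count": count,
            "top_area": where[crime].most_common(1)[0],
            "top_shift": shifts[crime].most_common(1)[0],
            "top_day": days[crime].most_common(1)[0],
        })
    return profiles


if __name__ == "__main__":
    for p in crime_analysis(load_incidents(INCIDENTS_CSV)):
        area, n_area = p["top_area"]
        shift, n_shift = p["top_shift"]
        print(f'{p["crime"]}: {p["count"]} incidents; '
              f'{n_area} in {area}; {n_shift} on {shift} shift; '
              f'peak day {p["top_day"][0]}')
```

On this constructed log the output points countermeasures at two distinct problems: assaults concentrated in the Emergency Center on the night shift, and vehicle thefts in the parking garage during the day.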

Vulnerability Assessment

Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.  Simply stated, vulnerabilities are opportunities.  The fourth step of the risk assessment process is the vulnerability assessment, a systematic approach used to assess a hospital’s security posture and analyze the effectiveness of the existing security program.  Vulnerability assessments measure the security program’s effectiveness, compare it against valid security metrics, and provide recommendations to hospital security decision makers for improvements.  In essence, the vulnerability assessment assists hospital security decision makers in determining the need for additional security measures, security equipment upgrades, changes in policies and procedures, and manpower needs.  The primary tool of a vulnerability assessment is the security survey, which identifies and measures the vulnerabilities at the hospital by determining what opportunities exist to attack, obtain, or damage the hospital’s assets.

Security surveys are simply questions and checklists that guide the assessment team during off-site preparations and on-site inspections of the facility.  Surveys may range from a few basic questions to highly detailed lists comprising thousands of questions.  A typical security survey contains general information about the hospital, including geographic characteristics, and physical layout of the facilities.  The security survey also evaluates security deployment schedules, operational requirements, security equipment capability, and internal security incidents which have impacted the hospital security.  A typical hospital security survey would include the following items for consideration by the risk assessment team:

  • General Hospital Information
  • Organizational Issues
  • General Security
  • Visitor Management
  • Security Force
  • Policies and Procedures
  • Emergency Management
  • Human Resources
  • Building Security Survey
  • Perimeter Barriers and Controls
  • Gate Security and Construction
  • Vehicle Control and Perimeter Entry Point Access
  • Clear Zones and Signage
  • Building Exteriors
  • Access Control
  • Lock and Key Control
  • Outdoor Lighting
  • Closed Circuit Television (CCTV)
  • Intrusion Alarms
  • Patient Safety
  • Emergency Center
  • Infant/Patient Abduction Prevention Measures
  • Medical Supply Storage Facilities
  • Information Services (IS)
  • JCAHO Security Sensitive Areas
  • Cash Handling
  • Parking Facilities
  • General
  • Access Control
  • Personnel
  • Lighting
  • Physical Security Measures
  • Crime Prevention Through Environmental Design (CPTED)
  • Office Area Security
  • Loading Docks

Risk Assessment

The actual risk assessment is the fifth and final step in the process and is basically the logical analysis of the previous steps, which included asset identification, security inventory, threat assessment, and vulnerability assessment.  While assessing risk is more of an art than a science, the risk assessment should be benchmarked against industry standards and guidelines.  The purpose of the risk assessment step is to identify risk mitigation strategies which can be employed to reduce the hospital’s risk to an acceptable and manageable level.  Mitigating risk involves identifying strategies that can reduce threats and vulnerabilities through the implementation of additional security measures or other means.

Given a specific threat, there are five risk mitigation strategies available to the hospital security decision maker.  Generally, the five strategies for managing risk include avoidance, reduction, spreading, transfer, and acceptance.  Risk avoidance requires the removal of the target (asset) from the equation.  Avoidance is an extreme measure since it can hamper the hospital’s operations.  Reducing risk involves the deployment of security measures to reduce risk to an acceptable level.  Risk reduction is the driving force for a hospital’s security department, whose role it is to provide protection for assets.  Risk spreading is a strategy to move assets to different geographic areas so if one area is attacked, the consequence is limited to that area.  Storing necessary pharmaceuticals and other medical supplies off site is a good way to spread the risk; thus if an area of a hospital is attacked or damaged by natural disasters, there is another supply available elsewhere.  Risk transfer is a strategy used to remove the risk from the owner to a third party.  Insurance is the best example of risk transfer whereby the insurance company assumes the risk for a fee.  Risk acceptance is another strategy for mitigating risk.  As the name implies, risk acceptance is simply where the hospital assumes the risk to an asset, typically after reducing the risk level to an acceptable level.

In summary, assessing risk is a dynamic process that involves continuous evaluation of assets, threats, and vulnerabilities.  Reducing the risk to the hospital is accomplished by decreasing the threat level, blocking vulnerabilities and opportunities through enhanced security, or reducing the consequences if a security event should occur.  Without question, the best strategy for mitigating risk is a combination of all three elements: decreasing threats, blocking opportunities and reducing consequences.  Remember, no hospital is without risk and some risks can be acceptable.  Security is a carefully orchestrated balancing act that ensures an open, functional environment of care that effectively protects assets.

For assistance in assessing your hospital’s security, please feel free to contact us.