Healthcare Security Fundamentals


Published on

Challenges, trends and best practices for hospital security management.

Published in: Technology, Business
  • Application of Near Field Communication for Health Monitoring in
    Daily Life+ppt+report
    Are you sure you want to  Yes  No
    Your message goes here

Healthcare Security Fundamentals

  1. 1. Healthcare & SecurityFundamentalsSteve Nibbelink, CHPAApril, 2013
  2. 2. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 2Our Agenda● The Hospital Basics● The Healthcare Security Environment● Impact Organisations in Healthcare Security● The Healthcare Security Management Plan● Real World Examples● A Security Leader’s Perspective● The Healthcare Security Director’s World
  3. 3. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 3Healthcare & Security –The Hospital Basics
  4. 4. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 4Healthcare & Security –The HospitalThe Hospital’s Responsibility and MissionThe # 1 responsibility and mission of thehealthcare organisation is patient care!
  5. 5. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 5Healthcare & Security –The HospitalThe Security & Safety Department Mission StatementThe corporate security & safety department is committedto providing a secure and safe environment for allits clients, visitors and staff – through mutual respect andcooperation, through all departments, by supporting thesecurity and safety needs of the individual as well asthose of the organisation itself.
  6. 6. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 6Definitions of Healthcare Security● Healthcare Security is defined as a system of safeguards designed toprotect the physical property of the facility and to achieve relativesafety for all people interacting with the organisation and its environment● Security is not static and is often regarded as a state or condition thatfluctuates (continually)● Protection or Security programs are designed to reduce incidents andprobability, they do not eliminate all risk● A Customer Service Organization – where knowing your customeris the first step in providing flawless customer service
  7. 7. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 7Knowing Your Customers!Security can have a positive or a negative effectSecurity often sets the tone for the external customer’s entirevisit and the internal customer’s (employee’s) acceptanceand participation in a safe and secure environmentThe way a security officer interacts with a customer influencesthat person’s opinion of your healthcare institutionSecurity. . . . . . .relationships, communication and collaborationThe Customer Experience
  8. 8. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 8Healthcare & Security –The Healthcare Security Environment
  9. 9. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 9Healthcare & Security – The EnvironmentInternal Environmental FactorsInternal CustomersSecurity Program ResourcesSecurity Related EducationProfessional Development of StaffExternal Environmental FactorsExternal Customers3rd Party Risk AssessmentsCrime Statistics and TrendsRegulatory Surveys and ReviewsIndustry Environmental FactorsHealthcare Security Best PracticesRegulatory RequirementsParticipation in Professional Groups,Conferences and SeminarsThe Factorsthat create yourSecurity Environment
  10. 10. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 10Knowing Your Customers – InternalInternal CustomersCo-WorkersDirect ReportsOther EmployeesCEO, COO, CNO, CMONursing StaffSocial WorkBehavioral MedicinePsychology StaffDepartment Directors
  11. 11. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 11Knowing Your Customers – ExternalInpatientsOutpatientsThe VIP PatientThe Infectious PatientThe Combative PatientThe Forensic PatientThe Wandering PatientThe Missing PatientThe Infant PatientThe Pediatric PatientThe Psychiatric (BH) PatientThe Handicapped PatientExternal CustomersPatients & FamiliesVisitorsContractorsOutside GuestsRegulatory Agencies
  12. 12. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 12Knowing the Customers…….and the RisksHealthcare is usually provided 24 hours per day and hospitalsare required to be publicly accessibleHealthcare staff are predominately female (in most locations)Workplace Violence is an increasing problemDrugs are used and stored in the facilityMoney is handled throughout many healthcare facilitiesHealthcare facilities can be considered targets for acts of terrorismIssues of Risk
  13. 13. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 13The Healthcare & Security EnvironmentRisk BasedIncident Driven
  14. 14. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 14Healthcare & Security –Impact Organisations and DesignConsiderations in Healthcare Security
  15. 15. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 15Impact Organisations in Healthcare & Security
  16. 16. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 16Impact Organisations in Healthcare & Security
  17. 17. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 17Crime, Workplace Violence, Security & RiskOccupational Fraud is a major problem – as the typical organization losesan estimated 5% of its annual revenue to occupational fraud, according tothe 2012 Global Fraud Study (by the Association of Certified Fraud Examiners)Fraud is discovered / detected most by a “tip” --- 43.3%Workplace Violence is a major problem – as the Joint Commission issuedin June 2010, Sentinel Event Alert 45.....Preventing Violence in the Healthcare SettingSecurity & Risk is a major problem – “impenetrable hospital security inan open society represents a particular challenge, and zero risk is notachievable” (according to JHU Hospital report on shootings in the healthcare setting, 2012)What is the “Risk Appetite” of your Healthcare Organization
  18. 18. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 18Healthcare & Security –The Security Management Plan
  19. 19. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 19The Security Management PlanThe “Security of the Healthcare Organisation” – is a collaborative effort,as the security department is seldom responsible for all the componentsof the protection program and security management planCourtesy of “Hospital & Healthcare Security”,5th Edition, Russ Colling & Tony York
  20. 20. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 20The Security Management PlanThe Security Management Plan should include, but not be limited to:Security Program Mission StatementStatement of Program Authority (i.e. facility organisation chart)Identification of Security Sensitive AreasAn Overview of Security Program Duties and ActivitiesThe Documentation System in Place (i.e. records and reports)Training Program for the Security Staff and all other StaffPlanned Liaison Activity with Local Public Safety AgenciesSecurity Organisational ChartCopy of the Most Recent SMP Annual Program Evaluation ReportCopy of the Most Recent SMP Annual Program Improvement Plan
  21. 21. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 21Guidelines & Best Practices
  22. 22. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 22The Security AssessmentTo ensure adequate risk protection measures are in place tomitigate risk to patients, employees, staff, visitors and assets+ risk management, policies and governance, businesscontinuity, asset protection, physical and fireprotection, brand reputationTo find ways the existing security measures could be improvedto increase security efficiency+ total cost of ownership, security CAPEX, OPEX,productivity, technology master planTo find the business impact beyond security+ increase revenue / profit, reduce loses / claims,reduce operating expenses
  23. 23. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 23Recommendations & Mitigation TrackingSCHNEIDER ELECTRIC HOSPITAL -- SECURITY HAZARD AND VULNERABILITY ASSESSMENT TOOLRECOMMENDATIONS AND MITIGATION TRACKING Tracking Sheet Page 1ISSUE / CONCERN PRIORITY SECURITY RECOMMENDATIONRESPONSIBLEPARTYTARGET FORMITIGATIONCOMMENTSDoors Propped Open LowMeet with Dept. Heads on Importanceof Door SecuritySecurityDepartmentManagersFeb.2013Continue education on the importance ofhaving a secure area with management andstaffEntry into departments occurs withoutadequate screeningMediumMeet with Administration to develop aprocedure to properly screenindividuals entering department units.Administration,Security, DepartmentManagersMar. 2013Continue education on the importance ofhaving a secure area with management andstaff. Research visitor management optionsEducate Staff on when to call Security forIncidents/AssistanceMediumMeet with Administration , Safetyrepresentative and Department headsto educate staff as to Security role andwhen to call them.Security Supervisor,Administration,Safety, andDepartment MngrsMar. 2013Plan to attend staff meetings and educatenew hires during orientation as well ascontinuing education for existing staffAdmin door, while equipped with accesscontrol, remains propped openHighKeep door closed to prevent entry ofuninvited patients or visitorsAdministration,Security,Feb.2013Door already has necessary hardware, justneed to close doorPonds are not fenced to prevent accidentalor deliberate entryHighResearch fencing and additionalbarriers or warning signsFacility Management Feb.2013Research potential barriers and / or warningsignagePediatric Unit on 3rd floor HighConsider patient management systemor moving pediatric rooms so allpersonnel would have to pass by unitsecretaryPhysical Security,Administration, andFacility MgmtFeb.2013Nursing triage desk is not facing elevators /line of sight issue which might requireelectronic systemWalking trail not covered by existing CCTVand needs lighting upgradesHighConsider CCTV and lighting upgradesplus increased patrolsPhysical Security,Administration, andFacility MgmtFeb.2013Research potential upgrades to CCTV andlightingH - High Priority; Immediate Mitigation RequiredM - Medium Priority, Mitigation RequiredL - Low Priority; Non-Urgent Issue
  24. 24. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 24Healthcare & Security – What We Can FixAdministration Door should be closed,propping the door open defeats thepurpose of the card reader
  25. 25. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 25Healthcare & Security – What We Can FixPatient Management Alarm should be considered for3rd Floor – Pediatric Area, since the doors are notvisible, not in the line of sight, from the nursing station
  26. 26. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 26Healthcare & Security – Equipment ReportHelpful Tool?Schneider Electric Hospital Video Surveillance - Equipment Report April 25th, 2013Camera Number 46Camera Name Emergency WardCamera Manufacturer PelcoCamera Model Number Sarix IXAsset Management Tag Number Ekahau - 83V1565How is it Wired / Connected Network - IP Address - is it Viewed Security Command & Control, Emergency Ward Visitors Desk and Nurse Managers OfficeWhere is it Recorded Security Command & Control, DVR 7Integrated with ?? Asset Management, Access Control, Emergency Ward Zone, Building Management, Fire Alarm Control SystemCamera Location Emergency Ward - Entrance Doors / LobbyCamera View Looking at the Entrance Doors and Lobby (glass door entrance from parking area)Installation Date August, 2009Installation Company Schneider ElectricService Company Schneider ElectricLast Service Date October, 2012Last Service Performed Adjusted Camera Lense, Cleaned Housing, Network TestPicture of Camera
  27. 27. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 27Healthcare & Security – FTE PredictorDuring an informal poll of several hospital security administrators the question was asked:“What do you consider to be the major mistake that you have seen in the stages of securityprogram development in hospitals?” The consensus of opinion was that all too oftenorganizations decide how many security officers they need or want before they determine thefunctions of the security department.AN OPINION – IAHS Newsletter, 1968Healthcare Security - FTE PredictorTotal Total Security Total Total Trauma Center HealthcareInpatient Care Area Calls / Responses Research Area Hospital 1 = Yes SecuritySquare Meters Per Year Square Meters Beds 2 = No FTEs250,000 1,500 20,000 800 1 18.08
  28. 28. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 28Healthcare & Security - ResponsibilitiesThe first association meeting was held June 3rd, 1968 – at the New York Hilton.This list represents the consensus of those present as to what the responsibilitiesof the hospital security department were.1) Uniform Patrol2) Elevator Operators3) Information Desk4) Lost and Found5) Key Control6) Identification7) Fingerprinting8) Education of Employees (with regard to safety and fire prevention)9) Accident Reports on Hospital Grounds10) Manual of Procedures11) Disaster Procedures12) Training Security Officers13) Alarm Systems14) Maintaining Good Relations with Official Police15) Transportation16) Deceased Patients Property
  29. 29. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 29Security in Hospitals – Needs / SafeguardsSignageSign-In LogsMarking / LabelingAggressive Incident InvestigationPolicy of ProsecutionConditions of EmploymentEnforced Disciplinary SystemGreeting / Staff AcknowledgementWay Finding & GuidanceLandscape Design / ArchitectureCommunity OutreachPsychologicalAccess ControlVideo SurveillanceVisitor ManagementFire SafetyIntrusionInfant & Patient ProtectionIdentification BadgesBarriersGlazingCommunication DevicesPanic – Fixed & PersonalPhysicalEncryption and theProtection of Patient DataSecuring Network SystemsID Security andPassword ManagementAsset Management / RTLSLogicalLightingFundamental
  30. 30. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 30Healthcare & Security –Real World Examples…..
  31. 31. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 31Vehicle Toyota CorollaYear 2005 – 2008Color Maroon / Dark RedTags MarylandOn Sunday, November 25th, 2012 – two individuals came to our hospitalwith what appears to be the specific intent to steal cash or other itemsfrom our Hospitality Shop.These individuals arrived at 1:18PM and parked in our front parking lot.They go directly to the Hospitality Shop entrance. Suspect 1 (the topphoto) enters the shop and goes to the back of the store. Suspect 2(the second photo) enters the store a minute later and goes to the backof the store and kneels down at a rack pretending to look at items butlooks into the improperly secured and open office area. Suspect 1 goesup to the counter and distracts one of the two clerks by asking to look atpurses. Once the second clerk is busy with other customers, Suspect 2enters the office area and goes directly into another unsecured roomwithin the area. 1 minute and 25 seconds later, Suspect 2 leaves theoffice area with cash. Both of the suspects leave the shop at 1:25PM.They return to their vehicle (bottom photo) and drive off campus.DescriptionsSuspect 1 Black Male, in his 20’sBald, no facial hairThin, possibly 5’ 10” tallSuspect 2 Black Male, in his 20’sShort, Black Hair and MustacheThin, possibly 6’ tall
  32. 32. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 32On Saturday, December 15th, 2012 – just after 4AM, on the 5th floorof the hospital, where the gunman’s wife was a cardiac patient – thesuspect, 38 year-old Jason Letts, became upset over his wife’s care.(The husband -Letts- was ejected from the hospital the previousevening at approximately 8PM.)He returned to the hospital with a gun and forced a security officer totake him up to his wife’s floor. Once there, he began going room toroom, waking up patients and telling them, “get up, they’ve got guns,they’re going to kill us”.When officers arrived on the 5th floor, Letts opened fire on them. One of the police officers was shotin the leg and two hospital employees were wounded. Two police officers returned fire, killing Letts.In the aftermath of the deadly shooting, St. Vincent’s Hospital has beefed up security. The hospitalis reassessing how the hospital is accessed. The hospital has 84 “points of access” and 2,000employees. The hospital employed “perimeter control” with limited access and use of camerasbefore the incident, but is re-examining all of that to see if improvements need to be made after theshooting. The hospital stated “we always review and continually try to improve in order to enhancethe safety for our patients, for our families and for our physicians and employees here on campus.The hospital is adding off-duty police officers and examining the installation of metal detectors (asthey currently have a portable “wanding” device).
  33. 33. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 33In the past two years – 2011 & 2012 – the University of MiamiHospital has had several security challenges…..2011 – Robbery / Thefts…..31 reported events2012 – Robbery / Thefts…..25 reported events (through 3Q12)After the theft of a laptop, wallet and other personal propertyfrom the sports medicine office – security guards reported aman was spotted in the hallways wearing a sweatshirt and hat,before the crime was committed - and that no guards approachedhim and they did not know how he accessed the building or area ofthe crime, and had no photo identification. A security video wasmissing 40 minutes of footage – with no audit trail available.Earlier in the summer, an outside audit of the hospital, led to thediscovery of a large, three year drug heist, by a pharmacy technicianwho stole $14M (usd) worth of drugs and narcotics from the hospitalpharmacy (security and pharmacy controls did not detect the theft).In September, a defibrillator valued at $90K (usd) and three pacemakersvalued at $24K (usd) were stolen from the hospital campus and just amonth before, a patient had jewelry and cash stolen from her hospitalroom when she left for medical tests in another area of the facility.
  34. 34. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 34Healthcare & Security –A Security Leader’s Perspective
  35. 35. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 35The Risk to Healthcare FacilitiesA variety of reasons account for the elevated risk to healthcare facilities.Foremost among these is the nature of the workplace itself: hospitals,especially emergency rooms, are open to the public 24/7, and they offerparticular allure by way of availability of drugs and/or money.Bryan Warren, CHPA, CPO-I IAHSS PresidentDirector, Corporate SecurityCarolinas HealthCare System, Charlotte, NC, USAThe primary concerns are access control, violence generally (butparticularly in the emergency department), the threat of infantabduction, blending customer service with a secure environmentand dealing with increased volumes of patients.Fred Roll, MA, CHPA-F, CPPPresident and Principal ConsultantHealthcare Security Consultants, Denver, CO, USA
  36. 36. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 36The Risk to Healthcare FacilitiesCommunication is a large concern as it directly leads to other eventsthat we (as security) have to deal with…….such as patient – staff andstaff – security communication. By de-escalating a situation earlier inthe process (before it gets out of control), we can then avoid the codeblack situations (and keep any disturbance at a code grey level).Chris RasmussenSecurity ManagerSt. Andrew’s War Memorial Hospital, Brisbane, AustraliaThe increasing risk to healthcare is the move to provide care in thecommunity (where we have our healthcare workers providing careoutside the walls of our hospitals) along with a rise in the clinical acuity(sicker people in our hospitals) and finally, our threat management program(as part of our violence prevention program) is a key to our daily activity.Jeff Young, CHPA, CPPExecutive Director, Integrated Protective ServicesFraser Health, Vancouver, BC, Canada
  37. 37. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 37The Risk to Healthcare FacilitiesThe current and emerging healthcare security concerns are…….---the potential active shooter situation in the healthcare environment---the increasing number of serious incidents of violence in the healthcaresetting – by patients, family members, staff, domestic violence andthe increasing number of forensic patients (situations)---the multi-faceted issue of providing protective services in the emergencysetting (an issue that keeps growing each year despite constantattention by healthcare security professionals)---the current focus on the increasing use of access control, video / cctv,exterior door locking, staff training / education and the designchallenges for the “people / vehicle” pathways,both internally and externally to the hospitalRuss CollingAuthor, ConsultantFounding Member of IAHSS
  38. 38. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 38Healthcare & Security –The Healthcare Security Director’s World
  39. 39. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 39Healthcare & Security –Fundamentals of the Security Department● The fundamentals of the healthcare security department are:● Selection & Recruitment● Policy & Procedure● Training & Education● Technology – the Force MultiplierThe name of the hospital, the organisational structure,the language and local culture may all be different,but these four concepts are the“fundamentals” in the healthcare security department
  40. 40. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 40Selection & Recruitment
  41. 41. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 41Policy & Procedure
  42. 42. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 42Training & Education
  43. 43. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 43Technology – The Force MultiplierThe Reality and Messageof Technology . . . . .Technology should not providethe message of a less secureor safe environment. . . . . it should be the ForceMultiplier to support and helpWe used to look at security technology as different widgets, andthen went under a paradigm shift. Now we think about strategyfirst, then technology, which concentrates and simplifies thesearch for technology solutions.Mike Howard, Chief Security Officer, Microsoft
  44. 44. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 44Healthcare & Security –Patient Care is the # 1 PriorityRisk Based & Incident DrivenRelationships, Communication & CollaborationA Customer Service Organisation
  45. 45. Schneider Electric – Healthcare & Security…..Sweden, April, 2013 45Healthcare & Security –Tack.