The challenge of ensuring secure clinics and hospitals for patients and staff
Danie Schoeman
17 September 2015
What’s your emergency?
Critical issues for hospitals and medical centres
• Workplace violence
• Budget/funding
• Technology integration and management
• Active shooter
• Staffing and training
• Patient behavioural health and violence
• Asset protection/theft
Source: ASIS, The 2014 Security 500 Sector Reports
Top security concerns
Source: Guardian 8 Survey
  Patient safety                                 57%
  Office safety                                  56%
  Disruptions to patient care                    24%
  Legal fees/repercussions                       19%
  Administrators' understanding of regulations   17%
  Lack of accountability/documentat…             16%
  High incidence of fatalities                   12%
  Employee retention                             10%
  OSHA fines                                      8%
Increasing crime and violence
Source: Health Facilities Management/ASHE 2012 Hospital Security Survey
Change in frequency of incidents (percentage of respondents reporting an increase, about the same, or a decrease):

  Incident type                                                 Increase  About the same  Decrease
  Patient/family violence against staff in ED                        33%             60%        7%
  Patient/family violence against staff in hospital, excl. ED        26%             68%        6%
  Attacks/assaults                                                   25%             68%        7%
  Property damage/vandalism                                          21%             68%       11%
  Auto thefts/car break-ins                                          18%             64%       18%
  Elopements/patient wandering                                       17%             75%        8%
  Other thefts (minor - $500 or less/item)                           17%             70%       13%
  Domestic incidents involving employees                             12%             77%       11%
  IT equipment thefts                                                11%             75%       14%
  Pharmaceutical and supply thefts                                   10%             74%       16%
  Patient care equipment thefts                                       9%             78%       13%
  Other thefts (major - more than $500/item)                          8%             77%       15%
  Staff-on-staff violence                                             3%             79%       18%
  Bomb threats                                                        3%             74%       23%
  Shootings in ED                                                     1%             78%       21%
  Shootings in hospital and on grounds, excl. ED                      1%             78%       21%
  Infant abduction - attempted                                        0%             80%       20%
  Infant abduction - actual                                           0%             79%       21%
A unique balancing act
A paradox
• Patients
• Employees
• Visitors
• Vendors
• Infant units
• Paediatric units
• Pharmacy
• Psychiatric units
A fine balance: privacy vs security
Challenges
Patient safety
• Patient elopement, especially high-risk patients
• Patients need access to reliable emergency call systems
• Paediatric patients need to be protected from abduction and patient flight
• Patients who may be a danger to themselves or others
Infant protection
• Potential infant abduction
• Infant care outside the mother’s room
• Mother/infant mismatching
Patient information security
Source: Verizon 2015 Data Breach Investigations Report
Almost all cyber attacks can be classified by nine patterns (share per pattern as charted on the slide):
  Point of sale intrusions        28,5%
  Crimeware                       18,8%
  Cyber espionage                 18,0%
  Insider and privilege misuse    10,6%
  Web app attacks                  9,4%
  Miscellaneous errors             8,1%
  Physical theft and loss          3,3%
  Payment card skimmers            3,1%
  Denial of service attacks        0,1%
Typical cyber attack incidents for healthcare
Source: Verizon 2015 Data Breach Investigations Report
On average, 76% of the incidents in an industry can be described by just three of the nine patterns. For healthcare those three are: Miscellaneous errors 32%, Insider misuse 26%, Physical theft / loss 16%.

PHYSICAL THEFT / LOSS: Any incident where an information asset went missing, whether through misplacement or malice.

INSIDER AND PRIVILEGE MISUSE: This is mainly insider misuse, but outsiders (due to collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.

MISCELLANEOUS ERRORS: Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead.
Cyber attacks are physical
Source: Verizon 2014 & 2015 Data Breach Investigations Reports
Three figures are charted on the slide (85%, 49% and 55%): the share of insider and privilege misuse attacks that used the corporate LAN, the share of theft / loss that happened at work, and the share of miscellaneous errors that involved printed documents.
Look inside your company
Source: PWC Global State of Information Security Survey 2015
Chart: likely sources of incidents (percentage of respondents, axis 0% to 40%; series: all industries in all regions vs healthcare). Categories: current employees; former employees; current service providers / consultants / contractors; former service providers / consultants / contractors; suppliers / business partners; hackers; organised crime; activists / activist organisations / hacktivists; competitors; foreign nation-states; domestic intelligence service; unknown. Bar values are not recoverable from the slide text.
Screening and vetting is business critical
Source: PWC Global State of Information Security Survey 2015
Chart: security safeguards in place (percentage of respondents, axis 0% to 80%; series: all industries in all regions vs healthcare). Safeguards: conduct personnel background checks; require 3rd parties to comply with our privacy policies; employee security awareness training programme; privileged user access; secure access-control measures; accurate inventory of where personal data for employees and customers are collected, transmitted…; employee Chief Information Security Officer in charge of security; information security strategy that is aligned to the specific needs of the business. Bar values are not recoverable from the slide text.
Staff safety
• Workplace violence
• Even though you know that workplace violence occurs more frequently in certain departments—including ED, mental health, geriatrics, and substance abuse—it’s very difficult to predict and prevent staff duress
• Staff duress during emergency situations
• High turnover and low morale in certain departments, particularly the ED, due to frequent staff duress
• Staff members get injured; injury claims push up costs, and overtime is needed to cover absent caregivers’ shifts
Workplace violence
Source: Susan Steinman; Workplace Violence in the Health Sector; Country Case Study: South Africa (ILO, ICN, WHO, PSI)
Occurrences chart (number of different types of violence experienced per respondent): one type 30%, two types 18%, three types 10%, four types 4%, five types 1%.
Perpetrators chart: segments of 27%, 15%, 31%, 14%, 4%, 4% and 4%; the segment labels are not recoverable from the slide text.
Pharmacy inventory management
• Little or no inventory visibility, causing overstocking to compensate
• Increased risk to patient safety due to product expiration or unavailability
• Inefficient manual processes
• Complex payment structures and regulations
• Data disconnection between inventory costs and procedural measures
8 to 10% of items expire annually in procedure rooms and as much as 15% of critical assets are lost (Stanley Healthcare)
Healthcare asset tracking and management
• Productivity losses due to manual processes to manage capital and rental equipment
• “Squirrel stores” due to equipment availability
• Having a hard time locating needed equipment, health systems end up purchasing or renting more than they actually need
• Patient dissatisfaction due to waiting for equipment when staff have difficulty locating it
40% of nurses report spending up to one hour per shift searching for equipment (Stanley Healthcare)
Solutions
Top hospital security systems being implemented
Source: Health Facilities Management/ASHE 2012 Hospital Security Survey
Percentage of respondents that have already implemented each system, and that plan to implement it in the next 24 months:

  System                                                       Already implemented  Plan to implement in next 24 months
  Electronic access control                                                    88%                                   8%
  Digital IP-video surveillance system                                         71%                                  19%
  Mass notification system for emergency preparedness                          69%                                  18%
  Vendor management system                                                     76%                                  10%
  Integrated security system                                                   67%                                  14%
  Wired panic alarm systems                                                    72%                                   7%
  Electronic lockdown from a central location                                  52%                                  17%
  Visitor management system                                                    41%                                  21%
  Patient elopement system                                                     50%                                  10%
  RFID for tracking equipment, supplies, medications,…                         25%                                  26%
  Wireless panic alarm system                                                  38%                                  11%
  Physical security information management (PSIM)                             27%                                  14%
  Video analytics capabilities                                                 18%                                  13%
  Biometrics                                                                   20%                                   7%
  Wireless RFID clinician badges with panic alert buttons                      12%                                  14%
  Outsourced remote video surveillance and monitoring                          16%                                   4%
  Metal detectors                                                              14%                                   6%
  Man traps                                                                    12%                                   5%
Conduct a Hospital Security Assessment
• Analyses existing
  • Protocols,
  • Policies, and
  • Procedures
• Evaluates physical security
  • Vulnerabilities, and
  • Threats
Develop a Hospital Security Management Plan
• Develop and implement protocols, policies, and procedures
• Hazard surveillance programme
• Identify trends from monitored data
• Maintain, evaluate and improve the system
• Ensure regulatory compliance
• Employ a reputable security organisation
Is there a doctor in the house?
Real-time locating system (RTLS)
• Patient management
• Patient flow
• Safety
• Asset management
• Inventory management
• Environmental monitoring
Beyond basic security technology
• Enhance with video analytics
• Integrate intrusion detection, access control, and video surveillance
• Add RTLS
• Environmental monitoring
• Asset management
• Enterprise systems integration
A single integrated system
Outsource non-core services
• Cleaning
• Maintenance
• Catering
• Fleet management
• Stores management
• Document storage
The payoff
Benefits to you
• Reduction in operational costs such as administration and maintenance
• Lower capital expenditure due to the flexibility of a single integrated system to accommodate add-on security components
• A single system also keeps training costs lower
• Decreased losses and lower associated operational costs
• Improved business continuity via a more robust, resilient, and responsive operation
• Greater end-to-end transparency for improved process management and efficiency
• An independent study showed that for a single integrated system:
  • 24% saving in installation cost for a 13,500 m² building
  • 33% reduction in training
  • 82% reduction in IT administration
  • 32% reduction in cost of changes, upgrades and additions
Source: Strategic ICT Consulting, Teng & Associates
Thank you
