Four leading healthcare security directors discuss issues impacting their facilities

Feb. 27, 2014
Mitigating risk, protecting staff and patients loom as top concerns for hospital security leaders

Few will dispute that hospitals and healthcare facilities face some of the most challenging security issues today. Security directors are working with ever decreasing budgets as threats continue to increase. Federal mandates and compliance pressures are forcing new alliances among physical and IT personnel with the end game of ensuring patient and staff privacy.

Never before has the healthcare industry encountered such daunting hurdles. But as four of the nation’s leading security directors point out, you just have to keep calm and carry on. Formulating successful risk mitigation strategies, being smart with technology purchases and establishing policy and procedures that provide for a cohesive working environment are all key elements to building a healthcare security roadmap that works.

Security Technology Executive editor-in-chief Steve Lasky talked with four influential healthcare industry security directors to get their take on some of the trends and key issues they see on the horizon.

  • Joseph V. Bellino, CHPA, is currently the Chief of Police/Director of Security, for the Greenville Health System, Greenville South Carolina. Prior to joining Greenville Health System he served as System Executive for Security and Law Enforcement Services for the Memorial Hermann Healthcare System in Houston Texas. He has been in healthcare leadership positions encompassing Safety, Security, and Emergency Management positions over the past twenty years. His professional memberships include, International Association for Healthcare Security and Safety, for which he has served in leadership positions at the Chapter level and served as Board Member and President of the IAHSS Board of Directors. Currently, he is serving as a board member of the IHSS Foundation.
  • Bruce Forman, CISO is for UMass Memorial Healthcare, Inc. He is responsible for the protection of electronic patient health information and overall IT security for one of the largest Healthcare providers in Massachusetts. Over the past four years, he has been instrumental in establishing security strategies and an effective IT control environment meeting HIPAA regulatory requirements. He also led the design of extensive IT controls across various processes (audit, application access, and network access). Prior to joining UMass Memorial, Foreman was the Director, Information Security for Genesis Healthcare Corporation.
  • Scott Jack, CPP is the Security Technologies Director for Baylor Scott & White Health. He is responsible for the design and development of the security technology systems and police dispatch for Baylor Scott & White Health. Baylor Scott & White Health is the largest not-for-profit healthcare system in Texas and is also one of the largest in the United States with 43 hospitals, more than 500 patient care sites, more than 6000 active physicians and 34,000 employees. He has been involved in the security field for more than 25 years. He is a member of the American Society of Industrial Security (ASIS International)
  • James A. Romagnoli is the Vice President and CSO of Protective Services at the North Shore-Long Island Jewish Health System (NSLIJHS). Under Romagnoli’s leadership, the Corporate Security, Public Safety & the Emergency Management Divisions are constantly striving to be an industry leader in the disciplines of Protective Services and Crisis Management. He leads these initiatives in education and research to elevate the quality and efficiency of these services in the NSLIJS.  His daily responsibilities include, but are not limited to, maintaining a regional situational awareness for the Health System and responding to and managing all Health System emergencies at any NSLIJHS facility.

STE: As a security professional in the healthcare sector, what keeps you up at night?

Bellino: “Did I do everything possible to ensure my staff’s success and safety while performing their security functions. Have I and my team done everything possible to identify our potential risks and have we put into place proper mitigation strategies.”

Foreman: “The most challenging issue in information security is in not knowing what you don’t know. After all, you can’t develop controls to cover your blind spots if you don’t know that the risks exist.”

Scott: “In the current heath care environment we are seeing mergers and re-alignments with many health care systems. As these new entities move forward together, the disparity of security technology systems requires constant assessment and adjustment. As we approach each new opportunity, we have to continually refine the desired end result. Reviewing varied processes and procedures and ensuring a uniform approach to risk assessment and security process management are the initiatives that are always on my mind.”

Romagnoli: “The safety of our employees, guests and visitors. The recent increase in serious workplace violence issues, specifically active shooter scenarios is of great concern. After 34 years in law enforcement and security I am hard pressed to explain this unfortunate phenomenon. With that being said, we have rolled out an employee education program which in part, explain to the employee what he or she needs to due in such an event. In addition we are piloting visitor control systems in our facilities so we have the opportunity to screen visitors.”

STE: What is your number one security and/or risk management issue you envision for 2014 and how to you plan to approach it?

Foreman: “Passwords still represent a weakness in the overall information infrastructure. Passwords can be guessed, cracked, or social engineered. Two-factor authentication represents potential risk mitigation, but many people find these solutions inconvenient. We are investigating alternative solutions to address this risk including risk based and location based authentication.”

Scott: “For the healthcare setting I believe that the number of workplace violence incidents will continue to rise. These increases can be attributed to many things, but I believe the primary causes are:

  • Improved incident reporting: Incidents of patient violence against staff may have gone unreported in the past. The rationale for the erroneous or omission of reporting past incidents includes that the violence was seen as a “part of the job”. The victim may have also felt embarrassed to report any incidents for fear that they would be perceived as not controlling their patient.
  • An increase in the number of Mental Health Mental Retardation (MHMR) patients being treated due to economic conditions, drug abuse, and the general aging of the overall population. Government programs that were handling many of the MHMR patients have had cost cutbacks or elimination of programs.  From 2009 to 2011 alone, cutbacks exceeded 4 billion dollars. These cutbacks oftentimes force the MHMR patient to utilize the Emergency Room as their primary care portal.
  • The past decades specialization of disease treatment methods fosters an environment of “silos” where the different hospital specialties and disciplines utilize a communication method or vernacular that is specific to their site (or even within their unit). This type of environment creates a communication gap that hinders the true reporting of incidents and hinders the processes needed to manage workplace violence. It is imperative that we reach out to these varied disciplines and ensure we are giving them the necessary environment and tools to address and report the issue. We have to make sure that staff is encouraged to report all incidents.

Our plans include better employee education addressed at the specific issues as they continue to evolve.  We have also modified our security risk assessments to address changing or new field conditions and to also take into account workplace violence. We continuously monitor our metrics reports to define and address any emerging crime trends and utilizing any available resources, conventional and non-conventional. Flexibility is the key here, to be proactive rather than reactive.

Romagnoli: “The safeguarding of patient and employee database information {is a big concern}. Hospitals and healthcare systems, by the nature of the business hold a tremendous amount of a person’s personal and financial information, as required by the government agencies that regulate this industry. Although we have a robust IT security team, and breaches are virtually nonexistent -- though attempts occur frequently, the safeguarding of hard copy data has become a focus of our security awareness and education programs. While we are steadily moving to an electronic health record, paper will never be totally eliminated. The theft of those hard copy files has been on the rise and we have been victimized through the theft of that data. Our investigative division has been quick to identify the perpetrators and we enjoy an excellent working relationship with law enforcement and prosecutors; however prevention, through eliminating opportunity is the key to protecting this data. Security awareness education is the key to reducing this exposure.

Bellino: “Workplace violence and active shooter situations {are our biggest concerns}. We are establishing active shooter policy and procedures, training, and then exercising the plan/procedure. I will use a similar approach that I used at my last employer. We will assemble a multidisciplinary team from across the health system. Together we will craft a policy and procedure over a set period of time with established milestones. The policy/procedure will then be presented to various stakeholders at the various campuses for review and comment. Implementation dates along with training of staff will commence with rollout of the Active Shooter-Extreme Workplace Violence Response plan. Finally, exercises will be completed under very stringent security and safety protocols. This process will take 18-24 months to fully implement.

STE: Considering recent shootings in big city emergency rooms, how do you prepare to meet the challenge of protecting staff and patients in an environment that is essentially open to all? 

Bellino: “Fortunately I have -- in addition to our security force -- a fully sworn police department that has already received Rapid Response Team training to respond to active shooter events. I have a distinct advantage in the fact that my law enforcement officers know the facility and its inherent dangers, i.e. medical gases, non-ambulatory patients, etc. We also deploy metal detection at our ER which also provides an additional measure of protection. Now, the task at hand is to refine existing policies and procedures, train staff, implement and exercise the plan.

Scott: “For sensitive areas such as the Emergency Department, we utilize compartmentalization and back of house (monitored or credentialed access) areas to control patient and visitor flow. We also conduct frequent security risk assessments. Several years ago, as part of our normal security risk assessment, we increased the workplace violence section of our survey to specifically address the work place violence issue.  We analyze environmental controls, patient access control, and patient and visitor flow. We have also developed specific training for aggressive management behavior. 

We have increased employee and staff training to recognize and manage possible aggressive behavior before it happens. Specifically, we give staff training focused on several core beliefs which are the bedrock of the program. Utilizing a combination of classroom lecture, video presentations and hands on active practice of defensive maneuvers, our course facilitators teach the students how to enhance their safety and the safety of those they serve.

These classes are open to all employees, physicians, students, volunteers, contractors and tenants. In the event that an incident does occur, we have also trained them on the correct methods to report the event.

Romagnoli: “As I stated in the first question, we do have to look at this in several ways. We have the active shooter scenario that is directed at the hospital or is related to a patient issue. We believe a hospital will see one of three types of active shooter scenarios:

  • A shooter enters to vent his anger at hospital staff because of what he/she perceives to have been poor treatment of a loved one that resulted in a poor outcome.
  • A mercy killing of a close relative, who is terminally ill, resulting likely in a murder/suicide within the hospital. Minimal threat to staff.
  • The disgruntled employee, who returns to vents his/her anger at management staff.

We then have the crime/shooting that spills into or continues in the hospital from the street, although not directed at the hospital in most cases; all of these scenarios need some level of threat avoidance and protection. Minimizing means of egress, locked entrances and focused or directed pedestrian traffic to controlled entrances and exits is an excellent way to minimize unauthorized persons from entering the facility. Historically in the New York area, most hospitals have limited arming of public safety or security staff. At our facilities we have a small number of personnel who are armed and have the ability to interrupt a shooting incident. Also having local law enforcement have a good understanding of a hospital layout, which can be very confusing, is vital to a rapid law enforcement response.

STE: How closely aligned are you with your organization's IT and network administrators, and have you teamed up to create an information security roadmap? If so, provide some of the basic highlights.

Foreman: “My position is within the IT organization and therefore information security is closely aligned with the information technology roadmap. One specific area where we support each other is regarding the need to apply patches to critical systems. My team plays a role in helping to raise the issue within IT management in order to provide needed downtime to address vulnerabilities.”

Bellino: “Here we have project managers assigned from both IT and Construction Services and we are very closely aligned. We have established electronic security standards and nothing is built without building in appropriate electronic security. Our IT staff is right there with us as our partner to ensure we are all on the same page providing what our internal customers need and expect. Do we have a roadmap? Yes, and we follow it daily to the right destination.

Romagnoli: “We are extremely closely aligned. We work with the Office of the Chief Information Officer’s (OCIO) Security Team virtually daily. We have algorithms in place for a variety of incidents identifying who may be the lead in a particular investigation, and the duties and responsibilities of our respective divisions in a particular investigation. In addition our voice over IP radio system, our selection of cameras and many physical security products is all done with guidance and in some cases project management from our CIO’s office.

Scott: “Our IT department assesses the physical security and security technologies needs on an enterprise level, and defines the infrastructure technologies to address those needs. Our department partners with our information services (IS) organization to implement solutions.  This partnership helps to ensure alignment of our department goals and objectives with enterprise IS technology standards through project governance, technology infrastructure, planning and implementation, and on-going IS technology support of our security technologies applications.

An example of this alignment can be seen in the design and implementation of our current enterprise security access control system.  By partnering with our IS project management, server, network, storage, database, and information security groups we were able to design and implement a system that provides the business continuity necessary to ensure that we are always able to provide for the safety of our patients, visitors and employees.

Note: Look for the extended version of this healthcare security roundtable-in-print at our website, www.securityinfowatch.com.