Preventing Prescription Drug Thefts from Pharmacies

Nov. 9, 2004
A look at recent crimes and what every pharmacy security director should think about when planning security, access and response plans for their pharmacies

Pharmacies present a unique challenge in the healthcare setting due to the attractive nature of the goods and cash associated with their operation. There have been an increasing number of attacks on pharmacies, especially targeting such drugs as OxyContin, a narcotic painkiller that is in increasingly high demand on the street. In fact, OxyContin targeted armed robberies are rising at an alarming rate. The following robbery figures were presented to the Senate by leading pharmacy retailer CVS in 2002 from data of its stores:

1998: Total robberies - 7, Armed robberies - 1
1999: Total robberies - 27, Armed robberies - 5
2000: Total robberies - 25, Armed robberies - 2
2001: Total robberies - 105, Armed robberies - 87
2002, From Jan. 1, to Feb. 7: Total robberies - 13, Armed robberies - 13 (100 percent of total

The state of Massachusetts has the highest number of armed robberies of OxyContin in the nation, with 79 in just the first four months of 2004, according to public safety officials. In addition to Massachusetts, OxyContin armed robberies have already been reported in Maine, Virginia, West Virginia, Kentucky, Alabama, New Hampshire, Vermont, Florida, Indiana and Rhode Island. In one Boston pharmacy the threat of robbery and burglary is so significant that employees of pharmacies are informed to tell callers they do not carry the drug. Other pharmacies post signs on the front of their buildings indicating that OxyContin is not carried. To defend against these and other threats, pharmacy managers and owners must take the appropriate steps to safeguard employees and assets. This article addresses the threats to pharmacy security and the risks that result from operating with vulnerabilities, and looks at sound security principles to consider when determining how to secure your pharmacy.

The Threats Posed to Pharmacy Operations

To have an effective security program, it is essential to understand the threats that pose a risk to personnel and assets. For pharmacies, there are a number of relevant threats that originate from both internal and external sources. In hospitals, employees working for other departments such as nursing, maintenance, janitorial or security can cause losses by virtue of their access to the pharmacy, and nurses involved in drug diversion can create a risk to patient safety. Employees such as pharmacists, technicians and clerks working inside the pharmacy pose a similar risk to assets due to their uncontrolled access. For example, a pharmacy technician was arrested on Oct. 8 of this year after authorities say she stole more than a thousand hydrocodone pills, a stash worth several hundred dollars, from a Walgreens in Hernando, Fla.

Criminals financially motivated may engage in burglary to acquire drugs such as OxyContin or even flu vaccinations that have a significant street value. In a recent case, burglars stole powerful painkillers and anti-depressants from four pharmacies in Luzerne County, Penn. Police said the burglars knew what they wanted and how to get it. In one pharmacy the owner told reporters that, "The burglars disarmed the alarm system, pried open the door, then headed straight for the pills." The disarming of the alarm system was likely achieved by simply cutting the phone line. If phone lines are vulnerable to tampering as they enter a facility, a cellular back up system should be considered if there is an elevated burglary risk.

In another burglary, this time in Lincoln, Nebraska, burglars broke out a back-door window to get into the store. The building alarm went off, but police said the crooks apparently knew exactly what they were after, and were gone before police could respond. The theft netted over 700 tablets of OxyContin.

To properly address the burglary threat, there is a simple formula for achieving a successful physical security program. The time it takes to commit the crime must be greater than the time it takes the intrusion to be detected and assessed, and response forces (i.e. police) to be deployed and the adversary neutralized. The program at the Lincoln store was not effective, but a very common deficiency in pharmacy security programs. The use of an additional barrier such as a vault would likely have provided a sufficient delay for the criminal from reaching the target, and it might have tipped the scales back in the favor of the "good guys" and permitted police response to effectively intercept the criminals.

And then there are the armed robberies, which are more serious and can result in serious employee injury or death. Police in New Kensington, Penn., recently investigated an armed robbery at a pharmacy on a Sunday afternoon. According to police, the suspect entered the store and went to the pharmacy counter and at gunpoint ordered the pharmacist to give him all of the OxyContin. In another pharmacy incident early last month, an armed robber made off with thousands of dollars worth of OxyContin after a pharmacy heist where he simply pointed a shotgun at a clerk and demanded drugs.

While there are differing opinions on the value of panic alarms that can transmit a silent call to police in the event of an interior robbery, when properly installed, they have been effective in some instances. If you go this route, train your employees to only activate a panic alarm if it is safe to do so. Panic alarms should always be armed and there should never be any local audible activation after the panic alarm is sounded. Designers and installers must be cognizant of UL Standard 636, if panic alarms are used. Essentially this standard requires the appropriate devices, installation and monitoring of panic alarm devices. See http://ulstandardsinfonet.ul.com/scopes/0636.html. The full standard can be purchased from underwriter's laboratories.

Planning for Effective Security

Comprehensive security risk analyses are sometimes overlooked in the healthcare industry. A security risk analysis is the industry-accepted practice to determine the effort and energy required of one's security program to mitigate security risks to an acceptable level. A component of a risk analysis is a threat assessment. In a threat assessment it is critical to quantify the general threats to determine the probability that an adversary (internal or external, armed or unarmed) may be a concern to the healthcare setting under study. The risk analysis should result in a carefully defined set of security measures that mitigate the risks posed by the adversaries present in the local environment. Clearly, the criminal threat of burglary and robbery is more prevalent in certain locations, therefore it is important to conduct a study that looks at the local conditions to determine how likely the incident is to occur at the facility under study. The general steps for an effective risk assessment include:

* Identifying critical assets
* Conducting the threat assessment
* Examining safeguards and vulnerabilities
* Assessing the effectiveness of the current security program
* Developing loss event scenarios
* Developing mitigating recommendations
* Conducting a cost benefit analysis for implementation

Using this methodology, healthcare administrators are provided with a short list of the "most likely" worst-case scenarios, taking into account the local threats, vulnerability and critical assets. Using a scenario based methodology for identifying risk, limited security resources can be surgically applied to the areas of greatest need. For example, in a recent risk assessment conducted by my company, Business Protection Specialists, one loss event scenario was identified and projected to occur within the next five years. It only took five months for the employee assault that was predicted to occur. While tragic, the incident lent credibility to the process and the mitigating recommendations that had been made.

Development of a Department Security Plan

The next critical step in an effective security program is to develop a security plan. For Joint Commission Accredited Healthcare Organization (JCAHO - see http://www.jcaho.org/index.htm) certified facilities, the pharmacy is likely to be considered a security sensitive area. A security sensitive area is one that is considered to have a higher risk of a serious security incident. As such, it will require a security plan that encompasses three basic elements: an access control plan, employee education and emergency response procedures.

Access Control Program

Implementation of an effective access control program involves two elements.

The first element is the processes and procedures to ensure that the department manager responsible for the pharmacy approves all persons gaining access to the pharmacy. Where organizations are controlling access with keys, this means nobody gets a key without the approval of the pharmacy director. For companies using automated card access, pharmacy directors would have to approve all persons who would get access privileges to the pharmacy.

The second element includes physical barriers to ensure that only personnel who have been approved by the department manager are able to access the pharmacy. In some cases access control is achieved with technology, in others it is achieved with mechanical locks. Service openings should be protected to reduce the risk of an assault on an employee by someone being able to reach in or jump over the counter and gain access to the area. Bullet resistant glazing on service windows may even be prudent in high-crime environments.

Employee Education and Awareness

Educational programs should ensure the attending employees are made aware of the relevant security threats to them personally and to the organizational well being, and they should know of the security measures and precautions that are implemented for security behaviors that constitute security risks and how to react in likely emergency situations. In robberies, it is especially crucial to ensure employees know not to resist and know to make careful observations of the robber's appearance for the police. In my experience, untrained employees may represent the single largest vulnerability in an organization. Untrained employees may not understand the reason for security measures and either circumvent them for convenience or ignore them completely, leaving personnel and assets exposed. Employee education should be approached from different angles. New hires should receive a briefing and all other employees should be periodically reminded about security threats, their role in the security program and the consequences if the security program fails.

Background Checks

To counter the risks posed by the insider threat, it is important to have an effective pre-employment background-checking program. No security program can be effective without some degree of trust in personnel who work for an organization. The mission of the background-checking program is to ensure persons who are in positions of trust are trustworthy. CFR 21 1310.90 governs employee-screening procedures and has been posted on the securingpeople.com website at http://www.securingpeople.com/download/pdfs/21cfr1301.90.pdf for downloading in a PDF form.

CCTV cameras

In higher crime areas, it may be necessary to install a CCTV camera outside the employee entrance to ensure employees can view the outside area to ensure there is nobody waiting outside the door as employees exit the secured area. CCTV cameras have value for investigators piecing together evidence of a crime, but they often do little to prevent an incident from occurring. Their use should be judicious and employed with a clear purpose.

Quality Assurance

Whenever security technology is employed in a protection program, there must be a maintenance and testing program as well. This program is designed to ensure that deficiencies in the technology are detected prior to failure in an actual security emergency. Discovered deficiencies should be corrected as soon as possible and in some cases, supported by alternative countermeasures during downtime.

While this article can't cover every angle for protecting your pharmacy, it should at least get you thinking about the "what if" aspects of pharmacy security. Judging by the daily news reports of pharmacy break-ins, internal thefts and armed robberies, these scenarios are not unlikely for your business. Before a professional criminal who traffics in prescribed drugs makes a late-night attempt at your pharmacy's repository, or before an addicted criminal points a gun in the face of your employees, take the time now to assess your prevention and response plans as they relate to your local threat level. In the face of a wave of violent, pharmacy-directed robberies, it could mean the difference between a stifled theft and one that could mean fear, property loss and potential injury or loss of life.

About the author: Frank Pisciotta is president of Business Protection Specialists, a security consulting firm located in upstate New York. The former chief of security for Alfred University, Pisciotta is a member of ASIS and IAPSC, holds the CPP designation, and has experience as a director and trainer for the Bureau of Municipal Police, New York State Security Guard Training School, and has provided assessments and security system designs for many top companies. He can be reached by email at [email protected] or by web at www.securingpeople.com.