Using this methodology, healthcare administrators are provided with a short list of the "most likely" worst-case scenarios, taking into account the local threats, vulnerability and critical assets. Using a scenario based methodology for identifying risk, limited security resources can be surgically applied to the areas of greatest need. For example, in a recent risk assessment conducted by my company, Business Protection Specialists, one loss event scenario was identified and projected to occur within the next five years. It only took five months for the employee assault that was predicted to occur. While tragic, the incident lent credibility to the process and the mitigating recommendations that had been made.
Development of a Department Security Plan
The next critical step in an effective security program is to develop a security plan. For Joint Commission Accredited Healthcare Organization (JCAHO - see http://www.jcaho.org/index.htm) certified facilities, the pharmacy is likely to be considered a security sensitive area. A security sensitive area is one that is considered to have a higher risk of a serious security incident. As such, it will require a security plan that encompasses three basic elements: an access control plan, employee education and emergency response procedures.
Access Control Program
Implementation of an effective access control program involves two elements.
The first element is the processes and procedures to ensure that the department manager responsible for the pharmacy approves all persons gaining access to the pharmacy. Where organizations are controlling access with keys, this means nobody gets a key without the approval of the pharmacy director. For companies using automated card access, pharmacy directors would have to approve all persons who would get access privileges to the pharmacy.
The second element includes physical barriers to ensure that only personnel who have been approved by the department manager are able to access the pharmacy. In some cases access control is achieved with technology, in others it is achieved with mechanical locks. Service openings should be protected to reduce the risk of an assault on an employee by someone being able to reach in or jump over the counter and gain access to the area. Bullet resistant glazing on service windows may even be prudent in high-crime environments.
Employee Education and Awareness
Educational programs should ensure the attending employees are made aware of the relevant security threats to them personally and to the organizational well being, and they should know of the security measures and precautions that are implemented for security behaviors that constitute security risks and how to react in likely emergency situations. In robberies, it is especially crucial to ensure employees know not to resist and know to make careful observations of the robber's appearance for the police. In my experience, untrained employees may represent the single largest vulnerability in an organization. Untrained employees may not understand the reason for security measures and either circumvent them for convenience or ignore them completely, leaving personnel and assets exposed. Employee education should be approached from different angles. New hires should receive a briefing and all other employees should be periodically reminded about security threats, their role in the security program and the consequences if the security program fails.
To counter the risks posed by the insider threat, it is important to have an effective pre-employment background-checking program. No security program can be effective without some degree of trust in personnel who work for an organization. The mission of the background-checking program is to ensure persons who are in positions of trust are trustworthy. CFR 21 1310.90 governs employee-screening procedures and has been posted on the securingpeople.com website at http://www.securingpeople.com/download/pdfs/21cfr1301.90.pdf for downloading in a PDF form.