Hospital Security Roundtable

Sept. 26, 2004
A look at the trends in hospital security, with input from top healthcare security directors

Consultants suggest that, because so many hospitals are run by a purely budget-driven administration, a proposal for high-tech security implementations is faced by a single question: "How many jobs can I cut from security to pay for this?" Perhaps the answer to this myopic approach lies in educating the administration on the benefits of combining the power of manned security with electronic security measures.

We asked several industry experts to comment on the hospital security issues for 2002. The respondents are: Carl H. Magovero, CHPA, director of security services for Cook Children's Health Care System, Ft. Worth, Tex.; Bill Farnsworth, CHPA, director of safety and security at St. Vincent's Health System, Jacksonville, Fla; Anthony N. Potter, CHPA, CPP, CST, FAAFS, member at large of the International Association for Healthcare Security & Safety and president of Anthony Potter and Associates Inc. healthcare security and safety consultants; and Lee Matthews, Interim Executive Director at IAHSS and former security manager at Loyola Medical Center in Maywood, Ill. These four experts make a strong case for layered hospital security in the coming year and beyond.

ST&D: What do you see as the most significant changes in hospital security issues for 2002?

Farnsworth: I see the reaction to, and preparation for, weapons of mass destruction in the wake of terrorist activities, and bringing the HIPAA regulations on-line.

Mogavero: The September 11 terrorist attacks and the anthrax scares have changed the focus for many hospitals from an open-campus philosophy to one that is more guarded. Doors once used for entry and exit have been locked. I don't remember a time in my experience, until recently, when we did drills to see how quickly we could lock down the campus to keep people in and out of our buildings.

Potter: Demand for additional security in response to September 11 will be more than offset by continued cost-containment efforts in response to reductions in reimbursements from Medicare, Medicaid and insurance carriers. Security needs will continue to expand, but there will be fewer resources (FTEs and capital expenditures for equipment) to meet them.
The security director that identifies and provides value-added services (safety, fire prevention, haz-mat, parking, telecommunications, etc.) and reduces operating costs will be perceived as a valuable asset by top management. Others will see their budgets cut and even their positions eliminated.

Matthews: After September 11, healthcare security practitioners faced preparation for emergencies that were rarely considered in the past. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has required healthcare practitioners to have bomb threat plans in place for some time. The new challenge is integrating bio-chem devices into the plan. Revising emergency plans and adding decontamination and perimeter security are occupying a lot of time and energy. Security systems improvements such as instituting the use of card access and the hardening of access points to more completely prohibit unauthorized access may have to wait until federal dollars for homeland defense trickle down. Integration and drilling with municipal authorities is a key factor these days.

ST&D: How do you create an atmosphere that is comfortable and non-threatening while still maintaining an appropriate level of security?

Farnsworth: While it is perfectly possible to provide the strictest level of security to any given hospital, it is highly debatable whether that hospital will have any customers under those strict conditions. It is extremely easy to provide very high levels of security that are well disguised. Security officers in blazers and ties; locked and monitored doors controlled by pleasant, polite and intelligent care givers; and security officers disguised as Patient Advocates in emergency rooms are just a few examples of heightened security with a comfortable look and feel.

Mogavero: Many times the officer is the first person a visitor sees when entering the hospital. A smile and a greeting from the officer help to create such an atmosphere. Officers are trained to stop and say hello to employees and staff during the course of their shifts.

Potter: Security should not be threatening except to potential criminals. In today's society, people generally feel more comfortable when security is present, but this presence must be professional in appearance and courteous in demeanor.

Matthews: The human component in the security program continues to be important. People's interactions with properly selected and trained security staff is critical. Technology plays a role by freeing security staff to do the "high-touch" aspects of their job. An example is using technology to remotely lock and unlock perimeter doors on a programmed schedule, which frees up an officer from having to walk around the facilities to do the same task.

ST&D: How can a hospital best protect the nursery area?

Farnsworth: Hospitals use many methods, including key access, card access, remotely viewed and released access, banding systems to prevent unauthorized departure and some still have no physical controls, relying instead on staff awareness.
One successful hospital physically locks the area 24/7, with an auto-release in case of fire. Staff uses a swipe badge, while visitors and patients must activate an intercom and provide ID to staff via CCTV. Patient pre-admission training identifies policies, demonstrates unit-specific staff ID badges and compiles a visitation list. Only Labor & Delivery staff (and assigned support personnel including housekeeping and clergy) have a unique addition to their ID badges.

Potter: Nurseries are best protected by a combination of integrated technology (infant abduction prevention system, access controls, CCTV surveillance) and staff training. A trained, alert staff will always provide the best protection, but with today's staff cutbacks and high turnover this is hard to achieve and maintain.

Matthews: Some practitioners may speak about their protection measures by describing the technology they employ. Technology is only an enhancement and can be defeated. Having a plan, hiring the right people, training and drilling them to demonstrate competency and to test and perfect the response plan is what is needed. Technology is ideal for documenting who comes and goes (CCTV), alerting staff of suspicious activity (alarms) and routing persons to appropriate areas (access control).

ST&D: What are the most important elements of a Security Awareness Program?

1) Ingraining into all staff that security is everyone's responsibility.
2) Forcing staff to take responsibility for access control in their work areas 24/7.
3) Annual (more frequently as needed) risk assessments of the entire facility and surrounding area utilizing real-world data and trending results.
4) Maintaining staff awareness through newsletters, crime bulletins, security training topics or presentations at department meetings.

Mogavero: All employees, including administration and department leadership, must buy into the program. Reminders of the program must be sent out on a regular basis, and random testing needs to be done to determine if employees are familiar with the program.

Potter: Training every staff member (including physicians and students) to be security's eyes and ears, and to report anything and everything that represents a potential threat to the institution.

Matthews: Knowledge is power. Sharing what the environment is, what people should watch for and how to interface with the security staff effectively is key. Demonstrating to patients and staff how the security program has planned to prevent or interdict threats lets them know that they are valued.

ST&D: What do hospital visitor policies consist of and what should they consist of?

Farnsworth: That depends on what the individual hospital accepts as a level of risk. The risk acceptance involves the risk assessment-understanding the neighborhood (including hospital grounds) and the dynamics of crime within the neighborhood. There are situations in which visitors are completely controlled-each person granted access is identified, logged, tagged and possibly even escorted to and from his or her authorized visitation area. In other situations, visitors are never challenged, controlled or restricted in any way. Most hospitals fall somewhere between those two extremes.

Mogavero: Relatives who will be spending the night are issued a color-coded wristband corresponding to the patient's area. Anyone found in the hospital after visiting hours without a band is escorted back to the floor or out of the building.

Potter: Most hospitals are still open campuses except at night. Since September 11, some have returned to the old visitor badging systems, but they are very manpower intensive. Some type of visitor badge should be required in all patient and non-public areas. However, often the more chronic problem is getting the staff (especially physicians) to wear their photo-ID badges. There is always a great effort to ensure 100 percent compliance during a JCAHO survey, but it rapidly tapers off afterwards.

Matthews: JCAHO requires that an institution have a method to identify patients, visitors and staff. The degree of complexity that a hospital elects to use should be driven by the risk assessment they conduct.

ST&D: Should visitor badges be day specific, or even unit specific?

Farnsworth: I have surveyed hospitals that have nothing specific on their badges and others that have such specificity that there are X number of visitor badges for an individual room or rooms. There are badges that are designated for a specific unit-such as my own unit-specific Women's Services badges-which assure that the infant is only handled by a member of the L & D staff. Some badges have specific spaces for recording the patient's name and room number, the visitor's name, with a specific date, color-coding or an invisible ink that displays after a certain period of time.

Mogavero: I personally prefer the day-specific visitor badges that expire after 24 hours.

Potter: Yes, if possible. Temporary badges that fade after 24 hours are very effective.

Matthews: Elements that will greater protect the integrity of the pass system are welcomed. Color coding for the day of the week or using self-canceling print devices can discourage the wrongdoer from trying to use an old pass to get in. Like the ID, if the pass is set up so that the visitor can not only open doors but can obtain a cafeteria or parking discount, that will make the pass of value to the visitor.

ST&D: What do you see as the most important aspects of hospital security? Please discuss what measures hospitals can and should take for any of these areas.

Farnsworth: The JCAHO requires each facility to conduct an annual risk assessment. As a result of the assessment, each facility must designate their high-risk areas. Normally this designation is placed upon the L & D, Pharmacy and ED areas, although I have seen almost every single hospital area so designated. I normally recommend that hospitals keep this designation to as few areas as possible because JCAHO also mandates that each area so designated receive specialized security training for staff, both upon hire and annually thereafter. In surveys, I have also seen medical records, information systems, and even grounds listed as high-risk areas.

Mogavero: For any area that needs security, the hospital should provide a high level of continuous training and good equipment, a visible presence of the officers on campus, quick response time when there is a problem and a pro-active approach to security. We use an access control system with proximity readers on entrances to the hospital. We have an extensive CCTV system with many cameras, being auto domes or PTZ.

Potter: Parking lot security is the location of the greatest potential liability. Adequate lighting and high-visibility patrols (a bike patrol is ideal) are essential. Offering escorts for patients, visitors and staff, especially at night, is great PR and even greater security.
The Emergency Department should have a 24-hour security presence. Well-trained and properly equipped security officers are less expensive than off-duty police officers and can do a much better job keeping order in a healthcare environment. Every treatment room should have an alarm button to summon security, and officers must be trained in effective response procedures.
Administration and HR have been targets for workplace violence by angry patients and disgruntled employees. Both should have some type of access control, CCTV coverage and duress alarms.

Matthews: The risk to sensitive areas must be addressed as part of the facility's security plan. Silent duress alarms and emergency phones are key elements in areas such as parking, HR, the ED or cashiers. Intrusion alarms in the pharmacy and on high-value or limited-availability items are a standard. An area sometimes missed is a safe within an office. Adding a door contact to a safe will monitor that it is closed properly and indicate when it is opened.
Recorded CCTV can be a valuable tool in deterring wrongdoing and providing video documentation. It provides the control center security officer multiple windows from which he or she can watch the environment and direct others to assist persons or correct a problem. The proper employment of technology also requires a detailed plan for preventative maintenance, integrity inspection, and timely replacement as new technology emerges and equipment ages.

Joanne Harris is a published writer and photographer for such magazines as Security, Technology & Design, Control Engineering, PC104 Embedded Solutions, Florida Living and Better Homes & Gardens. She has more than eight years' experience in marketing, PR and advertising for the aerospace, security, industrial automation and telecommunications industries. She can be reached at [email protected].