Using risk-based security to stem the tide of violence in hospitals

May 22, 2014
Changes in the healthcare environment demand a more proactive security program

Hospital and healthcare security is experiencing a major increase in violence, instigated by patients, patient families and even healthcare staff. 

Just last year, there was an active shooter incident in Reno, Nev., in which two physicians were shot, and in Houma, La., a hospital administrator was shot to death by a terminated nurse. As recently as Easter Sunday in California, two nurses were stabbed at the hospitals where they worked. One was stabbed in both the upper and lower torso and is in critical condition. These two incidents add to the more than 100 violent incidents in 2013 and the first half of 2014.

Since 2010, violence in healthcare has skyrocketed. As a result, the Joint Commission has issued a "Sentinel Event Alert" on the issue and contributed to numerous articles on shootings in U.S. hospitals. The Department of Homeland Security and a consortium of state and local hospitals recently released a standard for active shooters in healthcare. These all point to the conclusion that the current law enforcement-based hospital security model is not working.

The changes in healthcare, including the increase in insured Medicaid patients and increased traffic to emergency departments, highlights the fact that very well-intentioned people are working with an outdated security model that hasn’t evolved to address a changing healthcare environment. The change in billing and reimbursements for healthcare organizations, such as tracking of readmission rates, has squeezed hospital profits causing reductions in funding in many security departments at a time when violent events are steadily increasing.

A new risk-based model for hospital security is emerging that is less linear and more cyclical.  It uses technology to a greater extent, employs forecasting and statistical models to predict the likelihood of future incidents, and is proactive instead of reactive, focusing money and energy on preventing events instead of simply responding to them. This model also uses risk assessment formulas to quickly assess the current security profile of a hospital, clinic, hospice, or behavioral health facility, factoring in heightened threat-risk environment, not only for the facility in question, but also adding in the wealth of healthcare data that’s now available.

A major focus of this model is the continual assessment and evaluation of preventive security controls, which are reviewed quarterly, semi-annually, or annually to discover gaps in controls, and to fix gaps as soon as they are identified. This dovetails nicely into the assessment models already required by the Joint Commission, OSHA and new CMS standards.

Looking at recent high-profile security events that took in place in hospitals shows that incidents happen because of exploited gaps in the existing security of the healthcare facility. In the past, security officers successfully worked hard to reduce response time so that often officers could arrive in under two minutes, but it’s still too long.  In the Reno shooting, response time was under two minutes, but that was long enough to kill two doctors.

Focusing on prevention makes sense for healthcare, much in the way the Joint Commission focuses on patient safety, by continually assessing controls, reducing discovered gaps in controls, and mitigating gaps by reassessing and tightening security, which creates a cycle of continual improvement in the healthcare security environment.

The healthcare risk-based security model takes advantage of technology. Instead of waiting for manual recording of security incidents every day, software programs allow hospital security officers to enter data at the end of each shift, and that means security directors can map what’s happening in the hospital or facility on a daily, weekly, monthly and yearly basis.  This can go a long way to identifying trends early and help facilities make appropriate changes in controls so that negative trends can be reversed quickly and both patient and staff security is increased.

In addition to automating incident collection and analysis, the healthcare security risk assessments must be automated too.  Risk assessments are too time-consuming and labor intensive to be done manually.  By the time the risk assessment is over, the environment has changed again.  By automating the risk assessments, including environment of care and hazard vulnerability, it produces data that can be used instantly to analyze and recommend the most cost-effective controls, and rank them by their return-on-investment (ROI).

The role of security in hospital and healthcare organizations is changing too. Security organizations should no longer be isolated without intensive interaction with others in the organization, including the human resources department, the facilities managers, safety managers, and the emergency management staff.

With DHS issuing new guidelines for active shooters in healthcare, hospital emergency managers are now required to prepare for active shooter incidents, as well as storms, hurricanes, tornadoes, power interruptions and other events related to natural or man-made disasters.  This creates a natural partnership between the emergency management staff and the security program, because the skills of both functions are needed to properly prepare an organization for any disaster.

Instead of existing in a vacuum, healthcare security directors and managers should cheer at this development because it expands the importance of security inside the hospital or healthcare facility, and underscores its value in protecting the organizational assets -  the physical facility, patients, visitors and staff -  to proprietary information, including the HIPAA mandated PHI (Protected Health Information), vehicles, security systems, high-value healthcare equipment and the healthcare provider’s reputation.

Security budgets have always suffered because security costs are seen as operating expenses, not an income source, but by tying the security expenses more closely to loss prevention and protection of the organization, it creates a cost justification for hospital and healthcare security.

A risk-based security model also links security to myriad compliance standards that affect healthcare and this also supports and justifies the costs related to security. For example, hospitals are required to have a variety of security controls in place related to tagging of newborns, posting of no-weapons signs, and environment of care issues. Any healthcare organization accepting funds from Medicare or Medicaid must comply with the new mandate for annual security risk assessments. 

OSHA 3148 also requires hospitals and healthcare organizations to do annual workplace violence assessments, and more than 33 states also require enhanced protection of hospital and healthcare staff.

As security incidents continue to increase and violence in healthcare escalates, making the switch to a risk-based security program will provide better protection for hospitals and healthcare organizations, making more effective use of existing security personnel, as well as justifying and expanding healthcare security budgets.

About the Author

Caroline Ramsey-Hamilton | President, Risk and Security, LLC

Caroline Ramsey-Hamilton is a leading threat and risk assessment expert in both physical and IT security. She has developed many specialized risk and threat assessment programs for hospitals, healthcare organizations and large public and private organizations including the Department of Defense, the Department of Homeland Security, the Department of Justice, and companies like Northrop Grumman, AT&T, Parrish Medical, and Magellan Health Services, Inc. Ramsey-Hamilton also serves on the board of the South Florida Chapter of the International Association of Healthcare Security and Safety.