Healthcare security is one of the most challenging missions, and a look at recent trends reveals it is getting more difficult every year. States are getting more involved in establishing parameters for workplace violence prevention programs, but it does not seem to be enough to stem the trends, and violence is underreported. Effectively managing security for healthcare is very complex. This article focuses on issues including access control, weapons screening and command and control, which are key goals considering emerging risk trends revealed in the threat assessment below.
While healthcare workers make up less than 10 percent of the U.S. workforce, there are nearly as many violent injuries in the healthcare industry as in all other industries combined, Alexia Fernández Campbell reported in a December 2016 article in The Atlantic. She also cited a 2015 study, where 76 percent of nurses at a private hospital system in Virginia said they had experienced physical or verbal abuse from patients in the previous year. A survey by the Emergency Nurses Association revealed that one out of three ED nurses surveyed considered leaving the job and/or the profession due to concerns over workplace violence.
Workplace Violence (WPV) is clearly the top risk for healthcare security. There is a common model widely used for classifying WPV offenders. This model is particularly useful in the assessment of various offenders to properly structure security response. Threats may occur from external or internal sources as shown below (see chart):
The healthcare industry continues to suffer from increasing acts of lethal violence. Recently, six people died in one week in the United States from hospital shootings. While most healthcare violence is affective (in the heat of the moment), numerous incidents support extreme violence in the form of targeted attacks. Twenty years after his mother was lost on the operating table, Joseph Pappas allegedly shot the cardiologist, then killed himself when confronted by police. Business Protection Specialists, Inc. (BPS) has on file over 425 instances of hospital shootings since 2009, a list started by others but now maintained by me. While comprehensive, the list is not all-inclusive. What is noteworthy is that even within this incomplete data set, evidence shows an 88 percent increase in hospital shootings annually since 2009.
Drugs, alcohol and an increase in acute behavioral health patients is making emergency departments and other high-risk areas of hospitals places where violence can emerge with little or no warning. A recent study published in the Journal of the American Medical Association looked at the estimated 1.3 million amphetamine-related hospitalizations in the United States from 2003 to 2015 and found an alarming increase of 245 percent between 2008 and 2015. Researchers say this staggering increase is not widely known as it has been overshadowed by the opioid epidemic, which led to a significantly smaller increase of 46 percent in hospitalizations during the same timeframe.
Children are presenting to emergency departments due to mental health crises in drastically increasing percentages according to a recent study (55 percent between 2012 and 2016). The study revealed that in 2012, 50.4 visits per 100,000 were mental health related. That number jumped to 78.5 visits by 2016.
Managing criminals as they’re cared for in hospitals can also be a complicated task. As recent hospital escapes have shown, if prisoners are not handled properly, they can put themselves and others in danger. Forensic patients present a variety of risks to the hospital in terms of workplace violence. Prisoners receiving service may be violent criminals or be highly motivated to escape. For instance, in February 2018, a West Virginia inmate was accused of shooting a police officer during an attempted hospital escape. He was arraigned on charges including fleeing with reckless indifference, disarming a law enforcement officer and attempted murrder.
In a recent court case, a nurse was awarded $7.2 million as a result of an incident with a forensic patient. A hospital nurse who was held hostage at gunpoint and sexually assaulted by a patient received $7.2 million from the lawsuit she filed against the county. The inmate was being treated at the hospital when he grabbed a pistol from a county jail correctional officer and pointed it at the nurse. He then took her into a room where he beat and raped her. The lawsuit claimed officer carelessness by the county led to the hostage situation. It stated that the rotating of sheriffs and security guards responsible for watching the inmate provided inadequate security.
When considering all the incident types above, it is not inconceivable that a hospital could have multiple serious events happening simultaneously. Considering the threat and risk context, there are key challenges for hospitals today involving staffing levels, access control and visitor management, weapons screening, and command and control. Threats can emerge internally or from external sources. An illustration of an externally sourced threat can be found when analyzing the risks associated with gun shot or stabbing victims being brought into the emergency department. These patients may be accompanied by friends and family. It is possible that parties on both sides of a dispute are now in the hospital and the situation can escalate into an onsite civil disturbance with significant risks to staff, other patients and visitors. The security posture of a hospital needs to be able to adapt rapidly in cases like this, and the information below offers guidance on how to improve the effectiveness, efficiency and speed of response.
There are several methods to determine benchmarks for staff which have been published over the years for the healthcare industry. Many of these tend to oversimplify the process and run the risk of leaving healthcare facilities inappropriately staffed. Given the rising trend with threats and violence, this is not a good strategy for healthcare organizations committed to being proactive versus waiting for a serious incident to occur. This is all too common a headline seen on a weekly basis: “Hospital Increases Security After Emergency Department Shooting.”
BPS believes that no single dimension dictates the level of staffing necessary. Further, when determining staffing levels, take a position on whether the use of staffing will be committed based on a philosophy of incident prevention or a more passive philosophy of incident response. Some of the more common criteria used in relation to staffing levels have been:
- Number of beds
- Number of employees
- Square footage of the facility
These single-dimensional approaches fall short of being accurate. For instance, what type of beds are being measured? General care? Psychiatric crisis beds? Clearly there is a difference in security impact. There have been more complex formulations developed from the academic sector, but even those lack some of the comprehensive assessment consistent with a facility’s calls for services and the types of risk inherent to the services being provided. Desired response times and patrol frequency are two other metrics that have a direct correlation to the amount of staffing necessary. No administrator wants to hear that they have to spend more money on security staffing, so when taking that business case forward, it is essential to do your homework.
Access Control and Visitor Management
What BPS is recommending to their clients in the realm of access control includes:
- Ensuring hospitals are using a reputable access control product. In one recent case, a large hospital was using a low-cost access control product which was not able to elegantly handle card downloads without locking up, resulting in the interruption of service to patients and a federally reportable violation. One would not normally connect these two things together but imagine your access control system locks up and prevents a doctor from getting into an operating room which results in the death of a patient.
- Naturally limiting access points would be the bare minimum for in-patient entry, outpatient services, and staff entrances. All routinely used external access points should be connected to the electronic access control system to enable rapid lockout should the need arise (and it is not a matter of if but when this capability will need to be exercised for most hospitals). Openings that are not required for entry should be classified as emergency exit only and external door hardware and key cylinders removed.
- Be careful about the use of sliding doors for openings. Popular in hospitals, but typically significantly vulnerable when there are no alternatives designed around the opening to enable emergency egress. Entry points where sliding doors are used should be equipped with an alternative conventional emergency egress door so the slider can be properly secured after hours without impeding necessary egress.
- More and more hospitals are recognizing the need for true access control (not theater) where it becomes possible to ensure that all persons entering, including patient visitors, are accounted for and controlled via the use of visitor management software programs and turnstiles. This is revolutionary for healthcare and expect that trend to accelerate.
Hospitals should not underestimate the impact a lack of access control capability has on staff morale and staff and patient safety. Nobody goes to a hotel and sleeps with the door open, but that is precisely what patients in hospitals are doing. Hospital administrators are wise to support effective security measures.
It is difficult to truly know how many weapons are being brought into a facility until you start to screen for them and track statistics on how many are discovered. Patients and family members do not likely start their day thinking, “I am going to assault a healthcare worker.” However, given the affective nature of violence in healthcare, allowing weapons into the patient care areas is a risk to healthcare workers. Organizations serving the behavioral health and chemical dependent population, particularly in urban settings, recognize that these patients likely carry some form of a weapon for self-defense while out on the streets.
Persons who are at risk for self-harm can be very creative in terms of bringing in contraband which can be used to aid in suicides. There is technology now that is highly sensitive at detecting items such as razor blades or needles which might otherwise be missed in more traditional wanding or walk-through metal detection efforts. Emergency departments are typically the first place where metal detection is considered, but more hospitals are also deploying this on main entrances as well. In-patient behavioral health units have their own unique risks and require consideration of proper screening of visitors which goes beyond the conventional “trust and not verify” policy associated with amnesty lockers for visitor belongings.
Command and Control – Design and Implement for Speed
What is intended here is the ability to utilize technology for rapid response to healthcare risks which can occur with little warning and where seconds literally make the difference between success and failure. For instance, consider the risk of infant abduction. While it is very infrequent, it still occurs, and nobody wants it to happen at their hospital. It is not uncommon to see a situation where infant abduction technology is in effect, and when there is an alarm, nurses on the floor waste precious seconds conducting a local investigation and inventorying the infants on the unit. In the meantime, if it is an actual event, the abductor is already exiting through the facility to a vehicle.
This type of situation requires immediate detection, assessment and dispatching of the appropriate response to the right location. This translates to the alarm linked with video displayed ideally on a dark screen monitor in a security control room, or for hospitals which may not have that luxury, this function might be assigned to switchboard operations. If a hospital is not using a unified platform with access control and video, the following integrations should be considered in design or retroactively to ensure rapid response to actual or potential security incidents:
- Duress alarms trigger video call up
- Door alarms (held open too long and forced open) trigger video call up
- Infant or pediatric abduction alarms trigger video call up
The traditional display of every camera on a monitor at sizes far too small to discern meaningful details is not a wise strategy. At least one monitor might be reserved for video call up on event. Thinking through and organizing cameras with similar functions into manageable viewing groups and having security staff actively engage the viewing groups for short periods of time will yield far better results. For cameras that are purely for forensic purposes, there is very little need to consume real estate on your monitors and those images can simply be recorded. Video management system operators must be trained to detect irregularities and suspicious activities in order to effectively detect problems.
Simple analytics may also be applied to detect incidents in unoccupied areas of the hospital. For instance, in a recent assessment, an impaired patient visitor wandered into an unused lobby and broke into multiple drawers and cabinets stealing cellular phones and cash. After that incident, she burglarized the coffee kiosk in the same lobby over the course of several minutes, all of which was captured on video. Had the facility employed simple motion or line crossing analytics, these crimes would have been detected while the burglary was in progress resulting in significantly less property damage and repair costs for the hospital.
It is easy to gravitate toward the sexy new things being brought to bear in the security marketplace and at the common trade shows we all attend. What should not be lost in all of this is making sure foundational programs such as staffing, access control, visitor management and command and control are working. It is difficult to effectively manage what one cannot measure; therefore, establishing and monitoring program performance metrics in these key areas will help administrators assess their security needs and provide support for a budget for the necessary tools of the trade.
About the author: Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc., a nationwide independent security consulting firm focused on healthcare risk identification, regulatory compliance and security design services. Pisciotta has managed more than 4,500 security-consulting engagements in his thirty-year consulting career. He possesses a master’s degree in public administration, a bachelor’s degree in criminal justice, and was board certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is a past President of the International Association of Professional Security Consultants. Pisciotta was the eighth person in the United States to achieve the Certified Security Consultant designation. He is currently leading the IAPSC's technical standards committee. Pisciotta serves as the Vice Chair on the ASIS Council for Food Defense and Agriculture Security. He was the Chief of Security for Alfred University ending in 1991.
 Sample size was over 7,100 nurses