Hi, I’m Caroline Hamilton. Welcome to my new blog – The Risk Insider. We’re going to be exploring all sides of security, including facilities security, active shooter incidents, information security, and security programs like HIPAA, CFATS and C-TPAT, and also how extreme weather events affect security.
I take a wide view of security, and use an analytical approach to look at a security issue, security trend, or security incident and evaluate it, then use a risk assessment approach to discover what controls best fit a particular situation. This includes looking at the threat profile of an organization and making sure that we are recommending or implementing controls that best address the most likely threat, and the threat that would cause the biggest potential loss.
The active shooter threat certainly fits the profile of biggest potential loss, because in addition to the deaths of individuals, the trauma of an active shooter event affects the entire organization, triggers widespread fear, and even PTSD.
Let’s analyze a shooting that happened on December 17, in Reno, Nevada. The shooter, Allan Frazier, 51, walked into the lobby at Urology of Nevada, told the receptionist he wanted to see a doctor, and then walked back into the clinical area and began firing a pistol-grip, 12-gauge shotgun.
He first saw and shot Dr. Christine Lajeunesse, who was critically wounded. Frazier subsequently shot and killed Dr. Charles G. Gholdoian, president of Urology Nevada, and seriously injured another staff member. The gunman then killed himself. The local paper reported that Frazier left a note saying that his vasectomy surgery had ruined his life. The surgery had been performed more than two years ago.
If we look at this incident, we can see that this small clinic, on the Renown Regional Medical Center campus, was missing several key controls. First, there was no access control, which allowed Frazier to walk right in with his weapon. Second, the door between the lobby and the clinical offices was not locked, so there was no way to contain the shooter. Third, there was no guard at the clinic.
In looking at the threat profile for Reno, we found that Reno’s crime rate is not much higher than the U.S. national average. However, if we look at the latest Joint Commission data for healthcare organizations, we find that a healthcare employee is between four and eight times more likely to be involved in a violent attack.
Because of the high threat in the healthcare industry, one of the easiest controls to implement would have been to make sure the door between the reception area and the clinical area was closed and locked.
Another potential control might have been to have a panic alarm at the reception desk, or a guard on premises. These are the physical controls that might have prevented the shootings, but there are also administrative safeguards.
If the shooter had been in pain for more than two years, his problems might have been more properly addressed over those last 24 months, keeping the conflict from increasing and escalating to the point of a fatal shooting.
Communication issues and security awareness are often ignored in the after-action analysis of situations like this one. The repeated calls and letters from an angry patient might have prompted the clinic to lock that connector door, and to have a guard present, or just to be more situationally aware that a potential conflict was brewing.
The increasing violence in healthcare is one of the issues we will be exploring in future blogs. And don’t forget to watch for my article in the next issue of Security Technology Executive magazine on how security directors are using risk assessments to manage and justify their security programs.
You can write me with your comments at firstname.lastname@example.org.
About the Author:
Caroline Hamilton is an expert in security risk analysis and security risk assessment. She works with a variety of infrastructure, including healthcare, finance, compliance and international companies. Recent projects include customizing risk assessment and risk analysis programs for clients -- the U.S. Department of Defense, the Sheikh Khalifa Medical City, KAUST in Saudi Arabia, the U.S. Nuclear Regulatory Agency, and dozens of multinational companies, hospitals, and government agencies.
She was a charter member of the US-UK Risk Management Model Builders Workshop, which was a joint workshop between the U.S., Canada and the United Kingdom to create the first security risk guidelines, from 1988 to 1995. She served on the U.S. National Security Agency’s Network Rating Model workshop, and from 1996 to 1998 served on a working group to create a Defensive Information Warfare Risk Management Model for the U.S. Department of Defense, under the auspices of the Office of the Secretary of Defense.
She is on the ASIS Physical Security Council, the IAHSS Board, the ASIS Information Technology Security Council, and is a member of SARMA. A former member of the IBM Data Governance Council, she grew up in California and graduated from the University of California.