Threat Analysis Group, LLC

Securing the environment of care is a challenging and continual effort for most healthcare security managers, who face unique challenges in balancing the open campus environment with the protection needs of the hospital’s patients, employees, and other assets. No hospital is without risk and effectively managing risk is crucial to maintaining the protection and openness balance. By conducting a comprehensive risk assessment, hospital security managers can prioritize identified risks, develop an effective hospital security program, and reduce risk to a manageable and acceptable level. This article discusses a 5-step risk assessment process that enhances the hospital security program by effectively mitigating risks to the hospital.

Risk management, as the name implies, is the management of risks to an organization. For most healthcare facilities, risk management includes not only security functions, but also insurance, legal issues, and health and safety. The primary component of risk management is the risk assessment process whereby risks are monitored and addressed on a continual basis. This process consists of the identification of threats, vulnerabilities, and risks to the hospital with the end goal of selecting appropriate security measures to reduce identified risks. As seen in the flow chart below, the five steps of the risk assessment process are asset identification, security inventory, threat assessment, vulnerability assessment, and risk assessment.

Before entering into a discussion of the five steps, it might be helpful to identify key security terms and definitions used in this article. Among the more commonly used terms are threats, vulnerabilities, and risks. Generally speaking, threats are acts or conditions that can damage, destroy, or take hospital assets. Examples include natural disasters and criminal perpetrators. Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities are those things that make the hospital more prone to security related problems, such as crime, unauthorized access, and damage from natural disasters. Risk is the result of threats and vulnerabilities. Without the potential for a threat and a vulnerability coming together in time and space, risk is undetermined or non-existent. A simplified example may be a small town hospital which has open access to the facility and limited visitor management (vulnerability), but no historical security incidents (threat), thus the risk to the hospital is low.

Risk = Threat + Vulnerability

Asset Identification

Identifying assets, as seen in the flow chart, is the first step of the risk assessment process. Asset identification is the process of determining what people, property and information are critical to the mission of the hospital. People assets may include doctors, nurses, and patients along with other persons such as visitors and support personnel. A hospital’s property assets consist of both tangible and intangible items. Tangible assets are usually simple to identify, while intangible assets, such as the hospital’s reputation, are more difficult to identify and assign a dollar value. For all hospitals, information assets include medical records. While all assets have value, not all assets are critical to the hospital’s mission. Critical assets, then, are those assets necessary for the hospital to carry out its mission of providing healthcare, for without them functions and processes will fail and cause the hospital’s mission to fail. The higher the consequence from the loss, damage, or destruction of an asset, the more critical the asset is. Depending on the type of care and treatment provided, a hospital’s critical assets invariably include patients, medical professionals, support personnel, medical records, equipment, supplies, and pharmaceuticals. Other critical assets may not be as evident and must be identified during this step of the risk assessment process. One common way of identifying critical assets is to interviews and/or survey the people charged with carrying out the hospital’s mission. Questionnaires of department administrators can also help to identify assets. Regardless of the technique used to identify assets, it is crucial to identify all critical assets to ensure that they are considered during the risk assessment.

Security Inventory

The second step of the risk assessment process is the security inventory. Typically, a hospital has already deployed various security measures throughout the facility or campus to resolve past security problems, thus the risk assessment is measuring mitigated risk, in contrast to raw risk. These security measures may include policies and procedures, physical security equipment, security personnel, or some combination of these measures. Security policies and procedures may include a security management plan, an emergency management plan, workplace violence prevention policy, medical records protection procedures, visitor management policies, and bomb threat procedures. Physical security equipment can include alarm systems, closed circuit television systems, access control systems, perimeter security systems, and lighting. Security personnel include the proprietary security force, contractual security personnel, off-duty law enforcement officers, and other personnel who serve in a protection capacity. Typical physical security measures will depend on the nature of the hospital, however many physical security measures are common across various hospitals. For example, closed circuit television is commonly deployed at most hospitals.

The risk assessment team should identify each component of the security program, what asset(s) it used to protect, and its level of effectiveness. There are two methods for inventorying current security measures, inside-out or outside-in. Using the outside-in approach, the risk assessment team begins at the facility’s perimeter and works their way in toward the identified critical assets through each line of defense. The inside-out approach is the opposite with the team starting at each critical asset and working their way out to the perimeter. In addition to these methods, the inventory process should also include reviewing any available security documentation including security plans, policies and procedures, security officer’s post orders, and physical protection system documentation.

Threat Assessment

The third step in the risk assessment process is the threat assessment. Threats are specific events or conditions that seek to obtain, damage, or destroy a hospital asset. Historical information is the primary source for a threat assessment; however other threats may emerge without a historical context. For example, an Avian Flu outbreak is a potential emerging threat to hospitals. Regardless of whether hospital security decision makers are dealing with an emerging or existing threat, they should share information regarding criminal incidents, security breaches, and other threats with other hospitals in close proximity. While hospitals sharing information is an informal approach to threat assessments, formal threat assessments are more detailed analyses used to evaluate the likelihood of adverse events, such as terrorism, natural disasters, and crimes that may affect hospital operations. The focal points of threat assessments are assets (targets) and the threats that seek to compromise those targets. Threat assessments also ask who the bad guys are by evaluating each threat on the basis of capability, intent, and impact of an attack.

The most common form of threat assessment is crime analysis. Broadly speaking, crime analysis is the logical examination of crimes which have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants, as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma (Applied Crime Analysis, 2001). While the above definition of crime analysis is holistic, it can be dissected into three basic elements:

• The logical examination of crimes which have penetrated preventive measures
• The frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants
• As well as the application of revised security standards and preventive measures

Examining crimes perpetrated at the hospital is commonplace in today’s healthcare environment, however it is normally limited to internal security data. External data in the form of crime analysis should also be evaluated to develop a complete picture of threats to the hospital. Crime analysis guides security professionals in the right direction by highlighting the types of crimes perpetrated (crime specific analysis), problem areas on the property (spatial analysis), and when they occur (temporal analysis). Using this information, it is much easier to select appropriate countermeasures aimed directly at the problem. In summary, crime analysis seeks to evaluate actual risk at a company facilities and rank facilities by risk level, reduce crime on the property by aiding in the proper allocation of asset protection resources, justify security budgets, continually monitor effectiveness of the security program, and provide evidence of due diligence and reduce liability exposure.

Vulnerability Assessment

Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Simply stated, vulnerabilities are opportunities. The fourth step of the risk assessment process is the vulnerability assessment, a systematic approach used to assess a hospital’s security posture and analyze the effectiveness of the existing security program. Vulnerability assessments measure the security programs effectiveness, compare it against valid security metrics, and provide recommendations to hospital security decision makers for improvements. In essence, the vulnerability assessment assists hospital security decision makers in determining the need for additional security measures, security equipment upgrades, changes in policies and procedures, and manpower needs. The primary tool of a vulnerability assessment is the security survey which identifies and measures the vulnerabilities at the hospital by determining what opportunities exist to attack, obtain, or damage the hospital’s assets.

Security surveys are simply questions and checklists that guide the assessment team during off-site preparations and on-site inspections of the facility. Surveys may range from a few basic questions to highly detailed lists comprising thousands of questions. A typical security survey contains general information about the hospital, including geographic characteristics, and physical layout of the facilities. The security survey also evaluates security deployment schedules, operational requirements, security equipment capability, and internal security incidents which have impacted the hospital security.

Risk Assessment

The actual risk assessment is the fifth and final step in the process and is basically the logical analysis of the previous steps which included asset identification, security inventory, threat assessment, and vulnerability assessment. While assessing risk is more of an art than a science, the risk assessment should be benchmarked against industry standards and guidelines. The purpose of risk assessment step is to identify risk mitigation strategies which can be employed to reduce the hospital’s risk to an acceptable and manageable level. Mitigating risk involves identifying strategies that can reduce threats and vulnerabilities through the implementation of additional security measures or other means.

Given a specific threat, there are five risk mitigation strategies available to the hospital security decision maker. Generally, the five strategies for managing risk include avoidance, reduction, spreading, transfer, and acceptance. Risk avoidance requires the removal of the target (asset) from the equation. Avoidance is an extreme measure since it can hamper the hospital’s operations. Reducing risk involves the deployment of security measures to reduce risk to an acceptable level. Risk reduction is the driving force for a hospital’s security department whose role it is to provide protection for assets. Risk spreading is a strategy to move assets to different geographic areas so if one area is attacked; the consequence is limited to that area. Storing necessary pharmaceuticals and other medical supplies off site is good way to spread the risk, thus if an area of a hospital is attacked or damaged by natural disasters, there is another supply available elsewhere. Risk transfer is a strategy used to remove the risk from the owner to a third party. Insurance is the best example of risk transfer whereby the insurance company assumes the risk for a fee. Risk acceptance is another strategy for mitigating risk. As the name implies, risk acceptance is simply where the hospital assumes the risk to an asset, typically after reducing the risk level to an acceptable level.

In summary, assessing risk is a dynamic process that involves continuous evaluation of assets, threats, and vulnerabilities. Reducing the risk to the hospital is accomplished by decreasing the threat level, blocking vulnerabilities and opportunities through enhanced security, or reducing the consequences if a security event should occur. Without question, the best strategy for mitigating risk is a combination of all three elements, decreasing threats, blocking opportunities and reducing consequences. Remember, no hospital is without risk and some risks can be acceptable. Security is a carefully orchestrated balancing act that ensures an open, functional environment of care that effectively protects assets.

In protecting people, security measures are typically not deployed to protect against domestic or interpersonal violent crimes. Interpersonal and domestic crimes are more often prevented via social measures, not security measures. A battered women’s shelter, for example, is designed to keep batterers away from the victims of spousal abuse. Anti-bullying policies in schools are used to prevent students from bullying other students. Both are social measures, not security measures.

In contrast to social measures, security measures are deployed to protect legitimate users of a property from unknown criminals.

Thus, we can make a distinction between interpersonal crimes and stranger-initiated crimes:

• Interpersonal is defined as being, relating to, or involving relations between persons (www.merriam-webster.com). Interpersonal crimes are those that occur between known parties and include domestic crimes as well as other crimes where the victim and perpetrator are known to each other.
• Stranger-initiated crimes are those that occur between unknown parties.

When assessing the threat of violent crimes, a reasonable attempt to separate interpersonal crimes from stranger-initiated crimes. The primary method for separating the two is to review the incident report generated by law enforcement. The narrative of the report will often indicate whether or not the victim and suspect are known to each other. In some incident reports, domestic crimes are clearly marked, while in others, the narrative may identify the relationship between parties.  Other relationships, such as friends, roommates, classmates, boyfriend/girlfriend, typically do not have a “check box” but can sometimes be discerned via the narrative.

Shouldn’t we have thought about CCTV effectiveness before spending billions?

Directory of CCTV Effectiveness Studies 

Bruce Schneier’s Blog

Between July 2006 and November 2006 the City of Philadelphia installed 18 CCTV cameras at various locations in the city. Two types of cameras were installed. Phases I and II saw the installation of 10 police monitored cameras at four locations. These cameras are monitored by Philadelphia Police Department (PPD) officers, and have the capacity to pan, tilt and zoom (PTZ). Phase III took place during November 2006 and saw the installation of a total of 8 PODSS cameras at 8 locations in the city. These cameras are not monitored at police headquarters, but officers can monitor video feeds wirelessly from within patrol cars in the vicinity of a camera. Furthermore the PODSS cameras record the street scene continuously on a digital hard drive. If a crime is known or suspected to have been committed within the view of a camera, police officers retrieve the hard drive manually from the camera and review the recording.

The evaluation suggests that while there appears to be a general benefit to the cameras, there were as many sites that showed no benefit of camera presence as there were locations with a noticeable impact on crime. Discussions with police commanders and camera operators may explain the disparity between the various sites. An in depth study of the dynamics of individual camera locations and the arrest patterns at these sites may also explain the findings. These conversations and research will inform a greater understanding of the best locations to place cameras, and potentially help the city get a better cost benefit return on the city’s future investment by deploying forthcoming cameras in locations that provide the best potential crime prevention benefit.

Read the Philadelphia CCTV Study

….for 2007.

Preliminary figures indicate that, as a whole, law enforcement agencies throughout the Nation reported a decrease of 1.4 percent in the number of violent crimes brought to their attention in 2007 when compared with figures reported for 2006. The violent crime category includes murder, forcible rape, robbery, and aggravated assault. The number of property crimes in the United States from January to December of 2007 decreased 2.1 percent when compared with data from the same time period in 2006. Property crimes include burglary, larceny-theft, and motor vehicle theft. Arson is also a property crime, but data for arson are not included in property crime totals. Figures for 2007 indicate that arson decreased 7.0 percent in 2007 when compared to 2006 figures.

Read the Preliminary Report

Organizations can obtain a measurable return on investment through cost savings on security personnel deployment, effective implementation of physical security measures, and reduced liability exposure. Using data driven security, an organization can add to the bottom line in three ways:

1. Effective Selection and Deployment of Security Measures - Security measures are costly. Proper data driven security can define the exact nature of the problem at each or the organization’s properties which allows security professionals to select the appropriate security measures (personnel, lighting, alarms, cameras, etc.) to prevent future crimes. Data driven security also defines where the problems exist, inside or outside the facility and when the crimes are occurring. The latter is critical to the effective deployment of security personnel. When threats are high, security personnel may be deployed to deter crimes. Effective selection and deployment of security measures leads to a quantifiable return on investment.

2. Reduced Liability Exposure through Demonstration of Due Diligence - Data driven security helps security professionals demonstrate due diligence, and thus reduce liability exposure in the event of civil litigation for inadequate security. Return on investment can be calculated based on two factors as it relates to liability exposure. The first factor is to reduce the cost of settlements, while the second factor is based on using data driven security to demonstrate a lack of foreseeability and thus persuade the judge to grant a motion for summary judgment. Both factors can be used to obtain a sizeable return on investment.

3. Constant Monitoring of Threat Levels to Ensure Security Program Efficiency - Re-deploying (withdrawing) security resources based on reduced threat levels ensures that the security program is operating in an efficient manner. Data driven security provides the necessary information to constantly monitor threat levels so security spending can be reduced as the threat level drops. Constant threat monitoring can also provide a sizable return on investment.

Read more about Return on Investment

The International Association of Professional Security Consultants now have a blog. Check it out:

IAPSC Blog

Beyond Fear by Bruce Schneier

Unlike most security readings, this book speaks to broader issues of perceived risk vs actual risk and understanding the trade-off’s in various security strategies.  Schneier does a great job of describing how new technologies provide advantages to both defenders and attackers.

I have always been a believer in interviewing people intimate with a facility during a security assessment. People that work at the facility have a better understanding of the security problems than I do when I first walk into a new facility.

Recently, I’ve had some unique opportunities to conduct “fact-finding” missions for a couple of clients. Rather than working from a formal list of questions, the interviews were less structured and more conversational. This has proven to be a valuable method for getting to the facts.

For one of the clients, the goal of the “interviews” was to determine what the real security problems are at their facilities so a security program could be designed. For the other client, the goal was to determine how best to reduce security costs. In both cases, the conversational, unstructured interview elicited significantly more facts that were expected and likely more than would have come to light in a formal interview.

While the facts were more plentiful and the depth of understanding greater using this method, the downside is the time it takes to elicit the information. Each interview can take anywhere from 30 minutes to two hours. In structured interviews of comparable interviewees, it usually takes 25 - 50% of that time. For clients and consultants alike, time is money. Understandably, some clients don’t see the value of this approach as it takes their employees away from work for a longer period of time and ultimately they pay for both the employees time and the consultants time. Worse yet is the consultant who doesn’t dedicate the necessary time to gather the facts.

Having been exposed to the values of this method, I am now a true believer. Here are some basic guidelines for conducting this type of interview:

1. Do NOT prepare questions in advance - if you know what information you need, you’ll get there without a written list of questions

2. Let the discussion evolve rather than forcing it

3. Build rapport early - find something common with the other person before hammering out questions

4. If possible, try not to take notes, type on a laptop, or use tape recorders

5. Validate the interview - once you finish the interview, type the interview notes and send them to the interviewee to verify the facts and make changes as necessary

6. Take your time

Try this method once and let me know how it works out for you.

I find my industry falling behind. Where are all the physical security bloggers? Try running a search for them on Google and not surprisingly you’ll find plenty of information security bloggers and some blogging on convergence, but few focused on physical security. Where are the new Sennewald’s and Dalton’s rattling away on a keyboard every week sharing their knowledge in real-time? Are books and magazines still the way physical security professionals are going to share information? In the time it takes to write, edit, and publish a book, the information within is often dated. I knew this when I wrote my last book, Strategic Security Management so I included a link [www.ssminfo.com] where readers could find updates to the book in real-time. That site has a direct link back to this blog where readers can read my latest ruminations (for what thats worth) and provide their thoughts, feedback, and disagreements.

Is it a fear of real-time writing and self-editing that keeps the physical security bloggers away? I doubt it as most of my peers are not afraid to speak their minds….even those with the constant taste of shoe leather in their mouths. My guess is that they just don’t know how to set up a blog. If thats the reason, I’ll make an offer: Anyone with anything good to say can be an author here or I will show you how to set up your own blog.

I love books, I always will. But the gap between ideas developing in the mind and the publication of a book is far too long. I suspect that my days of book writing are over.