Risk and Security LLC

Risk Assessments, Training and More

Caroline Ramsey-Hamilton

Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, governments around the world, and think tanks.

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe it’s economics – maybe it’s a result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either preventing threats from occurring or by mitigating the impact of the incident if it occurs.

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by basing decision-making on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!



A Short Note on Father’s Day

A Father’s Day about Remembering

My father was a teenager during the Depression.  That means there was no college for my very intelligent and very creative father.   Here are some of his best moments, commemorated in a great photo of him barbecuing on the green Weber grill, wearing only swim trunks, a big chef’s apron and a chef’s hat!

When I was sixteen, I went outside to tell my father that I didn’t believe in the Easter Bunny anymore, so he didn’t have to go through the whole Easter Bunny drill which included getting up in the middle of the night and putting pieces of cotton on the underside of the chain link fence, so he could take us outside and say, “The bunny was leaving your Easter baskets and he heard you waking up and he ran out so fast, he left a little bit of tail on the fence,” and then he’d bend down to show us the Actual Easter Bunny evidence.

Finally, after an hour of discussion – he said, “OK – you win, I’m the Easter Bunny”.  I locked myself in my room and cried all day.

My dad always made the best of whatever happened, a lesson he passed on to me, the eldest child.  He always had a job – usually a great job with perks like boxes of oranges and pears at Christmas, and he taught adult Baptist Sunday school for 36 years.  What a commitment.

My dad should have been an artist, because he had the most beautiful handwriting, and could draw anything.   One of the great things he did for us was put together a whole book of photos of us for our 21st birthdays.  Mine had a Winnie-the-Pooh theme, totally illustrated, of course.  It included a list of all the 20 songs I could sing at the age of 2!

My dad was also a fantastic grandfather to my two sons and they were only in their teens when he died, way too young, at 72.  He still swam 60 laps of the pool every day. 

Daddy, I think about you all the time, and wish you were here.



The 5 Missing Elements of Most Workplace Violence Prevention Programs

After working with a variety of organizations on a baseline Workplace Violence assessment, there are several areas that seem to be common problems for most organizations.  These elements are not expensive, and not time-consuming, so they are natural candidates for improvement.

A baseline workplace violence assessment is a survey of employees in different roles, combined with a threat analysis and an analysis of existing controls and historical incidents that can be reviewed and aggregated.

Here are the top 5 most common missing elements, with potential solutions.

1.  Missing workplace violence awareness/training programs.  Many organizations report that they have set these up, that they have sent out emails to all employees, but we consistently find that the employees didn’t read the emails, didn’t know the training was available, or that it wasn’t included in their initial company orientation.

2.  Mis-categorization of workplace violence incidents.   There is a mistaken (in my opinion) idea that domestic violence incidents that happen at work should not be categorized or reported as a Workplace Violence incident.  This is a mistake, and leads to bad information about the true nature of the problem.  If someone comes and shoots her significant other at work (IN THE WORKPLACE) – it is a workplace violence incident.

3.  Staff feels subtle pressure from management not to report every incident.  In my research, management wants every incident reported, every time, but staff members report that their own direct supervisors may discourage them by not taking time to discuss these pre-incidents, and also by chalking up comments as merely office gossip.

4.  Not linking Human Resources with Security on the issue of Workplace Violence Prevention.  This is a management issue, but organizations that create bridges between HR and security are way ahead because this is one issue where cooperation makes a big difference in results.  HR can’t do a security assessment and security can’t write termination policies and set up employment screening. They are both absolutely necessary.

5.  Not doing an Annual Workplace Violence Assessment.  Since late 2008, when the economy suffered major job losses, the number of workplace violence assessments has increased dramatically, especially in the healthcare field.  Annual assessments are the best way to stay on top of the ‘potential’ for violence in your organization.

Check out one of our regularly scheduled webinars to learn more about this important issue.

 

REMEMBER – Workplace Violence is the one threat that is PREVENTABLE!

 

                                        — Caroline Hamilton

                                                                 Caroline.r.hamilton@gmail.com

                                                                 chamilton@riskwatch.com

 


                                  www.riskwatch.com



Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got harder and tougher, when the Office of Civil Rights (OCR) added their guidance document in May 2010 and suggested that, in addition to HIPAA Security, HIPAA Privacy, and the HITECH Act, organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, by the tightening of requirements, and by the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles including IT users who will answer questions related to HIPAA control standards, management who will provide financial data and approve different values, and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, and the reports approved, the project plan can be used to create the mitigation activities and a corrective action plan, and to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at chamilton@riskwatch.com.



Workplace Violence Against Hospital Staff Discussed

Just got back from a regional meeting of hospital security officers in Myrtle Beach. Aside from the T’storms every night – and the college kids shooting off bottle rockets, it was a great conference.

It reinforced my feeling that violence against hospital staff is one of the biggest challenges facing healthcare professionals. Vermont passed a law this week making violence against a healthcare worker a FELONY instead of just a misdemeanor. That’s progress, similar laws are being passed in other states, too. The governor of Vermont signed the bill on May 12, 2011. Congratulations to Vermont — they were first on this important issue.



Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot have already been forgotten by security professionals and criminologists.  There is no condemnation or follow up about a terminally troubled young man and the ease with which he purchased a semi-automatic pistol and 30-shot clips.

There has been no rallying cry to address the ease with which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.



Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The Middle East uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests.

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of high ideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.



Not with a Bang…. The Japanese Nuclear Disaster

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls is also analyzed, and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high, that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.



The REAL VALUE of a Hospital Security Program

Violence in hospitals and against healthcare staff has been steadily increasing since 2004. A recent article in the Journal of the American Medical Association (JAMA), cited the National Institute for Occupational Safety and Health, NIOSH publication 2002-101, which indicated that healthcare workers face four times the violence potential as other occupations.

If you add in the many domestic violence cases that play out in our hospitals, you can double or triple that figure. For reporting purposes, OSHA does not count domestic incidents (like murders) that take place in hospitals as officially “workplace violence incidents”.

Anecdotal incidents such as the shooting of a physician at Johns Hopkins Hospital in Baltimore, Maryland in September, 2010, and the January 1st, 2011 stabbing murder of an engineer at Suburban Hospital in Maryland by an employee angry because he didn’t get a good performance evaluation, keep the issue on the front pages, and cause hospital staff to worry about their personal safety.

The Joint Commission issued a Sentinel Event Alert in June 2010, on violence in hospitals and how it can affect both staff and the patients themselves. Nurses are on the front lines, and they are the most likely to be attacked, a fact which has not been lost on the nurses’ associations who are actively lobbying for safer working conditions.

Workplace violence issues were traditionally something handled in the Department of Human Resources, but security departments are increasingly involved in violent incidents and are critical to safeguarding hospitals.

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals. For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society. However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

1. Doctors are no longer thought of as “Gods”. This means they are more easily blamed when a patient’s condition deteriorates.

2. Hospitals are now regarded as businesses. This perception has been aggravated by television in shows like a recent “60 Minutes”, as well as by the effects of the recession on jobs and the loss of health insurance.

3. Lack of respect and resources (funding) for hospital security departments. Rather than being seen as a crucial protection for the hospital staff and patients, many security departments are chronically underfunded and used for a variety of non-security functions, such as making bank deposits for the hospital gift shop.

4. Resistance to Visitor Management programs in many hospitals. Again, because of the unsettling effect of the recession, violent solutions are becoming more common in the United States in general, for example, the recent Tucson tragedy.

The federal government issued a guidance document for dealing with violence issues in healthcare, OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

The Evolution of the Hospital Security Program

Even as recently as five years ago, many hospitals didn’t have a Security Director; instead they used the Safety Officer to double up and handle security. However, the Joint Commission and many professional hospital organizations recommend the formation of the Security Director position.

Now almost every hospital has a Security Director who oversees the various security functions at the hospital. These cover a wide range of duties including managing either a contract security force, or developing and managing a proprietary security force; managing violent patients in the Emergency Department; managing incidents regarding kidnapping, infant abduction, cash handling, helicopter coordination, handling admission of prisoners, monitoring visitors, managing hundreds of cars and garages, dealing with harassment, sexual assaults and domestic violence issues which end up at the hospital.

As the Security Director has assumed responsibility for an expanded list of duties, the security budget has not always kept pace with the expansion of the security function.

Assessing the Value of Security to the Functioning of the Hospital

When we start to assess the value of the security program to a hospital, we have to start with the total value of the hospital.

One of the greatest surprises we find in conducting risk assessments on hospitals, is that they possess tremendous value but because they are so large, and perform so many different functions, individuals can’t always see the hospital as a whole.

To make it easy to understand, we can break down the value of a hospital into its component parts:

1. The value of the Facility – this is the current replacement value of the building, usually over 50 million dollars.

2. The value of the hospital Staff, including both administrative and medical staff members (use the value of their salaries for a year).

3. The value of specialized medical equipment, including all the IT systems, X-rays, CAT scans, MRIs, and medical lasers, photon knives, etc.

4. The value of the actual revenue from the patients.

5. The value of the patients’ safety and their health information.

You can see that when we add up these asset values, and add another 10-12 categories, the hospital usually ends up with a value of $100 million to $500 million, or often higher. That is the total of the assets that are potentially ‘at risk’.

That is the value that the security function protects. Each of these asset categories can potentially experience a loss that would interrupt their operations, either for a limited time (like a gang fight in the lobby; or a theft of pharmaceuticals), or permanently (for example, a catastrophic fire).

The next step in the analysis is to see what kinds of controls are already in place to protect all these assets. Controls are mandated by a variety of federal, state and local laws, as well as best practices from insurance companies, and standards created by industry associations such as the Joint Commission, the Center for Missing and Endangered Children, and the International Association of Hospital Security and Safety.



Is Hospital Management Listening to Security Directors?

Just finished a webinar yesterday to over 60 hospital security directors and managers and they later wrote in to say that their management listened politely to their suggestions, their budget needs, their warnings about the new violence levels — and then they said, “Thank you very much”, and went back to their paperwork.

We all know how tough it is to run a hospital, but when will the administration realize that violence in hospitals, whether it’s a distraught son, shooting his mother’s doctor in Baltimore, or a grief-stricken Chinese man running through a Shanghai hospital killing innocent bystanders with a knife — that we have a BIG PROBLEM with the increasing violence in hospitals.

The nurses know about the violence.  In a recent survey of 1000 nurses who worked in emergency departments, nurses reported that 97% experienced verbal abuse, 94% had physical threats, and 66% HAD BEEN ASSAULTED.  The saddest part of this was that 25% of the nurses said they expected abuse and violent attacks.

We need to devote some resources to this problem and not wait until 100% of nurses report assaults.  It starts with awareness that there is a problem. Tomorrow we’ll discuss the next steps.



