Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Caroline Ramsey-Hamilton

Return of the Sea Monster as a Force of Nature

Last week I wrote about the oil spill in the Gulf and today I was looking at my Loch Ness model of a sea monster with a cute little red beret.  I thought about the concept of a SEA MONSTER. Any terrible  sea monster worth its salt would:

     1.  Kill things indiscriminately

     2.  Hide under the water until it is unleashed on an unsuspecting world.

     3.  Be very hard to kill or subdue.

Sound familiar?  Because the gulf oil spill IS a Sea Monster – probably worse because the Spill Monster doesn’t just kill virgins and itinerant fishermen – it kills everything.  Kills grass and insects and crustaceans (like shrimp) and also sucks the oxygen right out of the water so it doesn’t just kill everything now and then go about its business, but it makes recovery impossible.

If I was a senator or congressman I would be drafting up a bill requiring drilling AND mining companies to not only do a complete and comprehensive risk assessment PRIOR to exploration or drilling activity, but also to publish their contingency plans, disaster recovery plans and emergency plans.

Somewhere along the way – the phrase “disaster recovery” planning got pinned to the information technology recovery but it really applies to everything and certainly to risky endeavors like mining and drilling.

It would be tempting to say that the risk assessment and disaster recovery planning (in the broad sense) should be required on everything that has the potential to adversely affect the planet.   Who would administer it?   This is where the U.S. is again trapped into a corner by the responsibilities of each federal agency.  

In a perfect world, you’d like to think that the EPA (Environmental Protection Agency) would be in charge, but that, under the present structure, would exclude deep sea drilling and agribusiness concerns.   Because the EPA is regulating toxic substances like chemicals, and air quality, but not everything that affects the ‘natural environment’.

We need an ENVIRONMENTAL OMBUDSMAN to protect the citizens of the United States, and maybe of the whole world.   This position would cut across the current agency lines to include oil drilling/extraction; mining as in strip mining;  use of pesticides in agribusiness; industrial pollution of rivers, lakes and oceans; and deforestation.

Over-fishing belongs in the same category.  I have heard that Blue Fin Tuna is now endangered and the United Nations is going to vote this year on protective measures. 

Basically all these kind of industries, mining, drilling, fishing are all scooping raw material up out of the earth and selling it.  The companies involved seem intent on drilling, fishing or scooping up as much as they can get of FREE STUFF from the planet, and then selling it for enormous amounts of money.  Again, you would think that old self-preservation gene would kick in, but instead, it may be that when one of these industries hears that whatever they are taking could be limited, or managed, or made less easy to get, they rush to get every more before the limit or ban goes into effect. 

This behavior accelerates the underlying diminishing supply problem, drives up prices, making industries want to get even more of their oil, minerals, diamonds, fish, whales, or whatever and so the cycle becomes maximally destructive to the environment on even a shorter time line.

One of the biggest aggravating factors of the current SPILL MONSTER is that we, the taxpayers, basically financed it and now we are going to get to pay to clean it up, and the paying includes providing services for all the damaged parties.  Do you really think that BP is going to cover the entire costs by the end of the day?  I am highly skeptical.

We keep hoping that man’s (and woman’s) survival instinct is going to kick in at some point and people will think, “If we don’t keep the earth clean, it is going to negatively affect MY health, or MY business, or MY customers”, but we, as a country, are not quite a that tipping point yet.   I hope we get there sooner instead of later.



The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.



All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

An amazing development in HIPAA compliance took place on May 7th.  What a great surprise for a Risk Analysis/Risk Assessment Person!  The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their protected patient health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance of exactly what was expected and how they should accomplish the risk analysis. 

Why the Office of Civil Rights?  Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy including the enforcement of the HIPAA requirement.   And the guidance is long overdue.  I have had dozens of conversations with individuals at hospital and, discussing what a risk analysis is, what are the basic elements, and I am THRILLED to report that the OCR agrees with my methodology.

 The draft guideline on risk analysis also takes the same track that the financial institutions have given as guidance to banks and credit unions.  That is risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis, not as a one-time drill, but instead, as an ongoing process to help organizations evaluate their risk focusing on the confidentiality, integrity and availability of protected health information.  The Risk Analysis Report, creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, deciding, when, if or how to use data.

A risk analysis is also the basis for an understanding by organizations of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7. 

To quote directly:  “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline include the following five elements of risk analysis (and risk assessment).

1.     Identify and characterize the assets that need protection,  including the databases, the applications, etc.

2.    Analyzing the relevant threat data – focusing on what could adversely affect the assets (ePHI) in this case.

3.    Modeling the potential losses that could result from the threat actually materializing.

4.    Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.

5.   Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.

 The OCR also referenced the NIST 800-66 to show sample questions that need to be part of the risk analysis.  Luckily – we totally agree with them and have included the NIST 800-66 Guidance in every HIPAA Risk Analysis software solution.

 Here’s another short excerpt from the OCR:

 “Risk Analysis Requirements under the Security Rule

 The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)  

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

OCR went on to cite NIST 800-66:  “The following questions adapted from NIST Special Publication (SP) 800-66  are examples  organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:    Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.    What are the external sources of e-PHI?

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction the OCR enforcement is going to go.  As I mentioned previously, the regulators are likely to follow the example of financial audits and ask for the current copy of the organization’s risk analysis and use that as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions which were taken to protection the organization’s protected health information.

In the words of the OCR –

In Summary, Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8 page OCR guideline, please send an email to chamilton@riskwatch.com.

.



Avatar, the Field and the BP Oil Spill

As the old drill-baby-drill cry loses its appeal, the coastal communities in the Gulf of Mexico are beginning to understand that they will feel the devastating consequences of the BP oil spill. 

The U.S. is a bicoastal country – 50% of the entire population of the United States lives within 50 miles of a coast.  And pays extra in housing prices to live there.  Ignore for a moment all the businesses that will be impacted – and think about buying a $4 million dollar house on the water – and have the water turn into an oil slick. 

I watched Avatar last night and noticed how the movie depicted the planet, Pandora, as an interconnection of elements that you could SEE how they supported  and depended on each other. 

That illustrates our relationship with our own Earth and how if one thing changes, it effects everything along the food chain (literally, in this case).  So the oil gets the birds and the blue crab larvae and the shrimp and now they are saying it may wipe out a generation of sea life.

As a species, we generally do not recognize that our connection with the earth is every bit as interconnected and tangible as the network on Pandora.  We need the earth to give us water, provide us with food (whether you are a vegetarian or not), provide water and shelter, medicine – everything – even manufacturing of plastic comes from the earth through our use of petroleum.

 That is also why ideas about animals are often so ‘un-evolved’, meaning they are thought of a things, not spiritual beings.  Time magazine ran an article on animal intelligence several years ago and said, at the conclusion of the article, “if we recognized and were aware of how sensitive and intelligent animals actually were, we would have to change everything we do as humans.”

News flash — we ARE going to have to change everything we do – we have to find our connection to the earth and the animals and plants who share it, or we will continue to have these devastating environmental disasters and wake up one day to a wasteland that can no longer support us. 

If you’ve watched “What The Bleep”, which is a movie that explains new developments in quantum physics – and I highly recommend that you watch it…  you will reach the same conclusion – that the electric Field exists on our planet and connects you and me to every dog, every blue crab, every tree, every blade of grass.  There is no artificial separation.  We are them and they are us and we are the same thing – just a different sector of the same energy field. We are Pandora. 

Oil spills and other disasters make this living network more apparent by watching, hour by hour on CNN, how one event affects everything, first in the Gulf, then in the entire coastal area touching the Gulf, then probably the Caribbean – who knows how wide the damage will be from this one oil platform. 

Do you feel the connection?  A few years ago, I got a great book about ‘curing the incurable’ and it was a collection of Russian folk remedies – from a former doctor to the Russian Olympics.  One of the remedies was how to use trees for healing – complete with details about which trees were most responsive – how to tap into the energy of the trees and use them by standing eighteen inches from the tree and putting your hands on the trunk…

This oil spill may dissolve political differences and even national differences and show us, one more time, how interconnected we are with the earth – and I’m hoping that we will find a positive way to use that information.



BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  it has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at strictly as a cost issue – looking at the real numbers helps… 

  • Cost of maintaining our phony border controls   $100 Million Dollars for 2010

(from the total ICE (U.S. Immigration & Customs Enforcement) budget of  $5.7 Billion Dollars). 

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrest of illegal aliens!
     
  • Budget for DEA to combat Drug Traffic from Mexico   – over $25 Million Dollars (just to add an additional 128 agents along the southwest border). 
     
  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars
  •  The Secure Fence Act – over $7 Billion dollars 

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraging from killing murderous drug dealers and human trafficking mules.   

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across someone along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.



DO WE NEED HEALTH INSURANCE?

HEALTHIER WITHOUT HEALTH INSURANCE

Last week I showed you my medical records – now I’m going to give you my take on the Healthcare Bill & Accountability! 

I never had health insurance — shocking, isn’t it!!  I grew up and raised two wonderful sons without any health insurance.  Part of it was my natural disinclination for paperwork, part of with my years of being self-employed but the main reason was I never understood why I should pay someone – that is – bet against myself — on my health.

Because I wasn’t saddled with medical paperwork, I could negotiate with the doctors for treatments I needed and usually got the price down 40% BECAUSE they didn’t want to use insurance anyway – it meant they got paid in six months instead of right now. 

My family believed in Adelle Davis – for those younger readers – she wrote “Let’s Eat Right to Keep Fit” and “Let’s Cook It Right”, “Let’s Get Well”, and “Let’s Have Healthy Children”. These books came out in the 50s and my mom was an immediately convert.  In fact, if you find these tattered old paperbacks in a used book store – you’ll see they were ahead of their time, in worrying about aluminum pans contributing to Alzheimer’s, endorsing fresh fruit and veggies for Vitamin C., and taking on the food industry which mightily contributes to disease in this country. 

I was never sick.  One bout of Scarlet fever that left my sister, Linda, deaf in one ear, but other than having two children – I was never sick.  The one year I did have health insurance was a total loss – paid about $3000 for N*O*T*H*I*N*G.  

Mind you, I’m in favor of national healthcare, delivered simply and effectively.  I am NOT in favor of fifteen xrays for a sprained ankle, seventeen mammograms that find nothing and basically – what I call the over-zealous use of medical technology.

Hey – news flash – healthcare is a BUSINESS!! Healthcare providers want to MAKE MONEY. The more procedures they perform – the more money they make.  It’s a very simple system.

So if it’s true that you have to incentivize people to stay healthy – maybe that’s the way to teach personal accountability for your own health!   I am amazed at how many of my friends, who are smart, and well-educated – turn their healthcare over to any doctor and do not question anything the doc says.  They don’t ask about the procedures or the tests, and they always assume that the doc knows best.

Nothing wrong with doctors – I love them.  But it’s YOUR BODY – learn how to take care of it!  Watching all the news about obese children, increase in diabetes, and declining health of the baby boomers (me included – I’m a baby boomer, but still healthy), it’s clear to me that what is missing is the connection between how someone lives every day – and how healthy they are.   So how do you encourage a healthy lifestyle?  That’s the $64,000 question.

My ingredients are simple:

Being outdoors
Taking extra vitamins and herbs
Getting moderate exercise
Eating less animal products
Low fat dairy
Don’t eat refined foods
Having pets
Doing work you love
Stress relieving activities – yoga and meditation work for me.

And… the big secret – being happy every day. 

So I am all for encouraging accountability and changing the insurance picture in this country.    This could mean – sliding scale of insurance costs based on how healthy you are.. like a Good Driver Discount for Staying Healthy! 

Having employer-sponsored plans also weighed and have unhealthy workers penalized.(I know that’s tough love – but they will thank you years later).

And adjusting pricing of health services so that preventive things  — like getting your blood pressure checked, become less expensive than expensive procedures like MRIs and CAT scans. 

Getting back to my original point – if you are totally RESPONSIBLE for your own healthcare – you make the extra effort to stay healthy. It’s a personal choice we all make every day.



Want to see MY Medical Records?? No Problem.

The fury and passion devoted to protecting medical records is totally incomprehensible to me. 

Who wouldn’t want their med records to be immediately available in case of  an emergency?   I have a twinge ( as opposed to a tweet) every time I go to my doc’s office and see his color-coded manila folder filing system.  It is a nightmare, but it doesn’t seem to bother the nurses.  

I understand that if someone had AIDS, they might not want their boss to know about it. But how many people reading this have AIDS (3/100 ths of a percent), based on U.S. Census Data (309 million Americans) and number of Americans afflicted (1 million). So could not be the only reason. 

I understand why not to disclosure STD’s.   What else?  I thought about my medical record and how bare and boring it is.   I’ll be happy to tell you all about it.  Here are the highlights:

     Had Scarlet Fever when I was about 11 years old.  I was lucky – no side effects, but my sister lost her hearing in one ear.

     Broke my right ankle in ballet class when I came down on the wrong angle after a SPECTACULAR tour jete!  I’m proud of that one.

     Got kicked by a pony near my left ankle when I was in my 40s.  Didn’t break anything, but insurance company put MY ANKLE on the list of NON-COVERED areas. LOL

    One dog bite from a German Shepard when I was college.  It was an accident.
    We were playing grab-it with a toy…

     Used to get bronchitis fairly regularly when I smoked, which was over twenty-five years ago.

     Had tubes tied after 2nd son.

     Had an eye lift – cosmetic surgery – Hurrah….

Pretty scintillating stuff!   You can see why I don’t worry about anyone getting their hands on my medical records.    I don’t even care about any of this – why would anyone else?  

I got another view of the medical record problem when my sister was diagnosed with a brain tumor.  HER medical records were enormous and included things I had never seen before like 3-D rotating images of her brain so doctor could turn it around and view it from any angle.  Her records were so complex that we literally had to take a set of CD’s to office visits.  Didn’t make any difference, she died four months later.

The cost of converting my boring records is something else I wanted to check out.  For a small doctors office with 3 doctors – installing a full document management system would cost about $100,000 with an annual maintenance fee of $30-50,000.  Quite an initial investment for a small office.

Here are some fun stats on paper records, from a Coopers Lybrand survey on the time and money spent on paper in today’s typical organization:

• Of all the pages that get handled each day in the average office, 90 percent are merely shuffled. 

.   The average document gets copied 9 times. 

• Companies spend $20 in labor to file a document, $20 in labor to find a misfiled document, and $220 in labor to reproduce a lost document.

.  7.5 percent of all documents get lost, 3 percent of the remainder get misfiled.  

• Professionals spend 5-5 percent of their time reading information, and up to 50 percent of their time looking for it.  

• There are over 4 trillion paper documents in the U.S. alone – growing at a rate of 22 percent per year. 

The famous Google Health project will digitize your medical records and put it in their repository for free, BUT you have to get them from your doctor in digital form first. 

And to see how mainstream this concept is going – there’s now an App for that! Yes, if you have an iphone you can get Health Cloud for free!  

But now that I have published my medical records on Twitter, or at least, my summary of my medical record – the whole world can have access!



Searching for Hard Data about Security Cameras…

I was really surprised when someone asked me about how many cameras should be put in a small hospital to deter violence against healthcare workers. They were asking for a universally recognized guideline or standard that would give them ammunition to take to management to prove why they needed the extra cameras installed in the Emergency Department.

If you’re already in either the security or healthcare field,  I’m sure you’re aware of the dramatic increase in violence against healthcare workers and why this is obviously a concern of all healthcare facilities.   Cameras are often the first stop in a security improvement program because they provide a lot of visibility/protection at a reasonable cost.  

My next step was to start looking through different standards to see if there was a standard for how many cameras should be in an Emergency Department, or a birthing center, or a hospital lobby.  I could not find a simple standard anywhere.  I first started looking at FEMA requirements for preventing terrorism (FEMA 428) (www.fema.gov) and while they covered lighting, they stopped short of recommending a basic configuration, or an “acceptable minimum” for cameras.  Next I looked at the International Association for Healthcare Security and Safety (www.iahss.org) and they also mentioned lighting and cameras but again, without specific guidelines for the various parts of a hospital.

More research followed.  I called about a dozen hospital security directors, and then started on a literature search.  I started with the classic Russell Colling book, “Hospital and Healthcare Security” and again found a great deal of common sense advice and recommendations on how cameras should be placed to view certain areas and the panning area, and what kind of cameras to use where, but again, no exact direction on how many cameras should be put in a hospital emergency department.

Back to the phone to get more information, I talked to more security professionals who explained that each facility is different — each hospital is different — each hospital has a different budget — different configurations.   I totally understand that companies that sell cameras and lighting to hospitals (and all sorts of other facilities) want to do an in-depth assessment before each installation to make sure the cameras fit the total security picture. 

But I think that the security organizations should start creating minimum standards with actual guidelines of WHAT KIND, HOW MANY and WHERE To INSTALL, as a sort of default value, or minimum to achieve some level of improved security.  For example, ‘basic’ or ‘minimum’ recommendation for an ED might be — one camera at each entrance and exit and a camera at the admissions area.  Having some basic configurations spelled out would be a great thing for security directors and probably for the camera companies.

Those who have read my blogs before know I am a big proponent of standardization — for lots of reasons.  It is good for the buyers because they don’t have to agonize over whether they are getting a certain (if minimal) level of protection; and it helps them secure the budget to install the new camera systems.  It’s good for the camera integrators because it increases sales because (see previous sentence), security departments can more easily get budgets approved and thus, sell more camera systems.

One of the security groups I talked to told me that the reason they don’t have a minimum is because it reduces pressure on smaller organizations that may not be able to afford a particular system, but I think that with the increasing use of cameras, having a minimum standard makes sense and would be a win-win proposition for everyone.

For example, did you know that rail gauge on railroad tracks used to be different for every state?  So early trains could chug around a state, but couldn’t cross the border into another state because the rail gauge was different.  After the rail gauge was ‘standardized’ so that the whole country used the same gauge of track — trains were going coast to coast and everywhere in between.  It allowed rail travel and shipping by rail to really take off.   Maybe we can do the same with cameras.



Risk Assessment: Too much emphasis on PROCESS hampers rescue efforts in Haiti

From the night that CNN showed Dr. Sanjay Gupta staying up all night to attend to patients in a field hospital, because the UN thought it was unsafe for their doctors and medical staff, you can’t help but feel like the security threat there has been used to avoid taking any chances — while the Haitian people are having to absorb all the risk!

Even Anderson Cooper said, from his position in the ground, that the security fears were overblown and other doctors have corroborated this! So why is the UN using security as a cover….

The UN is an organization that often favors PROCESS over ACTION. I can understand that they are used to having convoys attacked in dangerous areas like Cambodia and Ethiopia — but this is Haiti…. we know Haiti… no rocket launchers in Haiti — no political goals on display in Haiti. Just poor, starving, sick people with no homes, no resources, no medical facilities, no food, and no water.

As a risk person, I just wonder if they actually did a quick 1 hour risk assessment on this disaster which would have pointed out that the risk of slow, un-action is much worse in this case – than the risk of a security incident.



Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE STRENGTH AVERAGE PER YEAR
Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.




top