Risk and Security LLC

Risk Assessments, Training and More


My Pool got Hit by Lightning – Are You Next?

My swimming pool got hit by an adjacent lightning strike!   The lightning strike hit a tree about 6 houses down from my home in Maryland.  I heard the lightning strike at the time (midnight), and I still remember that it was so loud the beagles dived under the bed.

But the next morning, when I woke up, I looked out from my 2nd floor window and saw something that looked like two fried eggs floating in the pool.  It took me about 2 minutes to realize that they were the pool lights, floating in the pool, still tethered by the electrical lines.

The lightning strike was so sharp and close that it broke the lights out of their plaster enclosures and now there they were, fully electrified, floating right in the water.  It took me eight calls to find someone who would come and fix the lights, turn off the electricity and get the lights out of the pool.

If a lightning strike could do that from 6 houses away, what could it do to a person? Because it’s Lightning Safety Week, I looked up some interesting stats from the National Weather Service – check them out:

Your chance of being struck by lightning in your lifetime is 1 in 3000!

From 2006 – 2012, about 2300 people were struck by lightning and 238 people were struck and killed by lightning in the US.

Two-thirds of the deaths were to people enjoying outdoor leisure activities.

82% of all fatalities were to men.

70% of the lightning deaths occurred in the months of June, July, and August.

Only 10% of people struck by lightning actually die, but 70% of those who survive a lightning strike have serious long-term effects from it, including fear, depression and debilitating physical injuries.

STAY SAFER THIS SUMMER, and teach these tips to your kids, too.

  • Get out of pools, away from beaches, lakes or ponds.

  • Never stand by a tall tree during a lightning storm.

  • Drop or get away from metal objects like golf clubs, umbrellas, etc.

  • Get indoors or into your car if you can’t get inside.

  • Stay indoors for 30 minutes after the last flash you see.

And have a wonderful, active summer!



Why HIPAA Risks are Growing Every Day

If you’re a healthcare employee, you already know a lot about the HIPAA Rules. You’ve probably received training on how to protect health information, and have heard about all the fines being levied against everything from small hospices to the largest hospitals (like Massachusetts General Hospital).
Because HIPAA is a federal law, there are expensive penalties involved in HIPAA mistakes (breaches). Fines have ranged from $50,000 to millions of dollars. Here are just a few of the recent fines.

Shasta Regional Medical Center      $275,000      June 2013
Hospice of Northern Idaho           $50,000       January 2013
BCBS Tennessee                      $1,500,000    March 2013
State of Alaska                     $1,700,000    June 2012
Phoenix Cardiac Surgery             $100,000      April 2012
Mass General Hospital               $1,000,000    February 2011

There have been dozens of other fines, many in the millions of dollars, and, with the passage of the new HIPAA Omnibus Rule, which takes effect on September 24, 2013, there will be many more.

If you are a healthcare organization, you need to address the risk of a potential HIPAA fine. And the fine is not the worst part: the “resolution agreement” you sign forces your organization to file all sorts of quarterly reports and meet with regulators for years to come, and those ongoing activities are even more expensive than the fine!

The Office of Civil Rights (part of the U.S. Dept. of Health and Human Services) is self-funded from these fines, and it uses the money from the fines to start even MORE enforcement activities.

The basics you need to have in place to reduce the risk of a HIPAA fine include 1) having a Risk Analysis done in the past 12 months, 2) having HIPAA Training conducted annually for EVERY employee, 3) updating all your Business Associate agreements, and 4) developing a robust security awareness program, just to name a few.

HIPAA compliance-related fines are a risk that should be considered by every healthcare organization, no matter how big or how small, because your bottom line AND your reputation may depend on it!




Snowden’s Shameful World Tour

Being a security person, and believing that extraordinary measures are required to keep us safe from the increasing terrorist threat…   I maintain that Edward Snowden is a total coward, now that he has launched his travel from the US to China to Russia, and presumably, Cuba, Venezuela and Ecuador.

His judgement on many things is in question, especially in taking advice from another coward, Julian Assange, who’s been living in a small Embassy in the UK for a year.

Perhaps he could make a case that he thought US taxpayers had a right to more details about their tax dollars at work – the NSA’s surveillance programs, but he certainly DOES NOT have the right to disclose any classified program information to other nations, like China and Russia – just to name 2.

He DOES NOT have the right to stir up suspicions between nations; he is a misguided meddler, basically selling out US secrets to a hostile world, and who knows who’s paying for all the international travel?  Is he handing out secrets for free, or is he selling out our country for financial gain?

His cowardice is illustrated by his total fall into the “What’s Good for Me” logic, which totally ignores issues of national security, destruction of trust between nations, and these actions compromise every statement he’s made so far.

He made himself into a 7-day media star.  He got his 15-plus minutes of fame, and now, he obviously has done a little more thinking about his choices, so he’s totally intent on protecting himself from any penalties, any recriminations, any dialogue with the US over the far-reaching implications of his bad choices.

For these reasons, and quite a few more, and mostly because I believe that he threatens our hope for a more peaceful world, I hope that other nations will grab him, return him to the US – to face the music he chose.

More distrust, more self-absorbed leakers, more lack of respect for the laws that govern civilized countries – these are just not what we need right now.



NSA Hearings on the Hill

NSA is answering questions this morning, before the House Intelligence Committee, about their mass metadata collection of phone call destinations.

Having worked with NSA for years, I decided to watch the hearings and hear what General Keith Alexander had to say.   Of course, I have a family history with congressional hearings.

For myself, I’m in total agreement with NSA that they should be LISTENING, COLLECTING and ANALYZING intelligence so we can know what is happening all over our complex world and be in a position to prevent catastrophic attacks by those terrorists using their religion like a free pass to kill, maim and attack.

My father died over ten years ago, but one of my favorite memories of him is that, while he was suffering from cancer, he never missed a Congressional hearing.  He sat with a TV tray in front of him, with a stack of monogrammed notepaper, envelopes and stamps.

As the hearings progressed (I especially remember him watching Iran-Contra), he would write to each of the congressmen and senators, telling them how he judged their questions, writing to them about mistakes he thought they made.  This was true democracy in action.  From his pen right to the powers-that-be.    And he took his responsibility in this very seriously.

I hope everyone starts watching, learning and taking their role in our democracy as seriously!  An attention-seeking junior technician is having his 5 minutes of fame, and I hope that the great work of the US intelligence community is not going to be slowed down or damaged by his thoughtless disclosures.  He should start writing letters to HIS elected representatives.




Oklahoma Tornado, Boston Bombing, Young Soldier Killed – It’s time to do a Security Risk Assessment!

More tornado victims will be buried this week, including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar/safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a  young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously?   How many more grieving parents do we have to watch crying on TV?  In my opinion, the casualties did not need to be so high, nor the aftermath so catastrophic.

If you group all these disasters together, you can see that at the root of each one is the feeling that, “IT CAN’T HAPPEN HERE”…    Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot predict the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…

Many obvious solutions-controls-safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been done, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have allowed the schools to all add the safe rooms they needed, and in Boston, the older of the two Boston bombers should have been in jail already for his participation in a previous murder – or at least actively monitored based on his Facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMOTE some kind of action to either:

  1. Eliminate the threat, or

  2. Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before they end up on CNN!




The Active Shooter – What’s the Right Response? Run Out or Lock Down?

I got to sit in on a security group discussion yesterday.  It included both security directors and local law enforcement, and it was interesting to see how differently the two groups approached the active shooter scenario.   Which way is the best?  Is there a best?

Law enforcement officers at the state, city and county levels want all doors to be unlocked so that all the occupants of a facility, or a hospital, can get out and run for safety as quickly as possible.   They say that means more people will survive and not get shot, and it works with the natural human reaction to run away from danger.

Some of the active shooter experts in the room said that active shooter situations should be treated like fire drills, because people are used to fire drills, and they know what to do, because they practice fire drills more frequently than active shooter drills.

The Security Directors, especially those of hospitals, wanted to be able to lock down if there was an active shooter call in their facility.  They felt that there were problems in evacuating quickly, and some were concerned about leaving bed-ridden patients behind while the clinical staff ran out of the building.  So they advocated locking down all doors instantly.

While the heated discussion continued for almost three hours, at the end there was no “BEST” solution.  Each Security Director or Manager will have to decide for themselves which approach is right for their organization.  The important thing is to think it through in advance, prepare people in advance, and take advantage of the great materials that are available to help organizations prepare.


Get more information, including videos, training materials, on-line courses and more, at http://www.dhs.gov/active-shooter-preparedness.



Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and the known intelligence on the brothers responsible for the Boston Marathon bombing.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this the appalling cuts in funding for diplomatic security, and a flawed process for deciding what needs to be done about security and protection for our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding,” said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny) by Alexander Bolton on September 18, 2012.   In spite of the uncertainty of the Arab Spring, and the demonstrations every Friday in streets from Bahrain to Tunisia, the embassies had their budgets cut.

Of course, security experts are used to this: security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment is obviously a very bad decision on the part of the GOP.

For example, the security risk assessments that are routinely done on these embassies are not done on a systematic basis.  As a risk expert, I believe these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared with the environments at other embassies, with comparisons made by month and by year, and trends tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

Security risk assessments that are done properly must also include complete threat assessments.  “We need to develop a paradigm for managing risk,” said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree: we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!




3 Cleveland Women Freed -The New Front Line of the War on Women


For the past 4 days, media attention has been focused on the three Cleveland girls who were abducted close to their homes and kept as prisoners in an old run-down house with neighbors on all sides.

NOW, neighbors tell how they broke down the door to free the women, the little 6-year old girl who came out with them, presumably the child of their abductor, and stories of screams coming from the house over the LAST TEN YEARS.

Besides the obvious curiosity about how they are, how this happened, how they were subdued for so long, and all the salient details, my question is WHY DID THIS HAPPEN, AND WHAT DO WE NEED TO CHANGE TO MAKE SURE IT NEVER HAPPENS AGAIN!

As a security analyst, I have to place some of the blame at the door of the Cleveland police, not that they are different from any other police department in the U.S.  Police are trained to catch criminals – that is their reason for being.   But it seems that, increasingly, in crimes where women go missing, even a 16-year-old, the search for them never really gets underway.  With no speeding car to chase, no easy suspicious person to detain, they stop looking.

Statistics say that about 2300 people go missing every day; over half are men, so that leaves about 1000 females, and of these, about 70% are young women.  So, easy math: about 700 A DAY, or 255,500 EVERY YEAR!

My point is just that the Cleveland Triple Abduction should be a wake up call for parents, citizens AND law enforcement to find a better way to search for these missing girls.

The world has changed – we have cameras, social media, Facebook pages, and we need for all of these to be routinely used to find missing girls before we see another case exactly like this one.



Why the FBI and DHS Need Google’s Help to Track Potential Terrorists

The Boston Marathon bombings were bad enough.  The loss of life was terrible, but worse still were the runners and their family members who lost legs and feet because they wanted to give their Dad a hug at the finish line.

One week later, we all watch with trepidation as the first bomber is killed and the second captured bleeding in a boat in Watertown.

THE MOST TERRIBLE NEWS OF ALL IS THAT IT MIGHT HAVE BEEN PREVENTED!!  This is EXACTLY the situation that DHS was supposed to catch.  This is EXACTLY why the agencies were ORDERED to share information, and still these guys can tweet all they want, show violent Islamic videos on their web sites and call for Jihad and NOBODY NOTICES!!

This is made even more incomprehensible because the U.S. government was ALERTED BY THE RUSSIANS that one of them was DANGEROUS.

What do we need to do to get these agencies to start paying attention to these potential terrorists?  DO WE NEED TO MAKE THEM WEAR A RED SHIRT?

If the IRS can keep track of every American and in 2 minutes call up their entire history of taxes, and the Department of Labor can calculate your benefit rates in less than 1 minute, and Social Security can keep track of all your information – why can’t DHS and the FBI keep a contact database current?

Why can’t they have a person who scans these web sites and Facebook sites for Jihadist pages and then cross-references them with the site’s owner?   Why can’t a trip to a violent region of the world trigger a PING, as I heard one congressman call it.

Every company in the world has a simple contact database on their own customers and suppliers that gives them years of data.   WHY CAN’T WE BE PROTECTED FROM THESE TERRORISTS?

This one wasn’t hiding in the shadows – he was ON SOCIAL MEDIA!   He wasn’t locked up in a cabin – he was traveling internationally,   his brother was getting a scholarship.  And they did this FOR YEARS!!

This intelligence failure is just exactly like 9/11 all over again.  These agencies are so procedural that they cannot connect the dots.  Ok – they’re human. But we have super computers that CAN connect the dots and do profiles and create alerts…

Maybe we should call Google and get some help.  We obviously need it.



Tragedy at the Boston Marathon – What Went Wrong?

Looking at the CNN footage of the Boston Marathon finish line yesterday, I was struck by the shock of the bystanders and the chaos that followed the blasts.

Having just given two seminars on security controls, I pulled out my list to see what could possibly have been done differently to prevent this devastating outcome, and there was the first item on the list: ACCESS CONTROL.

After thirty years as a security expert and risk-threat analyst, I am about 85% sure that this was a lone wolf attacker who made his crude bombs to address some personal perceived problem, whether it was fear of gun legislation, spillover from the Israeli-Palestinian conflict, the Neo Con torture initiative, or something else.

Putting the attacker aside for a moment, the tragedy happened because SOMEONE WAS ABLE TO WALK RIGHT UP TO THE FINISH LINE AND PUT AT LEAST 3 BOMBS right near the finish line!   THIS IS NOT RIGHT.

There have to be SCREENING and ACCESS CONTROL PROCEDURES IN PLACE!  You can’t have security if you have open access to a major event like the Boston Marathon.  For years, security experts have cautioned that large crowds make a great target, and so events have paid lip service to this concept, without staying on the task and making sure that SECURITY CONTROL NUMBER ONE – ACCESS CONTROL – is ALWAYS in place.

But people don’t like access control, it’s too much trouble, they say.  They don’t like metal detectors, too expensive, too much trouble, too intrusive.  Well, it’s not as intrusive as having a major injury.   There are ways to secure these high profile sites, but the security community has to lead on this.

Yes, it is very sad and depressing that the world has come to this – but it has.  And it will happen again.  As long as security is perceived as too much trouble, too expensive, too tough to do, and too intrusive, there will be more tragic events like this one.



