Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Corporate Security

Starting a Hospital Security Risk Assessment

How to make sure your Security Department is Working for the Hospital.

Security Risk Assessment are not just Required by the Joint Commission – they are required in many states as a preventive measure to help prevent and reduce workplace violence.

The Risk Assessment also helps managers and administrators assess their security program, directly measure it’s effectiveness and helps determine
cost effective methods that can give you a great deal of protection for the lowest possible cost — something we call “bang for the buck”. 

The recent increase in violence comes as a surprise to doctors, nurses, managers and administrators, too.  Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

 1.  Doctors are no longer thought of as “Gods”.  This means they are
      are more easily blamed when a patient’s condition deteriorates.

 2.  Hospitals are now regarded as businesses.  This perception has been
       been aggravated by television in shows like a recent “60 Minutes”, as well as
       by the effects of the recession on jobs and the loss of health insurance.

3.  Lack of respect and resources (funding) for hospital security departments
  
.  Rather than being seen as a crucial protection for the hospital staff and
      patients, many security departments are chronically underfunded and used
      for a variety of non- security functions, such as making bank deposits for
      the hospital gift shop, driving the education van, etc.

The federal government  issued a guidance document for dealing with violence issues in healthcare,  called OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.  You can download a copy at www.osha.gov/Publications/osha3148.pdf



Did you know that Organized Crime now Runs Most Identity Theft rings and That They Already Have Your Personal CC Information?

A recent CNNMoney article looks at why cybercrime has gotten so pervasive and concluded that you have probably already been hacked!

Cybercrime and theft of personal identity elements like credit cards, bank accounts, passwords, etc. has moved from a kitchen industry populated by techy college students in countries like Bulgaria and Romania, to a dependable source of income for organized crime.

Similar to the way Russian crime gangs have infiltrated the shipping-port business, identity theft has become a commodity and they are stealing BILLIONS of dollars every year, including from the world’s largest corporations like Sony and Citigroup.

According to CNN Money, “These aren’t petty thieves. They’re committing breaches like the Sony attack that stole credit card information from 77 million customers and the Citigroup hack that stole $2.7 million from about 3,400 accounts in May. They’re organized, smart, and loaded with time and resources.

“It’s not like the Mafia, it is a Mafia running these operations,” said Karim Hijazi, CEO of botnet  monitoring company Unveillance. “The Russian Mafia are the most prolific cybercriminals in the world.”

The Russian mob is incredibly talented for a reason: After the Iron Curtain lifted in the 1990s, a number of ex-KGB cyberspies realized they could use their expert skills and training to make money off of the hacked information they had previously been retrieving for government espionage purposes. Former spies grouped together to form the Russian Business Network, a criminal enterprise that is capable of some truly scary attacks. It’s just one of many organized cybercriminal organizations, but it’s one of the oldest and the largest.

“The Russians have everyone nailed cold in terms of technical ability,” said Greg Hoglund, CEO of cybersecurity company HBGary. “The Russian crime guys have a ridiculous toolkit. They’re targeting end users in many cases, so they have to be sophisticated.”

Though credit cards continue to be a source of revenue for organized crime syndicates, there’s not much money in credit card theft, so crime rings go after large corporations and sensitive information that can be sold or used for blackmail.

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will stolen in 2011.



Using Risk Assessments as a Business Process

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, government of the world and think tanks. 

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe
it’s economics – maybe it’s result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:  

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either prevent threats from occurring or by mitigating the impact of the incident if it occurs. 

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!



A Short Note on Father’s Day

A Father’s Day about Remembering

My father was a teenager during the Depression.  That means there was no college for my very intelligent and very creative father.   Here are some of his best moments, commemorated in a great photo of him barbequeing on the green Weber grill, wearing only swim trucks, a big Chef’s apron and a chefs hat!

When I was sixteen, I went outside to tell my father that I didn’t believe in the Easter  Bunny anymore, so he didn’t go have to go thru the whole Easter Bunny drill which included getting up in the middle of the night and putting pieces of cotton on the underside of the chain link fence, so he could take us outside and say, “The bunny was leaving your Easter baskets and he heard you waking up and he ran out so fast, he left a little bit of tail on the fence,” and then he’s bend down to show us the Actual Easter Bunny evidence.

Finally, after an hour of discussion – he said, “OK – you win, I’m the Easter Bunny”.  I locked myself in my room and cried all day.

My dad always made the best of whatever happened, a lesson he passed on to me, the eldest child.  He always had a job – usually a great job with perks like boxes of oranges and pears at Christmas, and he taught adult Baptist Sunday school for 36 years.  What a commitment.

My dad should have been an artist, because he had the most beautiful handwriting, and could draw anything.   One of the great things he did for us was put together a whole book of photos of us for our 21st birthdays.  Mine had a Winnie-the-Pooh theme, totally illustrated, of course.  It included a list of the all the 20 songs I could sing at the age of 2!

My dad was also a fantastic grandfather to my two sons and they were only in their teens when he died, way too young, at 72.  He still swam 60 laps of the pool every day. 

Daddy, I think about you all the time, and wish you were here.



The 5 Missing Elements of Most Workplace Violence Prevention Programs

The 5 Missing Elements of Most Workplace Violence Prevention Programs

After working with a variety of organizations on a baseline Workplace Violence assessment, there are several areas that seem to be common problems for most organizations.  These elements are not expensive, and not timing-consuming, so they are natural candidates for improvement.

A baseline workplace violence assessment is a survey of employees in different roles, combined with a threat analysis and an analysis of existing controls and a historical incidents that can be reviewed and aggregated.

Here are the top 5 most common missing elements, with potential solutions.

1.  Missing workplace violence awareness/training programs.  Many organizations report that they have set these up, that they have sent out emails to all employees, but we consistently find that the employees didn’t read the emails, didn’t know the training was available, or that it wasn’t included in their initial company orientation.

2.  Mis-categorization of workplace violence incidents.   There is a mistaken (in my opinion) idea that domestic violence incidents that happen at work should not be categorized or reported as a Workplace Violence incident.  This is a mistake, and leads to bad information about the true nature of the problem.  If someone comes and shoots her significant other at work (IN THE WORKPLACE) – it is a workplace violence incident.

3.  Staff feels subtle pressure from management not to report every incident.
In my research, management wants every incident reported, every time, but
staff members report that their own direct supervisors may discourage them by not taking time to discuss these pre-incidents, and also by chalking up comments as merely office gossip.

4.  Not linking Human Resources with Security on the issue of Workplace Violence Prevention.  This is a management issue, but organizations that create bridges between HR and security are way ahead because this is one issue where cooperation makes a big difference in results.  HR can’t do a security assessment and security can’t write termination policies and set up employment screening. They are both absolutely necessary.

5.   Not doing an Annual Workplace Violence Assessment.  Since late 2008, when the economy suffered major job losses,  the number of workplace violence assessments have increased dramatically, especially in the healthcare field.  Annual assessments are best way to stay on top of the ‘potential’ for violence in your organization.

Check out one of our regularly scheduled webinars to learn more about this important issue.

 

REMEMBER – Workplace Violence is the one threat that is PREVENTABLE!

 

                                        — Caroline Hamilton

                                                                 Caroline.r.hamilton@gmail.com

                                                                 chamilton@riskwatch.com

 


                                  www.riskwatch.com



Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It t is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about a 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot,  has already been forgotten by security professionals and criminologists.  There is no condemnation or follow up  about a terminally troubled young man and the ease in which he purchased a semi-automatic pistol and 30 shot clips.

There has been no rallying cry to address the ease in which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.



The Risk Assessment – Live – and Cross-Cultural

I just got back from a great trip to the Middle East.  I spoke at a State Department conference (ISAC) Conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.   Besides that I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height,  politics, or anything else.   Maybe this is why the TV show “The Office” is a worldwide hit.   Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology of all things — I am amazed less at the differences than I am in the similarities between organizations.

This is my 17th country that I have visited to do a security risk assessment and they all come down to these basic steps: 

1.  Identify what you want to assess.   Many times you need to cut down the proposed assessment, it doesn’t need to include things that are 10 miles away.

 2.  Write up a Project Plan to show other people what you’re doing to do – and give management a time line to work with.  (It keeps me focused – a value add).

3.  Find the dollar VALUE for whatever you are assessing, for example — How much is the facility worth?   What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

 5.   Ask other people in the organization how they handle security.   I like using our automated surveys because it captures more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.   Examine all the existing controls and see how they are being used in other areas of the organization,  are they 100% implemented?   80%?   50?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access –   don’t guess.    Let the numbers do the talking.

8.   Write up a simple report, illustrated with lots of color graphs and photos, so someone  can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?

These are just examples,  any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.     In the follow up Blog – I’ll talk about how to present your findings to your management.



Workplace Terror in Manchester, Connecticut

Yesterday a tragic story unfolded in Manchester,  Connecticut.   You probably already know that nine people were killed when an employee who was being fired, came back in with his hand gun,  started shooting and, after calling his mother, killed himself. 

This incident is part of a bigger and growing trend to more workplace violence incidents – not only in companies in general, but in hospitals to an even greater degree.  The Manchester incident also illustrates again some of the basic tenets of preventing workplace violence incidents. 

Patrick Fiel, Public Safety Advisor for ADT Security, commented, “The industry standard is to not  terminate employees in open areas where other individuals may be working.   Firings are always touchy situations and should be conducted in an isolated areas, even off-site, away from the work areas.”  

“Many companies have crisis plans in place, and also conduct security risk assessments annually  to prevent this kind of incident.   A comprehensive security assessment  might have saved nine lives by setting up procedures for the termination; and additionally, by making sure employees knew what to do when he did draw his gun.” 

I have been reviewing workplace violence incidents in healthcare and find that they have skyrocketed since the recession started.   Violence against supervisors, managers and also nurses and other healthcare workers has spiked significantly.

 It is surprising to read the following statement on the osha.gov web site:

There are currently no specific standards for workplace violence. However, this page highlights Federal Registers (rules, proposed rules, and notices) and standard interpretations (official letters of interpretation of the standards) related to workplace violence.

Section 5(a)(1) of the OSHA Act, often referred to as the General Duty Clause, requires employers to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees”. Section 5(a)(2) requires employers to “comply with occupational safety and health standards promulgated under this Act”.”

It might be time for OSHA to develop some workplace violence prevention standards.  Many of the ones we use in our risk assessments are related to standard security safeguards – such as having a written termination policy; making sure that if  worker at one location is fired, that all other locations are notified so he can’t just go to another office and cause an incident. 

Much of the statistical data we found on the OSHA website were at least six years out of date, which makes it harder to track current trends in workplace incidents, unless you catalog the media-reported events and run an analysis on them.  The U.S. Bureau of Labor Statistics reported  “Mass shootings receive a great deal of coverage in the media, as we saw with the Orlando, Fla. office shootings in November 2009 and in the shootings at the manufacturing plant in Albuquerque, N.M. in July 2010.  Out of 421 workplace shootings recorded in 2008 (8 percent of total fatal injuries),  99 (24 percent) occurred in retail trade.  Workplace shootings in manufacturing were less common, with 17 shootings reported in 2008.  Workplace shooting events account for only a small portion of nonfatal workplace injuries.” from http://www.bls.gov/iif/.

It makes me wonder if the workplace violence statistics from 2008 until now may be such a large increase, that has been either underreported or even held from publication!

According to a report by the National Institute for Occupational Safety and Health — “State of the Sector/Healthcare and Social Assistance” — published in 2009, health care workers are more than three times as likely as workers in other industries to be injured by acts of violence.

“Health care workers are at risk for verbal, psychological and physical violence,” the report says. “Violent acts occur during interactions with patients, family, visitors, coworkers and supervisors. “Working with volatile people or people under heightened stress, long wait times for service, understaffing, patients or visitors under the influence of drugs or alcohol, access to weapons, inadequate security, and poor environmen­tal design, are among the risk factors for violence,” the report continues.

In the current economic environment, the physical security (facility) risk assessment can be used as an important tool in making sure that basic industry standards for preventing workplace violence incidents; or limiting the damage they can do – especially for making sure the staff are protected from violent incidents by their co-workers.

The security assessment can be followed by the creation of specific, detailed crisis plans that make sure people know what to do when the unthinkable happens at work.  One of the reasons that workplace violence incidents are so upsetting to all of us is because the person KNEW the people he was killing.  He probably knew their spouses and met their children at a company picnic.  It makes the violence more personal and scary, a whole different thing than falling off a ladder.   And it reminds us all that it COULD happen here!



Searching for Hard Data about Security Cameras…

I was really surprised when someone asked me about how many cameras should be put in a small hospital to deter violence against healthcare workers. They were asking for a universally recognized guideline or standard that would give them ammunition to take to management to prove why they needed the extra cameras installed in the Emergency Department.

If you’re already in either the security or healthcare field,  I’m sure you’re aware of the dramatic increase in violence against healthcare workers and why this is obviously a concern of all healthcare facilities.   Cameras are often the first stop in a security improvement program because they provide a lot of visibility/protection at a reasonable cost.  

My next step was to start looking through different standards to see if there was a standard for how many cameras should be in an Emergency Department, or a birthing center, or a hospital lobby.  I could not find a simple standard anywhere.  I first started looking at FEMA requirements for preventing terrorism (FEMA 428) (www.fema.gov) and while they covered lighting, they stopped short of recommending a basic configuration, or an “acceptable minimum” for cameras.  Next I looked at the International Association for Healthcare Security and Safety (www.iahss.org) and they also mentioned lighting and cameras but again, without specific guidelines for the various parts of a hospital.

More research followed.  I called about a dozen hospital security directors, and then started on a literature search.  I started with the classic Russell Colling book, “Hospital and Healthcare Security” and again found a great deal of common sense advice and recommendations on how cameras should be placed to view certain areas and the panning area, and what kind of cameras to use where, but again, no exact direction on how many cameras should be put in a hospital emergency department.

Back to the phone to get more information, I talked to more security professionals who explained that each facility is different — each hospital is different — each hospital has a different budget — different configurations.   I totally understand that companies that sell cameras and lighting to hospitals (and all sorts of other facilities) want to do an in-depth assessment before each installation to make sure the cameras fit the total security picture. 

But I think that the security organizations should start creating minimum standards with actual guidelines of WHAT KIND, HOW MANY and WHERE To INSTALL, as a sort of default value, or minimum to achieve some level of improved security.  For example, ‘basic’ or ‘minimum’ recommendation for an ED might be — one camera at each entrance and exit and a camera at the admissions area.  Having some basic configurations spelled out would be a great thing for security directors and probably for the camera companies.

Those who have read my blogs before know I am a big proponent of standardization — for lots of reasons.  It is good for the buyers because they don’t have to agonize over whether they are getting a certain (if minimal) level of protection; and it helps them secure the budget to install the new camera systems.  It’s good for the camera integrators because it increases sales because (see previous sentence), security departments can more easily get budgets approved and thus, sell more camera systems.

One of the security groups I talked to told me that the reason they don’t have a minimum is because it reduces pressure on smaller organizations that may not be able to afford a particular system, but I think that with the increasing use of cameras, having a minimum standard makes sense and would be a win-win proposition for everyone.

For example, did you know that rail gauge on railroad tracks used to be different for every state?  So early trains could chug around a state, but couldn’t cross the border into another state because the rail gauge was different.  After the rail gauge was ‘standardized’ so that the whole country used the same gauge of track — trains were going coast to coast and everywhere in between.  It allowed rail travel and shipping by rail to really take off.   Maybe we can do the same with cameras.



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggrevating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary like X instead of Y
3. My friend, Sam, said his company was adding
some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.




top