Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Workplace Violence

Man Wants to Commit Suicide at Hospital to Donate his Organs!

Suicidal Man Triggers an Evacuation in Denton, Texas.

The emergency department at Texas Health Presbyterian Hospital was evacuated after an armed man threatened to shoot himself in the hospital’s parking lot, as reported in a newspaper article. The man had sent suicidal messages to his ex-wife. She contacted police, who in turn began tracking the man’s cell phone. He was found in his vehicle, which was parked in front of the hospital’s ED. Police cleared the ED while they negotiated with him for about 45 minutes. The man told police he chose the hospital because he wanted to donate his organs after he killed himsel



Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 



Another Look at OSHA & Workplace Violence

I just finished reading a new book called HALT THE VIOLENCE, written and edited by Patricia Biles and her Alliance Against Workplace Violence group.  Here are some of my thoughts on it, if your organization has been evaluating workplace violence issues:

Here’s my review and why I think you should get it (Amazon) and take a look – it’s a short read — less than 150 pages.

I like the insider perspective on how to prevent violence in the workplace. Patricia Biles was a former OSHA (U.S Occupational Safety and Health Administration) employee and their guru on violence issues.  Her work with industry groups and individuals has given her rare insight on the subject of stopping the epidemic of violence, and she gives practical solutions that employers and individuals can use to halt the violence.

The book covers the escalation of violence in the workplace and how OSHA reacted to the problem, which came to the forefront in 1989.  She identifies the groups most affected by violent events at work, including nurses, healthcare workers, taxi drivers, convenience stores, and late night retail establishments in particular.

As well as covering a complete history of the issue, she also weaves together input from other experts who specialize in aspects of the overall workplace violence problem, including the problem of violence in hospitals,  the increased incidents of bullying in the workplace, the importance of early intervention and practical strategies for diffusing angy, aggressive individuals.

The important of risk management procedures, such as performing regular threat assessments is identified as one of the few ways to identify individuals who may pose a threat, although the authors point out that both the Virginia Tech shooter and Jared Loughner, the diagnosed schizophrenic who shot Gabby Giffords, her staff, and innocent bystanders in Tucson, were both examined, and had psychological profiles which stated they were ‘unlikely’ to be a threat to others.

Specific violence-prone workplaces are also identified and specific recommendations given for hospitals, home health and social workers, and educational institutions such as schools, colleges and universities.

In some ways, this is an insider’s book because it gives you the behind-the-headlines details, not only of major workplace violence incidents, but also a look at what it takes to create new laws and encourage congress and federal agencies to recognize the problem and take concrete steps to ‘halt the violence’!

All in all, this is a very insightful and practical look at a problem that affects every workplace and every person who goes to work and counts on returning home in the same condition.  Employers will want to implement the suggestions in the book on how to reduce violence in individual organizations, and it also offers a valuable perspective on how to comply with new OSHA standards and they continue to evolve their approach to this critical issue.

 



Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



Why Violence in Hospitals is Increasing

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors. 

  1. Doctors are no longer thought of as “Gods”.  This means they are
          are more easily blamed when a patient’s condition deteriorates.
     
  2. Hospitals are now regarded as businesses.  This perception has been
           been aggravated by television in shows like a recent “60 Minutes”, as well as
           by the effects of the recession on jobs and the loss of health insurance.
  3. Lack of respect and resources (funding) for hospital security departments
         
    Rather than being seen as a crucial protection for the hospital staff and
          patients, many security departments are chronically underfunded and used
          for a variety of non- security functions, such as making bank deposits for
          the hospital gift shop. 
  4. ASIS Security Association issued it’s industry guidelines for Workplace
         Violence 
    Prevention in September 2011, in conjunction with the SHRM – the
         Society for Human Resources Management to address this issue.

    The federal government   issued a guidance document for dealing with violence issues in healthcare,   OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

To Learn more:  join my webinar on Thursday, January 12th at 12 noon Eastern time by
       Clicking on this link:  https://www2.gotomeeting.com/register/835835290.



Outlook on Risk & Security Compliance in 2012 – What to Expect.

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule.  It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights,  has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2.  Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015.  Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations,  the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3.  Pressure on the financial industry to protect consumer information will increase.
  Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches.  Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.

 

There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations. 

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!



Webinar Looks at New OSHA Workplace Violence Directive

Workplace Violent Incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in home visit, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves a domestic violence incident, like when a husband shoots his wife at work; or whether it is patient violence against the Emergency Room nurses, it is a big problem that has been increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff, and patients stay safe.



OSHA Starts New Enforcement Initiative for Workplace Violence Issues

On September 8, OSHA issued a new directive about enforcement activity on workplace violence issues.  This directive (CPL 02-01-052) takes effective on Sept. 8, 2011 and is called Enforcement Procedures for Investigating or Inspecting Workplace Violence Incidents.  It details new procedures for the OSHA inspectors, but it is also a valuable document to show employers what they can expect.

The directive follows the shocking news that in 2010, 18% of workplace fatalities were caused by assaults and violent acts, while only 14% were caused by falls, according to the Bureau of Labor Statistics.

Workplace violence incidents are even higher in the hospital and healthcare industries.

The new inspection directive shows how OSHA inspectors are going to look at employers to see whether they have performed a workplace violence analysis.  These assessments follow the security risk assessment model and should take into account the threat level at the organization, the history of incidents and examination of trends, and whether ‘accepted’ controls have been implemented at the place of employment.

Some of the ‘accepted controls’ they will be examining include:

  • Having a recent workplace violence analysis
  • Having a formal workplace violence training program in place
  • Showing the employer had incident reports to identity possible threat levels
  • Methods the employer used to inform employees of the risk of workplace violence
  • Evidence the employer has a workplace violence prevention plan in place
  • Evidence the employer has a current security plan
  • There are also a set of recommended physical controls that include proper lighting, cameras, curved mirrors, etc.

For more information, or a copy of the document, email info@riskwatch.com.



Starting a Hospital Security Risk Assessment

How to make sure your Security Department is Working for the Hospital.

Security Risk Assessment are not just Required by the Joint Commission – they are required in many states as a preventive measure to help prevent and reduce workplace violence.

The Risk Assessment also helps managers and administrators assess their security program, directly measure it’s effectiveness and helps determine
cost effective methods that can give you a great deal of protection for the lowest possible cost — something we call “bang for the buck”. 

The recent increase in violence comes as a surprise to doctors, nurses, managers and administrators, too.  Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

 1.  Doctors are no longer thought of as “Gods”.  This means they are
      are more easily blamed when a patient’s condition deteriorates.

 2.  Hospitals are now regarded as businesses.  This perception has been
       been aggravated by television in shows like a recent “60 Minutes”, as well as
       by the effects of the recession on jobs and the loss of health insurance.

3.  Lack of respect and resources (funding) for hospital security departments
  
.  Rather than being seen as a crucial protection for the hospital staff and
      patients, many security departments are chronically underfunded and used
      for a variety of non- security functions, such as making bank deposits for
      the hospital gift shop, driving the education van, etc.

The federal government  issued a guidance document for dealing with violence issues in healthcare,  called OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.  You can download a copy at www.osha.gov/Publications/osha3148.pdf



Should Hospital Staff Brings Guns to Work with Them?

Should hospital staff bring guns to work with them?

At a time when many hospital security departments have unarmed security officers, and some departments don’t even allow the use of mace, changes in state laws allow hospital staff in some states to bring their guns to work with them.

This turn-around, where the nurses may have guns – and security officers do not, has created a big, contentious debate in the security community.

In a recent paper printed in the Journal of Healthcare Safety and Security, my co-author, Jim Sawyer and I discuss the different elements of this debate and whether this is a constitutional issue, or a real threat-risk issue.

Here’s an excerpt,

Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

or you can read the entire article (below). 

Critical Issues on Gun Violence in the Hospital Workplace

By James Sawyer and Caroline Ramsey-Hamilton

 Background

 Every reader knows that violence in hospitals is increasing at an increasing rate.  The Joint Commission has issued Sentinel Alerts, the Journal of the American Medical Association, the bastion of the American healthcare system, published an article in October, 2010, written by two doctors about the murder-suicide at Johns Hopkins Hospital in September of 20101.. 

This article started as a guest blog from a security professional at a west coast children’s hospital.  After the blog appeared, we received dozens of notes, letters and angry outbursts, as well as emails arguing for a more reasoned approach.  This article will explore those issues, and includes quotes from the emails themselves.

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

  1.  Doctors are no longer thought of as “Gods”.  This means they are
          are more easily blamed when a patient’s condition deteriorates.
     
  2. Hospitals are now regarded as businesses.  This perception has been
           been aggravated by television in shows like a recent “60 Minutes”, as well as
           by the effects of the recession on jobs and the loss of health insurance.
  3. Lack of respect and resources (funding) for hospital security departments
       .  Rather than being seen as a crucial protection for the hospital staff and
          patients, many security departments are chronically underfunded and used
          for a variety of non- security functions, such as making bank deposits for
          the hospital gift shop. 

A Dirty Little Secret about Reporting
The U.S. Department of Labor tasks OSHA with workplace violence information, but there is not one sanction against it, it says right on the OSHA web site that this is solely left up to the employer.  It makes it hard for hospitals to justify spending money on workplace violence prevention, if it is not a standard, and a major compliance issue (as it should be).  And here is a dirty little secret for looking at the statistics, OSHA does not count domestic incidents (like homicides) that take place in hospitals as officially “workplace violence incidents”, instead they are counted in another system.  Similarly, many hospitals don’t count staff to patient violence incidents, or patient to patient incidents.  These practices create a false impression of the actual number of violent incidents, by reporting only a fraction of the actual events.

 Gun Violence Represents a Significant Security Challenge

The prevention of gun violence in hospitals and the hospital as workplace may well be the most challenging issue for hospital security professionals in the foreseeable future.  What are some of the reasons for this growing concern?  There are many and they include:

 1.   The sheer numbers and easy availability of guns.  There are over 270 million guns in circulation in theUnited Statesand the numbers continue to grow.  After the 2008 election,  gun ownership surged and in some areas of the country, guns sold at such a pace that retailers literally ran out of ammunition. 

2.  Approximately a 100 people a day die from gunfire in the United States and an individual is shot approximately every twenty-two seconds.

3.  One in four Americans suffer from some form of mental illness, according to the Federal government. 

 4.  The U.S. is living in an era of economic instability, following the 2008 recession and the erosion of the middle class.  The Wall Street-triggered economic meltdown has propelled what was a slow steady decline into economic apocalypse for millions of Americans.  This has resulted in an environment of record home foreclosures, record personal debt, record banktupcy, record unemployment and record numbers of homeless individuals.

5.  The reluctance on the part of many hospitals to install magnetometers and limit entrances to hospitals so that the flow of guns into hospitals can be controlled.

The U.S. gun lobby has been very successful in pushing and supporting state legislation which permits guns in the workplace, and on college campuses.

It is a serious mistake for security professionals to deride,  make light of, or dismiss this surge of pro-gun-at-work-and-school legislation.  These laws are getting passed (see Texas, Indiana, and Tennessee), and the likely result is that we will see an ever greater numbers of guns at work, and if our work is in the hospital, then the guns will be coming to work here, too. 

Guns aren’t just increasing in numbers, but they are getting more lethal and currently 30- shot clips and armor piercing bullets are readily available for the civilian population.  Citizens can now buy weapons that rival what is found in military armories.   These lethal weapons again present a sentinel challenge to security professionals.

 Most security directors remember life when Space Invaders was the only video game around.  Now children are exposed to violent images from a very early age.  Children and teenagers sit entranced watching endless hours of violent programming where gun violence is choreographed in slow motion action scenes where the scripted hero’s miraculously avoid injury even while they are dispatching the prime time  villains while showcasing their amazing gun prowess.  

By the time they show up at your hospital, the average child over 18 years of age will have viewed over 45,000 murders and 200,000 acts of violence just on television! This grim tally does not account for the high octane bloodshed and slaughter that make up the majority of the most popular video games.  

All of these factors suggest that the prevention of gun violence in our hospitals will become our premier challenge.  Many hospitals are already hosting ‘active shooter’ seminars to teach hospital staff how to deal with  “shooters in the workplace”.  This subject promises to become a cottage industry for consultants and violence prevention professionals.

As hospital security professionals, there are some strong, prevention-based practices that we can implement and develop that drastically reduce the chances of gun violence in the workplace.  Some of these best practices include:

 1. Acknowledge the reality and the persuasiveness of the U.S. gun culture.

 2.  Develop a strong, multi-department workplace/domestic violence response team at your facility, and make sure that both Human Resources, and Security are part of this team.

 3.  Develop a written workplace violence plan that is reviewed annually.

 4.  Do an annual  baseline workplace violence assessment that you can build on.

 5.  Have your workplace/domestic violence response team respond and meet within 4 hours of any  reported incident.  Have a response plan/action plan in place within 24 hours.

 6.  Encourage reporting of all workplace/domestic violence incidents to the police – without exception.

 7.  Run background checks of individuals of concern.  Information is light and a background check may provide you with crucial information. Obtain orders of protection – anti-harassment orders against individuals of concern.  Security should take the lead here.

 8.  Flag problem patients – problem families – have a “red alert” or a “red flag” program that alerts – tips off – advises both the care team and security that a potential problem exists.  This is especially important if the patient/family member has a history of violence.

 9.  Build a workplace culture where verbal threats are reported.  Have Security immediately investigate all verbal threats.  Make sure that Human Resources is fully informed of any situation involving threats.

 10.  Post  large, prominent“No-Weapons” signs at your facility – especially in parking lots, perimeter areas and all main entrances.

 11.  Officially prohibit staff from bringing firearms to work.

 12.   Offer annual violence prevention and threat awareness training to all staff.

 13.   Require workplace violence training – either on line or via classroom training for all new staff and annual retraining.

 14.   Have security involved and part of the planning for all “problem” terminations.   Note – Advise Human Resources to never terminate a disgruntled staff without strong pre-planning.

 15.  Screen all hospital patients and visitors.  Develop a major entrance screening program for your institution.  Knowing who is inside your facility is a critical part of any good prevention program.

 These pro-active solutions  will support and enhance a hospital gun violence prevention program.  Let me state again, it is critically important to have a hospital gun violence prevention program in place.

 AND IN RESPONSE

 Here are some of the comments that were received by other hospital security professionals around the country, after the original blog post.

 “Please remove me from your mailing list immediately.  Apparently the letter below blames the firearm and not the person holding it and putting 5-7 lbs of pressure on the trigger with their index finger.  I find it difficult to separate the “Spirit of the Security Community and our commitment to safety and protection” from this attack on my Second Amendment rights.”               

                                                           — Hospital Security Director in the Northwest

“I believe we should focus our attention, and when I say attention I actually mean money, on mental health resources (or the lack there of) and domestic violence issues, which quite often lead to fatal shootings.  Our emergency rooms have become a revolving door for patients with drug abuse, depression and other psychological issues and there appears to be very little our legislators and community/government leaders are doing about it.  To me, that is the real injustice and crime related to the firearm issue!                                              
                                                                   — Hospital Security Director in the Midwest

 “I would agree with the individual that I don’t believe there is a place in hospitals, government buildings and places of worship for guns; however if there had been guns on some of the college campuses, maybe there wouldn’t of been the blood baths they turned into.                                                       
                                                                –  Security Analyst – Washington DC

“As for firearms being banned from the workplace, I agree.  Policies and procedure should dictate along with a severe disciplinary, then handle accordingly.  Just that simple.”
Let’s clean it up, let’s clean up America!  Let’s lessen the need for firearms to be in the hands of thugs as well as those who just want to feel safe.    The FIRST STEP would be to BAN and make it ILLEGAL for businesses to sell paraphernalia, pornographic anything, strip clubs, places that promote alcohol and drug use, etc. 

Let’s Clean That Up!  …something that is tangible and promotes drug and alcohol use as well as many other criminal actions just to run these types of businesses.  Let’s make that illegal.  Let’s get Americans involved in the real issues of illegal firearms and drugs coming into this Country.    All law enforcement know that it takes big money to keep drugs coming into this Country.      Disarming America. RIDICULOUS.    Keeping firearms away from the workplace, understandable.

                                                    — Ex Army, Ex-Police, Hospital Security Officer

 

 Conclusion
While the issue of “gun control” is both a “hot button” and simultaneously,  a topic that is seemingly a forbidden or taboo matter for hospital security professionals.  It should not be this way.  Questioning the wisdom of allowing citizens to buy 30-round clips for semi-automatic handguns and keeping assault rifles at home is not a crazy liberal rant, it is a reasonable, non-political position.

Challenging the wisdom, if not the sanity, of the current flood of legislation that both allows and actually encourages guns in the workplace is neither “liberal” or “radical” – but pragmatic and grounded.   Hospital security professionals are the vanguard for progressive crime prevention education and development in the United States.  This is a mandate and responsibility that we all share.  How we respond and learn to protect our staff, our hospitals and our patients from this senseless violence may prove to be our greatest and most important challenge.

 www.riskwatch.com               www.caroline-hamilton.com




top