Counter Attack

Healthcare security threats can be avoided through careful planning and systems integration

• By W.H. Hobbs, RCDD, NTS
• Sep 05, 2007

HEALTHCARE providers today deal with threats not thought of a few years ago. In the past, a family’s gravest concern was infectious disease, and if there were significant security threats, many people were comfortably oblivious of them. Today, healthcare facilities must be aware of multi-dimensional threats such as infant abduction, drug theft, workplace violence and even terrorism.

Emphasis on homeland defense since Sept. 11, 2001, has brought to light the ever-increasing importance of protecting critical infrastructures, including healthcare facilities. The role of the security industry is to help healthcare institutions ensure total patient safety by providing systems that protect the assets, people and data within a facility. Planning for protection of a healthcare facility requires an in-depth understanding of the security and healthcare landscapes.

Systems Integration
Multi-layered threats exist in today’s world; therefore, organizations should take a multi-layered approach to deterring risk through integration of disparate systems and selective use of technological advances.

It’s seems straightforward. Hospitals must protect people and data, therefore they must employ the systems to make that happen. But the priority in healthcare is always direct patient care so the availability of funds for anything other than that is lowered. A 2007 survey on hospital infrastructure conducted by Health Facilities Management and the American Society for Healthcare Engineering found there is indeed strong demand among America’s hospitals for upgrading and replacing security systems, but respondents have no expectation of increased funding.

Budget cuts have forced many healthcare facilities to reduce the number of full-time employees, as well. For instance, it’s not economically practical for security guards to be chained to a desk waiting for something to happen. Healthcare executives can instead consider an in-house wireless paging system integrated with panic and other alarm systems—an automated way to quickly summon guards to an incident. Several vendors provide systems that will send a pre-set message with the location of the alarm to one or multiple pagers. These systems are cost effective and simple to operate and will permit security personnel to be mobile, yet easily accessible.

Unfortunately, healthcare organizations will continue to work under slim margins, and employees will be increasingly asked to do more with less. If healthcare security executives could better justify the cost of and return on systems, it may be easier to secure the funding. Executives should work with industry experts—dealers, integrators and manufacturers—and discuss how system integration provides reduced installation and operating costs, and enables streamlined operations for staff. The value of systems integration is two-fold—it can simplify the complex operations of today’s healthcare systems while increasing the level of security. @

Proactive Assessment
Investing in the auditing process will save pain, time and resources in the future. An audit will take a holistic look at each facility in order to ensure the protection of patients, employees, physicians and visitors by identifying strengths and weaknesses in physical protection and security practices. While a security self-assessment is an annual requirement to meet The Joint Commission Environment of Care standards, a qualified consultant can evaluate a hospital's security management program and review existing systems to identify gaps in protection or system redundancies.

To ensure safety, security personnel must first understand potential threats. For example, don’t allow the emergency department entrance to be used as an employee entrance. The potential traffic flow through the lobby area may desensitize staff to noticing what’s happening around them. Controlling in-bound and out-bound traffic to the facility by routing staff, patients and visitors through a minimum number of ingress and egress points is critical.

From a planning standpoint, don’t down-play potential security threats outside the facility. Parking lots are prime targets for criminal activity. Price predicts quality in this industry, and a clear image provided by installing cameras appropriate for the situation will be the key during incident review and potential prosecution.

Systems also must provide easy access to the data they acquire from all points inside and outside of the facility. It is just as critical to be able to lock down doors and view real-time video from a command post outside of the building as it is from the security center inside the building. The worst situation for a responding officer is to enter an area where they have no idea what the tactical situation entails. Remotely accessible video can be the difference between an effectively measured response and one of simple brute force. @

Equipment Lifecycle
According to the Health Facilities Management 2007 infrastructure survey, security systems were cited by 20 percent or more of survey respondents for having replacement or upgrade cycles of less than three years, and the top reasons for replacement are obsolete technology or failed components.

Cutting-edge security companies have combined digital video surveillance, access control and environmental health monitoring solutions to put customers in control of their IT-based security assets. This level of integration, visibility and predictive monitoring mitigates the most common causes of security system failure that could result in an HIPAA violation—human error, sabotage, environmental threats and power vulnerabilities. The value of these integrated systems is complete transparency into the real-time health of security systems, extended equipment lifecycles and lower total cost of ownership.

These integrated IT security solutions are ideal for situations in which security equipment is housed in public or high-risk locations—such as decentralized, small wiring closets pervasive throughout many healthcare facilities.

Migration of Video Surveillance
Reputable security manufacturers and integrators are now bringing converged systems to life with the migration of CCTV video surveillance systems to IP-based digital systems that are seamlessly integrated into an existing network.

During the last few years, the security surveillance industry has seen a new group of players emerge, those whose systems are based on 100-percent digital signals and generated at the edge of the network by IP-enabled cameras. It is now possible to manage all components of a video system through the standards-based simple network management protocol (SNMP) suite of protocols, including cameras, network switching equipment, recording servers, storage and uninterruptible power systems. This allows IT directors to manage the security components in the broader context of the enterprise IT systems in the same manner as the rest of the enterprise network devices.

The shift to network video is a scalable and powerful long-term solution. Revolutionary new digital video surveillance software applications allow users to monitor and manage any combination of analog and IP devices through a single-client interface. These future-proof solutions enable customers to progressively build hybrid systems, and at the same time, increase capabilities of and safeguard the investment in legacy devices. An integrated system’s open architecture platform allows for flexibility and further addition of devices and advanced feature sets.

Access Control
There’s no room for downtime of access control systems. High availability electronic access control (EAC) systems are imperative to the basic protection of people and data in a healthcare facility. In terms of average system downtime, a few minutes is all that’s needed for unauthorized entry—perhaps making the difference between life and death.

An IT director may flinch at the idea of putting more strain on the hospital’s network with security devices. But with network health monitoring systems in place, this becomes less of an issue. Similar to IT’s five nines (99.999 percent) expectation for system uptime, the security industry is beginning to demand benchmarks for system uptime and equipment protection. Integrating network health monitoring devices with security systems will decrease the likelihood of EAC system failure.

The multi-layered nature of today’s security threats should dictate a multi-layered approach to access control. The most effective access security systems are those that allow for a single credential and integrate with video surveillance to provide visual verification of the person using the credential. Multi-layered credentialing can be accomplished by using a PIN in conjunction with an access card, or a smart card technology such as Mifare, combined with biometric identification. As with video surveillance, legacy access control systems can be integrated with new systems that are IP-based and PoE-enabled.

A New Facility or Retrofitting
Even though an increasing number of America’s 5,800 hospitals are raising funds for replacement hospitals, the majority must continue to add on to existing facilities in a framework that is not user friendly for visitors. Increasing regulations also are forcing healthcare facilities to retrofit their aging facilities, which can be exponentially more cumbersome and expensive than new construction.

As plans are made to build a facility or retrofit an existing one, care must be taken to ensure that any systems put into place provide security, ease of use, flexibility and expandability. Hospitals were once built for the convenience of patients and visitors. However, 30 years ago, no one could have imagined that someone would wander into a birthing center and escape with someone else’s newborn in a duffel bag.

Whether building new or updating an existing unit, security in the birthing center, for example, must start with a verifiable and accessible list of who should have access to this area. Limiting the ingress and egress points is critical; preferably no more that two access points to the birthing center should exist, and all access points must be controlled by an EAC system with multiple layers of identification, as well as video verification. The protection of all infants and young children is of the utmost importance, thus an infant abduction system is the best choice for a third layer of protection. Be careful to design a system that easily integrates with the other layers of protection in the security environment. Simply setting off a local alarm will not provide sufficient time to prevent abduction. Once the infant abduction system goes into alarm, immediate notification of the security and nursing staff is required; again, a wireless paging system is an effective choice. Video surveillance of all ingress and egress points in the facility should be automatically triggered by an alarm event, and locking down these access points must be automatic. Time is the most important component in any abduction incident, and multi-layered, integrated systems can be the key to providing the time needed to prevent a tragic event.

The healthcare industry is at high risk of terrorism, violence and criminal activity. The security industry’s responsibility is to be a strategic partner to healthcare institutions struggling to ensure total safety and protection of its most important assets. Increased efficiencies, streamlined operations and effective risk management are all potential outcomes of careful planning and security systems integration.