Time to look at your healthcare system's security measures
Recent studies have been showing that threats to hospitals are on the rise nationwide. It makes sense, actually, since hospitals can be a source of healing and solution but unfortunately are also a place where heartache, stress and loss are often at an all-time high.
Hospitals truly are the perfect target for those looking to create the ultimate disruption or to create chaos. No matter what hospital I have ever visited including the hospitals I have worked in, they are all what I would define as soft targets; vulnerable to even the worst-planned attack. Aside from the physical aspects of a hospital that could be a target such as power, patients, supplies or facility, there is also the ever-critical cyber portion of modern healthcare. Nothing happens in a hospital that does not rely upon the computer technology in place!
Assessing risk and threats at a hospital is different than doing so at a factory or school. The scope of healthcare is so vast that it can be difficult for a hospital ever completely assess all of the risk they are exposed to because the daily operations of any healthcare system are so fluid. Security, when referring to healthcare includes the facility, the grounds, surrounding campus area, closely located neighborhood, surrounding roadways or other means of transport, active shooter scenarios, violent aggressors, civil unrest, cybersecurity threats, natural disasters, fires, spills and the list goes on.
So with all of this in a world where our socio-economic-political world is changing the landscape (amidst pandemics and outbreaks), what measures should be considered and/or updated?
Let’s begin with the obvious and make sure we have enough security personnel on the grounds and within the facility. Any additions to security personnel needs to be well-thought out and done properly because when it comes to healthcare, security personnel working in the healthcare field need to be trained for that specific arena, for example, most security guards are not trained in infectious disease protocols. It is important to revisit and renew partnerships with local law enforcement and schedule visits to the facility and grounds for local law enforcement that may be called upon to respond in the event of an incident. Passageways from operating rooms to waiting areas, storage areas and sleeping quarters are just some of the areas that your local law enforcement will not know about until you show them. The more local LEO’s know your facility the better outcome you stand to see in an emergency.
Almost every hospital already has security cameras but now is the time to answer questions like “Are these cameras less than 5 years old?”, “Are we utilizing the latest technology when it comes to cameras?” “What resolution are the cameras we are using?”, “Is footage being stored in the cloud and readily accessible from off-site so law enforcement and responders can access it if the need arises?”. Unfortunately for healthcare systems around the country, most homes with security cameras have better cameras than hospitals. There is no excuse for poor video quality or lack of area coverage when cameras can cost as little as $100.
The American Hospital Association (AHA) reports that healthcare workers suffer more workplace injuries because of violence than any other profession. The industry group also says that 44% of nurses report an increase in physical violence since the pandemic and 68% report an increase in verbal abuse.
According to the U.S. Bureau of Labor and Statistics, The health care and social service industries experience the highest rates of injuries caused by workplace violence and are 5 times as likely to suffer a workplace violence injury than workers overall.
With ransomware the new trend in domestic and foreign terrorism, the financial status of hospitals make them perfect targets so a good look at your cyber security should be on the menu. Have you based your current protocols on case studies from the last five years? If not, it is time to do some research and begin rewriting your procedural policies. As the Covid-19 pandemic swept the world over the past three years, cybercriminals took advantage of the chaotic situation and repeatedly shut down hospitals’ networks at a time when they were least able to respond. That has meant curtailed emergency services, canceled operations and more deaths.
In 2020, a woman sued an Alabama hospital, after the death of her newborn baby, alleging that doctors failed to carry out critical pre-birth testing due to a cyberattack on the hospital, which meant the baby was born with the cord around its neck. This led to brain damage and — a few months later — the baby’s death.
In 2022, an attack on CommonSpirit Health, the nation’s second largest non-profit health system, compromised the personal data of over 600,000 patients, including electronic medical records which allegedly caused one child to be given five times the amount of medication needed. An attack in November of 2022 on three New York hospitals forced Doctors to go to paper charts delaying critical care.
While I find it hard to believe, there are still healthcare systems that have yet to hire an emergency manager that can focus completely on developing response plans. The last hospital I worked at did not have an emergency manager and it came as no surprise that this culminated in a lack of drills, regular training and education for most of the staff.
If we learned anything from COVID, it is that we probably should not sit on our hands while waiting to hear the latest recommendations from the CDC. Hospitals operate only as well as their reputation in the public eye and not having an expansive infectious disease control program after 2020-2021 is just poor management. Notice that I used the word Program.
As I traveled the United States during COVID as an infectious disease specialist, I was astounded by the lack of protocols followed by EMS transporting COVID patients to hospitals that then allowed the EMS personnel to enter the facility during the transfer. Before the next pandemic, hospitals need to start demanding more of local medical transport and perhaps should become the provider of new training for EMS personnel.
There is much more hospital and healthcare systems can do other than updating protocols or procedures; simple, enjoyable and easy-to-attend trainings and educational events for your staff, their families and the community can go a long way the next time a novel virus encroaches on your doorstep.
By implementing or at least taking a new look at these and other security measures, healthcare organizations can protect their patients, staff, and facilities from security threats and ensure that they are able to provide safe and effective care.