It's always 'Orange Alert' for health facility security - News on the Cover
John Andrews

The World Trade Center and the Pentagon were marked for destruction by terrorists because they were visible symbols of America's economic and military might. Unfortunately, other high-profile targets, including hospitals, could also be in the crosshairs of terrorists, which means that healthcare facilities need to be on their guard at all times.
Threats to security have mushroomed since Sept. 11 and come from a variety of sources and in numerous ways. Take, for example, a recent episode at Southwest Regional Medical Center in Little Rock, AR. According to a report in AHA News, a trio of "suspicious visitors in military uniforms" showed up at the hospital's emergency room on March 19 claiming to be there to protect the facility. After staying for a few minutes, the mysterious group disappeared as mysteriously as it had appeared. Officials later discovered that no military officials were assigned to the hospital. The FBI is reportedly investigating the incident.
Fortunately, this bizarre occurrence didn't result in disaster. But the margin for error gets smaller all the time and hospitals have to be on top of everything, says Steve Wilder, a Bradley, IL-based healthcare security consultant.
"Hospitals have taken a strong look at themselves regarding NBC (nuclear-biological-chemical) events, but they need to look more closely at intrusion," said Wilder, who is a partner with Sorensen, Wilder & Associates. "Two Midwestern hospitals recently had people sign up as volunteers and they specifically requested to work in the boiler room. The hospitals turned them away only because they don't assign volunteers to that area. They missed an obvious sign of potential terrorism. They later realized the mistake and reported it to authorities, but they should have recognized the situation immediately."
Hospitals are spending "tens of thousands" of dollars on security equipment -- cameras, monitors and alarms -- which is fine, Wilder said. But he cautions that too many think that's all they need to do.
"There is too much focus on technology and not enough on everything else," he said. "Hardware is only a small facet of a sound security system, part of what we call a P2T2 approach -- people and programs, training and technology."
By making cultural changes in conjunction with high-tech equipment, hospitals can effectively safeguard against outside threats. Especially important is avoiding a false sense of security, which Wilder says is still too common at small town and suburban hospitals.
"The 'it won't happen to us' syndrome is still prevalent in these areas and they're wrong," he said. "You're actually less likely to see a shooting in an urban hospital. Too often, small towns fool themselves into thinking they're safe."
Yet even large metropolitan hospitals can have security lapses, observes Judy Jacobs, CEO of Professional Healthcare Systems, a Rochester, MI-based firm that offers training on workplace violence issues and risk management. During a recent visit to one inner city Detroit hospital, Jacobs said she noticed several areas where an intruder could have gained entry unnoticed.
"There weren't enough guards posted at the exits and anyone could have slipped in the back door," she said. "People without badges weren't being stopped. The delivery dock was completely open and vulnerable."
Because construction and remodeling projects are constantly under way at hospitals, they invite potential intruders to pose as job site workers, noted Judene Bartley, CIC, president of Epidemiology Consulting Services, Beverly Hills, MI.
"There should be renewed attention given to anyone who approaches the campus. All visitors should be checked out, especially construction subcontractors," Bartley said. "Hospitals should have a process for badging everyone. Anyone without a badge should be stopped."
Electronically monitored proximity badges take security a step farther. Kansas City-based Cerner has developed technology for a system that uses radio frequency-activated sensors to detect who belongs in an area and who doesn't. Cerner marketing manager Sue Tarkka says more hospitals are considering this option, but adds that it's a commitment.
"It's an infrastructure issue," she said. "It's an investment."
When it comes to visitors, there's no such thing as routine anymore, consultant Wilder says. Seemingly safe and innocuous events and circumstances can no longer be taken at face value. "One example is pizza delivery," he said. "The pizza guy can walk through every layer of security unimpeded. So if you carry a pizza into the hospital, you basically have unfettered access to the entire facility."
Therefore, it's the responsibility of all staff -- not just security personnel -- to be on the lookout for anything out of place, Wilder said.
"You should be able to tell at a glance whether someone belongs or not," he said. "Someone who is supposed to be in orthopedics has no business in the boiler room. Accountability for all visitors is critical."
'Familiar' threats
Although the dangers of terrorism have dominated the headlines, much more familiar threats -- such as violent spouses, disgruntled workers, baby snatchers and street gangs -- haven't gone away, sources say.
Jacobs, who teaches conflict resolution in the academic and professional sectors, says hospital managers need to be enlightened about how to handle potentially violent individuals like spouse abusers.
"I still see a cavalier attitude about it -- especially in the urban area," said Jacobs, co-author of The Workplace Violence in Healthcare Tool Kit: A Guide to Establishing a Prevention and Training Program. "Many still believe it's a 'personal' issue and that they shouldn't get involved. They don't realize how dangerous these situations can be -- not only for the victims, but for anyone around them who gets in the offender's way."
Similarly, managers need to recognize the symptoms of a potentially violent employee, which Jacobs said can escalate into a "warlike" situation -- when diplomacy fails, the offender turns to violence as a last resort.
"The threat of workplace violence is very real and hospitals need to conduct a threat assessment and create a plan of action," she said.
Organization-wide training is the backbone of facility readiness, Wilder said, because if a serious security breach like an infant abduction is detected, it needs to be communicated quickly throughout the building. He illustrated the point by relating a recent unsuccessful infant abduction drill.
"This hospital has a great alarm system in the nursery, so the staff there knew what was happening, but it didn't extend outside the department," Wilder said. "They needed to seal the facility and people didn't know what to do. It wasn't communicated to the maintenance staff or the receptionist. When a breakdown occurs, the hospital tends to blame the equipment, when in fact, the organization didn't do its job."
Bio-Preparedness
Preparing for a biological attack on the hospital is not a new scenario for infection control practitioners. Even before Sept. 11, many ICPs had envisioned such an emergency.
Epidemiologist Russ Olmsted, CIC, says his hospital, St. Joseph Mercy, Ann Arbor, MI, has been holding drills since May 2000. One exercise included a mock release of anthrax at a local hotel.
Although the practice has helped hospital officials ferret out security gaps, Olmsted says "You can never be too prepared."
Municipal, county and regional emergency preparedness agencies are more than willing to participate in these exercises, Olmsted said, and he encourages hospitals across the country to establish relationships with these groups. The key to isolating a contaminant lies within the ability to coordinate team members inside and outside the hospital, he said.
The National Institute for Occupational Safety and Health -- a division of the Centers for Disease Control and Prevention -- issued guidelines in May 2002 on protecting building environments from airborne, chemical, biological or radiological attacks. The document, available online (see the accompanying Security Resources list) spells out some protective measures facilities can take.
One area of major importance is the heating, ventilation and air conditioning (HVAC) system at a facility, Olmsted said.
"The location of air handling units is critical to assessing vulnerability," he said. "Most of our outdoor intake is on the roof, which is pretty remote and fairly secure. But those that are close to the ground could be susceptible."
Because people are constantly moving back and forth from the site, construction projects can be, as previously mentioned, areas of vulnerability. However, Olmsted points out that they pose yet another area of concern as well: airborne particulates that can permeate other parts of the building.
"Infection control should provide the risk assessment for that," he said. "It is important that they educate the contractors about proper demolition procedures, that those procedures are done in a way so that particulates are contained to transmission."
The IT Front
Buildings and landmarks aren't the only security frontier in the terrorism battle. If federal security experts' fears come true, there are a multitude of hackers and cyber-terrorists trying every day to cripple the nation's information technology infrastructure with malevolent viruses and worms.
Are hospitals an inviting target? Yes and no, says Fred Langston, senior principal consultant for Guardent, a Seattle-based security services firm. "Terrorism is a factor in IT security, but I don't think it's that big of a threat for healthcare in particular," he said. "I'm not discounting it, but bombs are easier and sexier."
Still, that doesn't mean that IT departments should relax. One of the nation's fastest growing crimes is identity theft and it's the computer databanks that are being robbed.
"Identities are being stolen en masse," Langston said. "Some 50,000 thefts were reported last year alone and there is a huge black market where identities are laundered and brokered. Hospitals are at great risk for this type of crime."
Fortunately, HIPAA privacy and confidentiality initiatives are driving tighter protection of patient data, Langston said. Knowingly misusing patient data, he said, can result in heavy fines and jail time.
But even with the HIPAA shield in place to guard against privacy intrusion, hospitals need to be extremely cautious about "accidental exposure" of data, which is a byproduct of conventional IT methodologies.
"Healthcare has long used an open information sharing model in which patient identifiable data can be inadvertently exposed," Langston said. "They need to focus on new, more secure ways of handling this data. This is a challenge because it takes money to do it and IT spending has been a low priority in healthcare. Although it's changing slowly, there has been some resistance because healthcare is undergoing a financial crisis."
Security Resources
Agency for Healthcare Research and Quality
www.bioterrorism.uab.edu
American Red Cross
www.redcross.org/disaster/safety/guide.html
Association for Professionals in Infection Control and Epidemiology
www.apic.org/bioterror/checklist.doc
The Centers for Disease Control and Prevention
www.cdc.gov/niosh/bldvent/2002-139.html
Occupational Safety and Health Administration
www.osha.gov
California Office of Public Health & Environmental Hazards
www.oehha.ca.gov
Department of Health and Human Services
www.smallpox.gov
COPYRIGHT 2003 Nelson Publishing
COPYRIGHT 2003 Gale Group