How to Stay Welcoming Yet Secure in Healthcare
by Bill Zalud
Healthcare security and life safety is “a constant balancing act between securing the facility and offering an open and caring welcome.” That’s consultant Tom Clancy’s sage advice. And an echo of Ohio Health’s Harry Trombitas’ experienced guidance: His security operation “values an open and welcoming atmosphere that focuses on outstanding patient care. However, many of the patients and visitors are experiencing their ‘worst days’ and emotions are raw. This can lead to people acting out in a stressful situation in ways they normally would not,” as he says.
Trombitas generally views healthcare risks as fitting into several buckets. “One, as far as people safety is concerned, I worry about the safety of all of our patients, visitors and associates,” he says. There are “the threats of infant abductions, assaults against our associates and violent behavior including the possibility of having an active shooter situation. Second, in regard to the facility, “risks include theft of personal or hospital property, damage to valuable equipment and vandalism to property. With information services, obvious threats include the theft of patient or associate personal information and the compromise of our computer network.”
Considering all of these and other challenges, it’s clear that healthcare and hospital security as well as emergency management stand apart from other business, government, institutional, financial and commercial protection assignments.
“I view our mission at Protective Services as creating a culture of safety and security in everything we do at OhioHealth. We currently have responsibility for 11 hospitals, over 50 ambulatory care sites and 28,000 associates, physicians and volunteers,” says Harry Trombitas, system vice president, security operations at OhioHealth in Columbus. “Along with our welcoming atmosphere also comes some inherent danger even though we have metal detectors at all of our emergency departments to screen for weapons, the other 95 percent of our hospital is open, with little or no screening of visitors,” points out Trombitas. “Fortunately, we’ve had very few problems as a result, but the possibility is always there.”
Access a Matter of Authorization
When it comes to access control, Trombitas basically focuses on allowing associates who are authorized to enter an area while keeping those not authorized out. “It also aids us in internal investigations. We use our access system to support our various alarm functions such as burglary, fire and temperature alarms,” he adds. “Many of our parking areas and garages require card access, which keeps a lot of problems out. In the areas where our visitors and patients park, we have aggressive vehicle and foot patrols, video surveillance and bike patrols to reduce incidents.”
Tom Clancy, CEO and principal at Alert Security Consulting, says there are the odd visiting hours and challenging locations of some – especially urban – parking facilities. He always looks at increasing lighting, adding surveillance, more guard tours and escorts during certain hours and situations, and placement of emergency call boxes.
On the security video side, OhioHealth recently transitioned analog cameras to digital output with use of encoders. Trombitas notes: “All new cameras that we purchase are IP-based. Our long-term goal is to create a security operations center where all cameras, alarms and other systems can be monitored from a central location, rather than the multiple command centers that we have now.”
Trombitas observes that Protective Services and Information Security team up against the technological threats that exist in today’s world. “Although we interact every day, we hold monthly meetings to discuss projects and issues that have come up recently that we each need to know about. We also have a larger confidentiality, integrity and availability meeting, what we call CIA, with various key departments on a bi-monthly basis,” he says.
De-escalate to Mitigate Violence
In mitigating the risk of workplace violence, OhioHealth created an Assault Prevention and Response program. “The focus of this program is to conduct associate training on de-escalation techniques, violent incident avoidance techniques and, should an incident occur, how to provide the care, comfort and support our associates need to deal with the issues that arise from being the victim of an assault,” Trombitas says.
More generally, Clancy believes violence mitigation is, in some ways, a matter of understanding locations and the history of past incidents. He is a big proponent of CAP scores. The CAP Index provides crime risk assessment and loss forecasting tools based on previous incidents and other data at specific healthcare locations. Still, some hospital security executives have to play the cards they are dealt. Level I trauma centers often are in bad neighborhoods, comments Clancy.
The future of healthcare security? The mission will remain to keep people safe, property secure and information from getting into the wrong hands.
“How we do that job will evolve with the times as newer, better security-related technologies are created,” Trombitas comments. “Organizations must be willing to stay up with the times and invest in their security departments. The status quo is not an option. Failure to address new threats and vulnerabilities as they arise will cost an organization ten times what they would have paid for a competent, full-service security department.”
Dr. Bob Banerjee, senior director of training and development for NICE Systems’ Security division, points to another evolution: security was viewed as a cost center, stopping bad things from happening. With a refocus on enhancing the customer experience, security professionals and their healthcare integrators now seek technology in a new light. So security technology can spread beyond security applications.
Cost Versus Value
Specific to squeezing more out of that investment is security video. Banerjee sees increasing value in systems that employ behavior analytics or real-time monitoring for suspect searches and tracking from camera to camera or for quick-find forensics uses. He says that you can find that specific person in the crowd, adding that with so much data – access control transactions and video images, to name two – you can build a history of incidents and reach conclusions to strengthen security and help improve operations.
Ongoing healthcare industry consolidations and acquisitions also impact security. For instance, Trombitas observes: “OhioHealth has grown in the short almost three years that I’ve been here…As we have taken on new hospitals and care sites, we have taken our time to transition existing security departments into the OhioHealth Protective Services way of doing things. As you can imagine, there is always some angst. We realize that and go to great lengths to calm people’s fears and assimilate them into the system with the least amount of anxiety as possible.”
Tom Clancy sees most things the same as his healthcare clients but, at times, through a different lens. When considering tight client budgets, Clancy looks deeper into America’s hospital C-suite psyche, suggesting that budgets may remain tight while the healthcare and insurance industries settle into the effect of the Affordable Care Act. “There are a lot of unknowns,” he says. [Editor’s note: This interview was conducted prior to the late June 2015 U.S. Supreme Court decision upholding key provisions of the Patient Protection and Affordable Care Act.]
On a more day-to-day basis, Clancy sees consolidation in the healthcare industry, porous facilities, antiquated technology, lack of adequate security equipment maintenance and overall uncertainty among complications. Visitor management, for instance, he says, is still a challenge. Moving security into a hospital’s network infrastructure continues, mostly in phases often determined by prioritizing risks and applying new tech first at high-risk points.
A Total Integrated Approach
Taking an expansive view, there is no doubt that the future use of technology in healthcare settings is a total, integrated approach.
One example: Western State Hospital (WSH), a state psychiatric hospital licensed and operated by the Virginia Department of Behavioral Health and Developmental Services. For a recent new construction project, Jim Smith, director of physical plant services with the Virginia department operator, worked with a team to determine which access control system would best fit their complex requirements. WSH consultant Facility Dynamics Engineering proposed a Symmetry access control system from Amag Technology and the ability to custom-integrate third-party software systems. Integrator Ambassador Enterprises installed the system, which included some unique features and integrated capabilities.
Due to the sensitive nature of the hospital, exterior perimeter doors remain locked around the clock to prohibit patients from leaving and keep out unwanted individuals. Employees must use their badge to enter and depart the building, and one set of doors is open during visitor hours.
Zones are created to control interaction between patients. Access is defined for each patient based on various levels.
All patients wear a wristband that serves as their access credential. The hospital has readers mounted on the ceilings all over the facility that can pick up a signal from the wristbands and report location information back to the access system. CenTrak, with a real-time locating system, integrates to allow tracking of patients. An RFID chip fits under the CenTrak transmitter, broadcasting the location of the credential. Individual patient bedrooms are equipped with locks and activate by the wristbands. The wristband is programmed to open the individual patient room doors and other doors appropriate for the patient’s level of treatment.
RFID to Identify Patients and Locations
“Patients are assigned a ‘tag’ on their wristband, and when granted permission to go someplace (say, the gym), the doors along this ‘tour’ are enabled for their wristband for the period of time specified. If they vary from this ‘tour,’ we are notified via Symmetry alarms,” says Smith.
By creating reader groups that control access to various departments and treating those reader groups as building masters, the need to carry big heavy key rings is no longer necessary.
Staff badges contain buttons that, when pressed, generate a duress alarm, which registers a user-defined message and also passes a message to “Sara,” which is a voice annunciation system. Staff uses their badge to move throughout the building. However, all exterior doors require a dual authentication (badge plus PIN). If a patient grabs a staff member’s badge, they will not be able to exit the building without use of the PIN.
WSH uses the access system’s visitor management module. Routine maintenance vendors present their ID or driver’s license and are given a badge. Individual visitors call ahead, and are escorted in or out of the building. Doors on the visitor pathway open to allow the visitor through.
Concerning security video, more than 330 IP cameras from Axis Communications, are throughout the inside and outside of the hospital and monitored via Symmetry. An interfaced intercom system from Aiphone is in the parking lot. When an emergency call station is activated, cameras begin recording and the video displays.
Importance of the Infrastructure
Transitioning security to an enterprise’s network infrastructure is important and closely involves a healthcare facility’s IT operation.
A case in point is the Carolinas HealthCare System (CHS), which covers facilities in North and South Carolina with more than 2,600 cameras and more than 175 video recorders.
System Integrator Jim Underwood of SAF Technologies says that by replacing their legacy DVRs with hybrid NVRs that support analog and IP megapixel cameras as well as running a new VMS from 3VR, CHS no longer has to question security systems’ reliability. Forensic capabilities are no longer impaired by poor video quality and camera failures. The outcome:
Investigations staff could review video eight times faster without significant lag or choppiness. Overall investigation time was reduced by 40 percent with intuitive case management tools. About 99 percent of key performance indicator “measured availability” of healthy video was met. One technology served two security purposes: video surveillance and intrusion alarm functionality through video motion detection. This is important when a critical investigation counts on the availability of quality video or adhering to pharmacy security compliance regulations for two-hour response times.
In addition, video analytics will allow CHS to proactively anticipate and track crimes of opportunity and meet the physical security department’s demands for continual security improvement. These feature sets include facial recognition, license plate recognition, advanced motion object tracking and search capabilities.
Proving Security’s Value
Don Wright, CHS director of physical security, believes that tech migration delivers on his departmental mantra of “Prove Your Value” to continually improve the physical security contribution to the organization while delivering a safe environment for those who work and visit their facilities.
The expertise that an integrator with deep healthcare security knowledge brings to an in-house security operation is also immeasurable. For example, at Community Memorial Health System (CMHS) of Ventura, California, the trust between VAS Security Systems and CMHS Chief of Security Stuart Glass led to a mission critical access system.
Many years ago, CMHS had an off-site data center built in order to keep records centralized for all of its facilities. At that time, an access system maintained its security. Recently, when it came time to expand into the hospital in Ventura, Glass decided to review systems from multiple sources. CMHS, after starting with just a handful of proximity readers hanging from the new system, has expanded and now processes between 10,000 and 20,000 transactions per day.
Of course, there are subsystem areas of security concern.
Hardening Visitor Management
Connecticut Children’s Medical Center, for example, was searching for a system to improve its existing visitor management solution, which consisted of color-coded plastic badges and paper sign-in sheets. “Getting the right pass for the right person was an extremely cumbersome process,” admits Phillip LeClair, the center’s security manager. The search for a better solution was accelerated by a security incident, after which the state asked the hospital to enhance the way they processed and tracked visitors.
Of particular interest to LeClair was the ability to configure a new visitor system with peripherals to handle visitor business cards, driver’s licenses and identity cards as well as barcode scanners and digital cameras.
“We use the new system to check in every visitor who enters our facility, at every entrance. All locations in the hospital are listed in the category field and the patient being visited is prominently displayed. Visitor badges are printed with a barcode for easy check-out. Even employees who have lost or forgotten their IDs are processed” through the system, comments LeClair.
The medical center also produces multi-day visitor passes, allowing guests to be checked in and out with a quick and easy barcode scan, either at a badging station or with mobile scanners. Service levels are enhanced by using a self-check-in kiosk, which provides a touch screen and driver’s license scanner for visitors, and a Web-based system that allows employees to pre-register visitors using their Intranet.
Connecticut Children’s Medical Center uses the percentage of visitors checked out as an ROI indicator and since has achieved a 90-percent check-out rate.
Expanding the Application
In preparation for a $300 million expansion project, Jersey Shore University Medical Center in Neptune, New Jersey, turned to security integrator Service Works to design and install a system that would integrate with equipment already in place. The project added a diagnostic/treatment tower, an atrium and a new hospital entrance. Also added were a state-of-the-art emergency department and trauma center, new surgical suites, an expanded outpatient pavilion and a 975-space parking garage. As part of the renovation, access control was incorporated into gates on most levels of the new parking garage.
One important security element was the number of people: with the expanded capabilities of the new emergency department, annual visits to that facility have increased to 90,000. With unhindered accessibility and hundreds of individuals coming and going each day, keeping track of that many was a major challenge.
It’s a Matter of Location
“We also had to consider our urban location,” says David Brooks, corporate director of risk management. “Because we’re serious about protecting everyone on campus, we wanted the ability to lock down the trauma center with one keystroke.” Hospital officials sought an access control solution that would integrate with the security video and infant abduction systems already in place. “We were looking for a non-proprietary system,” adds Brooks. “We wanted to avoid the problem of having to call a different vendor every time we needed something.”
Brooks decided to install a new security management system, a Pro-Watch Corporate Edition from Honeywell Security Group, because it works seamlessly with third-party systems.
Hospital officials decided on a standard proximity card for team members and doctors, and a medallion that affixes to the existing magstripe badges carried by students and volunteers. According to Brooks, it’s cost effective and easier to stick a medallion on an existing badge. “That’s the beauty of the system – it’s easy to update readers and change access to existing cards,” he says.
Leveraging Technology for Micro-City Safety
For Mickey Watson, who handles public safety, security, emergency preparedness and management for Sarasota (Florida) Memorial Healthcare System, technology is a change-agent. Says Watson of his mission, “Anything that can happen in a city can happen here. We are really a micro city. But we also are one of the most regulated industries.”
Watson sees a multi-year transition from analog to IP, including megapixel cameras. He looks to an integrator who understands the uniqueness of healthcare. “You just cannot drop out a ceiling tile during an installation. Hospitals are clean and safe environments.” He works with IT and Chris West, communications and technology manager for public safety. “There is a dotted line to the director of information technology, who has provided administrator access and virtual LAN support for our nine different databases.”
Bid Data a Big Deal
Vanderbles, with integrator Security Control Systems, sees value in big data, a popular term to describe the exponential growth and availability of data, both structured and unstructured, alarms, text, audio and video. And big data may be as important to business – and society – as the Internet has become. More data may lead to more accurate analysis. That can lead to more confident and accurate decision making. And better decisions can mean greater operational efficiencies, cost reductions and reduced risk.
Companies such as Pivot3 have healthcare customers on the IT/big data and security surveillance sides of their business. That firm’s Brandon Reich agrees that one security trend in healthcare security is to move aggressively into higher resolution security video. There are many reasons, he says: catching the bad guys, liability, tracking procedural incidents, operating room problems, operational interruptions and compliance relative to PHI or personal health information, as examples.
Reich adds that in building out infrastructure, healthcare security and IT have to be more involved in what happens to the data after it leaves the camera. He suggests the future may be hyper-converged infrastructure. Hyper-convergence, to many, is a type of infrastructure system with a software-centric architecture that tightly integrates computing, storage, networking and virtualization resources and other technologies from scratch in a commodity hardware box supported by a single vendor. Such a shift will also include more sophisticated video analytics. “Healthcare security will leverage video into more uses and extend its business value,” he says.
SIDEBAR: Navigating a HIPAA Breach
When a HIPAA (the federal Health Insurance Portability and Accountability Act of 1996) data breach occurs, healthcare itself is a victim in addition to patients or employees harmed. But the organization can quickly go from “victim” to “villain” in the eyes of its customers and in the media if the incident is not handled properly in the earliest days of the crisis, advises Douglas Nadjari, a partner in the law firm of Ruskin Moscou Faltischek and Katherine Heaviside, president of Epoch 5 Public Relations, a crisis management firm.
It is up to healthcare entities, their security and IT operations to protect data and monitor for suspected breaches of personal health information (PHI), which should include regular training and updating of patient privacy protocols.
When a breach is confirmed, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services is responsible for investigating complaints, conducting audits and ensuring compliance with all breach reporting regulations.
The law also requires that notice of the breach be given to the news media, which presents great potential for reputational damage if a crisis communications plan is not in place. Just one unintentional comment by someone not authorized to speak can do substantial damage to the reputation of the healthcare organization.
Delivering news of the PHI breach to employees in a timely and tightly focused manner is critical to avoid rapidly spreading rumors, misinformation or exaggerations. As the healthcare industry revolves around patient interaction, security and all staff and employees certainly should know some basic details of the breach as they will likely be asked by patients; but they should also have clear-cut instructions on where to guide patients for more information (whether a toll-free number or a specified spokesperson) so that the primary focus of employee-patient interaction remains on health care.
A HIPAA breach represents potential financial exposure to a medical practice or healthcare provider, beyond the heavy fines that can be levied by OCR. This includes extensive forensic examinations to identify the source of the breach to identifying and notifying all affected patients and from upgrading physical and IT security to securing outside legal representation and crisis communications counsel.
On top of those costs, the failure to meet HIPAA standards could form the basis for negligence cases in states that recognize HIPAA as the minimal standard for protection of personal health care information. And the cost of reputational damage can be incalculable.
Ultimately, the ability to withstand a breach will depend on administration and its security professionals to identify experienced legal counsel with expertise in HIPAA breach requirements and a skilled crisis communications consultant to navigate the rough seas ahead.
SIDEBAR: Emergency Communications at Parkland Hospital
Parkland Hospital in Dallas wanted to find an emergency communications solution that integrated well with existing security systems and future installations. Additionally, it wanted to find a system that could cover access control, mass notification and basic emergency communication. Lieutenant Dan Birbeck of the Dallas County Hospital District Police Department is the liaison for the Parkland Hospital replacement team that’s installing Parkland’s new access gates, mass notification system and security features.
“Parkland is adding a two million square-foot hospital replacement. It is the largest hospital replacement in the country. Extensive research was done to find the best emergency communication solution for the replacement.” Lieutenant Birbeck continues, “I think that Talkaphone adds to the overall safety of the campus. We’ve experienced a ton of improved efficiencies and response times due to the installation…our customer service response has improved dramatically. They integrate with all of our other systems and without them it would be hard for us to manage what we do. It makes our job and having contact with the public that much easier.”
The new hospital replacement connection to surrounding facilities forced security staff to integrate security systems effectively enough to cover the entire campus. The first piece of Parkland’s safety and security puzzle was installing emergency communications with access control readers in various locations indoors and in parking lots.
In order to even further improve the department’s response time and security management, Lieutenant Birbeck integrated the card readers, security cameras and mass notification system with the call boxes. “Once the access card reader is activated, in addition to the emergency communications unit, we verify the user’s information on our camera system. If everything checks out then the system, or our dispatch center, grants access to the individual. The units are additionally set up to provide a map for the dispatcher, indicating the location of the unit that’s been activated. If there is a malfunction with one of the access control systems at one of the gates, the users can activate emergency communications and be connected directly to our dispatch center. We can then send assistance.”
“We get calls for emergencies, parking issues and information requests. They are frequently used to request medical assistance near our emergency room parking garages. Our visitors also use them to report suspicious activity, in which we’re able to dispatch officers out to the location,” says Lieutenant Birbeck.
SIDEBAR: Consolidations, Acquisitions: When Cultures Clash
What about new construction? Healthcare is doing more than most in new construction. Should security play a key role here – and how?
“Before I came to OhioHealth, it appeared that security was an afterthought in the planning and construction of new care sites and was unfortunately retrofitted, usually at substantial cost,” according to Harry Trombitas, system vice president, security operations at OhioHealth in Columbus. “Now, whenever a new care site is considered, Protective Services is part of the overall site plan from the get-go and participates in various steering committees to ensure security is not an afterthought, therefore reducing the cost of implementation of necessary security-related technology.”
Healthcare security is an important facet of each organization and must be given appropriate recognition and financial support to remain effective. There is no one security solution out there, rather organizations must use a layered security approach to support our mission of creating a safe and secure environment for everyone, concludes Trombitas.
SIDEBAR 4: Technology as a Versatile Velvet Hammer
Dan Dahmen, director of security at Dartmouth-Hitchcock Medical Center, consistently seeks technology that can be part of a layered approach to crime prevention and incident mitigation.
Dartmouth-Hitchcock is that state’s only academic medical center and is headquartered on a 225-acre campus in the heart of the Upper Connecticut River Valley, in Lebanon, New Hampshire.
Dahmen has armed the center's proprietary security officers with non-lethal devices on a need basis. The technology from Guardian 8 “allows us to layered defensive response,” says Dahmen. A first layer with the device includes a laser spotter, camera and the ability to auto-record an incident. A second layer includes a command center communication link, alerting siren and strobe light. The third layer is Oleoresin Capsicum, or OC, best known for its most popular form of pepper spray. It can be a gel-like discharge “which limits contamination in a hospital setting,” adds Dahmen. “We train our officers in crisis intervention and how to manage situations. Should that fail, just the display of the device is a deterrent. There also is recording audio and video.”
Dahmen points out that the technology comes with a training package complemented by Dartmouth-Hitchcock’s own policies and procedures. “The technology is just a tool. It combines with a well-trained person.”
SIDEBAR 5: The Web Future: Good, Bad and Ugly
Experts from the IEEE Computer Society of Los Alamitos, California, have key predictions about what the future of the Web holds for healthcare operations, individuals, business, government and society. Explored are essential issues such as the Internet of Things, security, equal access, open data, growing global use of smartphones and devices, collaborative apps, cloud computing and more.
The five top predictions:
- Socioeconomic Gaps in Web Access– Although the Web has permeated the industrialized and wealthy world almost completely, that same level of permeation has not yet been achieved in mid-tier countries or in poorer regions of the world. Significant efforts are being made to bridge this gap because the Web provides phenomenal access to educational resources and consumer and financial markets.
- An Interconnected World– With mobile phones and devices, wearables and the Internet of Things (IoT), billions of devices are currently interconnected and more so in the near future, and this presents both risks and opportunities. The Web will continue to be a transformative platform, and many “things” in our world will be connected. The Web will be akin to electricity, less visible but as essential as an appendage in daily life. The Web will not only integrate many activities, it will also facilitate integration of machines, artificial intelligence and elements of the human condition. Computer scientist Dave Raggett says, “As Web services become smarter, we can expect that the things will have a near-human-level understanding – so such things can better relate to and serve the people who use them.”
- Open Data, Standards, and Sources– Many of the current IoT applications relate to specific application areas such as medical systems and devices, smart city applications or smart sensors in factories; but what could be a concern is these things could become stovepiped, which is the opposite of what made the Web so successful. It’s critical to ensure that data in the new interconnected world is available in open formats for everybody to use, while safeguarding privacy online. A powerful enabler in the IoT world will be the openness of data and interoperability, so that, for example, a sensor could be used for multiple applications over time.
- Net Neutrality– How to address the particulars of network neutrality objectives and how to achieve broader governance structures and protocols will be key areas of discussion and action for the foreseeable future. To better understand how one regulation might affect the overall ecosystem and policy implications, there’s a need for increasing the dialogue between government legislators and regulators and the technical community.
- Security and Privacy– Obvious to healthcare security executives and their IT colleagues, Web security isn’t just a technology issue, it’s a human issue as well. Even very secure, private infrastructures can become insecure and public if they’re misused. Hence, fundamentally different approaches are necessary to address cybersecurity and online privacy issues.