Security Planning for Public Health Emergencies

June 7, 2016
Having policies and contingencies in place before disaster strikes ensures safety and security of a facility

Hospitals have an extraordinary responsibility when it comes to security planning and countermeasures during public health emergencies. They have to continue to function regardless of the criticality of the situation  -- unless they have been so physically damaged that they cannot, such as in Joplin, Mo. after a tornado in 2011 or the five New York hospitals that had to evacuate during Hurricane Sandy in 2012.

When events in the community create patient “surges” that see a large number of patients arrive at a facility in a relatively short period of time, if proper planning and consideration is not given to security and traffic control issues (vehicular and pedestrian), such events can drastically impact or even shut down a healthcare facility, creating chaos and disrupting the ability to provide much needed medical care for the community. It has been said that in chaos there exists opportunity, and unfortunately many criminals subscribe to this philosophy.

This is why it is crucial to identify those critical infrastructures and key resources of our health care facilities prior to an event and understand what countermeasures will be needed for security sensitive areas of a hospital during a public health emergency event, whether natural or man-made, and how we need to work closely with other departments to be successful -- such as infection control specialists should an isolation or temporary quarantine type of event occur.

Common Security Sensitive Areas in Health Care

While hospitals do not typically present a primary target for terrorism or criminal action (although in certain specific circumstances they do have that distinction) all healthcare facilities, regardless of their size and scope, have a number of areas that can be considered “security sensitive”. In this context, such Security Sensitive Areas (SSA’s) refer to certain departments or areas of the facility that are more likely to suffer from security related problems than others. These “hot spots” are especially vulnerable for a number of reasons including exposure to potentially malicious actions, patient populations, presence of valuables or materials of interest, etc.

These areas can include, but are not limited to:

  • emergency departments,
  • labor and delivery / pediatric units,
  • behavioral health units,
  • pharmacies,
  • business offices / cash handling areas,
  • nuclear source material storage areas
  • and any other areas within the facility that may have specific issues due to critical facility infrastructures and/or confidential information.

Emergency departments require constant surveillance by security and law enforcement personnel during a disaster or public health emergency, as this is the primary “hot spot” for most hospitals. When not on patrol or answering other calls for service, security officers typically post themselves near the ED whenever possible due to this fact. Long-term presence of behavioral health patients, forensic prisoner patients being treated 24 hours a day, gang activity, acts of violence and potential response to public healthcare issues such as contamination events and patient surges keep the ED a very busy and strategically important asset.

Labor and Delivery / Pediatric units present special concerns from a healthcare security perspective. Aside from the possibility of infant abductions, these units are prime areas for domestic disturbances especially during increased times of anxiety and stress. Add to this the fact that an injured child often results in many more overnight visitors than adult patients and these areas can present a real security challenge when a community wide disaster occurs.

Likewise, due to a specialized patient population, Behavioral Health units also have unique security concerns. Many patients in these areas have conditions that can cause them to be irrational or have violent reactions to others with little or no warning as well as constant concern over elopement attempts or patients attempting to harm themselves should an opportunity become available -- such as a distraction of staff or an increase in patient to caregiver ratio that can occur during a public health emergency situation.

Due to the presence of scheduled drugs and other controlled substances, pharmacies have always been a security sensitive area of any healthcare facility, as are any business offices or areas that collect money. These areas are primary targets of criminal activity. Other areas of a hospital that may not appear as critical to the general public but can have a negative impact on the operation of the facility should illegal activity occur are data centers, medical records units, hazardous materials storage areas and infrastructure control centers.

Protecting the Data

Confidentiality is a huge concern in any healthcare facility. To ensure consistency and to meet the many requirements of the Health Insurance Portability and Accountability Act (HIPAA in the US, similar laws exist in other countries), healthcare providers must closely guard the security of certain records. Confidential information whether  patient-related, staff-related, or financial in nature can include a hard copy or electronic files and the potential misuse of such data could be related to a variety of criminal and other malicious acts, which is why extraordinary precautions must be taken to protect such data. Medical records, for example, have a long shelf life as far as ongoing criminal activity is concerned, providing long term gains with very little risk and significant anonymity. Medical records can offer a far better financial yield than other types of stolen information. For example, you can sell the contents of the medical record and keep a copy to obtain fraudulent prescriptions which you can then resell for even more profit.

Similarly, with the increased threat of terrorism, many areas that previously were not considered security sensitive are now being reexamined, such as mechanical rooms, communications centers and other critical infrastructure departments of the hospital. Any incidents, planned or incidental, which affect systems such as telecommunications, utilities, or ARE / IT equipment can have a disastrous effect on patient care and the ability to treat those in the community. This includes sources of potentially dangerous raw materials for the creation of a radiation dispersal device (RDD), or “dirty bomb” due to the presence of sometimes significant amounts of certain isotopes of interest.

The US Department of Homeland Security has created a number of best practices and guidelines for securing and reporting suspicious activity in and around such areas. During a dynamic event such as a public health emergency, many first responders and local law enforcement (as well as your own security forces) may be otherwise engaged and the opportunity to exploit such security-sensitive areas, (for either profit or sabotage) increases exponentially without a dedicated guardian or physical security countermeasure to protect such assets.

Using Existing Resources and Toolkits

Every few years, the American College of Emergency Physicians (ACEP) issues America’s Emergency Care Report Card which grades each state on five primary criteria to determine an overall score related to its emergency care capabilities (the last one at the time of this writing was issued on January 16th, 2014). While the scores varied state to state for Access to Emergency Care, Quality / Patient Safety, Medical Liability, Public Health / Injury Prevention and Disaster Preparedness, the U.S. received an overall grade of a D+, down from a C- in 2009.

Despite the continued threat of terrorist and other criminal activity, 14 states received an F for their Disaster Preparedness capability. From a security perspective, consider this. As a general rule, no one comes to a hospital because they want to. In a disaster situation, be it a pandemic, a chemical or radiation contamination event or a natural or man-made catastrophe, a large number of people will be arriving at their local healthcare provider due to their own injuries to obtain treatment for family members or friends. Others come to get checked out “just in case”, which is sometimes referred to as the walking worried. This occurred in Tokyo in 1995 following a terrorist sarin gas release, where thousands of unaffected people flooded local hospital out of panic and quickly overwhelmed facility capacities. Patient surges resulting from a public health event is something that every hospital should be prepared for and have processes and plans in place to mitigate the security and traffic-related problems that accompany such events. It is for this reason that a number of specialized security and safety guidelines and tools have been designed by and provided to healthcare security professionals free of charge. Regardless of a hospital’s size, complexity or location, such reference materials can help in the coordination of emergency management and security planning efforts with local law enforcement and other first responders for a variety of situations.

One such program, the On the Safe Side Toolkit, has been developed to assist hospitals, public health agencies, and local law enforcement in planning for and responding to public health emergencies which may occur in their communities. This toolkit was developed by the South Carolina Dept. of Health and Environmental Control Advanced Practice Center and the National Association of County and City Health Officials and is designed to give preparedness planners easy access to many of the materials they will need to appropriately respond to such emergency events including:

  • developing effective hospital security and traffic management plans for medical patient surges and other emergency situations,
  • creating a “point of dispensing” site security and traffic management plan for mass prophylaxis and medication distribution,
  • preparing for and hosting a hospital and law enforcement multidisciplinary training workshop and assisting healthcare facilities in hosting a hospital and law enforcement security-based tabletop exercise to better prepare for such events.

This program contains several useful templates including a Point of Dispensing Site Security and Traffic Management Template, a Hospital Surge Security Template, a Law Enforcement and Healthcare Workshop Template and a Security-Based Tabletop Exercise Template plus various resource and support materials.

The Point of Dispensing Template (a location established to deliver appropriate pharmaceuticals or prophylaxis / vaccinations to the public) includes sections to assist with site selection, site suitability assessment, security measures for such sites, traffic management assessment and a POD field operations guide. 

The Hospital Surge Security Template includes both infrastructure and patient surge assessment forms as well as extremely useful diagrams which allow a user to copy and paste digital photos, screen captures, blueprints or any type of image file onto one of a number of predesigned Microsoft Word templates which are equipped with built-in icons (depicting various clinical and security personnel, vehicles, traffic barriers, and structures) which can be “dragged and dropped” onto the pasted image and then saved or printed out to create a quick visual illustration of a traffic management plan for a facility. With a little practice, this can be done within minutes, offering a true “just in time” capability to traffic and security management for a patient surge event.

The Law Enforcement and Healthcare Workshop and Security-Based Tabletop Exercise Templates are also very easy to use and offer a wide variety of time-saving predesigned forms such as a detailed planning guide, customizable save the date, registration and participant and program evaluation forms plus exercise scenarios and in-depth facilitator and participant guides. It provides enhanced security planning capabilities for public health emergencies and surge events for hospitals and healthcare security professionals and is designed to be used to engage law enforcement in planning for and responding to public health emergencies, to enhance security planning for points of pharmaceutical dispensing and to augment security planning for hospitals and alternate care sites during patient surge events.

Another invaluable planning tool for public health emergencies and disasters that can affect hospitals is the IAHSS Security Design Guidelines for Healthcare Facilities. These guidelines, when used as part of a multidisciplinary effort in conjunction with organization’s emergency preparedness staff and other clinical and non-clinical departments, can provide a wealth of knowledge to both the veteran healthcare security practitioner and the novice. These guidelines promote security designs that are risk appropriate and provide the ability to quickly develop a comprehensive security plan that includes a consistent application of security safeguards while coordinating with existing emergency operations, life safety plans and applicable regulations for those having jurisdiction in the local environment.

Summary

Finally, a significant part of successful security planning for healthcare environments is engaging your vendors and integrators to provide subject matter expertise in not only installing and maintaining applicable physical security countermeasures (such as access controls, CCTV and alarms systems) but also in providing feedback and input based upon previous successful projects that they have worked on or have knowledge of through professional associations or through case studies that they have read about in industry publications. Your integrators provide a wealth of knowledge and experience when it comes to such issues, and they should always be included as part of any multidisciplinary team that is looking to make security improvements to its healthcare facility. Through your own knowledge of the facility and its current readiness state, local first responders input as far as ingress / egress routes and logistical needs and your integrators knowledge of current systems and capabilities, your project will have a much better chance of success using such a holistic approach during the design phase.

Public health facilities and hospitals are part of the critical infrastructure and a key resource for the communities and populations which they serve and must be provided with adequate resources, expertise, and safeguards for their protection. While incidents can (and do) occur at any time and any place, it is typically the security sensitive areas in the healthcare environment that are most likely to suffer substantial issues, and this is especially true during unexpected events such as a public health emergency when finite resources and limited protective measures are already taxed.

Preplanning and the sharing of best practices and successful mitigation strategies among healthcare security and safety professionals is a crucial step in preventing disaster when such events occur since security should be considered an integral part of any healthcare organization’s planning process.

About the Author:

Bryan Warren is Director of Corporate Security for Carolinas HealthCare System, the second-largest not for profit healthcare system in the U.S. with over 900 care locations and 70,000 employees (based in Charlotte, N.C.). He holds a bachelor’s degree in Criminal Justice, an MBA with a focus on legal foundations of healthcare and has over 26 years of healthcare security experience.

His certifications include Certified Healthcare Protection Administrator as well as Certified Protection Officer Instructor. He has been a contributor to numerous publications, is the author of the Workplace Violence Prevention section for the IAHSS Healthcare Safety Certification program and has served on a number of national task forces for the U.S. Centers for Disease Control and Department of Health and Human Services Office of Infrastructure Protection. Bryan is a two-time recipient of the Russell Colling Medal for Literary Achievement in Healthcare Security and is a Past President of the International Association for Healthcare Security and Safety (IAHSS). He is the Sector Chief for Emergency Services in the FBI’s Infragard program in the Charlotte N.C. region and is a member of the American Society of Industrial Security International (ASIS), the International Law Enforcement Educators and Trainers Association, and the Southeastern Security and Safety Healthcare Council. 

About the Author

Bryan Warren, CHPA,CPO-I | Director of Corporate Security, Carolinas Healthcare System

Bryan Warren is director of corporate security for Carolinas Healthcare System, the third largest public healthcare system in the United States (based in Charlotte, N.C.). He holds a bachelor’s degree in criminal justice and has 20 years of healthcare security experience. His certifications include Certified Healthcare Protection Administrator as well as Certified Protection Officer Instructor, and he is a licensed trainer in numerous law enforcement and security subjects. Warren has been a contributor to various publications regarding risk and security issues and has also authored chapters for the IAHSS Basic, Advanced and Supervisory Training Manuals. He is a member of the American Society of Industrial Security (ASIS) International, the International Law Enforcement Educators and Trainers Association, and the Southeastern Security and Safety Healthcare Council.