We all recognize the vital role health care facilities play in providing care for the sick and the injured. When there is a crisis, those who have suffered the greatest harm are rushed to a hospital or medical center for treatment. But what happens when there is a crisis at the health care facility itself? What happens when the danger isn’t medical in nature? How are patients and staff protected?
Planning for crises is vital for any organization, but even more important in an industry the public depends on when there is an emergency. This is why many healthcare facilities have developed contingency plans in the event of a natural disaster or mass trauma[i]. However, the 9/11 attacks, and the anthrax attacks which took place a few weeks later, uncovered weaknesses in the U.S. national public health infrastructure[ii] when it comes to providing security. These include a lack of clear communication, poor training, and inadequate equipment.
We believe there are two types of incidents that should be the biggest focus for security in the health care system.
The Active Shooter Situation
Active shooter incidents have been on the rise in the U.S. Between 2007 and 2013, there was an average of more than 16 incidents per year, a dramatic increase from the seven years prior, which had an average of just over six incidents per year[iii].
Hospitals have not been immune to active shooter incidents. In December of 2012, a 38-year-old man walked into St. Vincent’s Hospital in Birmingham, Alabama, where his wife was receiving care in the hospital’s cardiac unit and opened fire with a handgun[iv]. He injured three people, including a police officer, before being shot and killed by officers responding to the scene. Almost a year later, a 51-year-old man armed with a shotgun and handgun walked into Renown Regional Medical Center in Reno, Nevada, and shot three people, killing one of them[v].
While not a common occurrence, an active shooter situation would be one of the most intense situations any organization – and its security team – could face. This is especially true for medical facilities, which are extremely active, have a large number of people coming and going throughout the day, and service patients who typically would not be able to defend themselves in the face of danger. With all of these factors, a gunman could go almost unnoticed when slipping into the environment of a healthcare facility.
Items found in healthcare facilities also can be targets for someone seeking to cause widespread harm. Some facilities contain infectious diseases and hazardous material that can be used in weapons of mass destruction[vi]. Some of the larger equipment, like MRI machines, contains large magnets that can be used to disrupt the operation of firearms[vii]. And most healthcare facilities maintain a large supply of pharmaceuticals and narcotics.
While many law enforcement agencies recognize the vulnerability of healthcare facilities, there has not been a substantial discussion surrounding how to prepare for and respond to active shooter incidents at a hospital or medical center. Many agencies, including the FBI, recognize this need and have begun laying the groundwork[viii].
While these discussions provide a good foundation, each health care facility – and its security team - should have its own plan of action based on the facility’s layout, its number of employees and patients and the nature of the patients most commonly seen at the facility[ix]. Each of these plans should include[x]:
- Proactive steps, including training of employees that can be taken to identify warning signs in individuals who may have the intention of committing a violent act.
- A method of reporting active shooter incidents, including informing those inside the facility and those arriving at the facility.
- A procedure to lock down areas affected by the incident as well as areas with patients who cannot be easily removed from the facility
- An evacuation policy and procedure for patients and staff who can escape from the building.
- A plan for security response to some of the facility’s more critical areas, including storage areas for chemicals and drugs.
- Coordination with local law enforcement in resolving the incident.
- A plan for returning to normal operations once the incident is resolved.
The New Security Threat to Health Care: Information Data Breaches
Earlier this year, Hollywood Presbyterian Medical Center in Los Angeles announced that it had paid a $17,000 ransom to hackers who had seized control of the hospital’s computer systems[xi]. And in March, MedStar Health, which operates 10 hospitals in Maryland and the District of Columbia, was forced to take its networks offline after being hit by a similar attack[xii].
These are just the attacks that have been made public. We believe there are many more attacks that have gone unreported. In 2014 alone, attacks on health data accounted for 37 percent of all data breaches, marking the fourth year in a row the health sector saw more cyber-attacks than any other sector[xiii]. This accounted for more data breaches than the retail, education, government and financial sectors combined. And it can be months or years before many of these attacks are noticed.
Attacks on health care networks have been increasing because of the value of the data they contain[xiv]. With one attack, cybercriminals can steal Social Security numbers, birthdates, patient-provider numbers, and other personal information. These can be used in anything from building false identities to filing false insurance claims.
In some cases, the biggest threats to health care facilities are their own employees. Almost a quarter of security incidents in health care in 2015 were caused by employees misusing their privileges[xv]. In other cases, employees are a gateway for cybercriminals. More than three-in-ten breaches in health care in 2015 were the result of lost or stolen information assets (i.e. USB flash drives, laptops, mobile phones), and close to one-in-five were the result of a miscellaneous employee error[xvi].
Health care systems are also unintentionally opening a door to cybercriminals as the push continues to modernize health data storage. Hospitals and health insurance providers are moving to cloud-based systems that allow for easy access to medical records by doctors, nurses, administrators and patients. While this makes a visit to the hospital or doctor’s office more efficient, it also opens a virtual entry point that can be accessed from anywhere in the world.
You must start by educating employees when dealing with the threats of cyber-attacks on an organization. They need to understand the latest best practices when it comes to operating a health data network. This includes avoiding emails and attachments from unknown senders and not sharing personal information via email. A well-trained staff will be able to identify risks before they happen.
Health data networks must also upgrade their security. While there are many conversations across the industry about using technology to modernize health care, it is vital that advances in technology are accompanied by advances in security. This includes building a skilled and trained team of information data security professionals who can monitor for attacks and maintain a current, protective firewall.
The Role of Education in Planning
Security risks are evolving at such a rapid pace that organizations of all sizes are struggling to maintain a security workforce with the skills necessary to thwart criminal actions. A good plan needs a team of trained professionals with a strong set of soft skills to be properly executed. As leaders in education, it is our duty to work with industry leaders to arm our students with the skills they’ll need to face current and future security challenges within the health care industry.
At the University of Phoenix, we’re preparing to launch the Cyber Security and Security Operations Institute, which represents the convergence of cyber and physical security. It will prepare students with the training and competency to address 21st-century security risks and the skills to adjust to future challenges.
We have also worked with security industry partners to develop the Enterprise Security Competency Model, a first of its kind set of competencies that is the initial step toward aligning skill sets needed to improve security across all industries. This includes the health care industry where a skilled and trained security workforce is vital to protecting the delivery of care to those who need it.
When it comes to protecting the healthcare system, the best defense can sometimes be a good offense. It is critical that the healthcare and security industries work together to ensure all employees of health care facilities are adequately trained to protect themselves and their patients from harm.
About the Authors:
Mark Logan is an assistant dean with University of Phoenix College of Security and Criminal Justice and the director of the University of Phoenix Center of Research Excellence. Dr. Kirsten Hoyt is the Academic Dean with University of Phoenix College of Information Systems and Technology and the co-director of the University of Phoenix Cybersecurity and Security Operations Institute.
Notes of Reference:
[i] U.S. Department of Public Health and Human Services; Incorporating Active Shooter Incident Planning Into Health Care Facility Emergency Operations Plans, page 5
[ii] The Center for Disease Control: Public health preparedness and response in the USA since 9/11: a national health security imperative
[iii] U.S. Department of Justice; A Study of Active Shooter Incidents in the United States Between 2000 and 2013, page 6
[iv] U.S. Department of Justice; A Study of Active Shooter Incidents in the United States Between 2000 and 2013, page 40
[v] U.S. Department of Justice; A Study of Active Shooter Incidents in the United States Between 2000 and 2013, page 43
[vi] Healthcare and Public Health Sector Coordinating Council; Active Shooter Planning and Response in a Healthcare Setting, page 2
[vii] ibid
[viii] Healthcare and Public Health Sector Coordinating Council; Active Shooter Planning and Response in a Healthcare Setting, page 2
[ix] Healthcare and Public Health Sector Coordinating Council; Active Shooter Planning and Response in a Healthcare Setting, page 8
[x] U.S. Department of Public Health and Human Services; Incorporating Active Shooter Incident Planning Into Health Care Facility Emergency Operations Plans, page 11
[xi] NBC News; Hollywood Presbyterian Medical Center Pays Hackers $17K Ransom
[xii] The Washington Post; MedStar Health turns away patients after likely ransomware cyberattack
[xiii] Symantec: Internet Security Threat Report, April 2015, page 82
[xiv] Federal Bureau of Investigation; Health Care Systems and Medical Devices at Risk for
Increased Cyber Intrusions for Financial Gain
[xv] Verizon; 2016 Data Breach Incident Report: Healthcare
[xvi] ibid