Unique and Developing Security Challenges in Healthcare

March 9, 2020
How hospitals are challenged to assure staffing adequacy in the face of increasing risk

Imagine that you are employed for an organization and responsible for the security of its staff, property and assets (which includes cash, controlled substances and quantities of hazardous materials). Your company is open 24 hours a day, seven days a week and has the highest rates of workplace violence in any industry in the country, yet the perpetrators of this violence are also your primary customers.  In fact, you cannot turn them away or refuse them business when they request it. Add to this that your industry is governed by a multitude of separate regulatory, accreditation and legislative agencies who can revoke your primary funding source at a moment’s notice, and you can begin to see why healthcare security operations are, in a word, challenging. This article will address strategies to develop the best business case for the appropriate level of staffing, which can then support a need for technology as a force multiplier.

Healthcare Security is Complex for Many Reasons

Successfully managing security operations for a healthcare organization in the U.S. is a rewarding but complex proposition. There are many unique challenges to maintaining a safe and secure healthcare environment that other industries do not have to deal with on a routine basis. Most hospitals are microcosms of the communities which they serve, which means that whatever types of criminal activity are occurring on the streets, they are also likely occurring at the hospital (or at a minimum spilling over into its emergency department.) The spectrum of security issues for healthcare facilities is quite broad, from the daily issue of indigents and crimes of opportunity (which are rampant in waiting areas due in part to family members and visitors who are focused on their loved ones and not their valuables) all the way to the growing threat of active assailants (due to the unpredictable behaviors of patients and the presence of victims and perpetrators of criminal activity.) Workplace violence rates for the healthcare and social service industries in the U.S. are incredibly high, with persons in these professions facing greater than four times the likelihood of suffering an injury due to workplace-related violence than all other industries combined.  Yet, according to the Bureau of Labor Statistics, approximately 80% of the violence is perpetrated by the very patients for which such organizations exist to serve (which you cannot legally turn away if they request emergency care due to the Emergency Medical Treatment And Labor Act.) There are many other perplexing and at times contradictory, regulations and standards which only apply to healthcare organizations.  For example, how does one interpret this accreditation standard from a security operations standpoint: “The hospital identifies individuals entering its facilities. Note: The hospital determines which of those individuals require identification and how to do so.” Keep in mind that the security function in many healthcare organizations generates no revenue and in fact, is considered a “cost center” rather than a business enabler; therefore, resources can be hard to come by. Aesthetics and customer service are also important parts of the healthcare industry’s philosophy, so how does one safely and efficiently identify individuals entering their facility while not delaying medical care or creating poor public perception through an intrusive process?  It can be done, but there are many considerations that must be included in the design and implementation of such programs. This level of complexity holds true for many aspects of planning and managing a security operation in the healthcare environment.

Types of Healthcare Security Staffing Models

Just as there are a wide variety of challenges, there are likewise many different types of security operations currently being used in the healthcare industry. Some organizations do not have any dedicated security personnel and rely instead upon maintenance or other support personnel and local law enforcement to manage any security issues which arise at their facilities.  Some organizations choose to outsource their security operations to a third-party vendor, while others have a combination of both proprietary and contract security staff. Still, others determine that a proprietary security force is their best option, and this can vary from a basic “observe and report” guard force all the way up to a fully sworn and equipped healthcare police department. The various types of security operations at U.S. hospitals each have their own benefits and challenges. For example, those organizations that opt to rely solely upon local law enforcement to respond to security-related issues on their premises run the risk of regulatory and accreditation inquiry should those officers improperly use force or any “weapons” as part of a medical intervention or patient restraint (since this is prohibited by the Center for Medicare and Medicaid under their Conditions of Participation.) Under A-0154 of the CMS State Operations Manual, Appendix A, “CMS does not consider the use of weapons in the application of restraint or seclusion as a safe, appropriate health care intervention. For the purposes of this regulation, the term ‘weapon’ includes, but is not limited to, pepper spray, mace, nightsticks, tazers [sic], cattle prods, stun guns, and pistols.” While the same risk exists for a proprietary operation, most in-house security programs specifically educate their officers on these types of healthcare regulatory matters whereas most local law enforcement agencies do not (since it is not required as part of their routine duties and responsibilities.) Appropriate training of personnel and up-to-date policies and procedures are critical parts of any successful healthcare security operation regardless of the size or type of program being used (including the use of off duty law enforcement for security, since regulatory agencies view them no differently than any other hospital employee in regards to their requirements.)

Making the Business Case for Staffing

When it comes to staffing levels and models, there are many things to consider.  Predicting the level of guard forces in healthcare is not an easy task. There are several methods that are used in the healthcare industry which tend to oversimplify the process and run the risk of leaving healthcare facilities inappropriately staffed. No single dimension dictates the level of staffing necessary.  Example methodologies as recent as 2014 can be found which establish an average ratio of security guards based on the number of hospital beds and another which establishes an average ratio of security guards based on the number of employees at a hospital.  A third benchmarking service used by some hospitals attempts to draw conclusions about staffing adequacy based on the square footage of the facility, which is illogical.  Does that square footage encompass patients with acute psychiatric disorders or is it an ambulatory surgery space that might be closed for half the day?  Decisions on staffing cannot be considered based on square footage alone.  The International Association of Healthcare Safety and Security concurs on this position; refer to IAHSS Guideline 02.01 – “Security Staffing and Deployment.”

Further, when determining staffing levels, present Administration with the link between being reactive and being proactive.  Some key considerations when determining the type and level of staffing in a healthcare facility might include:

  • Data is critically important in making any case for change.  The more sophisticated hospitals are maintaining computer-aided dispatch (CAD) software platforms to track incidents and calls for service which support the demand side of the business.  An analysis of calls for service might also inform the number of staff members who need to respond to an incident.  In a recent analysis of CAD data associated with hospital disturbances, BPS was able to help a facility consider reducing security response from three security officers to one officer by stratifying the risk consequences associated with the calls, identifying that a high percentage of incidents could be mitigated by simply applying proper de-escalation skills, and not requiring that security show up as a group for the worst-case scenario.  A system can be established to classify calls for service with the relative security risk consequence associated with a call.  This will allow limited resources to be directed where needed most.  For instance, a call for a patient restraint would be classified as a higher priority than a “door unlock.” 
  • Be efficient with your security staffing resources.  There are several layers of security staffing that might be considered by healthcare administrators.  Armed, unarmed proprietary, unarmed contract (not recommended for any service where there might be patient interaction) and another layer BPS has been recommending.  This entry-level we recommend is designed to handle security duties requiring fewer skills such as door unlocks, patient property or simple escorts.  This leaves higher trained and skilled security officers available to focus on staff safety issues such as responding to disturbances or supporting doctors and nurses with patient restraints.  Stratifying also reduces the training burden.  Maintaining alignment between task complexity, defensive equipment required, meeting administration service expectations with staffing levels and type of staff is essential for achieving positive outcomes.
  • Be careful not to overarm staff.  In some hospitals every security member is armed and therefore every interaction with patients is an armed encounter.  Armed security staff arguably have the most focused and limited role in healthcare as defined in Table 1 “Potential roles for Security Staffing.”
  • Be mindful of how security positions are defined and managed.  There are two types of posts typically available – a) Fixed -- where security staff stays in a static location; b) Roving -- where security staff are mobile and expected to patrol or respond to calls for service.  In 2015, OSHA cited a hospital after a workplace violence incident that should have sent shock waves through the healthcare industry.  OSHA stated, “Ensure that security staffing is adequate in all areas to respond to incidents while security stations remain staffed.”  This is a strong warning to hospitals not to pull security staff from fixed posts to respond to a call for service.  This is a common practice but one that should be avoided.
  • For larger campuses, and to better manage roving resources, consider establishing patrol zones to appropriately subdivide the interior and exterior areas.  Establish patrol frequency and response time range options and present those to hospital administration to ensure that you have the appropriate staffing levels to meet those internal customer expectations.  For instance, if Administration wants a response to a high priority call in three minutes or less, get that fact established upfront and know what corresponding staffing levels are needed to deliver on this commitment.  It is not uncommon for multiple incidents to occur simultaneously, so ensure there is an approved plan to manage that contingency.  Track, trend and monitor response times based on defined priorities and expectations.  This again is where CAD software can be an essential element.
  • Tightening up of access control and visitor management, which is trending in healthcare, is going to substantially drive the need for more security staff to manage these processes around the clock.
  • Lastly, consider utilizing technology as a force multiplier.  This will be the subject of a future article.

In Summary

Security leaders in the healthcare industry must be savvy given the budgetary challenges the industry faces.  Security staffing is expensive and recurring but essential in many cases for an effective security program.  By ensuring data is collected and analyzed, using all options available and aligning the staff resources to the level of risk associated with calls for service, security staffing resources can be optimized to protect staff and patients alike while improving patient and staff satisfaction.

About the Authors:  Bryan Warren, MBA, CHPA, CPO-I is President and chief consultant at War-Sec Security and has over 30 years in the healthcare security, safety and emergency management fields. He has conducted healthcare security assessments and training workshops across the United States, Canada and Australia and has served on several national task forces including the U.S. Centers for Disease Control and Department of Health and Human Services Office of Infrastructure Protection. He is a past president of the International Association of Healthcare Security and Safety and the longtime Director of Corporate Security for Atrium Health in Charlotte, North Carolina, the second-largest public not for profit healthcare provider in the United States.

Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc., a nationwide independent security consulting firm focused on healthcare risk identification, regulatory compliance and security design services. Pisciotta has managed more than 4,500 security-consulting engagements in his thirty-year consulting career. He possesses a master’s degree in public administration, a bachelor’s degree in criminal justice, and was board certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is a past President of the International Association of Professional Security Consultants. Pisciotta was the eighth person in the United States to achieve the Certified Security Consultant designation. He is currently leading the IAPSC's technical standards committee. Pisciotta serves as the Vice-Chair on the ASIS Council for Food Defense and Agriculture Security. He was the Chief of Security for Alfred University ending in 1991.

About the Author

Bryan Warren, CHPA,CPO-I | Director of Corporate Security, Carolinas Healthcare System

Bryan Warren is director of corporate security for Carolinas Healthcare System, the third largest public healthcare system in the United States (based in Charlotte, N.C.). He holds a bachelor’s degree in criminal justice and has 20 years of healthcare security experience. His certifications include Certified Healthcare Protection Administrator as well as Certified Protection Officer Instructor, and he is a licensed trainer in numerous law enforcement and security subjects. Warren has been a contributor to various publications regarding risk and security issues and has also authored chapters for the IAHSS Basic, Advanced and Supervisory Training Manuals. He is a member of the American Society of Industrial Security (ASIS) International, the International Law Enforcement Educators and Trainers Association, and the Southeastern Security and Safety Healthcare Council.

About the Author

Frank Pisciotta | Frank Pisciotta, CSC, is president of Business Protection Specialists, Inc

Frank Pisciotta is president of Business Protection Specialists, Inc., a global independent security consulting firm specializing in developing global security programs for multi-national organizations. The firm supports global clients with risk assessment and security design services including the specification of security technology in various sectors. Frank has managed over 5,500 security-consulting engagements in his more than thirty-five-year consulting career. Frank possesses a master’s degree in public administration and a bachelor’s degree in criminal justice and was board-certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is a past President of the International Association of Professional Security Consultants. Frank was the eighth person in the United States to achieve the Certified Security Consultant designation.

www.securingpeople.com