When it comes to life safety in a hospital or healthcare setting, security executives face many unique challenges. A typical day can involve unauthorized access, crowd control in an emergency room, wandering patients, infant abduction and securing expensive medical equipment. Recently, healthcare security has been charged with increased regulations and preparing for the latest medical pandemic – the H1N1 flu.
     
Sister publications Security and SDM brought together five professionals in healthcare security – two end users and three systems integrators – who specialize in finding solutions to the security issues in healthcare security. Through a telephone roundtable discussion, they discussed the unique needs, the technology solutions and their personal wish lists for making healthcare facilities more secure.
     
The roundtable discussion was moderated by Security editor Diane Ritchey, and SDM editor Laura Stepanek.

Diane Ritchey: What are the unique security needs in healthcare facilities as you see them?
     

Mark Moscinski: It’s the physical domain of many healthcare facilities and the campus environment. And providing the correct infrastructure; one that can connect disparate buildings or physically-disparate buildings with the intelligent systems that are available today.
     

Robert Ryan: In effect, [a hospital] is a city that’s open 24 hours a day, 7 days a week. The challenges cross the spectrum of security specialties. We have transportation security because we have vans, loading docks, and shipping and receiving. We have retail security because we have stores and shops that are usually on the ground level. We have bio-tech security because most all healthcare facilities are also research centers, as we are. And we have parking lots and parking garages and security challenges that come with that.
     

When we have a patient inbound, we get the entire family, particularly with children – not only do Mom and Dad come here, but also the aunts and uncles and cousins. So it can be crowd control as well as incident control that come with being in healthcare.
     

Scott Jack: In our Metroplex, we have 11 hospitals that have different kinds of environments – everything from higher crime areas to lower crime areas. We really have to look at each one of the sites [individually] to know how we treat the security at that facility. We’re getting people that aren’t always in their best personality. Sometimes it’s a high-stress situation. In our emergency departments we can have all kinds of situations arise. So we try to allow the general public access, but we also have to segregate the general population from our staff so that they can work behind the scenes.
     

Scott Welborn: From the perspective of an integrator trying to assist healthcare professionals, I would echo the sentiment that what you’re dealing with is securing a small city in most cases. I’ve been in this business for 20 years, so I’ve seen a dramatic and comprehensive change from how healthcare facilities looked at security 10 or 15 years ago to the way they look at it today. Most healthcare facilities want leading edge technology. They’re looking at things like video analytics, more sophisticated alarms and the need for true integration.

 

 

Laura Stepanek: Are you finding that more healthcare institutions are using PSIM, which ties everything together into one cohesive center for control, and manages different alarms while automating some responses?
     

Scott Welborn: I would say they are looking at it strongly. I don’t have a lot of situations where they have made a commitment yet. I think what’s slowing it down is the economic downturn, because the cost of these PSIM systems is quite high. But I think we’re on the verge of making that transition.
     

Mark Moscinski: We’ve seen a lot of interest in this product set, and this solution set. And it has been gaining adoption. I see it a lot in the public safety space, primarily in the airport space, which is similar in that an airport is a city as well.
     

Manufacturers have been very effective in maturing the product set. The challenge is that there often is not enough R&D money to make integrations happen until they have the customers that will fund it.
     

Scott Jack: Much like everybody else, nobody wants to be the beta tester. We’re waiting to see it rolled out and used in some large operations before we look at something like that for our campus.

Laura Stepanek: But without a system that brings it all together and with multiple locations and multiple tasks, is the operation of security systems still being done at the sub-system level?
     

Robert Ryan: At Children’s we have our main campus, but we also have satellites in a number of different cities in Massachusetts. We have an enterprise system that we use for the satellite offices. We have a central alarm monitoring station, but I would be interested in learning more about this. Is it just one product?
     

Scott Welborn: There are multiple products out there. Some are more mature than others. But essentially all of them overlay a piece of software with graphics that then allow you to write to the different applications that you have.
     

Mark Moscinski: I think what purports to be one of the greater advantages or benefits of this platform is two-fold: one, it really seeks to increase the world of systems that you can bring into it; for example your HVAC, building systems and your security systems into a single common interface and platform to give you greater situational awareness of your environment.
     

Secondly, the more mature enterprises have built in a large set of business rules behind the systems. Try to equate it to clicks – maybe today it takes you six or eight clicks to dispatch an ambulance or to dispatch a security guard. These systems purport to say, “I can reduce that to two clicks.”
     

Roger Starnes: I think the technology is there. We look at it in four components: ID management; compliance management with CMS and JCAHO; events management that supports the security staff; and the building management piece, which was just mentioned.
     

One of the key elements with this system is the understanding of how a facility operates –both the clinical and non-clinical. When you start integrating systems and bringing in rules-based engines, automatic enrollment for security provisioning and other elements across IT systems, the person doing that role has to have a full knowledge of how every aspect of that healthcare facility operates. They also have to understand the growth the hospital is expecting to have, whether it’s a merger and acquisition or with a co-op type arrangement with another facility.
     

But today, I think the bigger challenge is not the equipment, it’s the working with facilities to understand after-hours access, their contractor and visitors policies, their security-sensitive areas and security staffing and deployment issues. All of that is almost impossible without having a full understanding and cooperation with the clinical, IT, facilities, security and bio-med departments, among others.

 

 

Diane Ritchey: What has worked best for you in terms of mass notification systems?
     

Robert Ryan: We have our own internal mass notification system that gets put out through our communications center, which hits people’s cell phones, pagers, emails via a Blackberry and their voicemail. But that’s an internal system to the communications center at the hospital pushed out through IT.
     

Scott Jack: We’re using something called 3N. It’s network notification via phone, cell phone, computer, email and Blackberry. Additionally, we can also pull up any one building or site and page them independently.
     

Mark Moscinski: An emerging development I’m seeing is utilizing Bluetooth. It’s not so much for the public, but for the private internal notification that Bob alluded to. It has the ability to communicate quickly to all those devices everybody has. We’re also seeing some developments whereby you have a Wi-Fi environment, but it utilizes Bluetooth technology. If you walk into the environment, it will automatically register you; notify you of a program to say, by saying “You entered our facility. Click here if you’d like to enroll in this notification system.” And once you do, you’re connected to it via the Bluetooth technology. That person then becomes a registered user of the system while they’re at your facility.
     

Roger Starnes: We’re finding a true source of who’s to be notified and how we’re going to notify them. We’re finding differences for each hospital we visit. Some are using fire alarm systems in combination if they have voice capability. Some are using, as they’ve indicated, pagers, a nurse call – any way that they can communicate to not only the staff but the patients as well as visitors and contractors.
     

Scott Welborn: I’ve seen many different types of approaches at hospitals. Many of them are more heavily reliant on traditional means such as radios, where others have gone to a completely network-based alert system or delivery system for alarms. But usually what I see is a combination. There’s a great interest in network intercom or IP intercom as well. But it all depends on the viability and the reliability of the network involved and the coordination between physical security and IT.

 

 

Diane Ritchey: Are you seeing a closer relationship between physical security and IT?
     

Scott Welborn: Yes. It’s either happening as a revolution or it’s happening as evolution, one or the other. But it has to happen.

 

 

Diane Ritchey: We’re all aware of the large amount of regulations in healthcare security. What is new in this area and how does it impact your role?
     

Scott Jack: We just had a JCAHO inspection last week. One of the things they were really hitting on was the fact if you do have a major incident, how do you credential doctors that might be visiting or coming to help?
     

We’re also learning more to follow our administrative safeguards. That’s where we look to HIPAA more or less. We’re more involved with the IT teams in regards to identity theft and the way it’s expected to keep growing. We need to identify who’s on our networks and who’s in our hospitals. These are all things we’re worried about – intruders who are looking for ways that may hurt us.
     

Roger Starnes: Compliance management is being looked at more critically today as a result of EMR, or Electronic Medical Records. We are working hand-in-hand with the facilities to try to get all the components of ID management so that you don’t have identity theft and that you still meet HIPAA requirements. The products available are getting to a level of maturity, yet the complexity is trying to safeguard the IT, the clinical and the facilities side of the data.
     

Scott Welborn: From an integrator’s perspective, regulatory compliance in healthcare has been one of the best things that could have happened to us. It has changed the course of the ways healthcare has had to look at, particularly access control, but other issues as well. So it’s created a broader market. There’s no doubt about that.

 

 

Diane Ritchey: When we all first started talking, Bob, you mentioned that parking lots and garages is one area that you need to keep secure. What are some of the challenges with doing that?
     

Robert Ryan: Here in Boston, GPS thefts from vehicles are a big, big business. So we need to educate the general public who park, not only in our garages or lots, but also on the city streets, that you can’t leave these things in plain view. It’s just a thieves’ paradise when things are left out – a quick smash-and-grab. In addition to educating, we also address safety with camera technology, emergency intercoms, as well as signage in key spots. But educating people is a big component. We also provide escorts after hours, especially to nurses, who are out after hours. It is important to have a good escort policy that’s publicized, well-used and understood not only by parents who visit our facility, but the nurses and the staff as well.
     

Scott Jack: In addition to those factors, we try to have great surveillance communication. We implement crime prevention through environmental design (CPTED) principles as parking garages are built. We basically try to carve an island out of an area and run photo metrics on it to make sure we have adequate lighting levels. I can’t say enough though about the CPTED in regards to parking lots. It helps us to see our trouble areas and route our police patrols. Regarding escorts, it’s also important to make sure that people are comfortable calling our police officers to be escorted. A lot of times people think it’s a bother. But if they’re not feeling safe, we always want them to call us.
     

Mark Moscinski: One technical component that I’m seeing deployed very effectively that is helping in this specific environment is high-definition or mega-pixel video. Video surveillance is probably one of the primary tools to monitor and to protect these environments. It allows you a much greater field of coverage per camera.
     

It also addresses a lot of lighting concerns. And most significantly, it gives you the ability to enhance that zoom-in capability over a wide surface lot or within a level of a parking garage. You can really get the detail to see what’s happening or to retroactively do your forensic or investigative work.
     

Another technology being deployed very effectively in many situations is license plate recognition. You can effectively read and capture every license plate that comes in. And if you tie that to a database, it will alert you to warrants, stolen vehicles or known offenders. It gives you an immediate, proactive capability to send somebody out there and find out why they’re there.

 

Diane Ritchey: What percentage of the end users that you work with is using that type of technology?
     

Mark Moscinski: I would say 20-25 percent. The high-definition is really just starting to deploy. The license plate recognition, for example, is at two airports in Chicago. We have deployed it not just for the parking lots, but for the entrance to those airports as well.

 

 

Diane Ritchey: What trends are you seeing with regards to security systems that you have recently implemented?
     

Mark Moscinski: I recently started working with a DHS group called VQiPS, Video Quality in Public Safety, that’s trying to create a set of standards or specifications to how end users can specify and design systems. There is a large EMS component with it. I was impressed to see a number of deployments, including one where video was put into ambulances through a wireless infrastructure. The EMS technicians can transmit video about patients directly to the hospital. And it’s resulting in much greater doctor/patient care on that first response because of a video feed.
     

Roger Starnes: We’re seeing the most requests for Real Time Locating Systems (RTLS), both from the clinical side as well as with bio-med and security. Once you put the infrastructure in a facility, it’s easy to know where your security assets are located. It’s especially useful with tracking behavioral patients. From a theft and loss perspective in medical equipment, some paybacks are being seen that are five and six times the initial cost of the equipment.

 

 

Diane Ritchey: We are well into this year’s flu season and all the emphasis seems to be on the H1N1 flu – who will be affected and how severe of an impact it might have. What have you done to prepare?
     

Robert Ryan: We’re treating it as a mass casualty type of situation, where we’re anticipating large influxes of people who are sick, and some who are sicker than others. We’re gearing up with alternate site locations for distribution of the vaccine. Our emergency rooms are gearing up, schedule-wise, people-wise and resource-wise. This type of situation puts a challenge on the resources that we have, especially with our alternative care sites that we might open up.

 

 

Laura Stepanek: How will this affect your security operations?
     

Robert Ryan: It will be taxing on our resources and our people. We might need more security in the emergency room and at our alternate healthcare sites, and that draws on existing resources. We’re in a medical area that has four or five hospitals within the footprint of a nine-hole golf course. So we’re pretty tight with regards to geographic location. To gear up for [the flu season] there is a huge staffing and HR component that will be needed.

 

 

Laura Stepanek: Meaning more security guards and additional physical security?
     

 Robert Ryan: That’s correct.
     

Scott Jack: We’re doing quite a bit to prepare as well. We’ve been running tabletop exercises to see what we have in place. We work closely with our safety group to review our contingency plans – like exterior triages to segregate the [flu] patients.  We are also looking at how to reconfigure the building to make it a single point of entry. That way we can control who’s inside the hospital or in the clean areas, if you will, and another alternate entrance for the staff. We’re also looking at the fact that it may impact our staff as well. We’ve had alternate plans in case, for example, if 40 percent of our staff is sick. We’re looking at every alternative possible for manpower.
     

Roger Starnes: This also goes back to RTLS, which can also apply to an area that has nuclear plants, for example. We’re seeing some healthcare facilities tag people when they come in to the triage. Through RTLS, they can track everywhere a sick person went in the facility. They can then determine when that person is leaving the boundaries that they want them to stay in. You can also find out who they’ve been in contact with.
     

Another important piece today is hand washing. When you’re handling these patients, whether they have H1N1 or a different disease, hospitals are finding that they can track hand washing. From a compliance perspective, it can help to determine that the caregivers are in compliance with your policies and procedures.

 

 

Diane Ritchey: Beyond wanting more time and money, which we all would want, what is on your wish list in terms of solutions, technologies, or training?
     

Robert Ryan: I’d say systems integration. At our hospital we have databases upon databases – the HR database, Occupational Health database, IT database and the Security database, among others. All of those databases need to share information. Unfortunately, not a lot of these databases talk to one another, specifically as it comes in with regards to an ID and badging program. HR knows when someone leaves the hospital. But does Security know when they leave? It would be nice to have integration of these databases, from one point of contact. I think it would make not only Security’s job much easier with regards to ID management, but also for the HR and IT departments as well.
     

Scott Jack: I would love to see some improved facial recognition programs and some improved video analytics. Everything I’ve seen, they work really well in the showroom. But when it comes to practical application, they all leave a little to be desired. They’re not very user-friendly.
     

We would like something that we would be able to have our dispatchers use without having a 30-hour training course to learn how to use it. I think we’ll see this in the next five years. 
     

Mark Moscinski: On my wish list would be more people like Bob! Pick up the phone and call me because we’re more than ready to help integrate those databases and put together a fluid system that can help facilitate the communication process between Security, HR, Finance – everybody that needs to be involved.
     

The solutions are out there. But the financial constraints that just about everybody is under today are really confining and constricting what we can do.
     

Robert Ryan: With regards to financial constraints, ROI is becoming more and more prevalent. How do you justify not only your own position but your department managers and the officers who work for you? And that’s a key component in these challenging times right now.
     

Scott Welborn: I agree with some of the comments. The technology has come a long way and gives us not only an opportunity for a higher level of security, but if we bring stakeholders together and work together with integrators and hospitals, we can show a return on investment.
     

You can make a solid business case for those things that need to be done. I work with a few hospitals that do a very good job of this, and then others that still rely on a two-line scope of work and a bill of materials as a solution to a problem and then get turned down more often than not.
     

Roger Starnes: My wish list is pretty simple. The technology’s available today and the need for it in the marketplace is there. But the more difficult piece is getting all of the stakeholders together to discuss what all the capabilities could be and what the return on investments would be. Venues like this are excellent ways of doing that.
     

The other thing I wish for is an absolute and complete understanding of how every aspect of a complete healthcare facility operates. But then again, tomorrow that would all change with technology and with the way we deliver those systems.
     

So the bottom line is I would like to see more opportunity to have these discussions.

Scott Jack is the physical security director for Baylor Health Care System, Department of Public Safety in Dallas, Tex. He is responsible for the design and development of all physical security systems for the Baylor Health Care System. He gained Certified Protection Professional status from the ASIS in 1999. Previously, he was the security manager for STMicroelectronics, a semiconductor manufacturer, and a security administrator for 20 years at Raytheon/Texas Instruments Defense Systems group.

Mark Moscinski is vice president of safety and security solutions for SDI, responsible for overall design, delivery and support of SDI’s advanced safety and security technology offerings.  Moscinski’s clients are concentrated in the government, aviation and transportation and heathcare sectors. Moscinski’s specializations include IT infrastructure, security, audit, strategic IT planning, project and vendor management, and business process analysis. He has more than 17 years of IT experience in the management and delivery of IT infrastructure outsourcing and consulting services. Moscinski received his Bachelor of Arts degree from Beloit College and holds a degree as a Certified Public Accountant (CPA) and a Certified Information Systems Auditor.

Robert M. Ryan, CPP, CHPA, is director of security and transportation for Children’s Hospital in Boston. Previously, he was vice president of field operations for Longwood Security Services and a maritime law enforcement officer with the United States Coast Guard. He is a member of ASIS and IAHSS. He received his Bachelor of Science, Magna Cum Laude, from Northeastern University. 

Roger Starnes is regional sales manager; Enterprise Security Sales for the SE Region at Johnson Controls, Inc. in Milwaukee, Wis. He is responsible for the sale of large, complex, bundled security offerings to specific Vertical Markets, in which Healthcare is one of the primary markets of focus. Other positions he has held at Johnson Controls include director of special systems sales, manager of sales support and standards, in addition to service operations responsibilities at the area level. Previous employers have included Simplex Time Recorder Company (manager, sales engineering, branch manager, Tallahassee, Fla.). He holds an AAS Degree in Business Management, and is a member of  NFPA, IAHSS, and ASIS and a past member and secretary-treasurer of AFAA.

Scott Welborn, CPP, has more than 25 years of industrial experience, including sales and sales management, and business development, with his current position with Tech Systems in Duluth, Ga. He has significant healthcare experience through account management and systems design. His certifications include CPP, NICET and NFPA Life Safety 101.