Violence perpetrated against employees by patients, their families, and unauthorized visitors – including estranged members of employees’ own families – tops the list of concerns and threats for healthcare security directors. Although active shooter incidents are always on their minds, and part of their planning, they are still a distant second given their relative infrequency.

In any case, security directors are constantly evaluating equipment and technology like access control, cameras and use of force options, combined with needed refinements in training and policies.

“The No. 1 concern inside of healthcare organizations continues to be patient-generated violence,” says Alan Butler, president-elect of the International Association for Healthcare Security and Safety (IAHSS). “It is the place where most of our staff get hurt. It initiates from of security-sensitive areas, like the emergency department or the behavioral health unit, but violence often ends up in other areas of the hospital, such as a medical surgical or intensive care unit.”

In April, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) released a report encouraging healthcare workers and organizations to more reliably report incidents of workplace violence, including verbal abuse, which the Joint Commission said are too often written off as just “part of the job.”

Although JCAHO has documented 68 instances of homicide, rape or assault of hospital workers during the past eight years, the Joint Commission estimates the actual number is much higher. The report also notes that the Occupational Safety and Health Administration (OSHA) estimates nearly three-quarters of the 25,000 reported annual workplace assaults occur in healthcare, where workers are “four times more likely to be victimized than any other industry.”

Patients who perpetrate violence against healthcare staff frequently suffer from altered mental states due to dementia, delirium, substance abuse or untreated mental illness, the report says. Other factors include stressful conditions like long wait times, bad news related to patient prognosis, domestic disputes, and the presence of weaponry, inadequate staffing, poor lighting and lack of access to emergency communications, according to JCAHO.

The Joint Commission recommended that healthcare leaders provide “simple, trusted and secure” methods to report all abuse, including verbal, while ensuring that those who make such reports do not face retribution or disapproval. Healthcare organizations also need to clearly define workplace violence, capture all possible data, provide appropriate follow-up and support, analyze every reported case and the data as a whole, develop appropriate quality improvement initiatives and train all staff in de-escalation and self-defense.

Threats Security Directors See

Security directors at healthcare facilities are well aware of the challenges that the Joint Commission lays out and are working to implement solutions that best fit their particular environments, starting with the perennial and acute issue of violence directed at employees.

“We know that a majority of aggravated assaults that occur in industry occur in the healthcare sector,” says Paul Sarnese, IAHSS board member and assistant vice president of safety, security and emergency management for Virtua, a New Jersey-based comprehensive healthcare system. Patients and their families “have stress, anxiety and fear, and then, add on top of that, pain, addiction and mental instability. It puts our staff at greater risk.”

At UT Health and MD Anderson Cancer Center in Houston, an embedded group of sworn Texas police officers works alongside a security team and attempts to be preventative about workplace violence incidents, says Ray Gerwitz, director, risk strategy and operational excellence. “The healthcare industry as a group is very concerned around the amount of workplace violence that’s going on,” he says.

Bryan Warren, director, corporate security at Charlotte, N.C.-based Atrium Health, says long-term boarding of behavioral health patients in emergency departments when there isn’t room elsewhere adds to the likelihood of workplace violence. “You can imagine the ripple effects that causes,” he says. “The ER [staff is] trained for medical crisis-to-crisis. You need more training for such staff to instill a de-escalation or conflict resolution mindset for dealing with behavioral health patients. The emergency department is just not the ideal place.”

Domestic violence against employees also finds its way into the healthcare setting, in addition to patient violence, says Chief Joel Huggins, director of public safety at Lexington Medical Center in Lexington, South Carolina. “We have 6,500 employees. That means 6,500 families. And not everyone has the best home life, and their issues can follow them to work,” he says.

Butler, who serves as senior vice president of strategic account management for HSS Inc., knows the issues from the cross-section of about 200 hospitals for which his company provides security-related services.

Second on his list is the threat of active shooter incidents, both those that could occur inside healthcare facilities and those that occur in the nearby community, which result in an influx of emergency department admittances that can turn chaotic – and deadly. “Many of the shooting incidents inside healthcare are not stranger-to-stranger crimes,” he says. “No matter where the active shooter incident is, the next stopping place is healthcare, our emergency departments.”

Those can sometimes become gathering places for rival gang members checking up on their wounded, leading to confrontations and attempts at revenge, Sarnese notes. “We have to prepare ED’s for that influx or surge that they may not see on a daily basis, when an active shooter incident occurs,” he says.

 Huggins figures the majority of calls for security at Lexington come from the emergency department. “Not unlike any other hospital, our emergency department has grandma sitting in one chair, and guy in a gang sitting in another,” he says, adding that the hospital recently treated a wounded gang member who received visits from his fellow gang members – and from their rivals, too.

FBI data show that only about three percent of shootings actually occur inside hospitals, but threats of gun violence are probably more common, Sarnese says. “It’s the intended shooter, intended target: ‘You didn’t take care of my mother, doctor, so I’m going to take your life.’ It’s ensuring that we’re prepared, internally, to respond if, God forbid, the unthinkable happens in our hospitals.”

A preventative model works best with active shooter, as well, Gerwitz says. “Most security teams are interested in trying to get upstream of harm, to prevent things from occurring in the first place,” he says. “What are the behaviors that led to that? How can we prevent things from occurring before they occur?”

Warren cites the presence of weapons or contraband as a contributing factor to the threat of active shooter. “There’s more and more of that from not only patients, but visitors, and even vendors,” he says. “Healthcare, to a certain degree years ago, used to be sacrosanct, but not anymore.”

Equipment and Technology

To keep bad actors out of his organization’s facilities, Sarnese and his staff have put into place multi-layered access controls “starting with the perimeter and working your way into sensitive areas,” he says. This includes visitor management systems to ensure everyone is properly identified, surveillance systems including cameras, and specialized systems like those targeted at infant abductions. The goal, Sarnese says, is “integration of these systems, where access control is talking to the camera system, which is talking to infant abductions.”

That’s starting to mean greater integration between physical security and information technology personnel. “I always joke that one day I’m going to be reporting to IT because I can’t do anything without them,” he says. “You’re starting to see systems interface: when this panic button is pushed, I want this door to be unlocked. That technology, which we may not have thought was achievable 10 years ago, is reality today.”

Sarnese sees more hospitals looking at nonlethal weapons to maintain security in a way that prevents violence. “We’re seeing more deployments of tasers, of handcuffs, of pepper foam, of K9 units,” he says. “And we’re seeing the use of body cameras being deployed in a lot of facilities. In the next five years, if not sooner, that’s going to be par for the course.”

Butler believes access control provides the best opportunity for technology support to make healthcare institutions safer. “It allows healthcare administrators, security directors, to change the way security operates in real time,” he says.

Cameras and surveillance also can be helpful, but “surveillance is more of a reactionary tool,” Butler adds. “Proactively, cameras now have the ability to identify objects that are out of place,” he says. “The camera is familiar with what it normally sees, and you can set parameters, and if something appears that wasn’t there previously, it can send the system into alarm.”

Gerwitz says UT Health and MD Anderson use the same combination of access management to restrict unauthorized entry and video systems for situational awareness and review. “With video, we monitor the cameras in the area before security or law enforcement personnel arrive on the scene, to provide situational awareness,” he says.

Lexington Medical Center puts access control wherever it can without violating regulations and has cameras liberally placed in parking areas and in patient care common areas, Huggins says. “You can’t monitor 500 cameras, but it helps in the investigative phase,” he says. “A lot of criminals are repeat.” Police officers received firearms, handcuffs, pepper spray and tasers, while security personnel receive all of the above except the firearms, he adds. All wear bulletproof vests, and body cameras may be on tap in the next year.

Healthcare institutions are increasingly looking at metal detection for access control, whether walk-through magnetometers or hand-held wands, Warren says. Atrium Health has introduced a scanner from Metrasens that’s “not a walk-through, but a walk-by,” getting a picture of the entire body including hair and bodily cavities without the person knowing. That allows security to detect hidden objects and is helpful when dealing with someone who has behavioral issues that could be exacerbated by a physical pat-down, he adds.

Atrium Health also has been readjusting space for behavioral health patients at some of its facilities to mitigate workplace violence, self-harm and “elopement” of patients, Warren says. “That’s freed up the emergency department so people can get urgent care in a more timely manner,” he says.

Training and Policies

Training that focused on active shooters was the “hot button for a while,” but Warren believes it should be more focused on day-to-day workplace violence. “Assaults and other workplace violence is not ‘part of our job,’ ” he says. “A big problem is the lack of reporting and lack of follow through. A facility can’t file charges for a victim; an individual who’s assaulted has to file the charges themselves. … That’s an opportunity for improvement that most hospitals in this country have.”

Experience has shown that an active shooter who breaches the perimeter will probably not be stopped before reaching their intended target, Butler acknowledges. “But the real question is, how much collateral damage will there be because staff were either educated or not educated in how to respond to that scenario? Policy changes need to be mirror what organizations are offering in terms of training, whether run, hide, fight or another ALICE-recognized training,” he says. “The failure to train our staff is the biggest miss in healthcare security – not just training security officers but our hospital staff.”

Sarnese agrees that not only security officers but all employees should be trained in how to respond to violent incidents. “Every employee should have a basic idea of how to manage behavior, and based on location they may need a little more, up to and including how to protect themselves,” he says. “You need a robust violence prevention program that’s not only training but also capturing those incident reports.”

UT Health and MD Anderson have invested in a simulation center for training security personnel and staff more upstream of harm in areas like de-escalation techniques, as part of the healthcare organization’s “Safety University,” says Robert Haynes, risk and metrics analyst.

“We realize that different people in a healthcare organization have different perspectives – nurses, cashiers, pharmacy staff,” he says. “During simulation they’ll provide a video scenario, stop it, and say, how many of you would take actions A, B or C.” The training includes how to notice unusual behaviors, de-escalate with words, and then, “Let’s say John Smith is now acting out and escalating the incident – how does the participant prevent a violent outcome.”

“If verbal skills didn’t work, here are skills to de-escalate that event,” Gerwitz adds, noting that staff are taught restraint techniques but not pain compliance. “It’s the deliberate practice of skills.” And it needs to be done periodically, he says. “You can’t walk into a class, walk out, and then two years later think you’re going to retain those skills without currency training and deliberate practice.”

Lexington also works on de-escalation techniques, using a “Hospital Watch” program similar to neighborhood watches, in which officers are assigned to different zones, Huggins says. “Our biggest tool is our tongue,” he says. “The number of times we could use force vs. actually use force is minimal. … It’s just being vigilant, being visual, and knowing the area.”

Police officers do 15 minutes of training at the beginning of every shift and are mandated to do firearms training and defensive tactics certifications annually, Huggins says, but they usually do both every quarter. They also conduct a Security Vulnerability Assessment, which is reviewed annually for changes, and which allows the medical center to concentrate efforts – such as manpower or equipment – in the areas they’re most needed. “We shoot as much as we can, so that if we ever have to, we’re good shots,” he says. “A lot of that [training] is based on when to use a weapon, and how to de-escalate a situation.”

Cyber Threats Range from Employees and Vendors, to Hackers and Nations

 Healthcare organizations face a wide array of cybersecurity threats as well. These can include unintentional actors like vendors whose networks and devices are not adequately protected and, perhaps most dangerously, well-intentioned employees who are careless with theirs.

But threat actors also can be more malicious in nature, ranging from disgruntled workers, to cyber criminals and “hacktivists,” to rogue nation-states, according to Tom August, vice president and chief information security officer at John Muir Health in Walnut Creek, California. The impact can range from compromised credentials, to malware, to theft or loss of data, and potentially regulatory noncompliance, he says.

“So where should you focus your security programs?” August says. “Consider the difference between risk and compliance. A lot of healthcare systems focus on regulatory compliance because it’s simple to understand and communicate. However, organizations that focus on compliance are often only focused on minimum requirements, and they’re getting killed by real-world risks.”

That’s because the minimums don’t completely guard against threats like phishing attacks and ransomware, August says. “Further, the messaging I hear from a lot of information security vendors are focused on fear, uncertainty and doubt instead of an honest discussion of risk,” he says. “I believe risk can be studied, understood, planned for, and managed, to a large extent,” he says. “You can never get rid of all the risk, but it starts with risk assessment – understanding what the risks are, and then deconstructing them.”

For example, an organization could deconstruct the different ways ransomware could get into its system and figure out any commonalities, August says. “Can I break the chain of how it would execute?  Maybe not every place, but in key places?” he says. “Can I stop it from moving forward? Now you can start talking about processes: I can solve this with a technology tool here, I can educate there. You can start to apply a strategy.”

To combat unintentional threats from guileless vendors, August suggests putting language in contracts that puts the onus on them to monitor their systems and report suspicious activity to your security team.  And to guard against what he considers the top threat – well-intentioned but careless employees – organizations must train, train, train.

“Not only system-wide once a year, but also in monthly newsletters, periodic phishing reminders and tests, and system-wide messaging,” he says. “We round constantly across the hospital campuses at least quarterly, if not monthly. We try to share very practical information. We try to tailor the trainings so they’re relevant and not just theoretical. The important thing is to tell interesting stories that compel team members to avoid risky behaviors and instead follow safe practices.”