By Jason Wolff, RCDD, PMP, Security+
Jason is a senior application engineer who focuses on DoD secure communications, information management, ISP/OSP cable, facility designs and specifications, and our leading DHS CIP Secure(it) initiative with a focus on energy. He provides direct engineering and sales support to the regional government and government strategic account managers across the WESCO Solutions spectrum.
Physical security concerns are an integral issue for healthcare facilities. These vital organizations are open to the public and serve vulnerable populations. A physical or cybersecurity attack could be devastating to the facility, its personnel, patients and the community. Conducting a risk assessment can significantly mitigate the vulnerabilities of a healthcare facility to ensure a safe environment for everyone.
Here’s how to protect critical infrastructure, the three phases of a successful risk assessment, and solutions to protect every area of a hospital from the parking lot to a surgical room.
Risk Assessments Aren’t Just Prudent, They’re Federally Mandated
The Department of Homeland Security (DHS) considers healthcare and the public sector to be Critical Infrastructure (CI). CI can be defined as an industry whose services are so vital that their incapacity or destruction would have a debilitating impact on the defense, social and/or economic stability and security of the United States. Therefore, the essential public services and functions of the industry require additional resources and attention concerning its security posture, facility by facility.
Presidential Decision Directive (PDD 63) of 1998 directed that the appropriate authorities identify and protect American Critical Infrastructure.
Based upon the vulnerability assessment, there shall be a recommended remedial plan. The plan shall identify timelines for implementation, responsibilities, and funding.
PDD 63 has since been replaced by the National Institute of Standards and Technology and its new Risk Management Framework (RMF) practices. The RMF process provides extensive detail on the products and controls a team can implement for mitigation.
A risk assessment is not only prudent – it’s mandated by the federal government for all 16 sectors of the DHS. Don’t think that cybersecurity standards and directives are limited to data. The mandates distinctly recognize the need for physical security and protection for America’s critical assets. For the time being, the FBI classifies physical security protection under the cybersecurity label.
Steps to Conducting a Security Assessment
A security assessment for a healthcare facility starts with defining objectives. These can be basic action statements such as “maintain operations,” “continuity of operations,” “critical asset protection,” and “customer and staff safety.” Keep in mind that your objectives should account for any disruption to the outlined functions that could result in significant or total destruction of the healthcare facility.
Each objective has multiple functions that need to be assessed for risk and vulnerabilities. These functions are, for the most part, static under the RMF directive. A physical CI plan must follow these functions:
1. Identify the risks
2. Protect the assets and services
3. Detect what is happening, when it is happening, and where it is happening
4. Respond with the appropriate level of resources
5. Recover from the event to keep the essential services operational (Continuity of Operations Plan or COOP) for the public good
The 3 Phases of a Successful Security Assessment
1. Define the objectives and what you need to protect.
For example, if the objective is “personnel safety,” you would need to collaborate with the security team. Identify the personnel in the building and where they would congregate outside on the property, for example, smoking areas and meditation gardens. Defining objectives can be overlooked or blended into other phases. It’s imperative that security teams and management work together to clearly identify objectives.
2. Identify the threats, vulnerabilities and risks.
Threats are defined here as an event, natural or manmade, that would significantly reduce or destroy the functionality of a healthcare facility. Vulnerabilities include where and what would be attacked and how to prevent it. Risks are identified as what an attack would do to operations and what is acceptable as likely or unlikely, scaled and measured.
In this step, managers and security teams identify the types of dangers to personnel. Their likelihood should be listed and given a “rating” as to the probability of occurrence. The rating system is completely up to the security team, but it must be logical and scaled.
The DHS lists active shooters, disgruntled or violent persons, bomb detonation, arson, criminal violence, proximity to neighborhood violence, as well as a danger-close proximity of the hospital to other High Value Targets (HVT) such as military bases, power stations, and government buildings as the most likely threats to a healthcare facility.
3. Apply and integrate risk mitigation.
At this point in the process, careful resource allocation analysis is required, using the “rating” designators discussed in the previous step to weigh one event’s likelihood and impact against another’s. The team should take the single-loss expectancy and multiply it by the annual rate of occurrence to compute an annualized loss expectancy. Once the decision is agreed upon by the security team, it’s time to decide on the types of solutions to implement at your facility.
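An added example (not part of the original article): a small risk register in Python that applies the single-loss expectancy times annual rate of occurrence calculation, maps each rate onto a 1-5 likelihood rating, and funds controls by annualized loss reduction per dollar within a budget. The rating thresholds, dollar figures, rates, threat-to-control pairings and the greedy funding rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed likelihood scale: (minimum ARO, rating). Any logical, scaled system works.
SCALE = [(1.0, 5), (0.5, 4), (0.1, 3), (0.02, 2), (0.0, 1)]

@dataclass(frozen=True)
class Risk:
    threat: str
    sle: float         # single-loss expectancy, dollars per event
    aro: float         # annual rate of occurrence, events per year
    control: str       # candidate mitigation
    cost: float        # annualized cost of the control, dollars
    aro_after: float   # estimated ARO once the control is in place

    @property
    def ale(self):                 # annualized loss expectancy = SLE x ARO
        return self.sle * self.aro

    @property
    def reduction(self):           # ALE removed by the control
        return self.sle * (self.aro - self.aro_after)

def rating(aro):
    """Map an ARO onto the 1-5 likelihood rating."""
    return next(r for floor, r in SCALE if aro >= floor)

def plan(risks, budget):
    """Fund controls that pay for themselves, best ALE reduction per dollar first."""
    worth = [r for r in risks if r.reduction > r.cost]
    worth.sort(key=lambda r: r.reduction / r.cost, reverse=True)
    funded, residual = [], sum(r.ale for r in risks)
    for r in worth:
        if r.cost <= budget:       # skip controls the remaining budget cannot cover
            budget -= r.cost
            residual -= r.reduction
            funded.append(r.control)
    return funded, residual

# Constructed register: every dollar figure and rate below is illustrative.
REGISTER = [
    Risk("unauthorized pharmacy access", 25_000, 4.0, "badge access control", 45_000, 0.5),
    Risk("criminal violence in parking lot", 40_000, 2.0, "cameras and lighting", 30_000, 0.5),
    Risk("arson", 400_000, 0.125, "door and window sensors", 20_000, 0.0625),
    Risk("bomb detonation", 2_000_000, 0.0078125, "barriers and bollards", 60_000, 0.00390625),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: r.ale, reverse=True):
        print(f"{r.threat:34} rating={rating(r.aro)} ALE=${r.ale:>10,.0f}")
    print(plan(REGISTER, budget=80_000))
```

With these sample numbers the high-impact, low-frequency entry has the smallest annualized loss and its control is never funded on cost alone, which is why the likelihood rating and the impact are reviewed side by side rather than ranking on the annualized figure only.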
Mitigation and Solutions
From parking lots and waiting areas to surgical rooms, electrical rooms, and pharmacies, healthcare facilities have dozens of critical areas that must be properly protected. Working closely with security integrators and other experts can provide security solutions for each of these unique locations. Learn about the types of security solutions available to determine what would best protect your facility.
Some solutions that benefit healthcare facilities include:
• Many types of surveillance cameras are available for indoor or outdoor use in all types of applications, ranging from patient care areas to parking lots, to meet specific security objectives.
• Barriers and bollards can be carefully deployed to slow or restrict access to unauthorized areas or channel traffic in a certain direction.
• LED and intelligent lighting systems offer technological advances over many current lighting networks.
• Perimeter detection systems can be deployed around properties, including the use of sensitized cabling running along fences to identify and report any sort of grabbing, cutting, climbing or lifting.
• Sensors on ingress/egress points, such as doors, windows and even manholes, can instantly notify personnel when opened or closed.
• Access control systems utilizing badging or various types of authentication techniques help prevent unauthorized access to critical areas such as electrical rooms, water and sewage areas, gas/oil storage areas, pharmacies or surgical rooms. Depending on the area, appropriate access control could include smart chip-enabled identification cards for employees, biometric scanners, or remote management systems to allow security personnel to view activity and unlock doors.
Safeguard Your Facility, Patients and Personnel
Hospitals have many vulnerabilities that must be secured for the safety of personnel and the general public. It’s important for management and security teams to collaborate when conducting a security assessment, defining objectives and possible solutions to protect your facility.