By Jason Wolff, RCDD, PMP, Security+
Jason is a senior application engineer who focuses on DoD secure communications, information management, ISP/OSP cable, facility designs and specifications, and our leading DHS CIP Secure(it) initiative with a focus on energy. He provides direct engineering and sales support to the regional government and government strategic account managers across the WESCO Solutions spectrum.
Physical security concerns are an integral issue for healthcare facilities. These vital organizations are open to the public and serve vulnerable populations. A physical or cybersecurity attack could be devastating to the facility, its personnel, patients and the community. Conducting a risk assessment can significantly mitigate the vulnerabilities of a healthcare facility to ensure a safe environment for everyone.
Here’s how to protect critical infrastructure, the three phases of a successful risk assessment, and solutions to protect every area of a hospital from the parking lot to a surgical room.
Risk Assessments Aren’t Just Prudent, They’re Federally Mandated
The Department of Homeland Security (DHS) considers healthcare and the public sector to be Critical Infrastructure (CI). CI can be defined as an industry whose services are so vital that their incapacity or destruction would have a debilitating impact on the defense, social and/or economic stability and security of the United States. Therefore, the essential public services and functions of the industry require additional resources and attention concerning its security posture, facility by facility.
Presidential Decision Directive (PDD 63) of 1998 directed that the appropriate authorities identify and protect American Critical Infrastructure.
Based upon the vulnerability assessment, there shall be a recommended remedial plan. The plan shall identify timelines for implementation, responsibilities, and funding.
PDD 63 has since been replaced by the National Institute of Standards and Technology (NIST) and its new Risk Management Framework (RMF) practices. The RMF process provides extensive detail on the products and controls a team can implement for mitigation.
A risk assessment is not only prudent – it’s mandated by the federal government for all 16 sectors of the DHS. Don’t think that cybersecurity standards and directives are limited to data. The mandates distinctly recognize the need for physical security and protection for America’s critical assets. For the time being, the FBI classifies physical security protection under the cybersecurity label.
Steps to Conducting a Security Assessment
A security assessment for a healthcare facility starts with defining objectives. These can be basic action statements such as “maintain operations,” “continuity of operations,” “critical asset protection,” and “customer and staff safety.” Keep in mind, your objectives should take into consideration any disruption to the functions outlined which could result in significant or total destruction of the healthcare facility.
Each objective has multiple functions that need to be assessed for risk and vulnerabilities. These functions are static, for the most part, regarding the RMF directive. These functions of a physical CI plan must be followed:
1. Identify the risks
2. Protect the assets and services
3. Detect what is happening, when it is happening, and where it is happening
4. Respond with the appropriate level of resources
5. Recover from the event to keep the essential services operational (Continuity of Operations Plan or COOP) for the public good
The 3 Phases of a Successful Security Assessment
1. Define the objectives and what you need to protect.
For example, if the objective is “personnel safety,” you would need to collaborate with the security team. Identify the personnel in the building and where they would congregate outside on the property, for example, smoking areas and meditation gardens. Defining objectives can be overlooked or blended into other phases. It’s imperative that security teams and management work together to clearly identify objectives.
2. Identify the threats, vulnerabilities and risks.
Threats are defined here as an event, natural or manmade, that would significantly reduce or destroy the functionality of a healthcare facility. Vulnerabilities include where and what would be attacked and how to prevent it. Risks are identified as what an attack would do to operations and what is acceptable as likely or unlikely, scaled and measured.
In this step, managers and security teams identify the types of dangers to personnel. Their likelihood should be listed and given a “rating” as to the probability of occurrence. The rating system is completely up to the security team, but it must be logical and scaled.
The DHS lists active shooters, disgruntled or violent persons, bomb detonation, arson, criminal violence, proximity to neighborhood violence, as well as a danger-close proximity of the hospital to other High Value Targets (HVT) such as military bases, power stations, and government buildings as the most likely threats to a healthcare facility.
3. Apply and integrate risk mitigation.
At this point in the process, careful resource allocation analysis is required, using the “rating” designators discussed in the previous step to weigh one event’s likelihood and impact against another’s. The team should multiply the single-loss expectancy by the annual rate of occurrence to compute an annualized loss expectancy. Once the decision is agreed upon by the security team, it’s time to decide on the types of solutions to implement at your facility.
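The rating and loss-expectancy steps above, worked through as an added example that is not part of the original article: a small risk register that checks the likelihood scale is logical and scaled, then ranks threats by annualized loss expectancy. The 1-5 scale, its rate values, and the dollar figures are constructed assumptions; only the threat names come from the DHS list above.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed 1-5 likelihood scale: rating -> annual rate of occurrence (ARO).
# The scale itself is the security team's choice; these values are assumptions.
RATING_TO_ARO = {
    1: Fraction(1, 50),  # about once in 50 years
    2: Fraction(1, 10),  # about once in 10 years
    3: Fraction(1, 2),   # about once every 2 years
    4: Fraction(1),      # about once a year
    5: Fraction(4),      # about quarterly
}

def check_scale(scale):
    """Reject a scale that is not 'logical and scaled': consecutive ratings, rising ARO."""
    ratings = sorted(scale)
    if ratings != list(range(ratings[0], ratings[0] + len(ratings))):
        raise ValueError("ratings must be consecutive integers")
    for lo, hi in zip(ratings, ratings[1:]):
        if scale[hi] <= scale[lo]:
            raise ValueError(f"rating {hi} must be more likely than rating {lo}")

@dataclass(frozen=True)
class Threat:
    name: str
    rating: int  # likelihood rating assigned in phase 2
    sle: int     # single-loss expectancy in dollars (constructed figure)

def ale(threat, scale=RATING_TO_ARO):
    """Annualized loss expectancy = single-loss expectancy x annual rate of occurrence."""
    return threat.sle * scale[threat.rating]

def rank(threats, scale=RATING_TO_ARO):
    """Return (name, ALE) pairs, highest annualized loss first."""
    check_scale(scale)
    return sorted(((t.name, ale(t, scale)) for t in threats),
                  key=lambda row: row[1], reverse=True)

# Constructed register using threat names from the DHS list above.
REGISTER = [
    Threat("criminal violence", rating=4, sle=60_000),
    Threat("disgruntled or violent person", rating=5, sle=20_000),
    Threat("arson", rating=2, sle=2_000_000),
]

if __name__ == "__main__":
    for name, loss in rank(REGISTER):
        print(f"{name:32} ALE ${int(loss):>9,}")
```

With these constructed figures the lowest-rated event (arson) carries the highest annualized loss, which is why the likelihood rating alone is not enough to prioritize mitigation spending.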
Mitigation and Solutions
From parking lots, waiting areas, surgical rooms, electrical rooms, and pharmacies, healthcare facilities have dozens of critical areas that must be properly protected. Working closely with security integrators and other experts can provide security solutions for each of these unique locations. Learn about the types of security solutions available to determine what would best protect your facility.
Some solutions that benefit healthcare facilities include:
• Many types of surveillance cameras are available for indoor or outdoor use in all types of applications, ranging from patient care areas to parking lots, to meet specific security objectives.
• Barriers and bollards can be carefully deployed to slow or restrict access to unauthorized areas or channel traffic in a certain direction.
• LED and intelligent lighting systems offer technological advances over many current lighting networks.
• Perimeter detection systems can be deployed around properties, including the use of sensitized cabling running along fences to identify and report any sort of grabbing, cutting, climbing or lifting.
• Sensors on ingress/egress points, such as doors, windows and even manholes, can instantly notify personnel when opened or closed.
• Access control systems utilizing badging or various types of authentication techniques help prevent unauthorized access to critical areas such as electrical rooms, water and sewage areas, gas/oil storage areas, pharmacies or surgical rooms. Depending on the area, appropriate access control could include smart chip-enabled identification cards for employees, biometric scanners, or remote management systems to allow security personnel to view activity and unlock doors.
Safeguard Your Facility, Patients and Personnel
Hospitals have many vulnerabilities that must be secured for the safety of personnel and the general public. It’s important for management and security teams to collaborate when conducting a security assessment, defining objectives and possible solutions to protect your facility.