Diagnosing Security Challenges
Developing the secure hospital of the future starts with planning and collaboration today
A hospital in America continues to be one of the most dangerous places to work. Health care organizations face a varied and constantly evolving threat landscape, from longstanding issues with workplace violence and infant abductions to more modern malicious activities such as cyberattacks and data breaches. Hospitals must be ready for anything that would disrupt their ability to provide care, jeopardize the safety of patients and staff, or damage the reputation of the health system. At the same time, they must remain in compliance or risk audits by regulatory bodies.
Some of the incidents that are happening today were unimaginable a few years ago, so it is no surprise that relying on older systems is limiting success in adapting to new challenges.
Data is now obtained from multiple devices, including video management, computer-aided dispatch, mobile phones (and the cameras that reside within them), GPS tracking, mass notification, panic alarms, intrusion detection, and more. Protecting a hospital environment requires a vast number of sensors, but unifying multiple devices into one system to gain complete situational awareness remains a challenge. Therefore, identifying the best solution requires working with a team from both a technical and an operations background, and that includes physical security, data security, IT, and hospital operations. Furthermore, integration partners should have subject matter experts who are mindful of all relevant challenges and who can be a collaborative partner to other departments, such as risk management, privacy, IT, and human resources, among others. They should be a total solution provider, not a parts and pieces installer. Through a collaborative effort, hospitals can leverage technology to create the secure hospital of the future.
The Secure Hospital of the Future
What does the secure hospital of the future look like?
- It has enhanced campus security and provides an environment of care and comfort to patients, visitors and staff.
- It has reduced costs of claims and improved Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) scores.
- It has a centralized command and control center on one platform that is bidirectional in its communication.
- It has improved its operations and workflow, such as cross-department and cross-hospital coordination, with risk management, facilities and IT.
- It is using nonconventional means to enhance its environment of care. For example, some hospitals have placed cameras at the entrances of hallway bathrooms. In addition to providing a security benefit, the cameras count the number of people who enter the restroom and, after a certain number, notify a cleaning crew.
- It is better at managing its devices and assets. Security has a record – an audit trail – of access to all controlled areas in the facility.
- Security relies on sound protocols and response procedures and has become more efficient and effective in deploying them.
- And, of course, it is in full compliance with regulations.
Assuming you embrace change in order to future-proof your hospital, physical security will converge to a virtual environment. Your secure hospital of the future continues to thrive in the midst of risk. Your security department is in lockstep with IT, its applications and its network. Your data is automatically aggregated by systems you have put in place. You have demonstrated cost savings, reduced space, and developed an efficient IT infrastructure. You have become the centerpiece of the hospital portfolio for infrastructure assessment and improvement. Not only are you not a cost center, you have decision-making authority because of the multiple levels of ROI that you demonstrate. Your peers appreciate having previously unobtainable data and you deliver a wealth of cross-functional value in the form of operational intelligence gathering. Like other department heads, your business processes are driven by policies that are based on regulations and industry best practices.
You are counted on because of the data points and sensors in the ceiling that were previously referred to only as cameras. They provide, among other things, information on improving and securing your infrastructure, reducing risk, streamlining workflow, and enhancing the quality of care. You provide a high degree of situational awareness to operational executives. You have seamless communications mediums, detailed protocols, and adequate coverage to protect your health system from any liability. You have the ability, training, and comfort to access any of these systems in order to identify incidents.
Your security officers and operators have one system that aggregates data from all of their previous screens. This system includes video surveillance, access control, social media, alarms, and geolocation systems to understand where an event is taking place. Not only does security staff have better information, they are more prepared with response protocols that are launched when an event is triggered. Management departments work closely with security to build a proactive partnership to develop the hospital’s safety and emergency response plans as the environment of care changes.
Failing to Prepare
What will happen if you do not prepare for the secure hospital of the future?
Physical security systems have converged to IT, but you continue to use siloed tools, leaving your team with multiple devices and monitors to manage. The alerts from all of these standalone systems require time and attention, and you realize that you are working on your technology instead of having your technology work for you. Your department continues to react, respond, and recover, losing millions of dollars in time, productivity, reimbursements, and employee turnover. You have submitted your budget, but your $250,000 request has been denied because the radiology department was able to demonstrate ROI after just four months for a $1 million machine.
You get hacked. Data thieves gained entry through the access control system because the security equipment has not kept pace with the technological progression of the rest of the hospital. Your patient and employee information has been exposed, and the news has made the cover page of peer-reviewed publications as an example of what goes wrong when security is not taken seriously. The Occupational Safety and Health Administration (OSHA) has cited you for violence committed against nurses in your emergency department and for not demonstrating any sort of improvement, staff comfort, or safety. You have gotten the attention of The Joint Commission and, despite an inspection not being due for another year, they will be showing up at your facility any day now. Staff morale is down and you struggle to recruit good talent. These challenges have negatively affected the quality of care and the hospital’s HCAHPS scores reflect this. So is not preparing really an option?
The Path Forward
At a minimum, three departments need to be included in the process of identifying security solutions: Risk, Finance, and IT. These three branches of government should be data mining their non-recoverable costs. What costs could have been prevented? What is the risk and cost associated with doing nothing? How much can be captured by doing something? Demonstrate that your budget is obtained from a portion of the hospital savings that you have created through cross-department collaboration.
Risk includes things as varied as threats on social media and spending millions of dollars to have security officers watch patients one-on-one. Why isn’t there integrated social media monitoring? Why isn’t visual monitoring set up like telemetry? Hospitals have been doing a 1-to-20 or even 1-to-30 patient ratio with physiologic monitoring for years. Yet only two hospitals in the United States have data showing the millions of dollars in recoverable costs on payroll resulting from sitter utilization after implementing a camera monitoring system. That is two out of 5,724 hospitals in the nation. Save millions of non-recoverable payroll costs, invest a portion of that savings in a camera system, and write off the expenditure in capital equipment while maintaining a consistent and reliable approach to the new intensive monitoring equipment.
Anytime you reduce risk, you reduce insurance premiums. Who pays your insurance bill? After implementation to improve the security of your infrastructure, how soon will the savings hit the bottom line? What else can be done to further reduce premiums?
Do you have an $800 non-recoverable cost that is showing up repeatedly? Most hospital systems in the country have a dollar amount for paying out claims without extensive inquiry. In one case, a single fraudulent incident turned into nine when the perpetrators realized that getting compensated by the hospital for a “lost wallet” was easy. It was not until the security director was notified of this that cameras were installed in the area where the incidents were supposedly taking place. While it may seem small, if a company has multiple facilities at which it is occurring, this security gap could quickly become expensive. Another major consideration is high dollar amount claims. These are the slip-and-falls that cost you millions of dollars because you have no evidence to support your defense. How much are legal fees costing your hospital for incidents that could have been dismissed if a video recording had been available?
It behooves the security director to work with IT from the start. In short, if it’s IP, it’s IT. Collaboration should be exactly that: collaborative. The convergence of physical security systems, the pipeline for collecting, transferring, and storing data critical for daily operations, is a function of IT. However, IT generally is not capable of being proficient in every physical security technology, making the active participation of security in the process essential.
These are examples of components that should be prioritized to realize immediate operational and financial benefits. They can change a conversation with a CFO from “I need to get budgeted for this” to “Let me show you how much I’m saving you.” It is win-win for everyone, including employees, who work in a safer environment and see that their safety and security are important to their employer.
Choosing a Partner
Whom do you trust to be an extension of your team, to be your systems integration partner? Integrators should be in it for the long haul. They should be your trainer and advisor and, quite often, your advocate and friend.
It is paramount that the integrator understands your world and can assist with using technology to enhance safety and security while maintaining compliance.
An integration partner and solution provider should stay on top of the latest trends and technology and should have relationships with the leading healthcare security organizations.
The core competencies of a reliable solution provider are:
- They are accurate in their assessments.
- They are current with where you should be and are aware of the technologies that are available.
- They are experts in demonstrating how security technology is moving beyond traditional security applications.
- They recognize that hospitals are different from other organizations and have their own set of regulatory agencies.
- They are unbiased and vendor-neutral.
- They recognize and communicate what is essential.
- They not only provide recommendations, they give you options based on timelines, time constraints, priorities, prices, etc.
- They provide solutions that are readily usable.
- They show immediate benefits and savings, such as demonstrating how to obtain quantifiable data to support security initiatives.
- There is no drama on the backend, like erroneous invoices, manufacturer hiccups or inventory shortages.
Hospitals will not see any relief from the barrage of threats they currently face by being complacent. In fact, the challenges will probably only increase. Patient populations continue to grow, workplace violence is ever-present, hackers are becoming more sophisticated (and healthcare data more valuable), and the opioid epidemic shows no signs of abating. But there is good news in this daunting scenario: Technology can help provide solutions. It is up to security directors, though, to start planning for the secure hospital of the future today. The convergence of physical and IT security offers insights and coordination that were not thought possible until recently. Leveraging this technology and the new processes and procedures that come along with it will enhance organizations’ ability to address these threats.
Change does not have to come all at once. Now is the time, though, to organize teams, present the possibilities and benefits, and begin to build out security systems. Integrator and manufacturer partners need to have a part in this and should be providing scalable technologies with an eye to a future holistic system. The best solution for right now (whether in terms of cost or technology) may not make sense in the long term and could set the whole effort back significantly. The industry has made tremendous strides in both technology and best practices. The path forward is there, and now is the time to take it.
Marianne Iannotta (firstname.lastname@example.org) is a hospital security specialist at Kratos Public Safety & Security Solutions (www.kratospss.com).