ohmc 201509 lin

The challenge of ensuring secure clinics and hospitals for patients and staff Danie Schoeman 17 September 2015

Upload: danie-schoeman

Post on 17-Jan-2017

TRANSCRIPT

Page 1: OHMC 201509 lin

The challenge of ensuring secure clinics and hospitals for patients and staff

Danie Schoeman

17 September 2015

Page 2: OHMC 201509 lin

What’s your emergency?

Page 3: OHMC 201509 lin

Critical issues for hospitals and medical centres

Workplace violence

Budget/funding

Technology integration and management

Active shooter

Staffing and training

Patient behavioural health and violence

Asset protection/theft

ASIS: The 2014 Security 500 Sector Reports

Page 4: OHMC 201509 lin

Top security concerns

Guardian 8 Survey

OSHA fines: 8%

Employee retention: 10%

High incidence of fatalities: 12%

Lack of accountability/documentat…: 16%

Administrators' understanding of regulations: 17%

Legal fees/repercussions: 19%

Disruptions to patient care: 24%

Office safety: 56%

Patient safety: 57%

Page 5: OHMC 201509 lin

Increasing crime and violence

Health Facilities Management/ASHE 2012 Hospital Security Survey

Change in frequency of incidents (increase / about the same / decrease):

Infant abduction - actual: 0% / 79% / 21%

Infant abduction - attempted: 0% / 80% / 20%

Shootings in hospital and on grounds, excl. ED: 1% / 78% / 21%

Shootings in ED: 1% / 78% / 21%

Bomb threats: 3% / 74% / 23%

Staff-on-staff violence: 3% / 79% / 18%

Other thefts (major - more than $500/item): 8% / 77% / 15%

Patient care equipment thefts: 9% / 78% / 13%

Pharmaceutical and supply thefts: 10% / 74% / 16%

IT equipment thefts: 11% / 75% / 14%

Domestic incidents involving employees: 12% / 77% / 11%

Other thefts (minor - $500 or less/item): 17% / 70% / 13%

Elopements/patient wandering: 17% / 75% / 8%

Auto thefts/car break-ins: 18% / 64% / 18%

Property damage/vandalism: 21% / 68% / 11%

Attacks/assaults: 25% / 68% / 7%

Patient/family violence against staff in hospital, excl. ED: 26% / 68% / 6%

Patient/family violence against staff in ED: 33% / 60% / 7%

Page 6: OHMC 201509 lin

A unique balancing act

Page 7: OHMC 201509 lin

A paradox

Patients

Employees

Visitors

Vendors

Infant units

Paediatric units

Pharmacy

Psychiatric units

Page 8: OHMC 201509 lin

A fine balance

Privacy vs Security

Page 9: OHMC 201509 lin

Challenges

Page 10: OHMC 201509 lin

Patient safety

Patient elopement, especially high-risk patients

Patients need access to reliable emergency call systems

Paediatric patients need to be protected from abduction and patient flight

Patients who may be a danger to themselves or others

Page 11: OHMC 201509 lin

Infant protection

Potential infant abduction

Infant care outside the mother’s room

Mother/infant mismatching

Page 12: OHMC 201509 lin

Patient information security

Verizon 2015 Data Breach Investigations Report

Almost all cyber attacks can be classified by 9 patterns:

Denial of service attacks: 0,1%

Payment card skimmers: 3,1%

Physical theft and loss: 3,3%

Miscellaneous errors: 8,1%

Web app attacks: 9,4%

Insider and privilege misuse: 10,6%

Cyber espionage: 18,0%

Crimeware: 18,8%

Point of sale intrusions: 28,5%

Page 13: OHMC 201509 lin

Typical cyber attack incidents for healthcare

Healthcare: Miscellaneous errors 32%, Insider misuse 26%, Physical theft / loss 16%

On average, 76% of the incidents in an industry can be described by just three of the nine patterns.

PHYSICAL THEFT / LOSS

Any incident where an information asset went missing, whether through misplacement or malice.

INSIDER AND PRIVILEGE MISUSE

This is mainly insider misuse, but outsiders (due to collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.

MISCELLANEOUS ERRORS

Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead.

Verizon 2015 Data Breach Investigations Report

Page 14: OHMC 201509 lin

Cyber attacks are physical

of insider and privilege misuse attacks used the corporate LAN.

of theft / loss happened at work.

of miscellaneous errors involved printed documents.

Verizon 2014 & 2015 Data Breach Investigations Report

85%

49%

55%

Page 15: OHMC 201509 lin

Look inside your company

PWC Global State of Information Security Survey 2015

[Chart: Likely sources of incidents, comparing all industries in all regions with healthcare. Categories: Unknown; Domestic intelligence service; Foreign nation-states; Competitors; Activists / activist organisations / hacktivists; Organised crime; Hackers; Suppliers / business partners; Former service providers / consultants / contractors; Current service providers / consultants / contractors; Former employees; Current employees]

Page 16: OHMC 201509 lin

Screening and vetting is business critical

PWC Global State of Information Security Survey 2015

[Chart: Security safeguards in place, comparing all industries in all regions with healthcare. Categories: Conduct personnel background checks; Require 3rd parties to comply with our privacy policies; Employee security awareness training programme; Privileged user access; Secure access-control measures; Accurate inventory of where personal data for employees and customers are collected, transmitted…; Employ Chief Information Security Officer in charge of security; Information security strategy that is aligned to the specific needs of the business]

Page 17: OHMC 201509 lin

Staff safety

Workplace violence: even though you know that workplace violence occurs more frequently in certain departments (including ED, mental health, geriatrics, and substance abuse), it’s very difficult to predict and prevent staff duress

Staff duress during emergency situations

High turnover and low morale in certain departments, particularly the ED, due to frequent staff duress

Staff members get injured, injury claims push up costs and overtime needed to cover absent caregivers’ shifts

Page 18: OHMC 201509 lin

Workplace violence

Occurrences: number of different types of violence experienced per respondent

One type: 30%

Two types: 18%

Three types: 10%

Four types: 4%

Five types: 1%

Perpetrators

27% 15% 31% 14% 4% 4% 4%

Susan Steinman; Workplace Violence in the Health Sector; Country Case Study: South Africa (ILO, ICN, WHO, PSI)

Page 19: OHMC 201509 lin

Pharmacy inventory management

Little or no inventory visibility causing overstocking to compensate

Increased risk to patient safety due to product expiration or unavailability

Inefficient manual processes

Complex payment structures and regulations

Data disconnection between inventory costs and procedural measures

8 to 10% of items expire annually in procedure rooms and as much as 15% of critical assets are lost

Stanley Healthcare

Page 20: OHMC 201509 lin

Healthcare asset tracking and management

Productivity losses due to manual processes to manage capital and rental equipment

“Squirrel stores” due to equipment availability

Having a hard time locating needed equipment, health systems end up purchasing or renting more than they actually need

Patient dissatisfaction due to waiting for equipment when staff have difficulty locating it

40% of nurses report spending up to one hour per shift searching for equipment

Stanley Healthcare

Page 21: OHMC 201509 lin

Solutions

Page 22: OHMC 201509 lin

Top hospital security systems being implemented

Health Facilities Management/ASHE 2012 Hospital Security Survey

Chart values (already implemented / plan to implement in the next 24 months):

Man traps: 12% / 5%

Metal detectors: 14% / 6%

Outsourced remote video surveillance and monitoring: 16% / 4%

Wireless RFID clinician badges with panic alert buttons: 12% / 14%

Biometrics: 20% / 7%

Video analytics capabilities: 18% / 13%

Physical security information management (PSIM): 27% / 14%

Wireless panic alarm system: 38% / 11%

RFID for tracking equipment, supplies, medications,…: 25% / 26%

Patient elopement system: 50% / 10%

Visitor management system: 41% / 21%

Electronic lockdown from a central location: 52% / 17%

Wired panic alarm systems: 72% / 7%

Integrated security system: 67% / 14%

Vendor management system: 76% / 10%

Mass notification system for emergency preparedness: 69% / 18%

Digital IP-video surveillance system: 71% / 19%

Electronic access control: 88% / 8%

Page 23: OHMC 201509 lin

Conduct a Hospital Security Assessment

Analyses existing protocols, policies, and procedures

Evaluates physical security vulnerabilities and threats

Page 24: OHMC 201509 lin

Develop a Hospital Security Management Plan

Develop and implement protocols, policies, and procedures

Hazard surveillance program

Identify trends from monitored data

Maintain, evaluate and improve system

Ensure regulatory compliance

Employ reputable security organisation

Page 25: OHMC 201509 lin

Is there a doctor in the house?

Patient management

Patient flow

Safety

Asset management

Inventory management

Environmental monitoring

Real-time locating system (RTLS)

Page 26: OHMC 201509 lin

Beyond basic security technology

Enhance with video analytics

Integrate intrusion detection, access control, and video surveillance

Add RTLS Environmental monitoring

Asset management

Enterprise Systems Integration

Page 27: OHMC 201509 lin

A single integrated system

Page 28: OHMC 201509 lin

Outsource non-core services

Cleaning

Maintenance

Catering

Fleet management

Stores management

Document storage

Page 29: OHMC 201509 lin

The payoff

Page 30: OHMC 201509 lin

Benefits to you

Reduction in operational costs such as administration and maintenance

Lower capital expenditures due to flexibility of single integrated system to accommodate add-on security components

Single system also keeps training costs lower

Decreased losses and lower associated operational costs

Improved business continuity via a more robust, resilient, and responsive operation

Greater end-to-end transparency for improved process management and efficiency

An independent study showed that a single integrated system gives:

24% saving in installation cost for a 13500 m² building

33% reduction in training

82% reduction in IT administration

32% reduction in cost of changes, upgrades and additions

Strategic ICT Consulting, Teng & Associates

Page 31: OHMC 201509 lin

Thank you