Threat Analysis Group, LLC

Independent Security Consulting - www.threatanalysis.com - (281) 494-1515

Tuesday, November 11, 2008

New Data-Driven Security Study is available

A new 40-page study on Data-Driven Security Programs is now available:

Data-Driven Security

Readers of this blog may receive a complimentary copy. Please click here to request a copy.

posted by kvellani at 6:56 pm  

Thursday, October 30, 2008

Federal Reserve Bank of St. Louis studies correlation between crime and economic swings

An interesting and timely study by an economist at the Federal Reserve Bank of St. Louis finds limited correlation between crime and economic cycles. According to the report, short-run changes in economic conditions, as measured by changes in unemployment and wages, are found to have little effect on city crime across many cities, but property crimes were more likely to be influenced by changes in economic conditions than were more violent crimes.

read the Federal Reserve Bank of St. Louis Study

posted by kvellani at 8:05 am  

Thursday, October 23, 2008

Hospital Security: A Case of Security Mismanagement?

A recent article in the New York Times outlined a number of potential weaknesses in NYC hospitals, including unarmed police officers, no security patrols, no supplemental security force, and security equipment in disrepair, among others. Hospital management may be able to articulate a good case for this somewhat unusual security program. The crimes outlined in the article might also speak to mismanagement and a failure to understand the situational nature of security at these NY hospitals.

read the New York Times article

Related Posts:

Crime Dynamics in Hospitals

Hospital Security

posted by kvellani at 8:04 am  

Thursday, October 2, 2008

Crime Dynamics in Hospitals

Everyday crimes, rather than terrorism or natural disasters, are the most common threat facing hospital security professionals in protecting their assets. A thorough assessment of the specific nature of crime and security breaches can reveal possible weaknesses in the hospital’s current security posture and provide a guide to effective solutions. A full understanding of everyday crime’s dynamic nature allows hospital security professionals to select and implement appropriate countermeasures to reduce the opportunity for these incidents to occur in the future. Threat dynamics identifies key elements of each threat and the methods to block specific threats. There are a number of threat dimensions that hospital security professionals should be well versed in before selecting countermeasures. These dimensions include:

  • The hospital’s situational elements
  • Criminal motivation and capability
  • The criminal’s target selection factors
  • Opportunity reduction strategies

Situational elements are those characteristics of the hospital that create an environment which is more or less conducive to certain types of crimes or security violations. For example, a hospital may suffer more from auto thefts in the parking lot than the average number in the community due to the number of targets (patient, family, and staff automobiles) in a small area. Another example of situational elements affecting crime may be the nature of hospital “customers” who are focused on something other than their personal security such as their own or their family’s health. Offenders may use this to their advantage to snatch purses, burglarize cars, or perpetrate other crimes. Situational elements also include the nature of the activities that occur on the property. A pediatric hospital, like childcare centers, may be more prone to infant abduction.

Criminal motivation and capability is key to understanding the nature of crime on the property. Criminals, more often than not, are rational decision makers capable of being deterred or enticed to commit their acts. In modern criminal justice, it is widely accepted that certain people can be generally deterred from committing crimes given swift and severe punishment. Specific deterrence measures can be taken by introducing countermeasures that increase the risk of detection. For example, the presence of a visitor management system or closed circuit camera systems (CCTV) may deter some criminals. By the same token, people may also be encouraged to commit crime by providing them with ample opportunity and a low risk of detection.

A criminal’s target selection is a process by which the rational criminal will select the easiest target that provides the highest reward. Criminals also select targets where the rewards are high. Hospital parking lots, for example, provide ample auto theft opportunities for the perpetrator who specializes in stealing cars. One may think of target selection primarily as a force of opportunity. The goal, then, for hospital security professionals is to reduce the number of crime opportunities.

Opportunity reduction strategies address the characteristics of the hospital that either encourage or deter crime. Opportunity reduction strategies may take the form of enhanced policies and procedures, physical security measures, or security personnel. Each hospital will be different in terms of the solutions that are effective because each hospital has its own unique characteristics and unique threats. Unfortunately, what works at one hospital may not work at a similar hospital in a different geographic area. Security, unlike safety, is situational.

Accurate threat assessments are critical for understanding these dimensions. It should be noted though that not even the best threat assessment can anticipate every possible scenario including the addition of more assets. Criminals can adapt to and overcome updated countermeasures, and thus, conceptual threats must be identified. In today’s world of technology, state of the art countermeasures are outdated at an increasing pace and criminals usually move at a similar pace. Hospital security professionals should keep abreast of the latest threat information using the best available sources of information. Using multiple threat information sources will assist in keeping the security professional abreast of the latest threats and the threat profile up to date.

Crime happens. A robust analysis of threats can help to further reduce risks to hospital assets and maximize security dollars.

posted by kvellani at 1:53 pm  

Monday, September 22, 2008

America the Vulnerable

If I remember correctly, America the Vulnerable is the title of a book that collects dust on my bookshelf. I can’t confirm that because it’s dark and we have no electricity. Ten days ago, Hurricane Ike devastated southeast Texas. Other than losing electricity for the past ten days, we made it through safe and with little property damage. Other people lost their lives and many more lost their homes. Our lack of electricity is of minor concern, though for others it’s causing significant problems. Since Ike rolled through Houston ten days ago, we have seen gas lines and grocery lines. We’ve seen many more gas stations and grocery stores stand empty. Many due to a lack of electricity to run the pumps and the cash registers. Today, the news is reporting that Atlanta is short on gas. In some parts of Tennessee, they are rationing the gas ($40 per car). The impact is far-reaching.

The lack of electrical power is hampering life. Many businesses and schools have still not re-opened. Some schools that opened don’t have hot food for children. Even some churches canceled services. Boredom is rampant. Tempers are short. A sheriff’s deputy said he’s tired of being yelled at by frustrated citizens. Assaults and burglaries are on the rise. No doubt.

Back to the point, is America vulnerable? As past natural disasters have shown, we are. Ike is only the latest example. It doesn’t take access to the best intelligence to know that terrorists could exploit a natural disaster to make a more lasting impression.

After the storm, there were 2.1 million people without power in the area. Soon after, the local electric company had their crews on the road. They also had mutual aid agreements with other electric companies across the country and from Canada to bring in more crews. Ten days after the storm, we have more than twelve thousand electric crews working around the greater Houston area to restore power.

Are we vulnerable? If the goal of terrorism is to scare people, what if the terrorists made a concerted effort to hamper the restoration process? As I type away on this laptop, which I have come to know too well over the past ten days, I can think of a handful of ways to do it. I also think it would be inappropriate to share them in this public forum. I’m sure the terrorists will figure them out. I only hope the powers that be (government and the utility companies) do first.

posted by kvellani at 8:47 pm  

Thursday, August 28, 2008

Information Security Assessments

The National Institute of Standards & Technology has released a Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans. As more security consultants cross over into information technology security consulting, it’s increasingly important to keep up with the developing knowledge base.

According to NIST, “The purpose of NIST Special Publication 800-53A is to establish common assessment procedures to assess the effectiveness of security controls in federal information systems, specifically those controls listed in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems. The assessment methods and procedures are used to determine if the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the organization. Organizations use the recommended assessment procedures from NIST Special Publication 800-53A as the starting point for developing more specific assessment procedures, which may, in certain cases, be needed because of platform dependencies or other implementation-related considerations. The assessment procedures in Special Publication 800-53A can be supplemented by the organization, if needed, based on an organizational assessment of risk. Organizations must create additional assessment procedures for those security controls that are not contained in NIST Special Publication 800-53. The employment of standardized assessment procedures promotes more consistent, comparable, and repeatable security assessments of federal information systems.”

National Institute of Standards & Technology

posted by kvellani at 6:33 am  

Sunday, August 3, 2008

Hospital Security

Securing the environment of care is a challenging and continual effort for most healthcare security managers, who face unique challenges in balancing the open campus environment with the protection needs of the hospital’s patients, employees, and other assets. No hospital is without risk and effectively managing risk is crucial to maintaining the protection and openness balance. By conducting a comprehensive risk assessment, hospital security managers can prioritize identified risks, develop an effective hospital security program, and reduce risk to a manageable and acceptable level. This article discusses a 5-step risk assessment process that enhances the hospital security program by effectively mitigating risks to the hospital.

Risk management, as the name implies, is the management of risks to an organization. For most healthcare facilities, risk management includes not only security functions, but also insurance, legal issues, and health and safety. The primary component of risk management is the risk assessment process whereby risks are monitored and addressed on a continual basis. This process consists of the identification of threats, vulnerabilities, and risks to the hospital with the end goal of selecting appropriate security measures to reduce identified risks. As seen in the flow chart below, the five steps of the risk assessment process are asset identification, security inventory, threat assessment, vulnerability assessment, and risk assessment.

Before entering into a discussion of the five steps, it might be helpful to identify key security terms and definitions used in this article. Among the more commonly used terms are threats, vulnerabilities, and risks. Generally speaking, threats are acts or conditions that can damage, destroy, or take hospital assets. Examples include natural disasters and criminal perpetrators. Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities are those things that make the hospital more prone to security related problems, such as crime, unauthorized access, and damage from natural disasters. Risk is the result of threats and vulnerabilities. Without the potential for a threat and a vulnerability coming together in time and space, risk is undetermined or non-existent. A simplified example may be a small town hospital which has open access to the facility and limited visitor management (vulnerability), but no historical security incidents (threat), thus the risk to the hospital is low.

Risk = Threat + Vulnerability

Asset Identification

Identifying assets, as seen in the flow chart, is the first step of the risk assessment process. Asset identification is the process of determining what people, property and information are critical to the mission of the hospital. People assets may include doctors, nurses, and patients along with other persons such as visitors and support personnel. A hospital’s property assets consist of both tangible and intangible items. Tangible assets are usually simple to identify, while intangible assets, such as the hospital’s reputation, are more difficult to identify and assign a dollar value. For all hospitals, information assets include medical records. While all assets have value, not all assets are critical to the hospital’s mission. Critical assets, then, are those assets necessary for the hospital to carry out its mission of providing healthcare, for without them functions and processes will fail and cause the hospital’s mission to fail. The higher the consequence from the loss, damage, or destruction of an asset, the more critical the asset is. Depending on the type of care and treatment provided, a hospital’s critical assets invariably include patients, medical professionals, support personnel, medical records, equipment, supplies, and pharmaceuticals. Other critical assets may not be as evident and must be identified during this step of the risk assessment process. One common way of identifying critical assets is to interview and/or survey the people charged with carrying out the hospital’s mission. Questionnaires of department administrators can also help to identify assets. Regardless of the technique used to identify assets, it is crucial to identify all critical assets to ensure that they are considered during the risk assessment.

Security Inventory

The second step of the risk assessment process is the security inventory. Typically, a hospital has already deployed various security measures throughout the facility or campus to resolve past security problems, thus the risk assessment is measuring mitigated risk, in contrast to raw risk. These security measures may include policies and procedures, physical security equipment, security personnel, or some combination of these measures. Security policies and procedures may include a security management plan, an emergency management plan, workplace violence prevention policy, medical records protection procedures, visitor management policies, and bomb threat procedures. Physical security equipment can include alarm systems, closed circuit television systems, access control systems, perimeter security systems, and lighting. Security personnel include the proprietary security force, contractual security personnel, off-duty law enforcement officers, and other personnel who serve in a protection capacity. Typical physical security measures will depend on the nature of the hospital, however many physical security measures are common across various hospitals. For example, closed circuit television is commonly deployed at most hospitals.

The risk assessment team should identify each component of the security program, what asset(s) it is used to protect, and its level of effectiveness. There are two methods for inventorying current security measures: inside-out or outside-in. Using the outside-in approach, the risk assessment team begins at the facility’s perimeter and works their way in toward the identified critical assets through each line of defense. The inside-out approach is the opposite, with the team starting at each critical asset and working their way out to the perimeter. In addition to these methods, the inventory process should also include reviewing any available security documentation including security plans, policies and procedures, security officer’s post orders, and physical protection system documentation.

Threat Assessment

The third step in the risk assessment process is the threat assessment. Threats are specific events or conditions that seek to obtain, damage, or destroy a hospital asset. Historical information is the primary source for a threat assessment; however other threats may emerge without a historical context. For example, an Avian Flu outbreak is a potential emerging threat to hospitals. Regardless of whether hospital security decision makers are dealing with an emerging or existing threat, they should share information regarding criminal incidents, security breaches, and other threats with other hospitals in close proximity. While hospitals sharing information is an informal approach to threat assessments, formal threat assessments are more detailed analyses used to evaluate the likelihood of adverse events, such as terrorism, natural disasters, and crimes that may affect hospital operations. The focal points of threat assessments are assets (targets) and the threats that seek to compromise those targets. Threat assessments also ask who the bad guys are by evaluating each threat on the basis of capability, intent, and impact of an attack.

The most common form of threat assessment is crime analysis. Broadly speaking, crime analysis is the logical examination of crimes which have penetrated preventive measures, including the frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants, as well as the application of revised security standards and preventive measures that, if adhered to and monitored, can be the panacea for a given crime dilemma (Applied Crime Analysis, 2001). While the above definition of crime analysis is holistic, it can be dissected into three basic elements:

  • The logical examination of crimes which have penetrated preventive measures
  • The frequency of specific crimes, each incident’s temporal details (time and day), and the risk posed to a property’s inhabitants
  • As well as the application of revised security standards and preventive measures

Examining crimes perpetrated at the hospital is commonplace in today’s healthcare environment; however, it is normally limited to internal security data. External data in the form of crime analysis should also be evaluated to develop a complete picture of threats to the hospital. Crime analysis guides security professionals in the right direction by highlighting the types of crimes perpetrated (crime specific analysis), problem areas on the property (spatial analysis), and when they occur (temporal analysis). Using this information, it is much easier to select appropriate countermeasures aimed directly at the problem. In summary, crime analysis seeks to evaluate actual risk at a company’s facilities and rank facilities by risk level, reduce crime on the property by aiding in the proper allocation of asset protection resources, justify security budgets, continually monitor effectiveness of the security program, and provide evidence of due diligence and reduce liability exposure.
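The three views named above (crime specific, spatial, temporal), worked through as an added example that is not part of the original article. The incident records, location names, and the four six-hour time blocks are constructed for illustration.

```python
from collections import Counter, namedtuple
from datetime import datetime

Incident = namedtuple("Incident", "when crime location")

# Constructed sample records (timestamp, crime type, location); not real data.
SAMPLE = [
    ("2008-03-03 22:15", "auto theft",    "Parking Garage A"),
    ("2008-03-07 21:40", "auto theft",    "Parking Garage A"),
    ("2008-03-10 23:05", "auto theft",    "Parking Garage A"),
    ("2008-03-12 14:20", "theft",         "Emergency Dept Waiting"),
    ("2008-03-14 22:50", "auto burglary", "Parking Garage A"),
    ("2008-03-17 20:30", "auto theft",    "Surface Lot C"),
    ("2008-03-19 03:10", "assault",       "Emergency Dept Waiting"),
    ("2008-03-21 15:45", "theft",         "Main Lobby"),
    ("2008-03-24 21:55", "auto theft",    "Parking Garage A"),
    ("2008-03-28 13:05", "theft",         "Emergency Dept Waiting"),
]

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# Assumed time blocks: (starting hour, label), in ascending order.
BLOCKS = [(0, "overnight"), (6, "morning"), (12, "afternoon"), (18, "evening")]


def load(records):
    """Parse raw (timestamp, crime, location) tuples into Incident records."""
    return [Incident(datetime.strptime(ts, "%Y-%m-%d %H:%M"), crime, loc)
            for ts, crime, loc in records]


def time_block(hour):
    """Map an hour (0-23) to the label of the last block that starts at or before it."""
    label = BLOCKS[0][1]
    for start, name in BLOCKS:
        if hour >= start:
            label = name
    return label


def crime_specific(incidents):
    """Crime specific analysis: how often each type of crime occurs."""
    return Counter(i.crime for i in incidents)


def spatial(incidents, crime=None):
    """Spatial analysis: incident counts per location, optionally for one crime type."""
    return Counter(i.location for i in incidents if crime in (None, i.crime))


def temporal(incidents, crime=None):
    """Temporal analysis: incident counts per (weekday, time block)."""
    return Counter((DAYS[i.when.weekday()], time_block(i.when.hour))
                   for i in incidents if crime in (None, i.crime))


def profile(incidents):
    """One row per crime type, most frequent first, with its top location and time slot."""
    rows = []
    for crime, count in crime_specific(incidents).most_common():
        (loc, loc_n), = spatial(incidents, crime).most_common(1)
        (slot, slot_n), = temporal(incidents, crime).most_common(1)
        rows.append({"crime": crime, "count": count,
                     "top_location": loc, "at_location": loc_n,
                     "top_slot": slot, "in_slot": slot_n})
    return rows


if __name__ == "__main__":
    for row in profile(load(SAMPLE)):
        day, block = row["top_slot"]
        print(f'{row["crime"]:<14} n={row["count"]}  '
              f'where: {row["top_location"]} ({row["at_location"]})  '
              f'when: {day} {block} ({row["in_slot"]})')
```

In the constructed data the profile points to auto theft concentrated in one garage on Monday evenings, which is the kind of finding that lets a countermeasure be aimed at a specific place and time instead of the whole campus.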

Vulnerability Assessment

Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Simply stated, vulnerabilities are opportunities. The fourth step of the risk assessment process is the vulnerability assessment, a systematic approach used to assess a hospital’s security posture and analyze the effectiveness of the existing security program. Vulnerability assessments measure the security program’s effectiveness, compare it against valid security metrics, and provide recommendations to hospital security decision makers for improvements. In essence, the vulnerability assessment assists hospital security decision makers in determining the need for additional security measures, security equipment upgrades, changes in policies and procedures, and manpower needs. The primary tool of a vulnerability assessment is the security survey which identifies and measures the vulnerabilities at the hospital by determining what opportunities exist to attack, obtain, or damage the hospital’s assets.

Security surveys are simply questions and checklists that guide the assessment team during off-site preparations and on-site inspections of the facility. Surveys may range from a few basic questions to highly detailed lists comprising thousands of questions. A typical security survey contains general information about the hospital, including geographic characteristics, and physical layout of the facilities. The security survey also evaluates security deployment schedules, operational requirements, security equipment capability, and internal security incidents which have impacted the hospital security.

Risk Assessment

The actual risk assessment is the fifth and final step in the process and is basically the logical analysis of the previous steps which included asset identification, security inventory, threat assessment, and vulnerability assessment. While assessing risk is more of an art than a science, the risk assessment should be benchmarked against industry standards and guidelines. The purpose of the risk assessment step is to identify risk mitigation strategies which can be employed to reduce the hospital’s risk to an acceptable and manageable level. Mitigating risk involves identifying strategies that can reduce threats and vulnerabilities through the implementation of additional security measures or other means.

Given a specific threat, there are five risk mitigation strategies available to the hospital security decision maker. Generally, the five strategies for managing risk include avoidance, reduction, spreading, transfer, and acceptance. Risk avoidance requires the removal of the target (asset) from the equation. Avoidance is an extreme measure since it can hamper the hospital’s operations. Reducing risk involves the deployment of security measures to reduce risk to an acceptable level. Risk reduction is the driving force for a hospital’s security department whose role it is to provide protection for assets. Risk spreading is a strategy to move assets to different geographic areas so that if one area is attacked, the consequence is limited to that area. Storing necessary pharmaceuticals and other medical supplies off site is a good way to spread the risk; thus, if an area of a hospital is attacked or damaged by natural disasters, there is another supply available elsewhere. Risk transfer is a strategy used to remove the risk from the owner to a third party. Insurance is the best example of risk transfer whereby the insurance company assumes the risk for a fee. Risk acceptance is another strategy for mitigating risk. As the name implies, risk acceptance is simply where the hospital assumes the risk to an asset, typically after reducing the risk level to an acceptable level.

In summary, assessing risk is a dynamic process that involves continuous evaluation of assets, threats, and vulnerabilities. Reducing the risk to the hospital is accomplished by decreasing the threat level, blocking vulnerabilities and opportunities through enhanced security, or reducing the consequences if a security event should occur. Without question, the best strategy for mitigating risk is a combination of all three elements, decreasing threats, blocking opportunities and reducing consequences. Remember, no hospital is without risk and some risks can be acceptable. Security is a carefully orchestrated balancing act that ensures an open, functional environment of care that effectively protects assets.

posted by kvellani at 1:12 pm  

Thursday, July 31, 2008

Interpersonal vs. Stranger Initiated Crimes

In protecting people, security measures are typically not deployed to protect against domestic or interpersonal violent crimes. Interpersonal and domestic crimes are more often prevented via social measures, not security measures. A battered women’s shelter, for example, is designed to keep batterers away from the victims of spousal abuse. Anti-bullying policies in schools are used to prevent students from bullying other students. Both are social measures, not security measures.

In contrast to social measures, security measures are deployed to protect legitimate users of a property from unknown criminals.

Thus, we can make a distinction between interpersonal crimes and stranger-initiated crimes:

  • Interpersonal is defined as being, relating to, or involving relations between persons (www.merriam-webster.com). Interpersonal crimes are those that occur between known parties and include domestic crimes as well as other crimes where the victim and perpetrator are known to each other.
  • Stranger-initiated crimes are those that occur between unknown parties.

When assessing the threat of violent crimes, a reasonable attempt should be made to separate interpersonal crimes from stranger-initiated crimes. The primary method for separating the two is to review the incident report generated by law enforcement. The narrative of the report will often indicate whether or not the victim and suspect are known to each other. In some incident reports, domestic crimes are clearly marked, while in others, the narrative may identify the relationship between parties. Other relationships, such as friends, roommates, classmates, boyfriend/girlfriend, typically do not have a “check box” but can sometimes be discerned via the narrative.

posted by kvellani at 8:21 am  

Thursday, July 17, 2008

More CCTV food for thought

Shouldn’t we have thought about CCTV effectiveness before spending billions?

Directory of CCTV Effectiveness Studies 

Bruce Schneier’s Blog

posted by kvellani at 9:33 pm  

Wednesday, July 2, 2008

Temple University studies the crime reduction effects of public CCTV cameras

Between July 2006 and November 2006 the City of Philadelphia installed 18 CCTV cameras at various locations in the city. Two types of cameras were installed. Phases I and II saw the installation of 10 police monitored cameras at four locations. These cameras are monitored by Philadelphia Police Department (PPD) officers, and have the capacity to pan, tilt and zoom (PTZ). Phase III took place during November 2006 and saw the installation of a total of 8 PODSS cameras at 8 locations in the city. These cameras are not monitored at police headquarters, but officers can monitor video feeds wirelessly from within patrol cars in the vicinity of a camera. Furthermore the PODSS cameras record the street scene continuously on a digital hard drive. If a crime is known or suspected to have been committed within the view of a camera, police officers retrieve the hard drive manually from the camera and review the recording.

The evaluation suggests that while there appears to be a general benefit to the cameras, there were as many sites that showed no benefit of camera presence as there were locations with a noticeable impact on crime. Discussions with police commanders and camera operators may explain the disparity between the various sites. An in-depth study of the dynamics of individual camera locations and the arrest patterns at these sites may also explain the findings. These conversations and research will inform a greater understanding of the best locations to place cameras, and potentially help the city get a better cost-benefit return on the city’s future investment by deploying forthcoming cameras in locations that provide the best potential crime prevention benefit.

Read the Philadelphia CCTV Study

posted by kvellani at 8:20 am  