Workplace Violence Against Hospital Staff Discussed

Posted May 19, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Hospital Emergency Departments, Hospital Security, Violence in Healthcare, Workplace Violence

Just got back from a regional meeting of hospital security officers in Myrtle Beach. Aside from the T’storms every night – and the college kids shooting off bottle rockets, it was a great conference.

It reinforced my feeling that violence against hospital staff is one of the biggest challenges facing healthcare professionals. Vermont passed a law this week making violence against a healthcare worker a FELONY instead of just a misdemeanor. That’s progress, and similar laws are being passed in other states, too. The governor of Vermont signed the bill on May 12, 2011. Congratulations to Vermont — they were first on this important issue.

Arming the Office – What Happens When We Let Employees Bring Guns to Work

Posted March 30, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Corporate Security, Gun Violence, Risk, risk assessment, risk watch, RiskAlert, School Assessment, Threat Assessment, Threat Sources, Violence Against Nurses, Violence in Healthcare, Workplace Violence, Workplace Violence Prevention

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot,  has already been forgotten by security professionals and criminologists.  There is no condemnation or follow up  about a terminally troubled young man and the ease in which he purchased a semi-automatic pistol and 30 shot clips.

There has been no rallying cry to address the ease in which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.

Does Being on TV Make Us Better World Citizens?

Posted March 21, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Earthquakes, Emergency Preparedness, Japan Disaster, Natural Disasters, Risk, risk assessment, Threat Assessment

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of high ideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.

Not with a Bang…. The Japanese Nuclear Disaster

Posted March 17, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Earthquakes, Japan Disaster, Natural Disasters, NRC, Nuclear energy, risk assessment, Risk Assumptions, Threat Assessment

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls is also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.

The REAL VALUE of a Hospital Security Program

Posted March 9, 2011 by Caroline Ramsey-Hamilton
Categories: Uncategorized

Violence in hospitals and against healthcare staff has been steadily increasing since 2004. A recent article in the Journal of the American Medical Association (JAMA) cited the National Institute for Occupational Safety and Health, NIOSH publication 2002-101, which indicated that healthcare workers face four times the violence potential of other occupations.

If you add in the many domestic violence cases that play out in our hospitals, you can double or triple that figure. For reporting purposes, OSHA does not count domestic incidents (like murders) that take place in hospitals as officially “workplace violence incidents”.

Anecdotal incidents such as the shooting of a physician at Johns Hopkins Hospital in Baltimore, Maryland in September, 2010, and the January 1st, 2011 stabbing murder of an engineer at Suburban Hospital in Maryland by an employee angry because he didn’t get a good performance evaluation, keep the issue on the front pages, and cause hospital staff to worry about their personal safety.

The Joint Commission issued a Sentinel Event Alert in June 2010, on violence in hospitals and how it can affect both staff and the patients themselves. Nurses are on the front lines, and they are the most likely to be attacked, a fact which has not been lost on the nurses’ associations, which are actively lobbying for safer working conditions.

Workplace violence issues were traditionally something handled in the Department of Human Resources, but security departments are increasingly involved in violent incidents and are critical to safeguarding hospitals.

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals. For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society. However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

1. Doctors are no longer thought of as “Gods”. This means they are more easily blamed when a patient’s condition deteriorates.

2. Hospitals are now regarded as businesses. This perception has been aggravated by television in shows like a recent “60 Minutes”, as well as by the effects of the recession on jobs and the loss of health insurance.

3. Lack of respect and resources (funding) for hospital security departments. Rather than being seen as a crucial protection for the hospital staff and patients, many security departments are chronically underfunded and used for a variety of non-security functions, such as making bank deposits for the hospital gift shop.

4. Resistance to Visitor Management programs in many hospitals. Again, because of the unsettling effect of the recession, violent solutions are becoming more common in the United States in general, for example, the recent Tucson tragedy.

The federal government issued a guidance document for dealing with violence issues in healthcare: OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

The Evolution of the Hospital Security Program

Even as recently as five years ago, many hospitals didn’t have a Security Director; instead they used the Safety Officer to double up and handle security. However, the Joint Commission and many professional hospital organizations recommend the formation of the Security Director position.

Now almost every hospital has a Security Director who oversees the various security functions at the hospital. These cover a wide range of duties including managing either a contract security force, or developing and managing a proprietary security force; managing violent patients in the Emergency Department; managing incidents regarding kidnapping, infant abduction, cash handling, helicopter coordination, handling admission of prisoners, monitoring visitors, managing hundreds of cars and garages, dealing with harassment, sexual assaults and domestic violence issues which end up at the hospital.

As the Security Director has assumed responsibility for an expanded list of duties, the security budget has not always kept pace with the expansion of the security function.

Assessing the Value of Security to the Functioning of the Hospital

When we start to assess the value of the security program to a hospital, we have to start with the total value of the hospital.

One of the greatest surprises we find in conducting risk assessments on hospitals is that they possess tremendous value, but because they are so large and perform so many different functions, individuals can’t always see the hospital as a whole.

To make it easy to understand, we can break down the value of a hospital into its component parts:

1. The value of the Facility – this is the current replacement value of the building, usually over 50 million dollars.

2. The value of the hospital Staff, including both administrative and medical staff members (use the value of their salaries for a year).

3. The value of specialized medical equipment, including all the IT systems, X-rays, CAT scans, MRIs, and medical lasers, photon knives, etc.

4. The value of the actual revenue from the patients.

5. The value of the patient’s safety and their health information.

You can see that when we add up these asset values, and add another 10-12 categories, the hospital usually ends up with a value of $100 million to $500 million, or often higher. That is the total of the assets that are potentially ‘at risk’.

That is the value that the security function protects. Each of these asset categories can potentially experience a loss that would interrupt their operations, either for a limited time (like a gang fight in the lobby; or a theft of pharmaceuticals), or permanently (for example, a catastrophic fire).

The next step in the analysis is to see what kinds of controls are already in place to protect all these assets. Controls are mandated by a variety of federal, state and local laws, as well as best practices from insurance companies, and standards created by industry associations such as the Joint Commission, the Center for Missing and Endangered Children, the International Association of Hospital Security and Safety.

Is Hospital Management Listening to Security Directors?

Posted February 9, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Hospital Emergency Departments, Hospital Security, Security Directors, Violence Against Nurses, Violence in Healthcare, Workplace Violence, Workplace Violence Prevention

Just finished a webinar yesterday to over 60 hospital security directors and managers and they later wrote in to say that their management listened politely to their suggestions, their budget needs, their warnings about the new violence levels — and then they said, “Thank you very much”, and went back to their paperwork.

We all know how tough it is to run a hospital, but when will the administration realize that, whether it’s a distraught son shooting his mother’s doctor in Baltimore or a grief-stricken Chinese man running through a Shanghai hospital killing innocent bystanders with a knife, we have a BIG PROBLEM with the increasing violence in hospitals?

The nurses know about the violence.  In a recent survey of 1000 nurses who worked in emergency departments, nurses reported that 97% experienced verbal abuse, 94% had physical threats, and 66% HAD BEEN ASSAULTED.  The saddest part of this was that 25% of the nurses said they expected abuse and violent attacks.

We need to devote some resources to this problem and not wait until 100% of nurses report assaults.  It starts with awareness that there is a problem. Tomorrow we’ll discuss the next steps.

What do they want? #egypt

Posted February 3, 2011 by Caroline Ramsey-Hamilton
Categories: Egypt, Emergency Preparedness, Facilities Security, Health

#EGYPT –

Watching events play out on CNN, I saw a commentator ask, “What Do They Want?”, meaning what do these protestors want?

I know what they want. I know because I have been working with people all over the world for years – both in person and online, by blog, by email, by phone.

Everyone wants the same thing – personal dignity and the chance for a better life for themselves and for their children. The desire for upward mobility is built into our DNA. It is built into the idea of evolution. It is why animals compete for the best perch, the best cave, the best tree, the best nest, the best plumage, the best mate……

You can apply all the slogans you want and make a list of the emotions people everywhere want to feel:

Dignity
Pride
Relevance
Happiness
Secure
Stable
SAFE

And what that means, as I see it, is that they want:
Choices
A better life for their children
To be able to Laugh
To fall in love and have a family
Better education
Stable food supply
Basic healthcare
Affordable basics – like food and housing and energy
Jobs
Freedom to be themselves.

The internet is sort of like God, without all the judgement. In many ways – the internet is THE GREAT EQUALIZER. That’s why the 60-year old man can hide and pretend to be 27 again on a dating site – or even pretend to be a woman!   When you communicate on the internet, all the external things that people use to stereotype, pigeonhole and judge people are eliminated because of the way the message is communicated. (Remember – the MEDIUM IS THE MESSAGE….)

So it doesn’t matter what you look like on the internet – it doesn’t matter about your religion, race, sex, formal education, job – nothing. The only things that matter are your words – what you choose to tell the world about yourself.

That creates GREAT freedom and the way the internet lets you search and research and look around – so that a person in Cambodia living on one dollar a day can get online and see that amazon has 50 million different things to buy.   And look at those things – and see how much a bag of crackers cost in the US.

So these events in the middle East are earth-shaking for a lot of reasons, but mostly because this yearning for equal opportunity and the yearning to make your own life better is the irresistible siren call. It cannot be stopped. It cannot be silenced and just because it is starting in Egypt, doesn’t mean it is going to take over the world. Because I think it is.

Maine Hospital Fined by OSHA for Not Providing a Safe Workplace

Posted January 31, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Hospital Emergency Departments, Hospital Security, Risk Assessment & Compliance, Violence in Healthcare, Workplace Violence, Workplace Violence Prevention

The Acadia Hospital in Bangor, Maine was fined $11,700 by OSHA (Federal Occupational Safety and Health Administration) on January 26th, 2011 for failing to provide a safe working environment for employees and improperly documenting workplace injuries.

They were referring to the fact that staff at the hospital had been subject to 115 attacks by patients between 2008 and 2010.  The report went on to say, “The serious citation points to the clear and pressing need for the hospital to develop a comprehensive, continuous and effective program that will proactively evaluate, identify and prevent conditions that place workers in harm’s way,” said Marthe Kent, OSHA’s New England regional administrator.

OSHA’s report on The Acadia Hospital was at least partially the result of hospital officials making a policy decision to not use restraints on violent patients.   In fact,  Acadia Hospital’s CEO, David Proffitt, Ph.D., was very proud of this policy, saying in a published article in 2010,  “I want to share something I think is very exciting. The last mechanical restraint recorded at The Acadia Hospital was on June 21st, 2009.  This is a big deal.  We set a goal to end mechanical restraints and you have done so. It reflects a commitment to be the best at what we do.  And it gets better…… Our adult rate of restraint has been well below the national mean since May of 2009. That means we are now in the top 3% of best performing hospitals!  I hope that fact inspires great pride in your self, your co-workers, and this hospital.  I know it does me!”

Obviously, the no restraints policy wasn’t so great for the nursing staff!

Additionally, the OSHA report ordered the hospital to implement procedures to better protect staff, including screening patients for violent tendencies and offering more staff training on how to use physical restraints, though it did not specifically order the hospital to use them.

In the last eighteen months, OSHA has fined only a handful of hospitals for workplace violence-related incidents, including Danbury Hospital, which had a homicide, and Oregon State Hospital in Oregon, which was fined in November 2010 for failing to give staff members self-defense training for dealing with violent patients.

According to The Statesman Journal,  OSHA fined the hospital $3,750 for three major safety violations:

  • Failing to provide timely training for staffers to use shields as “a tool to protect employees from projectiles, riots, and to approach patients in order to secure them.”
  • Not reporting to OSHA that a worker was hospitalized in late January after being assaulted by a patient.
  • Lack of written verification showing that a “hazard assessment” had been performed to ensure employees were provided with adequate personal protective equipment.

Looks like OSHA is gearing up to take workplace violence incidents more seriously in the future.   One of the backstories is that hospital employees talk to their unions, and the union leadership contacts OSHA on behalf of the employees.

The increasing problem with workplace violence in hospitals makes it absolutely imperative to start with a comprehensive program to combat and prevent workplace violence.

After Arizona, Does Congress Need Gun Legislation, or Just More Effective Security Risk Assessments?

Posted January 12, 2011 by Caroline Ramsey-Hamilton
Categories: accountability, Protection Profiles, risk assessment, Risk Assumptions, Security Model, Threat Assessment, Threat Sources, Workplace Violence, Workplace Violence Prevention

The terrible shooting in Tucson this week was widely seen as a wake-up call for members of Congress who probably spent at least part of the weekend wondering if their security was enough.

 I can answer their question – it is probably NOT enough.  The morphing of politicians into celebrities (call them Pol-ebrities??) is great as long as you get lots of TV time and the cameras are flashing and the contributions are rolling in.   The downside is the same one that led to John Lennon’s death – Celebrities draw the crazies.  Now that elected officials are becoming Pol-ebrities – they are becoming targets.

With proposals rolling in from all quarters, including putting a giant Plexiglas shield around the House floor, limiting the distance a constituent can stand in relation to a congressperson or senator, and many other ideas, it is clear to me that what is missing is the use of standardized Threat/Risk Assessments.

 Security is always a trade-off.  How much money to spend to protect a public servant and legislator?  Is it worth an extra $25,000 per year per person, or should it be $100,000 per person per year – or should it be a million dollars?

Ask the potential target and I guarantee they are voting for the $100,000 solution.  Ask a beleaguered taxpayer and they would think maybe $5000.00.  The problem is that it is impossible for an individual to do a true cost benefit analysis and decide how much money is enough.

Enough to provide ‘adequate’ and ‘reasonable’ protection.

Enough for a ‘normal event’?  What about a high-profile event?

Can you analyze it based on the numbers of people who attend a certain event?

All these questions are about 1/15th of a security risk assessment. 

Like the Department of Homeland Security – the executive protection should move to a more quantitative, risk-based model.  Traditional executive protection checklists are no longer enough.

There are so many elements that go into a threat risk assessment of a public or private event.  We can look at the Tucson shooting and see that if the usual checklists were used, someone might have:

Checked the crime rate around the location (which turned out not to be at all relevant.)

Checked to see if any other congressperson had ever been attacked at a town hall meeting in the last twelve months (perhaps more relevant).

These are just a few of the many checks that would have been performed prior to the event, but whether these were done partially, completely, or not at all, they are not risk-based. Instead, the classic protection model is more threat-based than risk-based, when what you need is a combination of the two.

If we can create a standardized risk-based scenario for protection of these high profile Pol-ebrities, it would include all the basic information, plus data on the number of phone threats received by that individual legislator; and also, an aggregate of threats received by all legislators.  It would include blog and web searches to see how many times a particular name was mentioned or cited in a negative way.  (And yes, finding a web site that includes a rifle target signal over your district counts).

In addition, it’s interesting to get a historical perspective to see how many government representatives have been threatened, shot, stabbed or murdered in the last five years, and to see whether that trend is increasing or decreasing.

The shooting in Tucson was a workplace violence incident by a totally deranged person who had total access to his victims.   There was no advance screening, no physical barriers, no bodyguards waiting in the wings in case something went wrong.

Many of these missing elements, along with others, can be used to create useful threat risk assessments that can be standardized,   and automatically generated for all our high profile public servants to provide much more effective security for the people who need it most.  

Instead of treating each of these violent incidents as a completely isolated event, society needs to recognize these patterns that are emerging as legislators become celebrities, and that there is an increasing acceptance of violent solutions to individual problems.  These patterns need to be watched, tracked, and applied to each individual’s protection profile to improve personal security and prevent future violent attacks.

January 1st, 2011 Wake Up Call – Another Hospital Workplace Violence Incident.

Posted January 3, 2011 by Caroline Ramsey-Hamilton
Categories: Hospital Emergency Departments, Hospital Security, Threat Assessment, Workplace Violence Prevention

My happy 2011 celebrations were marred by another workplace violence homicide in my home state of Maryland.   I guess it’s not always ‘the most – wonderful time of the year’!

This incident brings up again the question of how to keep our hospitals and their employees safe in the new year.  In a recent Wall Street Journal article, they brought the hospital workplace violence problem up to a management level – reporting that many doctors now say they feel unsafe at work.

In upscale Bethesda, Maryland, just a minute north of Washington DC, a 40-year old male employee of Suburban Hospital (part of the Johns Hopkins Health System since July 2009), was found dead in a non-patient area of the hospital on January 1 at 10 a.m.

Here are the details (from the Suburban Hospital press release, from January 2, 2011):

Yesterday morning, a Suburban Hospital employee was assaulted in a non-patient-care area of the hospital.  Despite the heroic efforts of the hospital’s emergency response team, attempts to resuscitate the employee were not successful.  He died at the hospital as a result of traumatic injuries sustained to his upper body.

The victim has been identified as Roosevelt Brockington, Jr.  He was 40 years old and he had been employed at Suburban Hospital since August 2006.    Mr. Brockington was a Lead Engineer in the hospital’s Plant Operations Dept,   where he was responsible for operating and maintaining the heating, ventilation and air conditioning systems.

Because of the ongoing police investigation, no further information about Mr. Brockington is being released by the hospital at this time.  Suburban Hospital is fully operational today and remains open to patients and visitors.

This incident was a little different from some of the other incidents which have been in the news lately.   First, it was not an inner-city hospital, but instead, a hospital in a very affluent area.  In fact,   Bethesda is one of the most affluent and highly educated locales in the country, placing first in FORBES list of America’s most educated small towns and eleventh on CNNMoney.com’s list of top-earning American towns.

Another difference was that it occurred in mid-morning – 10 a.m., not late at night. News reports about the incident surmised that it was not patient-related, but no one really knows at this early stage in the investigation.

The victim, Roosevelt Brockington, Jr., was a resident of Lusby, Maryland.  For those who aren’t familiar with Lusby, it is a small town of less than 3,000 people in southern Maryland, a commute of over 70 miles from Bethesda.

Having been to over twenty hospitals in 2010, I am struck by the difference between the northern east coast hospitals and the south Florida hospitals.  Many of the hospitals in south Florida have effective visitor management systems in place.  I visited a hospital in Florida just before Christmas, and they had the local choir singing carols in the background while I took out my driver’s license, had my photo taken, and received a visitor’s badge.

There seems to be a mindset in some of the northeast hospitals against trying to manage visitors.  This includes a lack of metal detectors, and a lack of visitor sign-in procedures.  I wonder if this is a cultural attitude – because many of the northeast hospitals are older than their south Florida counterparts and may be more entrenched in their attitudes.

The epidemic of workplace violence in hospitals is only starting to gain national attention since the Journal of the American Medical Association published a research paper on the increase in violence in U.S. hospitals in December 2010, and included the statistics from

The Centers for Disease Control and Prevention/National Institute for Occupational Safety and Health, summarizing Bureau of Justice Statistics data, estimate 1.7 million injuries per year due to workplace assaults, accounting for 18% of all violent crime in the United States, and the rate of workplace violence in healthcare settings is about 4 times the national average.

There are a plethora of workplace violence prevention strategies that can be put in place, and maybe this New Year’s Day wake-up call will result in every hospital examining their Workplace Violence Prevention plans.

TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Posted November 23, 2010 by Caroline Ramsey-Hamilton
Categories: Aviation Security Incident, Managing the Risk Assessment, Risk, risk assessment, Risk Assumptions, Security Model, Terrorism, Threat Assessment

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of its budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses its emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone; if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little result, and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t screen the cargo riding on the same plane – is just lining pockets, including those of the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that it avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.


The Risk Assessment – Live – and Cross-Cultural

Posted October 25, 2010 by Caroline Ramsey-Hamilton
Categories: Corporate Security, HIPAA, HIPAA Risk Analysis, Managing the Risk Assessment, Regulatory Compliance, risk assessment, Risk Assessment & Compliance, Threat Assessment

I just got back from a great trip to the Middle East.  I spoke at a State Department (ISAC) conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.  Besides that, I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height,  politics, or anything else.   Maybe this is why the TV show “The Office” is a worldwide hit.   Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology of all things — I am amazed less at the differences than I am in the similarities between organizations.

This is my 17th country that I have visited to do a security risk assessment and they all come down to these basic steps: 

1.  Identify what you want to assess.   Many times you need to cut down the proposed assessment, it doesn’t need to include things that are 10 miles away.

2.  Write up a Project Plan to show other people what you’re going to do – and give management a time line to work with.  (It keeps me focused – a value add).

3.  Find the dollar VALUE for whatever you are assessing, for example — How much is the facility worth?   What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

 5.   Ask other people in the organization how they handle security.   I like using our automated surveys because it captures more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.  Examine all the existing controls and see how they are being used in other areas of the organization.  Are they 100% implemented?  80%?  50%?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access –   don’t guess.    Let the numbers do the talking.

8.   Write up a simple report, illustrated with lots of color graphs and photos, so someone  can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?”

These are just examples,  any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.     In the follow up Blog – I’ll talk about how to present your findings to your management.

JOHNS HOPKINS HOSPITAL MURDER/SUICIDE IS TOO CLOSE TO HOME!

Posted September 17, 2010 by Caroline Ramsey-Hamilton
Categories: accountability, Hospital Emergency Departments, Hospital Security, Risk, risk assessment, Threat Assessment, Workplace Violence Prevention


My summer vacation is over so I jumped right back into work by doing four webinars on workplace violence in the last four days.   I have been very concerned about the trend toward violence toward healthcare and hospital workers.

Having just researched and presented on this subject two days ago, I was greatly saddened to see it AGAIN, 30 miles from my home, at the prestigious Johns Hopkins Hospital.   Local media and CNN covered it extensively because the man shot his mother’s doctor in the stomach, apparently after his mother was paralyzed as a result of spinal surgery.  He then barricaded himself into his mother’s hospital room and eventually shot and killed her and then shot himself.

With a staff of over 30,000,  this was a major incident.  I would love to calculate how much the hospital might have lost from having the staff vacate the building for at least two hours.

This incident once again opens the debate about how to ‘secure’ hospitals, or at least to have a better way to ensure the safety and security of both the staff and the patients.  Hospital administrators continue to maintain an ‘open environment’, and don’t seem to understand that this problem will continue to increase if there is no way to better manage access in hospitals.

On the radio today, I heard that Baltimore City Council President Bernard C. “Jack” Young said that Johns Hopkins security is adequate and that using metal detectors would create a hazardous situation for patients entering the building.  “Why would they want metal detectors going into the hospital?” Young said. “People go to the hospital because they got shot. People wouldn’t go to the hospital because of the metal detectors. They would stay away and die rather go through metal detectors.”  He also mentioned during the same interview that the hospital has over 80 entrances.

This exact problem is raging at hospitals all over the country, because violence is dramatically increasing in healthcare.  The NIOSH study from 2004 reported that  violence in hospitals was over four times the national average for non-healthcare workplaces.  Of course, it is now 2010 and that is a long way from 2004 – AND – we have had a terrible recession raging since 2008….

The results of an Emergency Nurses Association survey released in 2009 found that more than 50% of ER nurses had experienced violence by patients on the job and more than 25% had experienced 20 or more violent incidents in the past three years. Research showed long wait times, a shortage of nurses, drug and alcohol use by patients, and treatment of psychiatric patients all contributed to violence in the ER. 

There has been only sporadic interest in this phenomenon and no standard has emerged.  For example, a NIOSH (National Institute for Occupational Safety and Health) Publication in 2004 is called Guidelines for Preventing Workplace Violence for Health Care and Social Services . OSHA Publication 3148-01R (2004). This guide describes the special considerations surrounding workplace violence in the environments of health care and social services.

After my last column on Workplace Violence issues in healthcare, I got a few angry letters from associations and organizations saying they had been working on creating standards for this – FOR THE LAST FOUR YEARS… but amazingly, they have not been published.

There is NO standard or requirement for preventing workplace violence, only the vague requirement for employers to maintain a safe workplace.   Twenty-seven states have come up with their own ‘guidelines’.  Remember – standards are Required, guidelines are only recommended.  That means if the incident happens, the management has no liability because they did not disregard a requirement.

My regular readers will remember that I recently visited a hospital that had a murder about two years ago and even two years later, it was still having a traumatic impact on the staff who witnessed the incident. 

I am a big believer in risk assessments and I think having a workplace violence assessment REQUIRED of every hospital, and having that information aggregated nationwide and studied, would be a big step that would improve our knowledge of why this continues to increase, and would also point to more effective solutions to safeguarding our hospitals.

Maybe people will start to press hospitals on this issue – after all – they may end up in a hospital some day, and probably would like to be safe and secure during their visit.

Maybe the aging baby boomers will finally demand more security in their hospitals.  I hope so.

Thinking about a Model for Workplace Violence Prevention

Posted August 6, 2010 by Caroline Ramsey-Hamilton
Categories: Risk, risk assessment, Threat Assessment, Workplace Violence Prevention

Since I posted my blog yesterday, I got a big reaction, which included those who thought there was no need for any standards on workplace violence prevention and believe that people should help each other.  “Work place violence cannot be stopped by legislation! Good feelings cannot be legislated!  They are stopped by a community who cares!”, one reader commented.

Obviously, people like Omar up in Manchester, Connecticut might have been treated in a more caring manner, with as much dignity as you can give to someone stealing beer on camera, but I could not disagree more with this statement.   I’m hot on standards – and these days, more than ever, people need lots of direction on how to do their job and how to apply security-related concepts.

Have you done any hiring lately?  Some people we’ve interviewed need to have every part of their job written down for them.  There seems to be less incentive to solve a problem that is not directly in the job description.   That’s one argument for setting some kind of minimum standard for companies, to assist them in dealing with the workplace violence increase. 

Standards make life easier for everyone because you don’t have to constantly reinvent the wheel – wheels now come in standard sizes, too.   

One of the reasons it is an attractive idea to create a standardized program for WV is because it is usually totally preventable.  Many of these people leave an enormous trail of clues that they are considering something drastic – including detailed plans in writing on Facebook.   Another reader pointed out that California does have a workplace violence prevention standard.  I checked and found it here:  http://www.dir.ca.gov/dosh/dosh_publications/worksecurity.html

The Cal/OSHA policy includes this little nugget, “The demographic profile of victims of fatal workplace assaults indicate that the majority are male. However, even though the overall fatal workplace injury rate for women is substantially lower than it is for men, homicides represent the leading cause of death for women in the workplace.”  WOW.

Cal/OSHA also offers a resource guide – The Model Injury and Illness Prevention Program for Workplace Security (a nice term).     Like everything else related to security, the actual workplace violence incident is usually a slow escalation over time.  That’s exactly why it is possible to deter, or prevent it – because there are signs everywhere, and lots of coping strategies you can learn.

I worked on a project in Thailand where a manager from a big box store had been fired and humiliated.  His revenge was to call in bomb threats – FOR A YEAR.  Only when those were totally ignored did he actually bring a bomb into the facility and yes, it went off, and yes, it killed a young security guard.

But, they had ONE YEAR to take him seriously and get help for him.  Many of these incidents also have a long wind up before the actual incident is triggered.

WHY SHOULD WE CARE?  I totally buy the argument that more people are killed from industrial injuries and lightning and car accidents, than in a WV incident, but these things are usually hard to predict or detect in advance.  Think about it – the fall off the ladder, the accidental electrocution, the surprise car crash — all more random and UN-preventable.

Workplace violence IS usually preventable, in all the stages.  From the first stage when the employee starts to feel that they have been unfairly treated, right through to how to handle an insanely angry person who happens to be packing.

That’s why training is so important, because it can prepare employees to deal with an incident, and it may even help them recognize and deal with their own issues.  Here’s another note from Cal/OSHA: “The cornerstone of an effective workplace security plan is appropriate training of all employees, supervisors and managers. Employers with employees at risk for workplace violence must educate them about the risk factors associated with the various types of workplace violence and provide appropriate training in crime awareness, assault and rape prevention and defusing hostile situations. Also, employers must instruct their employees about what steps to take during an emergency incident.”

Who wants to write me and help develop a National Standard for Workplace Violence Prevention?   Let me know at caroline.r.hamilton@gmail.com.

Workplace Terror in Manchester, Connecticut

Posted August 4, 2010 by Caroline Ramsey-Hamilton
Categories: accountability, Corporate Security, Emergency Preparedness, Facilities Security, Threat Assessment, Workplace Violence Prevention


Yesterday a tragic story unfolded in Manchester, Connecticut.  You probably already know that nine people were killed when an employee who was being fired came back in with his handgun, started shooting and, after calling his mother, killed himself.

This incident is part of a bigger and growing trend to more workplace violence incidents – not only in companies in general, but in hospitals to an even greater degree.  The Manchester incident also illustrates again some of the basic tenets of preventing workplace violence incidents.

Patrick Fiel, Public Safety Advisor for ADT Security, commented, “The industry standard is to not terminate employees in open areas where other individuals may be working.  Firings are always touchy situations and should be conducted in an isolated area, even off-site, away from the work areas.”

“Many companies have crisis plans in place, and also conduct security risk assessments annually  to prevent this kind of incident.   A comprehensive security assessment  might have saved nine lives by setting up procedures for the termination; and additionally, by making sure employees knew what to do when he did draw his gun.” 

I have been reviewing workplace violence incidents in healthcare and find that they have skyrocketed since the recession started.   Violence against supervisors, managers and also nurses and other healthcare workers has spiked significantly.

 It is surprising to read the following statement on the osha.gov web site:

“There are currently no specific standards for workplace violence. However, this page highlights Federal Registers (rules, proposed rules, and notices) and standard interpretations (official letters of interpretation of the standards) related to workplace violence.

Section 5(a)(1) of the OSHA Act, often referred to as the General Duty Clause, requires employers to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees”. Section 5(a)(2) requires employers to “comply with occupational safety and health standards promulgated under this Act”.”

It might be time for OSHA to develop some workplace violence prevention standards.  Many of the ones we use in our risk assessments are related to standard security safeguards – such as having a written termination policy, and making sure that if a worker at one location is fired, all other locations are notified so he can’t just go to another office and cause an incident.

Much of the statistical data we found on the OSHA website were at least six years out of date, which makes it harder to track current trends in workplace incidents, unless you catalog the media-reported events and run an analysis on them.  The U.S. Bureau of Labor Statistics reported  “Mass shootings receive a great deal of coverage in the media, as we saw with the Orlando, Fla. office shootings in November 2009 and in the shootings at the manufacturing plant in Albuquerque, N.M. in July 2010.  Out of 421 workplace shootings recorded in 2008 (8 percent of total fatal injuries),  99 (24 percent) occurred in retail trade.  Workplace shootings in manufacturing were less common, with 17 shootings reported in 2008.  Workplace shooting events account for only a small portion of nonfatal workplace injuries.” from http://www.bls.gov/iif/.

It makes me wonder if the workplace violence statistics from 2008 until now may show such a large increase that they have been either underreported or even held from publication!

According to a report by the National Institute for Occupational Safety and Health — “State of the Sector/Healthcare and Social Assistance” — published in 2009, health care workers are more than three times as likely as workers in other industries to be injured by acts of violence.

“Health care workers are at risk for verbal, psychological and physical violence,” the report says. “Violent acts occur during interactions with patients, family, visitors, coworkers and supervisors.” “Working with volatile people or people under heightened stress, long wait times for service, understaffing, patients or visitors under the influence of drugs or alcohol, access to weapons, inadequate security, and poor environmental design, are among the risk factors for violence,” the report continues.

In the current economic environment, the physical security (facility) risk assessment can be used as an important tool in making sure that basic industry standards for preventing workplace violence incidents, or limiting the damage they can do, are met – especially for making sure the staff are protected from violent incidents by their co-workers.

The security assessment can be followed by the creation of specific, detailed crisis plans that make sure people know what to do when the unthinkable happens at work.  One of the reasons that workplace violence incidents are so upsetting to all of us is because the person KNEW the people he was killing.  He probably knew their spouses and met their children at a company picnic.  It makes the violence more personal and scary, a whole different thing than falling off a ladder.   And it reminds us all that it COULD happen here!

Return of the Sea Monster as a Force of Nature

Posted June 12, 2010 by Caroline Ramsey-Hamilton
Categories: accountability, disaster recovery planning, Environment, Gulf Oil Spill, Risk, risk assessment

Last week I wrote about the oil spill in the Gulf and today I was looking at my Loch Ness model of a sea monster with a cute little red beret.  I thought about the concept of a SEA MONSTER. Any terrible  sea monster worth its salt would:

     1.  Kill things indiscriminately

     2.  Hide under the water until it is unleashed on an unsuspecting world.

     3.  Be very hard to kill or subdue.

Sound familiar?  Because the gulf oil spill IS a Sea Monster – probably worse because the Spill Monster doesn’t just kill virgins and itinerant fishermen – it kills everything.  Kills grass and insects and crustaceans (like shrimp) and also sucks the oxygen right out of the water so it doesn’t just kill everything now and then go about its business, but it makes recovery impossible.

If I was a senator or congressman I would be drafting up a bill requiring drilling AND mining companies to not only do a complete and comprehensive risk assessment PRIOR to exploration or drilling activity, but also to publish their contingency plans, disaster recovery plans and emergency plans.

Somewhere along the way – the phrase “disaster recovery” planning got pinned to the information technology recovery but it really applies to everything and certainly to risky endeavors like mining and drilling.

It would be tempting to say that the risk assessment and disaster recovery planning (in the broad sense) should be required on everything that has the potential to adversely affect the planet.   Who would administer it?   This is where the U.S. is again trapped into a corner by the responsibilities of each federal agency.  

In a perfect world, you’d like to think that the EPA (Environmental Protection Agency) would be in charge, but that, under the present structure, would exclude deep sea drilling and agribusiness concerns.   Because the EPA is regulating toxic substances like chemicals, and air quality, but not everything that affects the ‘natural environment’.

We need an ENVIRONMENTAL OMBUDSMAN to protect the citizens of the United States, and maybe of the whole world.   This position would cut across the current agency lines to include oil drilling/extraction; mining as in strip mining;  use of pesticides in agribusiness; industrial pollution of rivers, lakes and oceans; and deforestation.

Over-fishing belongs in the same category.  I have heard that Blue Fin Tuna is now endangered and the United Nations is going to vote this year on protective measures. 

Basically all these kinds of industries (mining, drilling, fishing) are scooping raw material up out of the earth and selling it.  The companies involved seem intent on drilling, fishing or scooping up as much as they can get of FREE STUFF from the planet, and then selling it for enormous amounts of money.  Again, you would think that old self-preservation gene would kick in, but instead, it may be that when one of these industries hears that whatever they are taking could be limited, or managed, or made less easy to get, they rush to get even more before the limit or ban goes into effect.

This behavior accelerates the underlying diminishing supply problem, drives up prices, making industries want to get even more of their oil, minerals, diamonds, fish, whales, or whatever and so the cycle becomes maximally destructive to the environment on even a shorter time line.

One of the biggest aggravating factors of the current SPILL MONSTER is that we, the taxpayers, basically financed it and now we are going to get to pay to clean it up, and the paying includes providing services for all the damaged parties.  Do you really think that BP is going to cover the entire costs by the end of the day?  I am highly skeptical.

We keep hoping that man’s (and woman’s) survival instinct is going to kick in at some point and people will think, “If we don’t keep the earth clean, it is going to negatively affect MY health, or MY business, or MY customers”, but we, as a country, are not quite at that tipping point yet.  I hope we get there sooner instead of later.

The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

Posted May 28, 2010 by Caroline Ramsey-Hamilton
Categories: accountability, disaster recovery planning, Emergency Preparedness, Gulf Oil Spill, risk assessment, Risk Assessment & Compliance, Risk Assumptions, Threat Assessment, Threat Sources


“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we start by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died – $25,000,000
  3. The Value of the Oil itself, with replacement value (5 million gallons at $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for just Louisiana – add in Alabama, Mississippi and Florida and quickly the bill runs up to $10 billion dollars.
  6. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  7. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; other assorted marine mammals, birds, and fish – $25 million.

So we have a resource worth about $33.5 billion dollars – that is the potential loss estimate.

What will we lose if a threat materializes?  Keep in mind, for comparison purposes, that BP had recently doubled its profits from $3 billion to $6 Billion a quarter, which calculated out to about $24 Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get an idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur.  You will recognize many of these from the latest news conference:

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.

All about the HIPAA Risk Analysis — from the Department of Health & Human Services Office of Civil Rights (OCR).

Posted May 16, 2010 by Caroline Ramsey-Hamilton
Categories: Health, HIPAA, HIPAA Risk Analysis, Managing the Risk Assessment, Regulatory Compliance, Risk, risk assessment, Risk Assessment & Compliance


An amazing development in HIPAA compliance took place on May 7th.  What a great surprise for a Risk Analysis/Risk Assessment Person!  The Department of Health and Human Services, Office of Civil Rights finally came out with their draft guideline for the HIPAA Risk Analysis on May 7th!

While hospitals and health plans, business associates, technical service providers and physicians have struggled to understand the original HIPAA risk analysis requirement, the Health & Human Services Department finally published the draft guidance to help healthcare providers understand what is expected of them in doing a risk analysis of their protected patient health information (ePHI).

This is a critical part of the HIPAA Security Rule, but there was never any ‘official’ guidance on exactly what was expected and how they should accomplish the risk analysis.

Why the Office of Civil Rights?  Because the new HITECH Act (February 2010) directed that OCR oversee health information privacy including the enforcement of the HIPAA requirement.   And the guidance is long overdue.  I have had dozens of conversations with individuals at hospital and, discussing what a risk analysis is, what are the basic elements, and I am THRILLED to report that the OCR agrees with my methodology.

The draft guideline on risk analysis also takes the same track that the financial institutions have given as guidance to banks and credit unions. That is, risk analysis is a foundational document that should be used (and referenced) as the organization evaluates and implements appropriate controls.

OCR refers to the risk analysis, not as a one-time drill, but instead as an ongoing process to help organizations evaluate their risk, focusing on the confidentiality, integrity and availability of protected health information. The Risk Analysis Report creates the blueprint that an organization will follow as they improve their compliance – for example, deciding what data should be authenticated in particular situations, and deciding when, if or how to use data.

A risk analysis is also the basis for an understanding by organizations of the technologies they will need to secure protected health information, OCR said in the draft guidance May 7. 

To quote directly:  “We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A).  Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

Among the basic elements of a risk analysis, OCR said, organizations must identify data collections, document threats to information that could create a potential for inappropriate disclosure and assess current security measures the organization uses to protect patient information. This was great to read because it follows the elements I have built our solutions around.

Those elements, which were reinforced by the draft guideline, include the following five elements of risk analysis (and risk assessment):

  1. Identifying and characterizing the assets that need protection, including the databases, the applications, etc.
  2. Analyzing the relevant threat data – focusing on what could adversely affect the assets (ePHI) in this case.
  3. Modeling the potential losses that could result from the threat actually materializing.
  4. Finding the existing vulnerabilities in the current security situation that would increase the odds of the loss actually occurring.
  5. Developing appropriate controls to reduce potential loss, reduce existing vulnerabilities and make sure the controls are cost effective.

 The OCR also referenced the NIST 800-66 to show sample questions that need to be part of the risk analysis.  Luckily – we totally agree with them and have included the NIST 800-66 Guidance in every HIPAA Risk Analysis software solution.

 Here’s another short excerpt from the OCR:

 “Risk Analysis Requirements under the Security Rule

 The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)  

Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

OCR went on to cite NIST 800-66: “The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

What are the external sources of e-PHI?”

The publication of this first draft guideline gives healthcare organizations and other affected organizations a hint about which direction OCR enforcement is going to go. As I mentioned previously, the regulators are likely to follow the example of financial audits: ask for the current copy of the organization’s risk analysis, and use it as the blueprint to measure how well the organization used the risk analysis to prescribe and dictate all other actions taken to protect the organization’s protected health information.

In the words of the OCR –

In Summary, Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

For a complete copy of the 8-page OCR guideline, please send an email to chamilton@riskwatch.com.

Avatar, the Field and the BP Oil Spill

Posted May 1, 2010 by Caroline Ramsey-Hamilton
Categories: accountability, business continuity plans, disaster recovery planning, Natural Disasters


As the old drill-baby-drill cry loses its appeal, the coastal communities in the Gulf of Mexico are beginning to understand that they will feel the devastating consequences of the BP oil spill. 

The U.S. is a bicoastal country – 50% of the entire population of the United States lives within 50 miles of a coast, and pays extra in housing prices to live there. Ignore for a moment all the businesses that will be impacted – and think about buying a $4 million house on the water – and having the water turn into an oil slick.

I watched Avatar last night and noticed how the movie depicted the planet, Pandora, as an interconnection of elements where you could SEE how they supported and depended on each other.

That illustrates our relationship with our own Earth and how if one thing changes, it affects everything along the food chain (literally, in this case). So the oil gets the birds and the blue crab larvae and the shrimp and now they are saying it may wipe out a generation of sea life.

As a species, we generally do not recognize that our connection with the earth is every bit as interconnected and tangible as the network on Pandora.  We need the earth to give us water, provide us with food (whether you are a vegetarian or not), provide water and shelter, medicine – everything – even manufacturing of plastic comes from the earth through our use of petroleum.

That is also why ideas about animals are often so ‘un-evolved’, meaning they are thought of as things, not spiritual beings. Time magazine ran an article on animal intelligence several years ago and said, at the conclusion of the article, “if we recognized and were aware of how sensitive and intelligent animals actually were, we would have to change everything we do as humans.”

News flash – we ARE going to have to change everything we do – we have to find our connection to the earth and the animals and plants who share it, or we will continue to have these devastating environmental disasters and wake up one day to a wasteland that can no longer support us. 

If you’ve watched “What The Bleep”, which is a movie that explains new developments in quantum physics – and I highly recommend that you watch it…  you will reach the same conclusion – that the electric Field exists on our planet and connects you and me to every dog, every blue crab, every tree, every blade of grass.  There is no artificial separation.  We are them and they are us and we are the same thing – just a different sector of the same energy field. We are Pandora. 

Oil spills and other disasters make this living network more apparent as we watch, hour by hour on CNN, how one event affects everything, first in the Gulf, then in the entire coastal area touching the Gulf, then probably the Caribbean – who knows how wide the damage will be from this one oil platform.

Do you feel the connection?  A few years ago, I got a great book about ‘curing the incurable’ and it was a collection of Russian folk remedies – from a former doctor to the Russian Olympics.  One of the remedies was how to use trees for healing – complete with details about which trees were most responsive – how to tap into the energy of the trees and use them by standing eighteen inches from the tree and putting your hands on the trunk…

This oil spill may dissolve political differences and even national differences and show us, one more time, how interconnected we are with the earth – and I’m hoping that we will find a positive way to use that information.

