Healthcare executives are highly visible. Leaders must recognize the risk and take steps to ensure their safety and protect the organization.
Far fewer healthcare organizations have an executive protection function than you might think, and the organizations that have such capabilities, generally do so in response to a specific incident or threat.
The goal of this article is to increase the healthcare executive’s knowledge about potential personal and organizational risk and to provide proven mitigation strategies to decrease that risk.
Americans spend over $3 trillion annually for healthcare services. Navigating the complicated bureaucracy of insurance and healthcare in general is overwhelming for many. Our political landscape is dominated by conversations about the high cost and inefficiencies in the delivery of care. Medical errors continue to be the third leading cause of death in America.
For many, healthcare provides an absolute target for their anger and hatred. Family members who have lost a loved one may feel as though the physician or organization did not do enough to save their loved one. This was the case at John Hopkins Hospital when the son of a patient shot his mother’s physician after he received bad news.
Healthcare facilities that conduct medical trials, abortions, and animal experiments may be the target of homegrown activists/extremists. Additionally, the organization’s senior leadership, including CEO’s, are often being held accountable for the actions of their healthcare organization.
The Atlanta abortion clinic bombings that occurred in the 1990s were an act of terrorism designed to intimidate and scare the administrators and practitioners at these facilities. A hospital Emergency Department in Connecticut became the target of a mentally ill man who drove his car into the emergency department and set himself on fire while rambling about President Trump. The increase in patients who need mental health services and our nation’s opioid crisis increases our risk of these events.
Another significant concern is the “insider threat”-the disgruntled former employee. Often they pose a significant threat of violence, sabotage, theft or social media attack. One only needs to turn on the news to see a story about a former or current employee attacking an organization or its employees. Such was the case on July 1, 2017, when Dr. Henry Bello returned to his former employer, Bronx-Lebanon Hospital, a 972-bed facility in New York, and one of the largest providers of outpatient services in the area, with a rifle. Dr. Bello, described as a “disgruntled” employee who had resigned in 2015 after learning he was going to be fired, returned wearing a white lab coat and his hospital-issued ID. He wounded six people and killed one before turning the rifle on himself.
Today’s healthcare executives are highly visible.Executives must recognize the risk and take steps to protect themselves and the corporate image of their organization.
Executive protection refers to security and risk mitigation measures taken to ensure the safety of VIP’s or other individuals who may be exposed to elevated personal risk because of their employment, high-profile status, net worth, affiliations or geographical location. Today’s healthcare executive requires some level of executive protection.
Executive protection
In addition to physical threats, organizations should also be cognizant of attempts at economic espionage, perpetrated by foreign governments or competitors. Industrial or economic espionage is simply unlawfully obtaining sensitive financial, trade, or critical technologies. If not properly protected, an organization’s vital proprietary information or technology can fall into a competitor’s hand at a fraction of the true cost of its research and development.
In 2018, a hacking group called “Orangeworm” deployed custom malware on networks of healthcare providers and related organizations. The malware, dubbed, “Kwampirs,” was discovered on computers used to control medical imaging devices, such as X-ray and MRI machines, as well as devices used to help patients fill out consent forms. Experts believe the malware was not designed to steal patient data or interfere with medical treatment but rather was trying to carry out some sort of industrial espionage.
Organizations must protect confidential information such as, Board of Trustees and subcommittee meeting minutes, financial statements, contracts, and other confidential information. Access to the executive suite should be very limited and controlled. Access control systems or people screening by a receptionist or greeter must be used to ensure only authorized individuals have access to the C-suite.
The executive suite
The first step in securing the executive suite should be conducting a threat assessment, including a site survey and open records research on the company. The goal is to evaluate the overall security of the site – is there physical security presence? Are they armed or unarmed? Is there CCTV coverage? Are there fences around the exterior? Are there electronic access control and intrusion detection?
Remember, the most effective security system is one that incorporates physical security with electronic security, and meets the CEO’s requirements, threat level and budget.
The executive suite should be designed to prevent unauthorized access through doors, ceilings and walls. The outside walls of the executive suite should be made with metal mesh to prevent a break in. The ceiling should be secured and the ductwork must be secured to prevent unauthorized access or the planting of eavesdropping devices. The windows should be protected with government grade anti eavesdropping film to eliminate the potential of remote eavesdropping.
Many years ago while conducting an audit of an executive suite, it was discovered that a room that shared a common wall with the president’s office could easily hear everything the president said. The initial response was to convert the room to storage space with added access control to that room to mitigate the risk of eavesdropping. Later on, white noise was added to the executive suite to attenuate the sounds emanating from the suite.
The executive suite should be equipped with covertly mounted duress buttons that when activated will summon a law enforcement or security force response. The staff must know where they are located and how to use them and what the response will be when activated. Additionally, one should consider wearable wireless duress alarms or a mobile friendly app that connects to the user’s smartphone or tablet that when activated notifies either local law enforcement or the security force. These devices can be discreetly activated in an emergency and automatically notify preselected contacts, including providing the exact location of the individual.
A safe room should be provided for the executive. The room should be constructed with ballistic resistant walls and doors. The room should also have a duress button and a phone for dialing emergency response forces. A bathroom or storage closets within the executive suite can be used as a safe room.
The areas and hallways leading to the executive suite should be monitored by security or the administrative team that supports the executive team. The cameras should be very overt to increase the psychological deterrent factor. The cameras should be recorded as well for use during suspected or confirmed breaches in the security program.
Cyber threats
Executives are the most likely target of spear phishing attempts to gain information from them or their employees. Emails appearing to be from the executive can be sent to the employees seeking network username and passwords, payroll information and other financial or insurance related information.
Executives must work closely with both their IT security team and their physical security team to mitigate these risks. Electronic eavesdropping countermeasures should be utilized to ensure that there are no hidden cameras, no keystroke or no email monitoring software is installed on the executive computer, that there are no microphones and other eavesdropping devices in the executive offices, board rooms, and meeting locations.
Highly confidential meetings should take place face to face and not via video. All personnel who enter the executive suite, contractors, housekeeper, movers, installers, etc.-should be properly vetted.
Because the internet and social media sites have been used by many to express their opinion and to attack organizations or their leaders, social media posts must be also monitored to ensure that the organization and the leaders’ reputations are not being threatened.
On the move
Executives should ensure that their cell phone is fully charged or can be charged in their vehicle. Your locations and schedule must be accessible to others who need to know. The use of emergency communications and navigation systems on the executive’s vehicle is highly recommended. These systems can provide constant GPS tracking, emergency roadside assistance, medical alerts and crash detection technology.When traveling out of the country check the Travel Advisories issued by the U.S. Department of State and register with the Smart Traveler Enrollment Program (STEP).
At home
Your home should be protected by a burglar alarm with multiple locations for emergency communication devices. A good practice is to install a burglar alarm panel with panic buttons at the entrances and inside the bedroom. The home office should be set up by your IT security to ensure that your network is properly protected. Designating a safe room at your residence with emergency communications is also strongly suggested.
High profile events
For high profile events, engage your security expert to identify the threats, the vulnerabilities, recommended countermeasures, and develop the operations plan to determine the need for security or an assigned executive protection detail.
The operations plan should include law enforcement contact information, first aid and medical resource contact information, VIPs, other security details in attendance and an emergency evacuation plan. The security expert will compile this information, along with responses to likely scenarios, into a coherent document that will break down the event and guide the security team.
Relationships with law enforcement
Maintaining positive relationships with the local law enforcement agency is critical. Law enforcement can be useful in providing or reviewing intelligence of potential threats, assistance in selecting travel routes, or as additional resources for security projects.
A good practice is to invite them to lunch to discuss your facility’s unique services and sensitive areas or risks. This gives you an opportunity to share your concerns while also seeking ways to support their efforts of public safety. Hosting a Coffee with a Cop or Police Appreciation Day will go a long way to foster the relationship.
Security leadership
Ensure that your security force leadership is an active member of the International Association for Healthcare Security and Safety (IAHSS). The organization is dedicated to professionals involved in managing and directing security and safety programs in healthcare institutions.
IAHSS has developed industry guidelines and design guidelines to assist healthcare security leaders, administrators, and design professionals in fulfilling their obligation to provide a safe and secure environment to carry out the mission of the organization.
Today’s healthcare executives must actively support their organization’s safety and security program and be actively engaged in their own protection and well-being.
Paul Sarnese is past president of the International Association for Healthcare Security and Safety (IAHSS). Eric Clay is president-elect of IAHSS, and vice president of security for Memorial Hermann Health System.