A tragedy like the recent one in Newtown, Connecticut, where 20 elementary school children and six adults were killed by a mentally disturbed young man, can happen even in hospitals. In fact, it happened at Johns Hopkins Hospital in 2010. A gunman killed himself and his mother, who was a patient there, and wounded her doctor.

But security risks in hospitals are unlimited. At a basic level, hospitals need to find a fine balance between a sense of security and a sense of fear. If a hospital puts barbed-wire fences around its grounds and has security guards carrying guns everywhere, it may look like a prison. On the other hand, intruders have many ways of sneaking in to do harm, or may have other motivations such as terrorism, kidnapping children from the nursery, or stealing. The hospital may require investment in technology at every entry, such as CCTV, card access technology, metal detectors, and surveillance equipment, to keep out unwanted intruders, including terrorists. But that is not enough.

According to hospital portal net, the many risks include: intruders pretending to be visitors, volunteers, vendors, or utility personnel; unauthorized key duplication; false alarms (a supposed gunman spotted at a Los Angeles hospital, which led to the evacuation of dozens and a police search, turned out to be the hospital’s own security guard); contracting security to an outside company; hospital parking lots; transporting patients; HIPAA information; and the media (two radio staff members in Australia pretended to be the family of the British prince and got private information from a nurse who later committed suicide). Security during earthquakes, tornadoes, power outages, fires, and explosions is also a risk.

How prepared are we? A more important question is: how unprepared are we? Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), gives a “C” grade to the security of patient data. She says it’s the basic assignment that’s the big problem for most providers. According to her, the fundamental activity that has to happen for organizations is to conduct a security risk assessment and to do ongoing security risk analysis.

Why is the assessment so problematic? Mostly because doing one is so far outside the areas of most health professionals’ expertise. “Security and security risk assessment is a discipline that this industry just does not have a handle on,” says Gallagher. “They don’t understand it, they don’t have people on their staff who can do it, they know they need to hire a consultant and they don’t always have the time and the budget to do that.”

What Lisa Gallagher says is true of many other security risks as well. So, what can we do to earn a higher grade? Joint Commission standard EC 2.10 (Environment of Care Standard) sheds some light on a security management plan (which includes pre-employment screening, standardized training, and screening of volunteers), and EC 4.10 gives an emergency management plan. But security issues are much more complex. They require analysis ranging from “what has historically happened” to “what can happen in the future.”

The Joint Commission’s standards require that hospitals identify and manage security risks. A key component of that identification process is a vulnerability assessment. A vulnerability assessment is a systematic approach used to assess a hospital’s security preparedness, analyze the effectiveness of the existing security program, and identify security weaknesses.

There are some analysis tools available to assess vulnerability. Hazard Vulnerability Analysis (HVA) is one such tool, applied to emergency preparedness for unexpected events such as earthquakes, tornadoes, and terrorist attacks. It can be used for predicting scenarios that are related to security. Another tool, called “Preliminary Hazard Analysis (PHA)” and used in aerospace risk assessment, can be used for security risk assessments. It is a brainstorming technique for learning from past risks and for looking for potential risks in the future. This tool also includes risk mitigation methods. It is covered in the military standard 882. There are additional tools covered in this standard, but they are not widely used in hospitals. You may want to access my article on HVA. This tool is also used for assessing the safety risks in medical devices (ISO 14971).