Intrusion & Access Control

 

 

https://sm.asisonline.org/Pages/Access-With-A-Twist.aspxAccess With A TwistGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-12-01T05:00:00Zhttps://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx?_ga=2.206806619.913735308.1534771762-1627284918.1496762042, Holly Gilbert Stowell<p>​Living on campus affords college students the opportunity to commune with their peers, live close to academic halls, and take advantage of the city where their college is located. At Vanderbilt University in Nashville, Tennessee—often referred to as Vandy, for short—more than 90 percent the students choose to live on campus the entire time they are in school. </p><p>“With students on campus, we have to make sure that only students are accessing their residence halls, rather than members of the public wandering onto the campus,” says Mark Brown, assistant director of business services at the university. </p><p>For this reason, having a secure access control program is of utmost importance to Vanderbilt, which has more than 6,400 undergraduate students. Because the school is situated in an urban environment, it wanted to ensure only those with proper credentials could access residence halls, academic buildings, and faculty and staff areas. </p><p>The school offers wireless proximity access cards to students, faculty, and staff. Presenting the credential close to the reader opens the door. But​ with a $600 million building expansion project underway, Vanderbilt wanted to upgrade to a more convenient system for access control that was Bluetooth-enabled, eventually moving to mobile credentials. This would allow those on campus to more conveniently access their dormitories, dining halls, and academic buildings with their mobile devices, and give the university a simple way to provision and deprovision credentials. </p><p>Vanderbilt’s access control platform is CBORD Gold, which integrates with the university’s HID Global access cards and door readers. Because of its existing relationship with HID, Vanderbilt decided to conduct a pilot phase of HID Mobile Access. With this platform, credential holders can use their smartphone, tablet, or wearable device to unlock doors. “You hold up your device to the card reader, just as you would a contactless card, and it sends that credential to the reader and unlocks the door, giving you access,” Brown explains. </p><p>During the pilot phase in mid-2015, Vanderbilt tested HID Mobile Access with faculty and staff for several months, after which it decided to begin adopting the product at a broader scale. </p><p>“After the pilot, we decided we’re not buying any more readers without Bluetooth,” Brown says. “Probably 90 percent of our contactless readers on campus are Bluetooth enabled.” </p><p>Another feature from HID Global called Twist and Go allows users to enter the door from further away by making a twist motion with their device—like twisting a doorknob. </p><p>“The idea of twisting is to show that intent to go through the door, so you twist as you approach, and you can be probably up to 30 feet away,” Brown says. “When you install the door reader you can change that range, so if you only want it to be available from a much closer distance you can dial it all the way down.” </p><p>During the pilot phase, Vanderbilt deployed the Twist and Go feature on a roll-up door to a parking deck so that authorized drivers could enter more conveniently. “On hot days or cold days, you don’t even have to open the window to your vehicle,” Brown adds. </p><p>Currently, only faculty and staff have access credentials on their phones—eventually the university plans to roll it out to the entire student body. “The readers are all enabled,” Brown says. “So, when we do get to that point, we’re ready to go.” </p><p>With HID Mobile Access, issuing credentials to new users is simple. New users receive an email on their phone with a link to the HID Global app. “As soon as they’ve accepted that invitation and clicked on the link in the email that gets sent to them, the credential gets pushed down to their handset,” Brown explains. “So really from the user experience it’s very easy.”</p><p>The solution cuts down on the time it takes the university to issue credentials. “When it comes to issuing the identities to somebody, what was probably a 10-minute process before can now be done in literally 10 seconds,” he adds. </p><p>For contractors or other parties needing temporary access, Brown says provisioning those credentials is simple and more secure than a physical card. “Just a couple of days later—or however long they’re going to be on campus—you can pull that credential off the phone, so they’re not walking around with a credential maybe they forgot to hand in.” </p><p>In October 2017, Vanderbilt began slowly reissuing its students’ access cards to Seos, the newest version of HID Global authentication—an upgrade from the current platform, iClass. “We plan to slowly phase in the Seos chip as we issue cards over the next couple of years, and then eventually we’ll just take the iClass chip off the card,” Brown says. “That way we’ve migrated to the latest and most secure sort of card format.” </p><p>HID also wrote an application programming interface (API) for Vanderbilt, so the HID Seos and CBORD platforms could communicate. </p><p>The convenience of the new system has made it easier to conduct business on campus, Brown notes. “If faculty and staff are working late in the evening and they pop in to the restroom, they might leave their ID card on their desk but they’ll probably take their phone with them, so they’ll come back and they can get back into their suites,” Brown says. “So in terms of convenience it’s been very popular.” </p><p>There have been virtually no issues since the deployment of HID Mobile Access, Brown says, save for when someone forgets to turn on the Bluetooth feature on their device. “That’s the one issue we had, but it was a very minor one, and not something that happens very often,” he notes. </p><p>Brown iterates that keeping students safe is a top priority, and having a secure credential makes security that much stronger. “We need to make sure that students are in a safe environment, so it’s one less thing that they have to worry about and that the parents have to worry about,” he says.  </p><p><br></p><p><br></p><p><br></p><p><br></p>

Intrusion & Access Control

 

 

https://sm.asisonline.org/Pages/Access-With-A-Twist.aspx2018-12-01T05:00:00ZAccess With A Twist
https://sm.asisonline.org/Pages/Newsroom Shooting Demonstrates Vulnerabilities Of Run Hide Fight Response.aspx2018-06-29T04:00:00ZNewsroom Shooting Highlights Challenges of Securing Open Offices
https://sm.asisonline.org/Pages/VIDEO-Charleston-International-Airport-Modernizes-Security-with-Pivot3.aspx2018-06-27T04:00:00ZVideo: Charleston International Airport Modernizes Security with Pivot3
https://sm.asisonline.org/Pages/Supply-Chain-Company-Makes-Access-Control-a-Priority.aspx2018-06-01T04:00:00ZSupply Chain Company Makes Access Control a Priority
https://sm.asisonline.org/Pages/Multiple-Fatalities-In-Texas-School-Shooting.aspx2018-05-18T04:00:00ZMultiple Fatalities in Texas School Shooting
https://sm.asisonline.org/Pages/Personnel Peril.aspx2018-04-01T04:00:00ZPersonnel Peril
https://sm.asisonline.org/Pages/Take-No-Chances.aspx2018-04-01T04:00:00ZTake No Chances
https://sm.asisonline.org/Pages/Florida-Governor-Unveils-Major-School-Security-Plan-In-Wake-Of-Shooting.aspx2018-02-23T05:00:00ZFlorida Governor Unveils Major School Security Plan In Wake Of Shooting
https://sm.asisonline.org/Pages/Find-the-Fire.aspx2018-01-01T05:00:00ZFind the Fire
https://sm.asisonline.org/Pages/Call-for-Help.aspx2017-12-01T05:00:00ZCall for Help
https://sm.asisonline.org/Pages/ENDURECE-BLANCOS-SUAVES-CON-PSIM.aspx2017-11-21T05:00:00ZENDURECE BLANCOS SUAVES CON PSIM
https://sm.asisonline.org/Pages/What's-New-in-Access-Control.aspx2017-11-20T05:00:00ZWhat's New in Access Control?
https://sm.asisonline.org/Pages/School-Lockdown-Procedure-Prevented-Tragedy-in-Rancho-Tehama.aspx2017-11-16T05:00:00ZSchool Lockdown Procedure Prevented Tragedy in Rancho Tehama
https://sm.asisonline.org/Pages/Harden-Soft-Targets-with-PSIM.aspx2017-10-23T04:00:00ZHarden Soft Targets with PSIM
https://sm.asisonline.org/Pages/Safety-in-Shared-Spaces.aspx2017-09-01T04:00:00ZSafety in Shared Spaces
https://sm.asisonline.org/Pages/Book-Review---Biosecurity.aspx2017-08-01T04:00:00ZBook Review: Biosecurity
https://sm.asisonline.org/Pages/Identify-the-Solution.aspx2017-08-01T04:00:00ZIdentify the Solution
https://sm.asisonline.org/Pages/Healthy-and-Secure.aspx2017-07-01T04:00:00ZHealthy and Secure
https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx2017-06-01T04:00:00ZAccesos bajo Control
https://sm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspx2017-05-22T04:00:00ZOn-Site and Cloud Access Control Systems

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Training-Your-Team.aspxTraining Your Team<p>​</p><p>Whether the action is on the battlefield or the basketball court, you can be certain that the winning team owes its success in large measure to extensive training. Recognizing the importance of training to any team’s performance, the Cincinnati Children’s Hospital Medical Center set out to makes its own training program better. </p><p>The existing training program, which the director of protective services felt lacked specificity, consisted of one of the shifts’ veteran officers sitting with the new security employees and covering several department and hospital-specific policies along with administrative topics. Additionally, the new officers would be given several commercially produced security training videotapes to view, after which they were required to complete the associated tests. Following the completion of the tapes and review of the policies and administrative procedures, officers would go through brief hands-on training for certain subjects such as the use of force and pepper spray.</p><p>Once they completed these tests and training sessions, the officers would then begin their on-the-job training. Officers have historically stayed in the on-the-job phase of training between three and five weeks, depending on how quickly the officers learned and were comfortable with command center operations. When the officers completed their training program, they had to pass the protective services cadet training test as well as a test on command center procedures.</p><p>Training council. To help devise a better training program, the security director chose several members of the staff to sit on a training council. The group, which included the director, three shift managers, and the shift sergeants, met to discuss the current training program and what could be done to enhance it.</p><p><br>Through discussions with new employees, the council learned that the existing program was boring. The council wanted to revitalize the training to make it more interesting and more operationally oriented. The intent was to emphasize hands-on, performance-oriented training. The council also wanted to improve the testing phase so that the program results could be captured quantitatively to show the extent to which officers had increased their knowledge and acquired skills. <br> <br>Phases. The council reorganized training into four phases: orientation, site-specific (including on-the-job), ongoing, and advanced. Under the new program, the officers now take a test both before training, to show their baseline knowledge, and after the training, to verify that they have acquired the subject matter knowledge; they must also successfully demonstrate the proper techniques to the instructors.</p><p>Orientation training. The orientation training phase begins with the new employees attending the hospital’s orientation during their first day at the facility. The security department’s training officer then sits down with the new officers beginning on their second day of employment. This training covers all of the basic administrative issues, including what the proper clock-in and clock-out procedures are, when shift-change briefings occur, and how the shift schedules and mandatory overtime procedures function.   </p><p>The training officer also administers a preliminary test to the new officers that covers 12 basic security subjects including legal issues, human and public relations, patrolling, report writing, fire prevention, and emergency situations. New employees who have prior security experience normally score well on the test and do not need to view security training tapes on the subjects. The officers must receive a minimum score of 80 percent to receive credit for this portion of the training. If an officer receives an 80 percent in most topics but is weak in one or two subjects, that officer is required to view just the relevant tapes, followed by associated tests.</p><p>All officers, regardless of the amount of experience, review the healthcare-specific tapes and take the related tests for the specific subjects including use of force and restraint, workplace violence, disaster response, bloodborne pathogens, assertiveness without being rude, and hazardous materials. Also included in the orientation training phase are classes covering subjects such as pepper spray, patient restraint, defensive driving, and the hospital’s protective services policies.</p><p>Site-specific training. During site-specific training, officers learn what is entailed in handling specific security reports. The shift manager, shift officer-in-charge, or the training officer explains each of the reports and has the new employee fill out an example of each. Examples of reports covered in site-specific training include incident reports, accident reports, field interrogation reports, fire reports, motorist-assist forms, ticket books, safety-violation books, broken-key reports, work orders, bomb-threat reports, and evidence reports.</p><p>On-the-job training is also part of the site-specific training phase. The new employee works with a qualified security officer for a period of two to three weeks following the first week of orientation training with the departmental training officer. The new employee works through all of the various posts during this time. At least one week is spent in the command center. The site-specific phase of training culminates with both the security officer cadet training exam and the command center exam, which were also given in the original program.</p><p>Ongoing training. The ongoing training includes refresher training in which shift managers have their officers review selected films covering healthcare security and safety subjects. The training occurs during shift hours. The officers also receive annual refresher training covering topics such as using pepper spray and employing patient-restraint methods.</p><p>Another type of ongoing training, shift training, is conducted at least weekly. Managers conduct five-to ten-minute meetings during duty hours to refresh the security staff on certain subjects, such as customer service. These sessions are not designed to deal with complex topics. Managers can tie these sessions to issues that have come up on the shift.</p><p>Advanced training. Advanced training includes seminars, management courses, and sessions leading to professional designations and certifications. Qualified personnel are urged to attend seminars sponsored by several professional societies and groups such as ASIS International, the International Healthcare Association for Security and Safety, and Crime Prevention Specialists. Staff members are also encouraged to attain the Crime Prevention Specialist (CPS) certification, the Certified Protection Professional (CPP) designation, and the Certified Healthcare Protection Administrator (CHPA) certification.</p><p>Staff members are urged to pursue special interests by obtaining instructor certification such as in the use of pepper spray or the use of force. This encouragement has already paid off for the hospital. For example, the department’s security systems administrator has trained officers on each shift in how to exchange door lock cylinders, a task that would previously have required a contractor. Officers are currently being trained to troubleshoot and repair CCTV, access control systems, and fire alarm equipment problems.</p><p>Training methods. A special computer-based training program was developed to help quantify and track the success in each of the training modules. Additionally, a program was developed to present training subjects during shift changes.</p><p>Computer training. Security used off-the-shelf software to create computer-based training modules and included them in the site-specific training and ongoing training phases, both of which occur during shift hours. The training council tasked each shift with creating computer-based training modules for the various security officer assignments on the hospital’s main campus and off-campus sites. These training modules cover life safety, the research desk, the emergency department, exterior patrols, foot and vehicle patrols, and the command center.</p><p>The training council asked officers to participate in the creation of the computer-based training modules. The officers produced the training modules during their respective shifts when it did not interfere with other responsibilities.  </p><p>The group participation paid off. For example, the officers who created the command center and the emergency-department training modules not only spent several hours discussing what information should be included in the modules, but then allowed their creativity to flow by using the software to make these modules interactive. These particular modules include test questions of the material, and the program will respond appropriately to the employees as they answer the questions correctly or incorrectly. The volunteers also created tests for before and after an officer goes through each of the computer modules to track the effectiveness of the training.</p><p>Shift-change training. A major question with ongoing training is how to fit it into the officer’s routine. For most industries using shift work, difficulties arise when trying to carve out enough training time without creating overtime. The training council decided to take advantage of downtime that occurs as officers come to work ready for their shift to begin. They are required to show up six minutes before the shift. This time is now used for training.</p><p>The shift-change training is used to cover specific topics—already covered in some of the training phases—that can be easily encapsulated into a six-minute program. For example, some topics include departmental policies, radio communication procedures, command center refresher sessions, self-defense subjects, confronting hostile people, proper report writing, and temporary restraint training. By implementing the shift-change training sessions on a weekly basis, the department created an additional five hours of training per year for each officer.</p><p>One of the security supervisors created a six-minute training binder to house all of the lesson plans. Each shift supervisor uses the same lesson plan so that the training is consistent across the shifts. As with all other training, the before-and-after tests are given to quantitatively document changes in subject knowledge or skills.</p><p>Results. After implementing the training program, the training council wanted to check the initial results to see whether the training was effective. There were numerous quantifiable measurements that the council could use to evaluate the new training program, such as tracking the rate of disciplinary actions from the previous year to the current year. However, since the council desired to have a quick assessment of the training program changes, it decided to compare the after-training test scores to the before-training test scores for the computer-based training modules as well as the scores of the six-minute training tests. </p><p>To the council’s surprise, the initial tabulated scores resulted in an average before-training test score of 93 percent and an after-training test score of 95 percent. The council also found in many of the officers’ tests that they missed the same questions on both the before and after tests.</p><p>Based on these results, the council decided to make several changes. First, the test questions were reviewed and tougher questions were added. Based on the preliminary test score, the council felt that the questions were not challenging enough and might not indicate how competent the officers were with the subject matter. </p><p>The training council assigned each shift the task of revising the tests for their computer-based training modules as well as the six-minute training tests. The goal was to make the tests more challenging and to obtain more accurate assessments of the effectiveness of the training program. </p><p>The training council also reviewed how the different shifts were conducting the six-minute lessons. Managers noted that the shifts initially followed the schedule of the six-minute subjects from week to week, but then they began to conduct their own lessons without an accepted lesson plan or to forgo training altogether. </p><p>To avoid this problem, the training council determined that the training program needed to be more structured. The group created a schedule to indicate which class would be covered each week. One of the shift supervisors volunteered to take over the six-minute training program and formally structure it so that each shift would conduct training in a consistent manner.</p><p>The training council has plans to further hone the training program in the near future. The council plans to analyze the program us­ing other quantitative evaluative instruments such as an employee survey and a comparison of disciplinary action data from previous years. </p><p>In battle, it is said that an army fights as it has trained. Thus, commanders know the value of training. In the businessworld, though the stakes are different, training is no less critical to the success of the mission.</p><p>Ronald J. Morris, CPP, is senior director of protective services at Cincinnati Children’s Hospital Medical Center. Dan Yaross, CPP, is manager of protective services. Colleen McGuire, CPS (crime prevention specialist), is sergeant of protective services. Both Morris and Yaross are members of ASIS International.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Take-No-Chances.aspxTake No Chances<p>​Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Memb er of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.​</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says. </p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says. </p><p>"You use that prioritization to get funding," he explains. "I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."​</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."​</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. "Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."​</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Through risk management, a security incident occurs when the risk assessment was not accurate, or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."​</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future? </p><p>If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline." </p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Threats-to-Health.aspxThreats to Health<p>​<span style="line-height:1.5em;">Joseph Sweeney served as a New York Police Department officer for 21 years and ran his own security company—witnessing the full range of crimes and sticky situations that the Big Apple has to offer—but he never guessed what challenges were in store when he became the director of hospital police at Bellevue Hospital Center in 2010. “You can’t shut the doors and walk away. You have to deal with whatever happens. It’s a 24-7 business, and you can’t turn anybody away,” Sweeney says. “It’s like being in charge of a small city.”</span></p><p>Today, healthcare security directors like Sweeney are in charge of small cities with growing crime rates. According to a 2014 crime survey conducted by the International Association of Healthcare Security and Safety (IAHSS), the rate of violent crime in American healthcare facilities rose by 25 percent from 2012 to 2013, and the rate of disorderly conduct jumped by 40 percent. </p><p>Jim Stankevich, a past president of IAHSS, tells Security Management that the survey results reflect the need for comprehensive physical security in hospitals, especially visitor management systems—a tool that he admits isn’t always conducive to the open environments of traditional hospitals.</p><p>“Every hospital technically should know every person that enters a facility, why they’re there, and where they’re going, whether it be a contractor, vendor, patient, or visitor,” Stankevich says. “The problem is many hospitals are over 50 years old, and they probably have up to 50 entrances on the ground level, which makes it kind of impossible for them during normal business hours to really control that access.”</p><p>Sweeney points out that the hospital industry—even the security aspect—is a customer service business. “There’s an emphasis on the patient experience, and we’re a part of that,” he says. The balance between creating an open, customer-oriented environment and keeping those customers safe is a challenge, Sweeney notes.</p><p>The increase in active shooter scenarios, crime numbers, and the routine threats hospitals face on a day-to-day basis all combine to make physical security at healthcare facili­ties more important than ever. Whether it’s at a metropolitan hospital, a network of nonprofit healthcare facilities, or a research-based medical center, security directors have to employ a combination of training and technology to keep their small cities secure. ​</p><h4>Medicine in Manhattan </h4><p>Bellevue Hospital Center was founded in 1736 and is the oldest continuously operating hospital in the United States. In 2013, it housed 828 beds, and more than 115,000 people visited its emergency room. More than 80 percent of Bellevue’s patients are from New York’s medically underserved population.</p><p>Sweeney, who oversees the peace officers stationed throughout Bellevue, says the hospital’s open atmosphere presents a number of challenges when it comes to securing the facility. Many buildings in New York require identification and screening upon entering, but Bellevue’s open environment during daytime hours allows people to come and go freely, he explains.</p><p>“In a sense, we’re the softest target left, especially in Manhattan,” according to Sweeney. “You go to any other building in Manhattan and it’s difficult to get into, but the hospital is the one place that’s open. That’s the philosophy here, and I don’t disagree with that. But it does make it more challenging for security.”</p><p>Hundreds of patients, visitors, doctors, and staff move in and out of Bellevue every day, and Sweeney says one of the most difficult parts of keeping everyone safe is managing the wide variety of people who come and go. </p><p>“These are folks who are outpatients or they’re presenting themselves to the hospital for some type of service, but they have some sort of psychiatric issue, and it’s very challenging to deal with, but we can’t turn them away.” Sweeney notes. “I’d say the biggest challenge for anybody in the healthcare industry is dealing with somebody who’s emotionally disturbed or even just upset—people are sick and dying, their loved one is sick or in pain or dying, and it’s a very challenging environment.”</p><p>Indeed, the IAHSS report found that 93 percent of assaults in healthcare facilities were directed at employees by patients or visitors. This is why Belle­vue’s security officers are thoroughly trained to de-escalate almost any situation, Sweeney explains.</p><p>“We’re a part of the patient experience, and we’re a part of making sure that these people get the care that they need,” he says. “At the same time, we’ve got to keep the place safe.”</p><p>When Sweeney first came to Bellevue, no identification was required to access any area of the hospital. Over the past five years, he’s helped implement restricted access areas within the hospital with the help of access control technology while still committing to providing a positive experience for visitors, he explains.</p><p>“We couldn’t survive without the technology,” he says. “It’s really allowed us to focus our people where they need to be, and that’s important to have a good balance because this is a people business.”</p><p>For example, areas in the hospital with psychiatric patients are equipped with silent panic buttons that alert security officers of an incident. “When you’re dealing with a psychiatric patient, you don’t want to escalate the situation,” Sweeney notes. “You don’t want to call and say, ‘Hey, police, this guy is getting aggressive, come and help me.’ Just saying that makes the person more aggressive.”</p><p>Access control technology also helps keep vulnerable patients safe. Patients in Bellevue’s brain injury unit who are unable to make informed decisions for themselves are fitted with electronic tags, and security officers are notified if a patient attempts to leave his or her designated area. The hospital also uses the tags on infants in the maternity ward to track where they go and automatically lock the nursery doors should someone attempt to leave with a baby. </p><p>When it comes to preparing for out-of-the-ordinary incidents, Sweeney says he puts more emphasis on training security officers to think outside of the box rather than to follow specific protocols for a certain emergency, whether it’s a natural disaster, active shooter, or bioterrorism incident. </p><p>“We have that ‘what if’ mentality, so that if something happens we’re not totally taken by surprise,” he explains. “Those real-life drills of what we’ve done in those circumstances have trained us for the next one.”</p><p>And Bellevue has certainly seen its fair share of real-life drills. Sweeney recalls closing and evacuating the hospital during Hurricane Sandy in 2012, working around power outages and staffing shortages caused by blizzards, and more recently, housing a patient infected with the Ebola virus. </p><p>“A lot of the different things we had to deal with during Sandy, we had already had little pieces happen before, whether it was a telecommunications failure, or a power failure, or elevators knocked out,” he explains. “We’re trained to take each experience, whether it’s a real experience or a drill, and put it in our toolbox and make it adaptable so that when something similar comes along we know how to handle it.”</p><p>And although staff and security were given additional training on how to deal with potential Ebola patients, Sweeney says a lot of the same protocols—creating clean zones and hot zones and suiting up in personal protective gear—were brought over from previous bioterrorism training.​</p><h4>Pittsburgh’s Provider</h4><p>Jeff Francis jokingly calls the University of Pittsburgh Medical Center (UPMC) “one of the biggest companies that people have never heard of.” UPMC is a nonprofit network of 21 full-service hospitals and hundreds of ancillary facilities throughout western Pennsylvania. The hospitals treat more than 690,000 emergency patients annually and have more than 5,100 beds. </p><p>Francis, the security director of UPMC’s facilities, was a police officer in the Pittsburgh region before he joined UPMC a decade ago. Like Sweeney, he says he was surprised by the wide variety of threats that needed to be managed.</p><p>“Hospitals are the confluence of pretty much every risk factor that can exist as far as the propensity of violence is concerned,” Francis says. “In a hospital, you have a lot of controlled substances, you have a lot of behavioral health issues, and a hospital by its nature is a very high-stress environment in terms of patients, their families, and even the staff.”</p><p>UPMC’s security team is made up of more than 500 security professionals, including 130 armed police officers—the organization’s campuses have their own police departments. Francis is in charge of developing and maintaining the infrastructure needed to keep staff, patients, and visitors safe. </p><p>Security is assessed on a facility- by-facility basis, and Francis says he relies on access control and analytics systems to keep each location secure. Some facilities, like UPMC’s children’s hospital and behavioral health facilities, are 100 percent access controlled and have multiple layers of screening, he explains. </p><p>“Every visitor is screened by metal detectors, as well as assuring that you are registered there ahead of time so you have a reason to be there, so we confirm that there is a patient for you to see and a patient is expecting you,” Francis says. “In those cases, everybody gets a badge, you have to check in, check out, and you’re monitored pretty closely.”</p><p>On top of those precautions, the chil­dren’s hospital screens each visitor against a sexual offender registry upon entry. </p><p>Francis notes that finding a balance between protecting vulnerable patients and allowing visitation can be tricky. “We can’t lock these things down like a prison,” he says. “If someone is coming to visit a sick relative in a hospital, they don’t want to be treated the same way as if they’re going to visit a prisoner. So we have to maintain this balance between this open therapeutic environment [and managing] all these risk factors that make hospitals dangerous.”</p><p>Facilities with fewer at-risk patients are more open, Francis says. During business hours, people can walk in freely, and during off hours visitors must sign in and out. </p><p>With such a wide variety of healthcare facilities to secure, Francis relies on data-driven decision making. UPMC hospitals use D3 Security incident management software that tracks not only security and police activity, but also specific statistics, such as the number of people who enter through metal detectors, the percentage of those people who carry in banned items, and what those items are. This type of data allows Francis and his team to address trends in individual hospitals or throughout the UPMC system. </p><p>“Training topics are determined by the types of issues that we’re seeing in tracking,” Francis explains. “We’ll see spikes in certain incident types through our informational analysis, and we know we need to address that through training or other remediation processes.”</p><p>UPMC also uses risk assessment tools on individuals suspected of being a danger, Francis says. “If we have a reason to suspect that this person is prone to a violent act, technology is at the forefront for our risk assessment of that person,” he explains. “Have they been violent in the past? Do they have a criminal record? How many incidents do we have across the system that might involve that patient?”​</p><h4>Research and Recovery</h4><p>St. Jude Children’s Research Hospital in Memphis, Tennessee, is more than just a healthcare facility. The 27 buildings on its 62-acre campus house cutting-edge medical research teams and equipment, a convention center, 67,000 young patients annually, and extended-stay housing facilities for the families of those patients. </p><p>St. Jude is 100 percent donor funded and it treats children with cancer at no cost to the family. Shawn Young, the security systems coordinator at St. Jude, says he tries to be a good steward with the donor money while keeping the unique campus secure.</p><p>The combination of vulnerable patients, visitors, and researchers coming and going at all hours makes access control and visitor management vital to campus operations, according to Young. The entire campus is fenced in, and guests must check in with a security officer. Visitors are encouraged to preregister, and once they’re approved, their credentials are taken, they receive a badge, and are escorted to the correct building. </p><p>More than 600 doors at St. Jude are fitted with card readers, and Young says a staffed control room monitors entry and exit points at all hours. Guards are also present at the three extended-stay facilities on campus. </p><p>St. Jude uses video cameras for both security and treatment, which can be challenging in hospital environments due to the Health Insurance Portability and Accountability Act (HIPAA) privacy laws. Doctors and technicians use live video feeds to keep an eye on patients who need extra supervision. “We’re not recording any of it, but it’s really the first time in the history of the hospital that we’ve actually used video for any kind of clinical care and monitoring any kind of treatment,” Young says. </p><p>In the six years since Young started working at St. Jude, the campus’s video footprint has doubled—more than 400 cameras are coordinated throughout the campus. “We’re large and it looks like we’re going to get even larger,” he says. </p><p>In fact, a new combination research and treatment building partially opened last year. The first floor serves as a convention and collaboration center, the second floor is a traditional surgery and intensive care facility, and higher floors will house a computation biology department and a proton therapy unit—one of 14 in the United States. Young says the multiuse building presented some unique safety challenges, but he’s been involved in the security design from the start. This collaboration allowed Young to lay out the placement of cameras and card readers, he explains.</p><p>“We have a great relationship with our design and construction department, and we’re lucky to be pulled into these before we have a set plan in place,” Young says. “We were involved almost from the very beginning.”  </p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465