Healthcare for Personal DataGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-03-01T05:00:00Z, Lilly Chapa<p>​Over the 15 years that Epiphany Healthcare has helped doctors view and manage medical test results, data transfer processes and privacy laws have evolved—and the company is evolving with them. </p><p>Epiphany’s Cardio Server supports more than 950 hospitals around the world by aggregating and managing electrocardiograms and other cardiopulmonary test results in a browser-based application that can be accessed by healthcare teams anywhere. It allows doctors to use diagnostic tools to interpret and sign off on the tests, which are then sent off to a patient’s electronic medical record.</p><p>“Time is tissue in the world of cardiac care; it’s important that we get the study information to the doctor as quickly as possible where they can read and provide the diagnosis and treatment for that patient,” says Joe Noto, vice president of strategic alliances, partnerships, and marketing at Epiphany Healthcare. </p><p>There are dozens of testing device manufacturers in the cardiopulmonary field, and each has its own way of exporting test data. Because of this, Epiphany must be able to gather all types of personal health information (PHI) in a secure and efficient way. To migrate the data, vendors would have to zip and password protect the file to send it via email, and, if the file were too large, Epiphany would send the vendor a secure hard drive to complete the exchange—a process that involved its own set of security challenges.</p><p>“That whole process was really consuming time and money,” says Chad McQuarrie, system administrator at Epiphany. “With [regulatory] restrictions, we had to be aware of exactly where the drive was, who sent it out, and who had access to it. It was a very long procedure.” </p><p>And if vendors needed support with the transfer of the data, McQuarrie and other back-end employees had to take extra precautions to make sure they never opened files with PHI while troubleshooting. The support team also had to direct customers to take extensive measures to keep sensitive data secure.</p><p>“For our support team to go through that, [the customer would] have to email us a visual of what’s going on,” McQuarrie notes. “We’d explain that they still need to zip that part up and password protect it before they could send it to us.” </p><p>To simplify the secure transmission of PHI to Epiphany, McQuarrie began the search for an updated solution that would make the transfer of sensitive data easier and more secure for both Epiphany and its customers. McQuarrie says he considered about 20 options, looking for a solution that worked with the organization’s system and would replace its FTP server. </p><p>He found the answer in Egress Software, which met all of Epiphany’s requirements, especially when it came to the back end—most similar solutions required the use of a Microsoft Exchange server, but Epiphany uses Gmail.</p><p>“One of the key factors we needed was something that didn’t change our daily procedures, that could be incorporated into our email, so that I didn’t have to retrain the whole company on how to handle PHI,” McQuarrie explains. “Egress was the only one I found that incorporated into the email system that we already have.”</p><p>With guidance from Egress’s experts, McQuarrie was able to seamlessly integrate encryption capabilities into the organization’s Gmail interface to protect the transfer of PHI over email. </p><p>“I didn’t have to stop the flow of anything to kick this off,” McQuarrie notes. “I could do all of this in the background and test it out, make sure it works, and then let everybody know how to do it through training. It’s pretty self-explanatory—a few settings in Google, a few tests here and there, and that’s it.”</p><p>Another benefit of the Egress system is one McQuarrie hopes will make the use of the external hard drives obsolete—a secure Web form where vendors can upload large files straight to Epiphany, where it’s now stored in the cloud.</p><p>“Customers could go to a Web page, literally upload their data, which is encrypted, and we get the email to pull it down and decrypt it,” McQuarrie explains. “In the past, if your email can’t handle the files, we’re going to have to send you a drive. Now, if you don’t want to wait for the drive, we can send you to this website and you can upload there. It’s something new we can offer.”</p><p>Epiphany also allows customers to upload data via a computer application. McQuarrie notes that they will still use the external hard drives, but only if a customer’s own firewall won’t allow them to send the data via one of the three methods. And now that the files are cloud-based, Epiphany does not need to store the data.</p><p>“Because the data is in a cloud </p><p>atmosphere, if something were to happen to our data center, you don’t have to redo all your data that you sent to us,” McQuarrie says. “Before, we were holding the data and after six months deleting it. We don’t have to do that now.”</p><p>Egress gave McQuarrie the tools to make the transfer of PHI all but foolproof. He notes that the Web page allows vendors to choose the recipient of the data from a dropdown menu to avoid any mistakes. </p><p>And if a problem arises during the transfer, Epiphany’s back-end employees now have an easier way to identify the issue—Egress creates a detailed report of every transfer, so McQuarrie can see when the data was sent, who had access to it, and more. This bird’s eye view of the problematic transfer gives employees enough information to identify the problem without having to work around sensitive documents.</p><p>“I have an overview of everything, but I can’t see the data, even with an overview to the whole system,” McQuarrie explains. “If someone can’t get to their data, I can redirect it. If they want to cancel it, I can go in, cancel, and make a report about where it went and who accessed it. Having that capability was immensely positive for any of the audits that we go through.”</p><p>Because Epiphany manages PHI, it is  audited by many organizations. McQuarrie says one of the biggest benefits of using Egress for the Cardio Server is the seamless auditing process thanks to the in-depth reports.</p><p>“It’s on us to prove that sensitive data was not touched or seen,” he explains. “There are reports on when it was accessed, the IP address, the exact time and day of when they opened it. Having that in a report to drop was huge—I can tell you nobody has touched it, and the customers could know exactly how things were done.” </p><p><br> </p><p><br> </p><p><br> </p><p><br> </p>

Healthcare for Personal Data Intoxication Issue After Heroism to Investigate #MeToo Ways to Improve Healthcare Security Five Challenges in Healthcare Control for Healthcare and Nursing Facilities Review: Healthcare Emergency Incident Management Are People First for Help Service: How Security Is Helping Camden County’s Children Dirty Secret of Drug Diversion Safety to Violence in Healthcare News April 2017 Chain Strategies Remedies Top Ten Challenges for ED Security in 2016 and Beyond Guns & Healthcare Surveillance

 You May Also Like... Review: Hospital and Healthcare Security, Sixth Edition<p>Earlier editions of <i>Hospital and Healthcare Security</i> have long been a staple in the library of hospital security professionals, and this sixth edition will be no exception. Practitioners who are looking for proven solutions to old or new security problems should start with this reference.  </p><p>The authors continue to focus on the issues that are at the core of the healthcare market, and they have stayed abreast of the changes in the industry and the required changes in facility security programs. New developments such as the use of body cameras for security officers and trends in arming security personnel are addressed in this updated edition.  </p><p>Best practices from throughout North America and the United Kingdom are highlighted in this book. The authors have done a wonderful job with the presentation of security program management and program delivery, identifying best practices and areas of concern and providing real-world examples, procedures, and policies. They have addressed staffing, operations, tools, and equipment.</p><p>The authors have even touched on the needs of healthcare facilities beyond the traditional hospital setting and in off-campus facilities. They have addressed security design philosophies and practices as well as systems and equipment and how they are best employed at a healthcare facility.  </p><p>The material is well organized and written and will be an invaluable resource to hospital and healthcare security professionals, to consultants, and even to facility administrators.  </p><p><em><strong>Reviewer: Michael Preece</strong>, PE (Professional Engineer), PSP, CxA (Certified Commissioning Authority), is a principal with Smith Seckman Reid and runs the company’s Washington, D.C. office. Preece has been providing planning, design, start-up, consultation, and commissioning services for security systems over the last 15 years, much of it concentrated on hospitals and healthcare facilities. He is a member of the ASIS International Healthcare Security Council. </em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 for Help<p>​With more than 420,000 annual visits from patients from four states, Seattle Children's Hospital serves the largest region of any children's hospital in the United States.</p><p>The organization, made up of a research arm, a foundation, and the hospital, strives to provide robust security while making its stakeholders feel welcome and cared for.  </p><p>"As a security team, our goal is really to ensure the mission of our hospital, which is to treat patients and find cures for diseases," says Dylan Hayes, CPP, manager of the physical security program at Seattle Children's. "We do that by interfacing with our families and our patients…we're a customer-service oriented team." </p><p>A security officer staffs the emergency department around the clock, and officers also operate a security operations center for the entire hospital that is open from 6:00 a.m. to 10:00 p.m.</p><p>Visitor management is important to Seattle Children's, and the security team screens everyone who walks through the door to ensure that they have a purpose to their visit. Visitor identification is processed by a database that checks for sexual offenses and other criminal records. </p><p>"We have security teams at five different entrances during the day that greet people as they come in, find out where they are going, give them directions, and make sure that they are badged to do so," Hayes says. In addition to the daily pass, family members and loved ones who make frequent patient visits are given weekly passes. </p><p>Seattle Children's trains its employees on active shooter protocols, and has lockdown procedures in place in the event of an emergency. </p><p>"Our entrances are actually equipped to scan a badge that will lock that specific entrance, or a different badge can lock down all the entrances at the hospital," he says. "We're using a lot of security technologies these days to improve our business operations." </p><p>One of those technologies is a call tower intercom model from Vingtor-Stentofon by Zenitel, which allows anyone in distress to contact the hospital's security desk with the push of a button. In addition to contacting the security desk via a speakerphone, a flashing light is activated on the top of the tower. ​</p><p>The hospital uses call tower boxes from Talkaphone and Code Blue, which used to work over a standard telephone line. Zenitel works over an IP network, and integrates with the organization's access control system, OnGuard by Lenel. </p><p>Seattle Children's originally installed the towers in 2012, and it upgraded to a newer model of the intercom technology, called Turbine Intercoms, in May 2017. There are approximately 55 towers located around the hospital grounds, mainly situated in parking lots and other outside public areas. </p><p>"We've upgraded about a third of our phones and we're in the process of upgrading the rest of them," Hayes says, noting that the Turbine model provides a clearer connection from the tower to the emergency operator. "With the older equipment the clarity is not there—you can't make out what's going on," he says. "The Turbine stations really allow for clear communication when you're in critical situations." </p><p>As far as incident types, "anything goes with these towers," Hayes says. When security receives a call, it assesses the situation and decides how to respond, usually either deploying a security officer or contacting law enforcement. Hayes adds that it's rare that police have to get involved. </p><p>"People report their cars have been damaged, or we've had reports of fires in the garage," he says. "There are so many great uses of those towers, it's just open-ended."</p><p>The integration with Lenel allows any cameras in the area to pan, zoom, and tilt toward the call tower's location, allowing security to view the scene live via monitors. Lenel also displays a map in the alarm monitoring screen that shows which tower and where the incident occurred. </p><p>Hayes says he welcomes the opportunity to improve business operations via security technology, and he was delighted when the hospital's emergency department wanted to collaborate with security by responding to any medical incidents from the call towers. </p><p>"If somebody pushes one of those buttons, our plan is to send out a security person with a respiratory therapist and an emergency department nurse if they need medical care," Hayes says. </p><p>Recently, for example, a woman fell down a flight of stairs and was injured. "The emergency call station was activated and a hospital response team, including security, responded," Hayes explains. Security brought a wheelchair and assisted the woman to the emergency room for follow-up care. </p><p>"When our emergency operations team comes to us and says, 'We want to use your technology to better serve our people,' that's a great thing to hear," he notes. "We do have an expectation to provide care because we are a hospital." </p><p>Another benefit of the Vingtor-Stentofon network is the ability to push prerecorded audio messages over the security team's two-way radios, alerting officers to any alarms such as panic buttons or door-forced-open alerts.</p><p> "When we're out in the field, we don't have that ability to do extensive alarm monitoring, and we didn't have a way to quickly get a message to our security team in an automated fashion," he says. "So, we set up Stentofon to be configured with our Motorola MOTOTRBO radio system." </p><p>Because alarm locations are preset in Lenel, the prerecorded message that goes out indicates the type of alert and where it occurred. The responding officer alerts the rest of the team that the situation is being handled. </p><p>"We could have alerts go to a pager, but then there's a two-minute delay," he says. "If we have it go to the radio, then it's instantaneous." </p><p>Hayes adds that the many uses of the call towers, along with the radio and alarm integration, have all helped improve the security team's ability to respond to incidents rapidly and effectively.</p><p>"Having that crystal-clear communication is so important to be able to deploy the right emergency response team," he says.</p><p> For more information: Kelly Lake, [email protected],, 800.654.3140</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Against Violence<p>​<span style="line-height:1.5em;">Sixty percent of all documented workplace violence occurs in a healthcare setting, according to the American Nursing Association, which also suggests that the actual percentage is probably much higher. Violence has become an epidemic in healthcare, and I have seen it firsthand in my role at the Athens Regional Medical Center in Athens, Georgia.</span></p><p>Athens Regional offers a full spectrum of medical services to 17 surrounding counties, and its level-2 trauma center treats more than 70,000 patients annually. Despite its small size, Athens is an action-packed city that boasts a vibrant music and arts scene, robust manufacturing, and the University of Georgia, which swells the county population to more than 150,000 when in session.</p><p>The Georgia Bureau of Investigation’s most recent report shows that the Athens metropolitan area has an average crime rate for the state, coming in eighth out of 15 metro areas. However, Athens-Clarke County reports that 33.5 percent of its population lives below the poverty level—more than twice the national average. </p><p>Although the Athens Regional facility sits between two historic Athens districts that have some of the lowest crime rates in the county, the medical center still deals with an operational environment that is increasingly prone to acts of violence against its staff. </p><p>These environmental issues along with the national trends of violence in healthcare have led the security management team at Athens Regional to take steps beyond the “stand your post” and “roving patrol” security models towards a more dynamic approach to healthcare security. </p><p>This move spawned the development of three essential tools designed to com­bat rising violence and shift the strategic paradigm from reactive security strategies to proactive security strategies: putting time into effective internal investigations, conducting comprehensive threat assessments, and crunching the data to identify criminal trends as they occur.​</p><h4>Internal Investigations</h4><p>The reports that security officers write and submit are a gold mine of information for organizations. Security managers can use incident reports for internal trending and criminal activity tracking. They can also be used for threat assessment and analysis, and for instructing staff how to serve customers.</p><p>A thorough initial incident investigation is key to both successful reporting and successful customer service. Every report filed constitutes an initial investigation of the incident. Once the scene is safe, the responding security officer should identify and interview the complainant, subjects, and witnesses. </p><p>At Athens, the security officers make notes of all times, dates, conditions, and other details that may prove important for follow-up investigations. Officers are trained to collect every possible piece of information available to create the most accurate picture of the incident for security, administration, and investigations.</p><p>Additional information may often come after an incident has occurred and the initial report has been filed. It is important to establish a supplemental report process so security officers have a mechanism to add additional information to their incident reports. This ensures that every report is as complete as possible, and that officers are not limited in their ability to gather information about an incident.</p><p>Once an initial report is filed and supplemental information has been gathered, it’s crucial to conduct a follow-up investigation. Handing the report over to a trained investigator allows the organization to look more deeply into an incident, gather evidence, evaluate threats, and conduct complete customer service. </p><p>Investigators have the ability to conduct follow-up interviews, collect photographic and video evidence, and liaise with local law enforcement, if necessary. Investigators are also able to connect the dots across the various departments within the organization.</p><p>For example, at Athens Regional, officers take reports from patients who have lost property. These reports are handed off to an investigator for follow-up. In most cases, the investigator will call the complainant and discover that the individual found the property at home, closing the case.</p><p>Recently, however, investigators be­gan noticing a trend in lost property cases where items went missing from the same floor and were not found. Security began to suspect that an employee was taking these items, and security decided to investigate more intently, gathering lists of employees working on that floor, conducting interviews, and suggesting an increase in security officer patrols on the floor.</p><p>Within a month, Athens Regional went from 30 to zero lost property reports on the floor in question. While security was unable to identify the thief, the unwanted activity stopped, and suspects were identified to monitor for future thefts. </p><p>Athens Regional would never have seen this trend without follow-up investigations carried out by trained investigators. Also, the follow-ups allowed security to take the first step in predictive patrolling, allowing investigators—who have a bird’s eye view of internal incidents within organizations—to aid security in targeting patrolling efforts to mitigate potential criminal trends, like recurring thefts.</p><p>Another key benefit of follow-up investigations is the ability to identify risk and threat potential in an incident. Different security officers working different shifts may not realize they are continually dealing with the same threatening patient, or that the patient’s behavior is escalating with every visit. A follow-up investigation allows the organization to see these patterns more clearly and to determine the level of threat involved.</p><p>Additionally, follow-up investigations on suspicious person reports, theft reports, or lost property reports may expose a risk to the organization that was previously missed, and allow the organization the opportunity to mitigate it.​</p><h4>Threat Assessment</h4><p>Healthcare professionals are all too familiar with patients or visitors who repeatedly attack staff members. Reporting on these individuals is the key to successful threat analysis. Security officers who interact with these subjects can file incident reports based on the situation, and from that baseline the organization can begin tracking all the interactions the individual has within the facility. </p><p>A relevant threat analysis combines internal reports with external criminal background checks to create a more comprehensive picture for security. Many organizations employ outside agencies to conduct external background investigations. However, this strategy can become expensive.</p><p>Instead, for those who want to keep costs at a minimum—like Athens Regional—effective background investigations can include a simple Internet search using background report sites like PeopleSmart or Checkmate, open source sites from a department of cor­rections or local law enforcement agency, or other Internet sites, like Athens Regional has been successfully using this approach to conduct background investigations.</p><p>Background checks, no matter what method is used, fill in more information about the subject and give security a greater understanding of what kind of threat the individual presents. For instance, Athens Regional noticed that it had recurring internal reports on an aggressive female visitor. When a background check was conducted, security realized she had a criminal history that included assault. She may not have been violent in the facility—only disruptive and threatening—but security was now aware that she had been violent in the past, elevating the potential threat.</p><p>Once recurring reports are gathered, background checks completed, and a threat level assigned (see box for more on threat levels), the work has only just begun. Continued tracking now becomes paramount to maintaining a successful watch over this known threat. Athens Regional must continue to monitor the incident reporting from security staff and the subject’s involvement with local law enforcement to maintain an active understanding of the threat the subject presents.</p><p>Lastly, there must be a plan to mitigate the threat. Establishing an interdisciplinary threat team to look at and create plans to address threatening subjects who present themselves for medical treatment or accompany patients is a great way to get buy-in from clinical staff, as well as from administrators. </p><p>At Athens Regional, security chairs an interdisciplinary threat team comprising representatives from public safety, risk management, the emergency department, medical, and administration. This team discusses recurring personalities that present a threat and sets the parameters under which care will be provided, ensuring that the patient’s rights are protected and that the hospital complies with federal laws, such as the Emergency Medical Treatment and Labor Act. This group has been successful in establishing a plan to mitigate any threats presented.</p><p>For example, earlier this year the emergency department at Athens Regional filed a report on a man for disorderly conduct. Two weeks later, an information booth attendant filed another report involving the same man. The same man harassed a social worker a week later. These recurring reports triggered a more comprehensive threat analysis of the individual.</p><p>The threat analysis was then presented to the interdisciplinary threat team. For this subject, the team agreed to assign a high-level threat rating. The team determined that the subject would only be seen in the emergency department, and that registration staff would summon security officers if they spotted him.</p><p>The officers would then respond immediately with multiple personnel, and at least two would stay with the subject throughout treatment. The man would only be treated in a room equipped with video and audio monitoring. He would also be triaged immediately and evaluated by medical staff as quickly as possible.</p><p>The team also decided that if the physician identified no medical issues, the man would be discharged and escorted off the property by security officers. If he issued threats or if other problems occurred during the visit, security would then contact local law enforcement and file a report. Athens Regional would then file charges based on the issues presented by the man during his visit.​</p><h4>Criminal Activity Trending</h4><p>Security managers must have a historical understanding of what crimes have occurred at their facility and in the surrounding area. This is a critical first step in the development of external intelligence, as well as in trending and predicting future criminal activity.</p><p>A simple way that Athens is doing this is by learning about the crimes that have occurred in our area over time. This is done by asking basic questions, such as how many robberies have occurred over the last five years? In which months do most robberies occur? Is that pattern static over the full five years? Does a pattern develop in geographic movement of robberies over time? </p><p>Security managers can obtain this information by using open source reporting by local law enforcement agencies. Access to sites like, local law enforcement media releases, and one-on-one liaising with law enforcement can provide a great deal of information about the criminal trends in the area.</p><p>Athens Regional’s local police department has a Crime Analysis Division with officers dedicated to the analysis of criminal trends in the city. Liaising with these officers has proven invaluable to the organization as Athens conducts assessments of potential new building sites for future facilities.</p><p>This information can then be put together to map crimes and document trends, allowing security managers to take proactive steps to prevent crime. Predicting criminal activity can be difficult, but once security understands what crime is occurring, when it’s occurring, and where it’s occurring, reasonable estimations of future criminal activity can be developed. </p><p>For example, Athens Regional recently focused on robberies in the neighborhood. Studying the robberies over time, the hospital learned that an average of 2.6 robberies occurred per month within a 3-mile radius of the facility over the previous several years. Since February 2015, robberies have spiked from the average of 2.6 per month to an average of 12 per month in February, March, and April.</p><p>This obvious trend points to a new and aggressive offender operating right at the hospital’s doorstep. To study the trend spatially, security managers plotted each robbery on a map and watched how those robberies moved over time—witnessing a pattern of robberies moving east and north, and coalescing in a more concentrated pattern just miles from the facility.</p><p>From this research, the hospital reasonably predicted that the risk of robbery occurring in or around that geographic cluster was significantly elevated, and it adjusted strategies to help mitigate this threat. Having this knowledge allows Athens Regional to provide security for staff and visitors from a proactive standpoint by adjusting patrols, installing more targeted physical barriers, and, most importantly, by educating staff on the threat and giving them the knowledge they need to defeat it. </p><p>One of the most successful ways Athens did this was by issuing a Critical Incident Watch (CIW) to all staff members. This document serves the purpose of a Be On the Look Out (BOLO), but is specific to a circumstance or situation rather than a person or a vehicle. </p><p>The CIW went out to all staff, and was published on Athens’ internal Web page. It offered information about the incident and what steps could be taken to prevent such robberies. It also reminded staff to report suspicious activity.</p><p>Since the implementation of these strategies, the number of robberies has dropped significantly, but more importantly, the customers Athens Regional serves have praised the proactive security approach. The assurance of their personal safety was a critical success for the security program. </p><p>The challenge faced by all security managers in the healthcare environment is learning to include data-driven strategies in their ever-expanding skill sets to see threats in real time and take proactive steps to mitigate those threats. Using these simple strategies, security managers can begin to meet this challenge to provide the kind of information needed for security officers to operate effectively and for their organization’s staff and patients to feel secure.  </p><p>--</p><p><em><strong>Charles Hodges</strong> is a public safety training coordinator and shift supervisor for the Athens Regional Health System in Athens, Georgia. He is a certified healthcare security supervisor and a veteran of the U.S. Army, earning two commendations from the FBI and a Humanitarian Service Medal for operational support after Hurricane Katrina. He is a member of both ASIS International and the International Association for Healthcare Security and Safety.</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465