asis 2018 ASIS NewsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-01-01T05:00:00Z<h4>​Shifting into High Gear</h4><p>Enterprise security risk management (ESRM) activity at ASIS is moving into high gear. The ASIS Board of Directors approved a plan for ESRM principles to be infused into the DNA of the Society. Designating ESRM a priority strategic initiative, the ASIS Board created the ESRM Commission in July 2016. In the year plus since, the commission inventoried ESRM content, identified subject matter experts, developed a primer, and interviewed members on how ESRM should be worked into ASIS's activities.</p><p>For the first time, in 2017, the ASIS Annual Seminar & Exhibits featured a full track of sessions devoted to ESRM. Sessions included a preseminar program on IT security for physical security professionals and an intensive interactive two-hour tabletop exercise in which attendees represented various departments of an organization and used ESRM principles to deal with an evolving crisis scenario. Earlier in the year, ASIS Europe 2017 focused on enterprise-level risks and featured master classes on implementing integrated enterprisewide security teams. </p><p>On November 15, the board approved the commission's request to transform into four workstreams that will develop appropriate ESRM material for their particular areas. The workstreams cover standards and guidelines, education and certification, marketing and branding, and creation of a digital maturity model tool. Each workstream includes a board member sponsor, an ASIS staff member, an ESRM subject matter expert, and a team of member volunteers.</p><p>Are you an avid ESRM advocate? Have you put ESRM into practice? There's still room in the workstreams for your expertise. Please contact Chief Global Knowledge and Learning Officer Michael Gips at <a href=""></a>.​</p><h4>Adams to Lead 2018 Professional Certification Board</h4><p>The ASIS Professional Certification Board (PCB) will be led in 2018 by Dana Adams, CPP, director of corporate security for TELUS, a telecommunications company headquartered in Vancouver, Canada. Adams has served on the PCB for six years and was the board's vice president in 2017. William Moisant, CPP, PSP, will assume the role of vice president in 2018.</p><p>The PCB oversees the ASIS board certification program and ensures that the domains of knowledge and the exams reflect the duties and responsibilities of security professionals. Adams succeeds 2017 President Per Lundkvist, CPP, PCI, PSP. </p><p>"I would like to thank Per for his able leadership of the PCB, as well as for his guidance, support, confidence, and friendship," Adams says. "In 2018, priorities include continuing the work to establish an entry-level certification, maintaining the leadership role of ASIS board certifications across our profession, and ensuring global representation and diversity of the PCB."</p><p>New to the PCB in 2018 are Kevin Peterson, CPP, president, Innovative Protection Solutions, LLC; Jeffrey Leonard, CPP, PSP, area vice president, Securitas Critical Infrastructure Services, Inc.; and Vasiles Kiosses, CPP, PSP, physical security services manager, Schlumberger Oilfield Services. ASIS extends its thanks to departing PCB members, James Bradley, CPP, PCI, and Ann Trinca, CPP, PCI, PSP.​</p><h4>ASIS Europe 2018: From Risk to Resilience</h4><p>Now is the time to register for ASIS Europe 2018, taking place 18-20 April in Rotterdam, The Netherlands. The event focuses on securing organizations in the era of IoT and highlights how enterprise security risk management approaches can protect an organization's full range of physical, digital, and human assets.</p><p>The "From Risk to Resilience" event format, launched in Milan in March 2017, will be repeated, with its mix of conference, training, technology and solutions, exhibition, career center, and exclusive networking.</p><p>At the conference, themed "Blurred Boundaries—Clear Risks," attendees will tackle the impacts of Big Data and artificial intelligence, and examine up-to-date risk outlooks, case studies, and analysis across the full range of key security management issues. </p><p>ASIS Europe will help attendees navigate a broad sweep of risks, from the malicious use of the latest emerging technologies to the threat of low-tech attacks, particularly on soft targets in public spaces. </p><p>Conference highlights include:</p><p>•             Opening keynote on Big Data, automation, and artificial intelligence from a business perspective</p><p>•             Digital asset valuation and risk assessments by Carl Erickson, CPP, and Gal Messinger of Philips Lighting</p><p>•             The EU General Data Protection Regulation (GDPR) by Axel Petri of Deutsche Telekom and Christoph Rojahn of PricewaterhouseCoopers</p><p>•             Jihadi terrorism trends in Europe by Glenn Schoen of Boardroom@Crisis </p><p>•             Virtual security operation center transformation by Michael Foynes of Microsoft</p><p>•             Public spaces as the front line against extremist violence by Thomas Vonier, CPP, of the American Institute of Architects</p><p>•             Understanding business resilience by Laura Poderys of Danske Bank</p><p>The conference is geared towards professionals who need to understand the full spectrum of physical and cyberthreats. Both established and aspiring security leaders can create learning paths through the program.</p><p>Register at Advance rates are available until March 8, and group packages are also available. Contact directly for more information.​</p><h4>New ASIS Website, Community</h4><p>Digital transformation is at the forefront of many organizational discussions, and the need for innovation has never been greater. Remaining relevant in today's on-demand, content-driven world means that associations must be hyper-connected and agile. </p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS is currently engaged in a broad range of innovative projects—including a major redesign of its primary website,, and the underlying technologies that support online and mobile experiences.</p><p>This month, ASIS launches Phase One of a multiyear project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification. </p><p>One of the key strategies driving the new site is to create a powerful search function that will unify content from a variety of ASIS sources, including Security Management offerings and Seminar sessions. By creating a search-centric site that allows users to filter results, ASIS will meet its goal of helping members at their "moment of need." The website facelift includes a more graphical and modern interface for both desktop and mobile devices.</p><p>It is important to understand that this is just Phase One of the process. With a critical emphasis on design, taxonomy, search, and commerce, both functionality and content are priorities. Additionally, some functionality will be moving to other platforms, such as the new community site, launching in February. Two other phases are planned for 2018.</p><p>ASIS is also upgrading the membership database, including new functionality for engagement, certification, profile management, and data analytics. The system will be tightly integrated with the website to ensure a seamless user experience across platforms. As a part of the new launch, ASIS will be engaging members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation in 2018. </p><p>When the online community is launched, ASIS will provide security professionals with a secure platform to network, share ideas, access resources, and stay connected with peers, chapters, ASIS staff, and industry thought leaders.</p><p>Get ready, the launch of a new digital ASIS will be here soon!</p><p>Note: The ASIS website may be inaccessible for a few days at the end of January to facilitate the launch.​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Manager's Handbook for Corporate Security</em>, Second Edition. By Edward P. Halibozek and Gerald L. Kovacich. Butterworth-Heinemann;; 498 pages; $120.</p><p>Whether the reader is an aspiring security management student or a seasoned veteran, the second edition of <em>The Manager's Handbook for Corporate Security </em>provides a comprehensive look at the past, present, and future of the security industry—a world that experiences both operational and functional changes at light speeds. Using a mythical organization called International Widget Corporation to illustrate problems and solutions, it creatively brings theory to life as it transforms the difficult concepts of "what should be" into "what is." Throughout the book, risk management is enlisted to transform security from a reactive process to a dynamic proactive endeavor.  </p><p>The authors do a masterful job of taking the reader on a journey through various contingencies, and stress the importance of being proactive through key loss prevention programs, security awareness training, and developing strategic, tactical, and annual plans to combat risk and mitigate losses. Chapter after chapter, the authors emphasize that planning and preparedness strengthen the organization's overall security program and keenly integrate all layers within the organization. This approach helps solidify the security department's role in asset protection and keeps the security department where it should be—leading the effort. Adding value to an already solid effort, the authors consider new elements such as background checks, insurance, training, and cybersecurity—functions that are increasingly becoming part of the security department's portfolio. </p><p><em>The Manager's Handbook for Corporate Security</em> is a must for any serious security professional and would be a valued addition to any security leader's professional bookshelf.  </p><p>Reviewer: Terry Lee Wettig, CPP, is an independent security consultant who served 10 years as director of risk management with Brink's Incorporated. A retired U.S. Air Force chief master sergeant, he is currently a doctoral candidate specializing in organizational psychology. He is an ASIS member.</p>

asis 2018 ASIS News Event Security,-CPP.aspx2018-01-01T05:00:00ZCertification Profile: Darin Dillon, CPP Leading Through Change Back: A Year of Change,-III,-CPP.aspx2017-11-01T04:00:00ZWilliam J. Powers, III, CPP 2017 ASIS News,-Artificial-Intelligence.aspx2017-10-01T04:00:00ZOctober 2017 ASIS News: ASIS Europe to tackle Big Data, Artificial Intelligence,-CPP.aspx2017-10-01T04:00:00ZCertification Profile: Caress Kennedy, CPP Chapter Volunteer is Recognized Discuss Concerns in Town Hall the Newest ASIS Board Members Names Security Book of the Year Winner Scholarship Recipients Named Cares Aids the Dallas Community Change Management Program Prepares Executives for Challenges CPP Turns 40 Strategic Plan to Guide Direction of the Society and Upward

 You May Also Like... Your Team<p>​</p><p>Whether the action is on the battlefield or the basketball court, you can be certain that the winning team owes its success in large measure to extensive training. Recognizing the importance of training to any team’s performance, the Cincinnati Children’s Hospital Medical Center set out to makes its own training program better. </p><p>The existing training program, which the director of protective services felt lacked specificity, consisted of one of the shifts’ veteran officers sitting with the new security employees and covering several department and hospital-specific policies along with administrative topics. Additionally, the new officers would be given several commercially produced security training videotapes to view, after which they were required to complete the associated tests. Following the completion of the tapes and review of the policies and administrative procedures, officers would go through brief hands-on training for certain subjects such as the use of force and pepper spray.</p><p>Once they completed these tests and training sessions, the officers would then begin their on-the-job training. Officers have historically stayed in the on-the-job phase of training between three and five weeks, depending on how quickly the officers learned and were comfortable with command center operations. When the officers completed their training program, they had to pass the protective services cadet training test as well as a test on command center procedures.</p><p>Training council. To help devise a better training program, the security director chose several members of the staff to sit on a training council. The group, which included the director, three shift managers, and the shift sergeants, met to discuss the current training program and what could be done to enhance it.</p><p><br>Through discussions with new employees, the council learned that the existing program was boring. The council wanted to revitalize the training to make it more interesting and more operationally oriented. The intent was to emphasize hands-on, performance-oriented training. The council also wanted to improve the testing phase so that the program results could be captured quantitatively to show the extent to which officers had increased their knowledge and acquired skills. <br> <br>Phases. The council reorganized training into four phases: orientation, site-specific (including on-the-job), ongoing, and advanced. Under the new program, the officers now take a test both before training, to show their baseline knowledge, and after the training, to verify that they have acquired the subject matter knowledge; they must also successfully demonstrate the proper techniques to the instructors.</p><p>Orientation training. The orientation training phase begins with the new employees attending the hospital’s orientation during their first day at the facility. The security department’s training officer then sits down with the new officers beginning on their second day of employment. This training covers all of the basic administrative issues, including what the proper clock-in and clock-out procedures are, when shift-change briefings occur, and how the shift schedules and mandatory overtime procedures function.   </p><p>The training officer also administers a preliminary test to the new officers that covers 12 basic security subjects including legal issues, human and public relations, patrolling, report writing, fire prevention, and emergency situations. New employees who have prior security experience normally score well on the test and do not need to view security training tapes on the subjects. The officers must receive a minimum score of 80 percent to receive credit for this portion of the training. If an officer receives an 80 percent in most topics but is weak in one or two subjects, that officer is required to view just the relevant tapes, followed by associated tests.</p><p>All officers, regardless of the amount of experience, review the healthcare-specific tapes and take the related tests for the specific subjects including use of force and restraint, workplace violence, disaster response, bloodborne pathogens, assertiveness without being rude, and hazardous materials. Also included in the orientation training phase are classes covering subjects such as pepper spray, patient restraint, defensive driving, and the hospital’s protective services policies.</p><p>Site-specific training. During site-specific training, officers learn what is entailed in handling specific security reports. The shift manager, shift officer-in-charge, or the training officer explains each of the reports and has the new employee fill out an example of each. Examples of reports covered in site-specific training include incident reports, accident reports, field interrogation reports, fire reports, motorist-assist forms, ticket books, safety-violation books, broken-key reports, work orders, bomb-threat reports, and evidence reports.</p><p>On-the-job training is also part of the site-specific training phase. The new employee works with a qualified security officer for a period of two to three weeks following the first week of orientation training with the departmental training officer. The new employee works through all of the various posts during this time. At least one week is spent in the command center. The site-specific phase of training culminates with both the security officer cadet training exam and the command center exam, which were also given in the original program.</p><p>Ongoing training. The ongoing training includes refresher training in which shift managers have their officers review selected films covering healthcare security and safety subjects. The training occurs during shift hours. The officers also receive annual refresher training covering topics such as using pepper spray and employing patient-restraint methods.</p><p>Another type of ongoing training, shift training, is conducted at least weekly. Managers conduct five-to ten-minute meetings during duty hours to refresh the security staff on certain subjects, such as customer service. These sessions are not designed to deal with complex topics. Managers can tie these sessions to issues that have come up on the shift.</p><p>Advanced training. Advanced training includes seminars, management courses, and sessions leading to professional designations and certifications. Qualified personnel are urged to attend seminars sponsored by several professional societies and groups such as ASIS International, the International Healthcare Association for Security and Safety, and Crime Prevention Specialists. Staff members are also encouraged to attain the Crime Prevention Specialist (CPS) certification, the Certified Protection Professional (CPP) designation, and the Certified Healthcare Protection Administrator (CHPA) certification.</p><p>Staff members are urged to pursue special interests by obtaining instructor certification such as in the use of pepper spray or the use of force. This encouragement has already paid off for the hospital. For example, the department’s security systems administrator has trained officers on each shift in how to exchange door lock cylinders, a task that would previously have required a contractor. Officers are currently being trained to troubleshoot and repair CCTV, access control systems, and fire alarm equipment problems.</p><p>Training methods. A special computer-based training program was developed to help quantify and track the success in each of the training modules. Additionally, a program was developed to present training subjects during shift changes.</p><p>Computer training. Security used off-the-shelf software to create computer-based training modules and included them in the site-specific training and ongoing training phases, both of which occur during shift hours. The training council tasked each shift with creating computer-based training modules for the various security officer assignments on the hospital’s main campus and off-campus sites. These training modules cover life safety, the research desk, the emergency department, exterior patrols, foot and vehicle patrols, and the command center.</p><p>The training council asked officers to participate in the creation of the computer-based training modules. The officers produced the training modules during their respective shifts when it did not interfere with other responsibilities.  </p><p>The group participation paid off. For example, the officers who created the command center and the emergency-department training modules not only spent several hours discussing what information should be included in the modules, but then allowed their creativity to flow by using the software to make these modules interactive. These particular modules include test questions of the material, and the program will respond appropriately to the employees as they answer the questions correctly or incorrectly. The volunteers also created tests for before and after an officer goes through each of the computer modules to track the effectiveness of the training.</p><p>Shift-change training. A major question with ongoing training is how to fit it into the officer’s routine. For most industries using shift work, difficulties arise when trying to carve out enough training time without creating overtime. The training council decided to take advantage of downtime that occurs as officers come to work ready for their shift to begin. They are required to show up six minutes before the shift. This time is now used for training.</p><p>The shift-change training is used to cover specific topics—already covered in some of the training phases—that can be easily encapsulated into a six-minute program. For example, some topics include departmental policies, radio communication procedures, command center refresher sessions, self-defense subjects, confronting hostile people, proper report writing, and temporary restraint training. By implementing the shift-change training sessions on a weekly basis, the department created an additional five hours of training per year for each officer.</p><p>One of the security supervisors created a six-minute training binder to house all of the lesson plans. Each shift supervisor uses the same lesson plan so that the training is consistent across the shifts. As with all other training, the before-and-after tests are given to quantitatively document changes in subject knowledge or skills.</p><p>Results. After implementing the training program, the training council wanted to check the initial results to see whether the training was effective. There were numerous quantifiable measurements that the council could use to evaluate the new training program, such as tracking the rate of disciplinary actions from the previous year to the current year. However, since the council desired to have a quick assessment of the training program changes, it decided to compare the after-training test scores to the before-training test scores for the computer-based training modules as well as the scores of the six-minute training tests. </p><p>To the council’s surprise, the initial tabulated scores resulted in an average before-training test score of 93 percent and an after-training test score of 95 percent. The council also found in many of the officers’ tests that they missed the same questions on both the before and after tests.</p><p>Based on these results, the council decided to make several changes. First, the test questions were reviewed and tougher questions were added. Based on the preliminary test score, the council felt that the questions were not challenging enough and might not indicate how competent the officers were with the subject matter. </p><p>The training council assigned each shift the task of revising the tests for their computer-based training modules as well as the six-minute training tests. The goal was to make the tests more challenging and to obtain more accurate assessments of the effectiveness of the training program. </p><p>The training council also reviewed how the different shifts were conducting the six-minute lessons. Managers noted that the shifts initially followed the schedule of the six-minute subjects from week to week, but then they began to conduct their own lessons without an accepted lesson plan or to forgo training altogether. </p><p>To avoid this problem, the training council determined that the training program needed to be more structured. The group created a schedule to indicate which class would be covered each week. One of the shift supervisors volunteered to take over the six-minute training program and formally structure it so that each shift would conduct training in a consistent manner.</p><p>The training council has plans to further hone the training program in the near future. The council plans to analyze the program us­ing other quantitative evaluative instruments such as an employee survey and a comparison of disciplinary action data from previous years. </p><p>In battle, it is said that an army fights as it has trained. Thus, commanders know the value of training. In the businessworld, though the stakes are different, training is no less critical to the success of the mission.</p><p>Ronald J. Morris, CPP, is senior director of protective services at Cincinnati Children’s Hospital Medical Center. Dan Yaross, CPP, is manager of protective services. Colleen McGuire, CPS (crime prevention specialist), is sergeant of protective services. Both Morris and Yaross are members of ASIS International.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Dirty Secret of Drug Diversion<p>​Controlled substances were going missing at Hennepin County Medical Center (HCMC), and the hospital’s security investigator, William Leon, was determined to get to the bottom of it. So, at 11 p.m. on a Friday, Leon settled in for a night of observation at the Level I trauma center in Minneapolis, Minnesota. He kept a trained eye on one registered nurse who was suspected of stealing hydromorphone, an opioid pain medication, for her personal use.</p><p>HCMC has cameras set up in the medication room to monitor controlled substances, and Leon watched as the nurse began gathering prescribed medication for a patient in the emergency department. The process, called wasting, requires the healthcare worker to take a fresh vial or syringe full of medication and then dispose of the excess, leaving only the correct dosage—all with a witness present. Leon observed the nurse dispense a syringe of hydromorphone from the medicine cabinet, and, while a fellow nurse was signing off on the withdrawal, she placed the syringe in her pocket and pulled out an identical syringe, which Leon later learned contained saline. The nurse held up the saline syringe and wasted the required amount, tricking her fellow nurse, and left the room.</p><p>At this point, Leon knew exactly what was going on, and watched with increasing alarm as the nurse headed to a patient’s room in the orthopedic area of the hospital. “In that area, I knew immediately, this patient could have a broken bone—they were in intense pain and requiring this medication,” Leon says. “I see a lot of doctors standing around and I’m thinking ‘uh oh, this patient is going to get saline.’”</p><p>Leon raced to the room and saw that the doctors had given the patient the saline the nurse had brought up. “The patient was still screaming in pain and the doctor was frantically asking the nurse, ‘Are you sure you got the right dosage? Are you sure it was hydromorphone?’ and she was insisting she had,” Leon says. He called the doctor and the nurse into the hall and explained that the patient had just gotten saline and still needed the proper pain medication because the nurse had diverted the hydromorphone in the medication room. The doctor went to properly treat the patient and Leon called the nurse manager and the local sheriff’s detective in to begin an official investigation into the nurse’s actions.</p><p>Drug diversion in the United States is a nebulous problem that is widespread but rarely discussed, experts say. Whether in manufacturing plants, retail pharmacies, hospitals, or long-term care facilities, healthcare workers are stealing drugs—typically for their own personal use—and putting themselves, patients, and coworkers at risk. </p><p>“I hate to tell you, but if you have controlled substances and dispense narcotics, you’ve got diversion going on,” says Cherie Mitchell, president of drug diversion software company HelioMetrics. “It’s just a question of whether you know it or not.”</p><p>The scope and frequency of drug diversion is almost impossible to grasp, due in large part to how diversion cases are addressed. A facility that identifies a diversion problem might bring in any combination of players, from private investigators and local law enforcement to state accreditation boards or the U.S. Drug Enforcement Agency (DEA). There is no overarching agency or organization that records every instance of drug diversion in the United States.</p><p>Controlled substance management is dictated by a number of laws, including the U.S. Controlled Substances Act of 1971, which classifies substances based on how they are used and the potential for abuse. It also dictates how the substances are dispensed, and a facility may be fined if it does not comply. </p><p>The closest estimates of drug diversion rates come from people or organizations who dig up the numbers themselves. The Associated Press used government-obtained data in its investigations on drug diversion at U.S. Department of Veterans Affairs (VA) medical centers. Reported incidents of diversion at about 1,200 VA facilities jumped from 272 in 2009 to 2,926 in 2015, the data revealed, and the VA inspector general has opened more than 100 criminal investigations since last October. John Burke, president of the International Health Facility Diversion Association, extrapolated data he obtained from facilities in Ohio to estimate the presence of 37,000 diverters in healthcare facilities across the country each year. </p><p>Mitchell points out that any statistic derived from officially collected data still wouldn’t accurately reflect the extent of drug diversion in the United States. “There’s a lot of people investigators really suspected were diverters but had to be chalked up to sloppy practice due to a lack of concrete evidence, so any statistic is talking about known diverters who are fired for diversion,” she tells <i>Security Management</i>. “Even if you did have a statistic, it would be off because how do you incorporate those so-called sloppy practicers, or diverters who thought they were about to get caught so they quit on you and left? No matter what number you come to, it’s probably bigger in reality.”​</p><h4>Addiction and Diversion</h4><p>Although more people are paying attention to drug diversion due to recent high-profile cases and the current opioid epidemic in the United States, experts say they have been dealing with the same problems their entire careers. </p><p>“I can personally tell you that I dealt with the same issues 15 or 20 years ago that the healthcare arena is facing today, specifically in the drug abuse and diversion by their own hospital healthcare employees,” says Charlie Cichon, executive director of the National Association of Drug Diversion Investigators (NADDI) and a member of the ASIS International Pharmaceutical Security Council. “There are different drugs today, of course, than there were 20 years ago.”</p><p>Susan Hayes has been a private detective for healthcare facilities for more than a decade and says the opioid epidemic has magnified the drug diversion problem in recent years. “The opioid addiction in America has lit my practice on fire,” she says.</p><p>It’s no secret that opioid addiction has reached epidemic levels in the United States. In 2010, hydrocodone prescriptions were filled 131.2 million times at retail pharmacies alone, making it the most commonly prescribed medication, according to the Mayo Clinic. However, those are just the numbers that were legally prescribed—about 75 percent of people who take opioids recreationally get them from a friend or family member. According to the U.S. Centers for Disease Control and Prevention (CDC), approximately 52 people in the United States die every day from overdosing on prescription painkillers.</p><p>Healthcare workers are not immune to the draw of opioids. In fact, up to 15 percent of healthcare workers are addicted to drugs or alcohol, compared to 8 percent of the general population, according to the Mayo Clinic. </p><p>“Healthcare providers are in very stressful jobs,” Hayes says. “They all have problems. Nurses have emotional attachments to patients that they see die. Even orderlies have very stressful physical jobs, they’re lifting patients. Pharmacists can make mistakes that mean life or death. You have people that are already in very stressful situations, and now you give them access to drugs…. I think the combination is almost deadly.”</p><p>While a bottle of 30mg oxycodone tablets can sell on the street for up to 12 times its price in the pharmacy, most drug diverters are addicts using the drugs themselves. Because of this, diversion shouldn’t be considered just a security concern but a patient safety concern, Cichon says. He references several high-profile diversion cases in which the diverters used the same syringe full of medicine on both themselves and their patients, spreading bacterial infections and hepatitis. In one especially egregious case, a traveling medical technician with hepatitis C would inject himself with his patients’ fentanyl and refill the same syringe with saline, ultimately spreading the virus to at least 30 people in two states.</p><p>Unfortunately, experts acknowledge that most diverters don’t get caught until they have been diverting for so long they start to get sloppy. “The people who are your real problem are the people who are hiding in the weeds, not doing enough to get caught, and those are the ones you want to find,” Mitchell says. “The people they are finding now are the people that have the needle in their arm or somebody has reported them. You want to try to find them before that.”​</p><h4>Out of the Loop</h4><p>Hayes details the path of drugs through a hospital: a pharmacy technician orders the medication from a wholesaler, who will deliver them to the hospital pharmacy. The drugs are sorted and stocked in the pharmacy, where they will remain until they are brought up to the patient floors and stored in various types of locking medicine cabinets. When a patient needs medication, a nurse goes to the medicine cabinet and dispenses the drug for the patient. </p><p>Another ASIS International Pharmaceutical Council member—Matthew Murphy, president of Pharma Compliance Group and former DEA special agent—describes this as the closed loop of distribution. “Once a drug is outside of the closed loop, when it gets dispensed from a pharmacy or administered by a doctor, it’s no longer in the purview of DEA rules and regulations,” he explains. Drugs are most likely to be diverted during those times when they are in transit or exchanging hands, outside of the closed loop.</p><p><strong>Wholesalers.</strong> When fulfilling a pharmacy’s request for medication, wholesalers have just as much of a responsibility to notice if something is amiss as the pharmacy does. Whether it’s a retail pharmacy or a hospital pharmacy, wholesalers are responsible for cutting them off if they start to request unusually high amounts of opioids. </p><p>In 2013, retail pharmacy chain Walgreens was charged $80 million—the largest fine in the history of the U.S. Controlled Substances Act—after committing record-keeping and dispensing violations that allowed millions of doses of controlled substances to enter the black market. Cardinal Health, Walgreens’ supplier, was charged $34 million for failing to report suspicious sales of painkillers. One pharmacy in Florida went from ordering 95,800 pills in 2009 to 2.2 million pills in 2011, according to the DEA. </p><p>Hayes says the fine against the wholesaler was a wake-up call, and now suppliers use algorithms to identify unusual spikes in orders of opiates. Wholesalers can even stop the flow of medication to pharmacies if they believe diversion is occurring—which can be disastrous to a trauma center, Hayes notes.</p><p><strong>Pharmacies.</strong> To restock the shelves, pharmacy technicians compile lists of what medications they are low on to send to the wholesalers at the end of each day. Hayes notes that many pharmacies do not conduct a retroactive analysis on what is being purchased—which is why wholesalers must pay attention to any unusual changes in orders. She stresses the importance of constantly mixing up the personnel who order and stock medications. </p><p>“If you’re both ordering and putting away drugs, that’s a bad thing because you can order six bottles when you only need five and keep one for yourself,” Hayes notes. </p><p>Similarly, it is important to rotate who delivers the drugs to the patient floors. “John the technician has been taking the drugs up to the floors for the last 20 years,” Hayes says. “Well gee, did you ever notice that John drives a Mercedes and has two boats and a house on Long Island? He makes $40,000 a year, did you ever do any investigation into why?”</p><p><strong>On the floor. </strong>Experts agree that the most egregious diversion occurs during the wasting and dispensing process in scenarios similar to the incident Leon witnessed at HCMC. Mitchell explains that all hospitals have different wasting procedures—some require nurses to waste the medication immediately, before they even leave the medication rooms, while others may have a 20-minute window. Other hospitals may prohibit nurses from carrying medication in their pockets to prevent theft or switching. ​</p><h4>Investigations</h4><p>Any company involved with controlled substances, whether manufacturing, distributing, or dispensing, must be registered with the DEA and must adhere to certain rules and regulations—which aren’t always easy to follow.</p><p>Murphy, who worked for the DEA for 25 years, now helps companies follow mandates he calls “vague and difficult to interpret.” For example, DEA requires anyone carrying controlled substances to report “the theft or significant loss of any controlled substance within one business day of discovery.”</p><p>“This hospital had 13 vials of morphine that ‘went missing’ and someone called me in to find out why,” Hayes says. “They asked me, ‘Are 13 vials substantial or not? Do I really need to fill out the form?’ I counsel them on what’s substantial because the language is very loose.”</p><p>Depending on the frequency or significance of these or similar forms, the DEA may open an investigation, Murphy explains. “DEA will look at these recordkeeping forms and determine if in fact everything has been filled out correctly, that they have been keeping good records,” he says. “If DEA determines that they are lax or have not been adhering to requirements, there could be anything from a fine to a letter of admonition requiring corrective actions.” In more serious cases, DEA could revoke the registration because the activity or behavior was so egregious that it was determined that the facility is not responsible enough, Murphy explains. If a facility loses its DEA registration, it cannot dispense controlled substances.</p><p>However, DEA does not get involved in every suspected case of diversion. “There are only so many DEA diversion investigators, so they have to prioritize what they get involved with,” Murphy says. “It has to be pretty egregious for them to get involved to seek a revocation or fine.”</p><p>That’s where people like Hayes come in. “They want me to come in instead of DEA or law enforcement,” she explains. “I’m a private citizen, I understand law enforcement procedures, and I can help them get at the root of the problem before they call in law enforcement.” </p><p>After an investigation into a diverter is opened, it is unclear what happens to the offender. Hayes says that she typically gathers evidence and gets a confession from diverters, at which point her client calls in law enforcement to arrest them. Leon, who was in charge of diversion in­vest­igations at HCMC for 20 years before becoming a consultant for HelioMetrics, was able to investigate but not interview suspected diverters. He tells <em>Security Management</em> that he would call in a sheriff’s detective to interview the suspect.</p><p>Although most diverters are fired when their actions are discovered, they are not always arrested—it’s often at the discretion of their employer. Depending on the diverter’s role, state accreditation boards—such as those that license nurses and pharmacists—would be notified and could potentially conduct their own investigations. </p><p>Cichon cautions that some hospitals hoping to avoid bad press and DEA scrutiny may look for loopholes. “We found out through the course of investigations that if someone resigns and was not sanctioned it may not be a reportable action,” he says. “If we allow this person to resign rather than take action against him, then we don’t have to report it.”</p><p>Murphy notes that DEA typically has no role in individual cases of diversion. “If the diverter has a license from one of those state agencies, usually it’s required that they be reported, and then it’s up to the board how they proceed with the personal license of the individual,” he says. The DEA doesn’t regulate the personnel—that’s up to the state and the facility. </p><p>Cichon notes that the lack of standards when addressing diversion makes it more likely that offenders could slip through the cracks and move on to continue diverting drugs at another facility. “Unfortunately, there are different laws and statutes in every state that set up some sort of reporting requirements,” he says. “There are medical boards, nursing boards, pharmacy boards, and not every worker even falls under some sort of licensing board for that state.” ​</p><h4>Staying Ahead</h4><p>Due to the stigma of discovering diverters on staff, many hospitals just aren’t preparing themselves to address the problem proactively, Cichon explains.</p><p>“This is something that is probably happening but we’re not finding it,” he says. “The statistics I’ve seen at hospitals that are being proactive and looking at this are finding at least one person a month who is diverting drugs in their facility. If a 300-bed hospital is finding one person a month, and Hospital B has the same amount of staff and beds and is finding nothing…”</p><p>NADDI has been providing training for hospitals to develop antidiversion policies. Cichon notes that many hospitals throughout the country have no plan in place to actively look for diverters. “As big as the issue is, many of them are still just not being that proactive in looking at the possibility that this is happening in their facility.”</p><p>Cichon encourages a team approach to diversion that acknowledges diversion as a real threat. “Not just security personnel should be involved with the diversion aspect,” he says. “Human resources, pharmacy personnel, security, everyone is being brought into this investigation, because the bigger picture is patient safety. The diverting healthcare worker typically isn’t one who’s going to be selling or diverting his or her drugs on the street, but they are abusing the drugs while they are working.”</p><p>Leon worked hard on diversion prevention at HCMC after discovering a surprising pattern: almost all of the diverters he investigated wanted to be caught. “What got me on this path of prevention was observing the nurses as they would admit to what they did,” he explains. “More often than not the nurses would say, ‘I wanted somebody to stop me. I needed help, didn’t know how to ask for it, and I was hoping somebody would stop me.’ That’s pretty powerful when you’re sitting there listening to this on a consistent basis.”</p><p>Leon implemented mandatory annual training for everyone in the hospital—from food service workers to surgeons—to recognize the warning signs of drug diversion. “If a nurse or anesthesiologist or physician is speaking with you and telling you they are having these issues, then you should say something,” Leon explains. “It’s not doing the wrong thing—you’re helping them, and that’s the message we sent out. Look, these individuals are not bad individuals. Something happened in their lives that led them down this path.”</p><p>Leon also had cameras installed throughout the hospital that allowed him to observe diversion but also kept his investigations accurate. “We had a nurse who was highly suspected of diverting,” he says. “With the cameras I was able to show that she wasn’t diverting, just being sloppy. The employees appreciated the cameras because it showed they weren’t diverting medication, they just made a mistake.”</p><p>Over time, HCMC personnel became more comfortable coming forward with concerns about their coworkers. Before the facility started the annual training, Leon caught at least one diverter a month. Before he retired, he says, that number had dropped to one or two a year.</p><p>“The success of our program at HCMC was the fact that we paid more attention to educating rather than investigating,” Leon says. “You have to keep those investigative skills up, but you have to spend equal amount of time on prevention and awareness.”</p><p>Mitchell points to algorithmic software that can identify a potential diverter long before their peers could. Taking data such as medicine cabinet access, shift hours, time to waste, and departmental access allows software to identify anomalies, such as a nurse whose time to waste is often high, or a doctor who accesses patients’ files after they have been discharged. </p><p>“Most people are using the logs from the medicine cabinets trying to do statistical analysis,” Mitchell explains. “You find out 60 days or six months later, or you don’t see that pattern emerge by just using one or two data sets. That doesn’t help. The goal is to identify these people as quickly as possible so they are no longer a risk to themselves or the patients or anyone they work with.”</p><p>Murphy encourages facilities to be in full DEA compliance to mitigate diversion. “If somebody wants to steal or becomes addicted, they are going to find a way to do it, and sooner or later they are going to get caught, but then there’s a problem because the hospital has to work backwards to determine how much was stolen and reconcile all that,” he says. He also notes the importance of following up internally on each diversion case and figuring out what went wrong, and adjusting procedures to address any lapses. </p><p>“Every entity that has a DEA program should have diversion protocols in place because if they don’t they are playing Russian roulette with theft and loss and their DEA registration,” Murphy says.  ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 After Paris<p>​<span style="line-height:1.5em;">When a disaster occurs, crisis and continuity plans are thrown into flux, no matter how soundly they have been written or practiced by a business. In the case of a terror attack, the added stress of violence and shock pose serious challenges for companies as they scramble to ensure that employees are safe. And on many unfortunate occasions, employees must deal with the painful loss of coworkers and friends. </span></p><p>Such was the case for many businesses around the globe during the events of November 13, 2015, in Paris, France. A staggering 130 people lost their lives in a series of gun and bombing attacks around the city, and hundreds of others were wounded. All 11 attackers were operating under loyalty to the Islamic State of Iraq and Syria (ISIS). It was Europe’s worst terror attack in 11 years. </p><p>Parisian businesses and companies operating in France faced a monumental challenge in the wake of the events, and had many more questions than answers. When should they reopen? Should they ban travel? How should they handle executives who were traveling abroad? Did they need to hire more security officers? How should they communicate with stakeholders and the media?</p><p>The following is an inside look at what companies in Paris did after the attacks to resume business as usual. Then, experts relate how businesses can apply best practices when building and activating crisis and continuity plans. ​</p><h4>Response</h4><p>The impact of the attacks in France were far-reaching, but Parisian businesses faced a unique struggle in the wake of so much bloodshed. The events took place on a Friday, which gave some companies a small window to get their bearings. But the question of how to carry on with business as usual in spite of the disruptions loomed large. </p><p>Nicolas Le Saux, CPP, chair of the ASIS European Advisory Council, tells Security Management that security representatives from some of those companies came together after the deadly attacks to plan and discuss business continuity. </p><p>He says that when various parties reached out to the ASIS council for advice on business continuity, a lightbulb went off. “We realized over that weekend—actually Saturday—that we lacked information on how to restore business as usual,” according to Le Saux, who is also an ASIS regional vice president. “So we started to talk to each other….if you do it the right way and you share good ideas, best practices, you might be able to get things moving back on track more rapidly.” </p><p>Council members began conducting weekly conference calls to address the vast array of challenges companies faced in restoring continuity. Participants included ASIS chapter representatives, members of the CSO Roundtable, and various security professionals from around the United Kingdom and other parts of Europe. The first call, which took place just days after the attacks, brought in 40 participants. Some calls included representatives from law enforcement and the French Minister of the Interior.  </p><p>“Everyone was trying to establish what the other businesses were doing,” says Le Saux. “Should they ban international travel, should they send their American staff back home? We realized that every one of us needed to know what the other was doing.” </p><p>Le Saux, who is a past chair of the ASIS France Chapter, explains that if a security executive pleads a case to the CEO on his own, that’s one thing. However, “It’s very different if you say, ‘I had a conference call this weekend, and this is the same positon that all the other organizations in Paris are taking.’ That worked very well,” he notes.</p><p>For example, banks were not sure whether it would be appropriate to reopen the first business day after the attacks, which would be a Monday. While all decided to remain closed Monday, there was discussion on whether to reopen on Tuesday. Two CSOs from major French banks were on the call, and they together made the decision to begin conducting business again on Tuesday. “Because they reopened, every other bank reopened as well,” Le Saux notes. “This is the power of the idea that, if you have five big banks and two of them decide to reopen on Tuesday, the others will follow suit.” </p><p>The question of outfitting security guards with bulletproof vests was also raised, especially since businesses were being contacted left and right about these quick-fix solutions. “What you get after a crisis like this is everybody and his dog trying to peddle stuff to security providers,” Le Saux points out. After much discussion, participants decided against outfitting security with such vests because they might make patrons and other staff members anxious. </p><p>Many businesses were also considering hiring additional security staff. In France, security personnel have to obtain special licensing from the state, which makes it costly for the organization bringing them on. </p><p>Le Saux says that members of the nation’s licensing board were actually on the call during the guard discussion, and they pointed out that there were a limited number of guards available, far fewer than would be required for full staffing. “Rather than putting pressure on security firms to get more guards, running the risk of obtaining unlicensed people and, therefore, poor security or even worse, we were able to convince members on the call to take a different approach.” </p><p>Participants on the call suggested sealing off multiple entrances to a business and placing more security personnel at the door or doors they decided to keep open. </p><p>“Because we were able to talk among ourselves, especially those working in the defense industry who had a lot of pressure from their managers to implement that kind of idea, they were able to come back to their bosses and say ‘look, we had this conference call over the weekend and we did a canvas of these 40 security managers and CSOs and we all think it’s a bad idea, and here are the reasons why.’”</p><p>Interest in these information-sharing sessions has only been growing. Security executives from the United Kingdom invited Le Saux to participate in a session in early December put on by London First, a nonprofit organization for business leaders. They discussed the impact of the French attacks on businesses across Europe, and Le Saux says that after the session he was flooded with requests from people wanting to participate in the weekly calls. </p><p>“It’s extremely rare [in Europe] to share information, especially for security,” he says, “and that’s probably one of the outcomes from this tragedy, it’s actually forcing people to mutualize and cooperate….We have to stick together, and cut time and costs if we can, to be able to face the challenge.” ​</p><h4>Planning</h4><p>Like many of those on the conference calls, businesses in Paris found themselves activating their crisis communications plans after the attacks. In a statement, Disneyland Paris announced it was temporarily closing “in light of the recent tragic events in France and in support of our community and the victims of these horrendous attacks.” Similarly, the Eiffel Tower announced it would remain closed the Saturday after the massacre. The Louvre said it planned to reopen Saturday with additional security, but the French Ministry of Culture ordered it to remain closed to observe a national day of mourning. </p><p>“It’s amazing how an event like [Paris] exposes your continuity planning vulnerabilities,” says Dr. Robert Chandler, a crisis communications expert who has authored several books on the topic, and is professor of communications at Lipscomb University in Nashville. “It’s all the little details that it’s hard to think about until you’re right in the middle of it and you look at the confusion, the questions that people have.” </p><p>Chandler’s advice to companies: plan for an entire lifecycle of a disruption, from the first time news of the event is received to anywhere from a few days to a few weeks later. This applies to crisis planning, communications, and business continuity practices. “So whether you’re running a corner bakery or a major international amusement park, the question is, are you prepared to keep all of this stuff as coordinated as you possibly can to manage the disruption, and address the uncertainty and anxiety among all of your target audiences?”</p><p><strong>Communication. </strong>Issues surrounding communication arise in everyday business practices, Chandler points out, even among well-meaning individuals. So those problems are only amplified by a crisis. “Even in the best of times we have misunderstandings,” he says. “Throw in a little bit of fear, a little bit of adrenaline, a little bit of active-gunman panic and, poof, now I’m misunderstanding everything, I’m not even focused, I’m not hearing what you’re saying.”</p><p>Chandler, who studies the effects of stress and hyper-stress on the human brain, explains that cognitive capabilities become narrowed in a crisis, making everything harder to manage. And on top of that, he says the actual communication method affects how messages are perceived and acted upon by the recipient. “Your actual decisions are different depending on the modality, the duration, and the preparedness you have to communicate,” he notes. For example, sending an e-mail may be the best method to communicate with executives who tend to be near their desktop throughout the day, but phone calls could be better suited for lower-level employees who are more mobile. “You have personnel who are probably out and about, you have grounds crews, you have people in business meetings,” says Chandler. “Reaching people and getting them to pay attention to a message will vary based on where they are…whether they’re high-mobility or low-mobility employees.” </p><p>Businesses can plan for the types of messaging they want to use and map out a framework for disseminating that information beforehand. He recommends planning for both “push” and “pull” communications. “Push communications capabilities are your ability to reach out and tag and touch and communicate with someone,” says Chandler. A mass-notification application that sends a text message, e-mail, or automated phone message is an example of push communication. </p><p>On the other hand, a pull communication is when stakeholders can obtain information on their own volition. These pull communications are planned in advance, and can go live on a website in the event of an emergency. An 800 number can be available for callers to access information, for example. Having both push and pull communications that are well-planned in advance is a critical step for communicating with employees, vendors, suppliers, and other stakeholders.  </p><p>When writing any crisis communication messages, Chandler recommends applying the 3-3-30 rule: three short sentences that convey three key messages in 30 words or less. “You might not write it down to the granular, but you should have talking points,” he notes. </p><p><strong>Contingency planning.</strong> In the event of a major disruption, basic but important questions arise from employees directly or indirectly affected by the incident. Chandler, who was in Europe for a series of conferences during the Paris attacks, experienced this with many of the clients and coworkers he was in contact with. “The questions people were literally asking,” Chandler notes, “were ‘If I can’t go to this meeting, do I go to my normal shift, do I go home? And if I go home, do I get paid?’ I know this sounds like a minor issue in the middle of a catastrophe, and I don’t want to downplay that—but they were real questions.”</p><p>He says that business contingency plans should start with the company’s employees—where employees should report to work, how they report to work, and the best way to adjust their schedules and shifts. Having an alternative site where mission critical operations can be conducted is also crucial. </p><p>Next there should be plans in place for dealing with inventory if shipments or deliveries are disrupted. Again, he emphasizes that effective communication plans are critical in all of these scenarios. “You can have the most brilliant inventory supply chain management policy that’s ever been invented,” Chandler notes. “But if you can’t talk to anybody or let them know or activate them or reroute them…you’re not really managing the event.” </p><p>In the case of the Paris attacks, it became critical for U.S. companies to pay attention to messages coming from embassies and agencies like the U.S. Department of State, says Tom Blank, a former acting administrator of the U.S. Transportation Security Administration and now a consultant at Gephardt Government Affairs.</p><p>He adds that having secure transport available for executives may be advisable in the event of an emergency. “Traveling executives should have drivers that are arranged by their security consultants, and reliable vehicles that should be checked, [so they don’t have to] rely on local taxis or local transportation vendors.” </p><p>Blank notes that establishing a relationship with a local security consulting firm, one that is knowledgeable about the economic, political, and cultural climate, can help companies prepare for unexpected incidents. “In one part we’re talking about resilience, which is getting back to normal as a way of defeating or thwarting the bad guys, but the other side of the coin is preparation,” he says.</p><p>A system should also be in place for employees to be accounted for in a timely manner. “Recovery has to be built into your emergency plans,” says Dr. Michael J. Fagel, a crisis management expert and editor of Crisis Management and Emergency Planning: Preparing for Today’s Challenges. “Whether it’s repatriation, or maybe a toll free number where people call you and you say, ‘I’m okay I’m home now’…. It’s a networking system where you are able to escape and report back to security managers.” </p><p><strong>The media.</strong> The death of an employee is a company’s worst scenario, and having to discuss it publicly with the media is tricky and sensitive. After the Paris attacks, several organizations found themselves with just this daunting task. </p><p>The first step in dealing with the media on such sensitive topics is understanding your audience, Chandler says. If employees are hurt or killed, he recommends concentrating on common sensibilities: focus on the people involved, focus on the consequences, and express both sympathy and empathy for those involved. “The way you talk to the media should come from your own sense of values,” he says. “That this is not a pretend thing, but that you genuinely feel compassion.” </p><p>He adds that such statements should say what the company is doing in response, why they’re doing it, and that they are committed to seeing those tasks through. He emphasizes that media statements are not the place to start shifting the blame. “When the Gulf oil spill happened, nobody cared that BP was blaming a subcontractor and who the subcontractor was blaming—people just wanted to know what’s being done to fix the leaking oil and who’s taking responsibility.” </p><p>In the case of any incident, businesses should carefully adhere to policies, laws, and regulations when divulging information to the media. Still, they can use those opportunities to stay on message. For example, under healthcare privacy laws hospitals can’t always share specific information on patient conditions. “If a reporter asks about a specific patient’s condition, a hospital can say, ‘federal law says I can’t tell you this, but let me tell you what we do for patients in our hospital,’ and you get back to your messaging.” </p><p>On alert. Ultimately security managers must plan for the worst, says Fagel, because there is no silver bullet for stopping attacks on a place of business. “I do not have an answer on how to prevent these types of attacks—I just don’t know,” he concedes. </p><p>He emphasizes the importance of moving swiftly when an emergency does occur. “The key is early notification. Whatever the event might be, as soon as one of your people finds out that there’s something untoward going on, they need to activate the emergency plan,” he says. “And the emergency plan can be the phone call, it can be the notification, but what it needs to do is invoke the emergency plan itself.” </p><p>And all the preparation that goes into crisis planning is only effective if the plans are well practiced. “Your plans will fail if they’re not practiced, and they will fail if they’re not bought into by all the people at your organization,” says Fagel. “If you don’t practice, plan, and prepare, the system will fail.”  ​</p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465