Fast and Reliable Communication Key to Effective Security Incident Management

The key to having an effective system of security incident management in a healthcare environment is having a fast and reliable system of communication.

Healthcare facilities are exposed to many different security threats which can vary according to the facility’s location and the nature of services provided. For example, a healthcare facility in Florida is more likely to be exposed to threats attributable to extreme weather than a healthcare facility in California, but the opposite would apply if we were discussing threats attributable to wild fires. Similarly, a maternity hospital is at greater risk of a child abduction than a facility specializing in mental health, but less likely to experience physical assaults on healthcare professionals.

To complicate the issue, security incidents can originate from both inside and outside a healthcare facility. The theft of hospital equipment and medical suppliers can be equally attributed to employees as to external actors and hospital visitors. Data breaches – although usually associated with cybercriminals – can be attributed to the deliberate or negligent actions of an employee; and even physical assaults are not exclusively “external actor on healthcare worker” events. One study in 2015 found a high prevalence of incidents in which both the perpetrator and victim were employed by the healthcare facility.

Security Incident Management and the CMS’ Emergency Preparedness Plan

In addition to the unique challenges faced by each healthcare facility, those in receipt of payments from the Centers for Medicare and Medicaid Services (CMS) also have to comply with the CMS’ Emergency Preparedness Plan. The objective of the Emergency Preparedness Plan is to prepare healthcare facilities for incidents that might affect not only its own operations and employees’ wellbeing, but that may also have an impact on the surrounding community and neighboring healthcare facilities who may be unable to cope with an increase in demand.

Around 85 percent of healthcare facilities in the U.S. receive Medicare or Medicaid funding, and therefore the majority of healthcare facilities have to comply with CMS regulations. With regard to security incident management for events not covered by CMS’ Emergency Preparedness Plan (i.e. active assailants and child abductions), it can be beneficial to follow the CMS’ “Four Core Elements of Emergency Planning” –

  • Conduct a risk assessment to identify potential security incidents, take steps to reduce their likelihood, and plan how the facility will respond to and recover from an incident.
  • Develop a communications plan to initially alert personnel, security, and outside agencies to the incident, and then ensure a collaborative emergency response to the incident.
  • Establish policies to address issues found in the risk assessment, and establish primary and secondary lines of communication for security incident management.
  • Train every individual likely to be involved in a security incident so they are aware of what their responsibilities are and what actions they should take.

Communication a Common Theme in Security Incident Management Planning

Throughout the CMS’ Emergency Preparedness Rule and security incident management planning, there is a great deal of focus on communication. How will alerts be raised? Whose responsibility will it be to alert emergency services, or state and local emergency managers? How will orders to take cover, evacuate, or search and rescue be given? How will it be possible to manage a security incident if primary lines of communication are inoperable? How will the facility communicate with neighboring facilities if it exceeds its surge capacity?

To address these issues, many healthcare facilities are adopting communication solutions based on mobile technology. Systems that integrate mobile panic buttons with mass notification systems and web-based incident command centers generally have fast and reliable two-way multi-modal communication capabilities in order to raise situational awareness. Not only can the solutions be used to quickly raise alerts when a security incident occurs, but their speed and redundancy facilitates more effective security incident management.

Mobile-based solutions have a number of advantages for security incident management inasmuch as most end-users are familiar with the technology, there is minimal investment required (as most end-users simply download apps onto their existing mobile devices), and the systems are compatible with web-based Emergency Operations Centers (i.e. FEMA’s WebEOC). It is also simpler to train individuals about their responsibilities and what actions they should take when the training is conducted via personal mobile devices.