Issue link: https://securitytechnologyexecutive.epubxp.com/i/282968
31 SECURITY TECHNOLOGY EXECUTIVE • February/March 2014 www.SecurityInfoWatch.com place proper mitigation strategies." Foreman: " The most challenging issue in information security is in not knowing what you don't know. After all, you can't develop controls to cover your blind spots if you don't know that the risks exist." Scott: "In the current heath care environ- ment we are seeing mergers and re-alignments with many health care systems. As these new entities move forward together, the disparity of security technology systems requires constant assessment and adjustment. As we approach each new opportunity, we have to continually refine the desired end result. Reviewing varied processes and procedures and ensuring a uni- form approach to risk assessment and security process management are the initiatives that are always on my mind." Romagnoli: "The safety of our employees, guests and visitors. The recent increase in seri- ous workplace violence issues, specifically active shooter scenarios is of great concern. After 34 years in law enforcement and security I am hard pressed to explain this unfortunate phenom- enon. With that being said, we have rolled out an employee education program which in part, explain to the employee what he or she needs to due in such an event. In addition we are pilot- ing visitor control systems in our facilities so we have the opportunity to screen visitors." STE: What is your number one security and/ or risk management issue you envision for 2014 and how to you plan to approach it? Foreman: "Passwords still represent a weak- ness in the overall information infrastructure. Passwords can be guessed, cracked, or social engi- neered. Two-factor authentication represents potential risk mitigation, but many people find these solutions inconvenient. We are investigating alternative solutions to address this risk including risk based and location based authentication." Scott: "For the healthcare setting I believe that the number of workplace violence incidents will continue to rise. These increases can be attributed to many things. Incidents of patient violence against staff may have gone unreported in the past. The rationale for the erroneous or omission of reporting past incidents includes that the violence was seen as a "part of the job". The victim may have also felt embarrassed to report any incidents for fear that they would be perceived as not controlling their patient. An increase in the number of Mental Health Mental Retardation (MHMR) patients being treated due to economic conditions, drug abuse, and the general aging of the overall population. Government programs that were handling many of the MHMR patients have had cost cutbacks or elimination of programs. From 2009 to 2011 alone, cutbacks exceeded 4 billion dollars. These cutbacks oftentimes force the MHMR patient to utilize the Emergency Room as their primary care portal. The past decades specialization of disease treat- ment methods fosters an environment of "silos" where the different hospital specialties and dis- ciplines utilize a communication method or ver- nacular that is specific to their site (or even within their unit). This type of environment creates a communication gap that hinders the true reporting of incidents and hinders the processes needed to manage workplace violence. It is imperative that we reach out to these varied disciplines." Romagnoli: "The safeguarding of patient and employee database information {is a big concern}. Hospitals and healthcare systems, by the nature of the business hold a tremendous amount of a person's personal and financial information, as required by the government agencies that regu- late this industry. Although we have a robust IT security team, and breaches are virtually nonexis- tent -- though attempts occur frequently, the safe- guarding of hard copy data has become a focus of our security awareness and education programs. While we are steadily moving to an electronic health record, paper will never be totally elimi- nated. The theft of those hard copy files has been on the rise and we have been victimized through the theft of that data. Our investigative division has been quick to identify the perpetrators and we enjoy an excellent working relationship with law enforcement and prosecutors" Bellino: "Workplace violence and active shoot- er situations {are our biggest concerns}. We are establishing active shooter policy and procedures, training, and then exercising the plan/procedure. I will use a similar approach that I used at my last employer. We will assemble a multidisciplinary team from across the health system. Together we will craft a policy and procedure over a set period of time with established milestones. The policy/pro- cedure will then be presented to various stakehold- ers at the various campuses for review and com- ment. Implementation dates along with training of staff will commence with rollout of the Active Shooter-Extreme Workplace Violence Response plan. Finally, exercises will be completed under very stringent security and safety protocols. This pro- cess will take 18-24 months to fully implement." STE: Considering recent shootings in big city emergency rooms, how do you pre- pare to meet the challenge of protecting staff and patients in an environment that "In the current heath care environment we are seeing mergers and re-alignments with many health care systems. As these new entities move forward together, the disparity of security technology systems requires constant assessment and adjustment." STE_30-33_0314 Lasky Roundtable.indd 31 3/14/14 11:14 AM