Using Technology to Step Up Post-COVID Security: Prevention & Action

Law enforcement agencies have seen a sharp uptick in the number of mass shootings in recent years. According to a USA Today analysis, mass shootings surged with a 47% increase in 2020 over the previous year. This was happening before the pandemic, but part of it clearly seems to be due to COVID-19 and the psychological and logistical impacts of lockdowns, lost jobs and changing political landscapes.

 

COVID or no COVID, long gone are the days when you could see a horrible news story and believe it will never happen to you or your organization. You can’t just sit around and wait for it to happen. Especially if your organization is welcoming employees and customers back to physical venues after the pandemic.  This sudden new intensity is a perfect time to devote generous attention to security plans.

 

Modern technology and training reduce the likelihood of a violent event and reduce the potential impact. According to Prime Communications, Inc., COO and security expert, Jamie Bumgardner, the most effective defense you can offer your organization is the institution of a well-thought-out two-step approach: prevention and action. This includes assessing protocols, technology and training, as well as making sure your staff knows the correct actions to take, and when.

 

Many organizations have plans in place for these kinds of events, but both plans and technology are often outdated. In some cases, equipment has gone unused for a long time, has never been tested and no longer functions. In the most egregious cases, subpar disaster plans involve contacting someone who no longer works at the company!

 

Prime Communications partners with safety training firm, Safe Passage Consulting to assist organizations in upgrading security and developing comprehensive steps for effective safety plans. In this article, we outline the basics as a baseline to help you bring your own organization up to speed.

STEP 1: Preparation

The best thing you can do for your organization to effectively mitigate potentially violent events is to be prepared. This seems obvious, but it’s often taken for granted—and it’s not always true even if you believe you are prepared.

 

With proper, up-to-date technology and training, you may be able to prevent an attack from occurring in the first place. If the event itself cannot be prevented, updates will give everyone the best chance at survival, and that, of course, is the bottom line. “You can use technology and training as a force multiplier to keep people as safe as possible,” Bumgardner said.

Technology

Security technology experts work hard day after day, developing new ways to keep people safe and fine-tuning existing tech so it’s more efficient and reliable. If you are a security professional or company leader, it behooves you to also keep up with available technology to keep your people safe. The most heartbreaking part of any disaster is realizing too late you could have done more to save lives.

One example of recent technology advances is license plate readers. These have come a long way in function and reliability. A well-positioned camera can automatically check license plates of vehicles and cross reference them with databases of bad actors. If a vehicle belongs to a past offender or someone else who’s likely to cause trouble (e.g., a disgruntled former employee), you can be notified before they reach the building and potentially stop the problem there.

 

If the worst-case scenario happens and a shooting occurs, a gunshot detection system can quicky provide a wealth of information about the event. It can tell you where a weapon was fired, the direction the shooter was moving and even the caliber of the weapon. These systems are finely tuned to only register gunshots and won’t mistake a dropped pallet or other loud noise for a real emergency—even firing a blank won’t set them off.

 

Once you know a violent event is in process, a mass communication system can keep everyone informed of what’s happening, where it’s happening and what actions to take. You cannot only send messages to staff, but you also can equip phones with a panic button to notify security staff and law enforcement of threats. With the press of a button, a phone can turn into a video and audio recording device to capture and relay valuable information. This system can be useful in other dangerous situations such as earthquakes or fires.

Training

With mass shootings and other violent events occurring more frequently, most of us have at least idly considered what we would do in a dangerous situation. Whether your daydreams feature you heroically engaging an attacker in hand-to-hand combat or leaping out a window to a quick escape, people who are thrust into real situations rarely have the skills to execute these plans.

 

Furthermore, in a building with a large number of people present, even if each individual’s plan would work, everyone reacting to their own ideas at once creates chaos. What’s more, many organizations are still following outdated or inaccurate training, and it’s getting people hurt. To do everything you can to keep people safe, you need an up-to-date, standard, practiced plan that allows you to effectively communicate.

 

An integration team can help identify vulnerabilities in your plan (and in your technology), mitigate the problems, write a new plan, then train staff on equipment, protocols AND execution of the plan during a violent event.

 

Safe Passage’s Dustin Randall says the most effective aspect of training is often scenario practice. The team will train members of your staff, then put them into realistic situations to help them internalize what they have learned, increasing the odds that they’ll act appropriately when needed.

 

“It is often the debriefing that is the most valuable, when people look back on the scenario and realize what they could have done differently—and discuss the plan with colleagues,” Randall said.

Step 2: Action

To have the best chance at survival, it’s necessary to take action of some kind. Theodore Roosevelt said “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”

Once you’ve done everything you can ahead of time to give the people in your organization the best chance at preventing a violent event, you need to think about what everyone needs to do when an actual event occurs. According to Randall, staff should be trained to take these actions in this order:

1 - Accept the Inevitable

Some people, when caught in violent incidents, will do anything to deny what’s happening. They may hear a gunshot and immediately assume it’s a car backfiring or fireworks—even if they have the experience to know the difference. It’s important to acknowledge when a threat is real and respond appropriately. Good training makes it more likely staff will act in a way that saves lives.

2 - Run the Opposite Way

Many people freeze when faced with a threat they didn’t expect. But doing nothing is likely to get you hurt. Many existing plans tell staff to hide in a violent situation, but Randall explains that more people die if everyone hides instead of running. Remove yourself from the situation as fast as you can, find a safe place (hopefully, a pre-arranged meeting point) and contact police. Police responses have gotten much faster since active shooter situations have increased, but there’s no guarantee officers will immediately be able to find a shooter or obstruct the shooter’s path, so your priority is to leave.

3 - As a Last Resort, Fight

No one expects your staff to be heroes—fighting an attacker is a last, desperate option. Safe Passage training teaches you to stay calm and take actions that give you a chance to live. If you find yourself facing an attacker, they suggest first throwing something at the attacker to distract them and then run as they duck. If all other options are gone, grab the gun by the barrel and face it away from you. “Always remember, there are usually more of you than them. You can band together and pile on an attacker to subdue them,” Randall said.

Keep the Security Update Cycle Going - Indefinitely

The combined Prime/Safe Passage expert team suggests continually renewing these steps over time—whether during a pandemic, after an uptick in violence, or any time. Then you’ll know for certain you and your staff have done everything you can to make efficient use of the technology and training available. If, heaven forbid, you and your organization ever have to face a real situation, imagine how rewarding it will feel to know you’ve done everything you could do to reduce the odds of disaster.

Prime &​ Safe Passage ​Partnership​ Lifecycle​

For more information about our combined technology and training services, please contact Prime Communications at 402-289-4126 or sales@primecominc.com. We are happy to have a preliminary discussion with you about your security and training needs.


Healthcare Cybersecurity Best Practices: Don’t Forget About the Physical Side of Digital Security

[checklist]

Like many other market sectors, the healthcare world was forced into cybersecurity adjustments and advancements by the COVID-19 pandemic. For example, it was suddenly not a good idea to use touchscreens and keypads to identify users and gain access. At a blinding speed in some cases, IT professionals have worked to deploy new solutions — some of which had been in process already or were being used in other industries and some were completely new.

 

With these technology advancements, it has become more important than ever to identify physical and digital/logical security weaknesses and be proactive about mitigating them to keep staff, patients and visitors (and their personal data) safe.

 

Evolving cybersecurity best practices are especially important in healthcare settings, because hospitals and other healthcare venues are technology-heavy, super-sensitive to privacy, and carry unique potential for harm when technology fails.

 

Jeff Broz, Prime Communications Inc. VP of Infrastructure Operations, pointed out that these concerns are particularly important in the growing world of the healthcare Internet of Things (HCIoT). “There is typically a well-established process for adding new devices to an enterprise network. The challenge is that the technology is changing so quickly, that keeping up is a daunting task for the IT security team.”

Healthcare cybersecurity: What could go wrong?

“When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

Jeff Broz, VP Infrastructure Operations, Prime Communications, Inc. Tweet

Some cybersecurity breaches are legendary in the healthcare world. For example, ransomware attacks and hacking through environmental controls. In a worst-case scenario, a nefarious actor can take down an entire network, locking users out or injecting viruses, causing gaps in patient monitoring and care.

Especially with some of the beefed-up collaboration technology being used through the pandemic to electronically replace in-person patient and family touchpoints, an increased number of potential breaches can deprive caregivers of access to vital information about their patients.

“It is pretty straightforward,” Broz said. “When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

This healthy fear of gaps in care have even led to an unhealthy avoidance of updating systems for some organizations. However, using legacy systems with only-partially-effective updates eventually results in more potential cybersecurity issues and — you guessed it — gaps in a hospital’s control over care. When word gets out about gaps in care, it can affect an institution’s ability to maintain its reputation and compete against institutions that allocate time and money to proper updates and upgrades.

Increased use of smart devices complicates cybersecurity, Broz pointed out, because they often do not include embedded security when they are acquired and implemented. This can lead to human error, from poor configuration to incomplete user protocols. It’s great to have devices such as smart pumps available to monitor distribution of pharmaceuticals, and many healthcare institutions have implemented them. However, do IT teams really understand the vulnerabilities that come along with such devices?

This matters in part because hackers are getting smarter. A number of breaches have occurred in recent years through laptops accessing environmental systems. IT and security staff now have a better understanding of how those breaches happened, but for a variety of reasons they don’t always take comprehensive steps to mitigate such possibilities in their own systems.

 

According to a Verizon data breach report, 59% of healthcare institution data breaches come from internal actors, whether intentional or unintentional. This often happens due to problems with un-segmented networks or missing security controls. In cases where damage is intentional, it can happen because credentials are too easy to steal, among other things.

Of course, if you oversee security or information technology in a healthcare institution, you have no doubt done your research and know all of this. If you are like many organizations, you have put cybersecurity protections in place and you are ready for the next attack. However, also like most healthcare institutions, you may have forgotten about or too-lightly addressed one particular area of cybersecurity: physical deployment and maintenance.

Broz puts in a nutshell just how critical physical security is to cybersecurity: “All of the sophisticated, deep cybersecurity protocols, software and processes you implement could be taken down in an instant if a bad actor gains access to a server closet through a door left ajar by third-party technician.”

Bones of an effective cybersecurity plan

Any institution’s cybersecurity plan includes a myriad of small security mitigations protecting the many parts of the system. However, without a well-thought-out, comprehensive structure to support full security coverage, all of those small solutions still could leave your organization vulnerable. Just as a building needs a framework to hold up the walls (the bones), a cybersecurity plan is the framework that holds up a system’s components.

An effective cybersecurity plan begins with assessment of every component in your system and every potential security breach scenario. Your assessment should include determination of physical ways bad actors could access systems (e.g., through unlocked doors), or where inadvertent actions could compromise the system (e.g., accidentally activating on/off switches). A comprehensive risk assessment should be created before any new components are purchased or programs are put in place.

The bones of your cybersecurity plan should follow emerging standards, including ever-changing best practices for encryption, data tracking, human error mitigation, awareness programs, and incentives for reporting phishing, for example. “Part of establishing digital security in a healthcare institution is knowing what the most current standards are and understanding how to follow them,” Broz advised. He said many institutions lean on third-party experts. However, if your team members are not already, they should get on the mailing lists of cybersecurity industry organizations, such as the Healthcare Information and Management Systems Society, Inc. (HIMSS), so they can receive timely updates and tips. Even with reminders from experts, Broz suggested many companies are forgetting about the physical side of digital security.

We’ve included a checklist of some of the most easily forgotten physical aspects of cybersecurity at the end of this article to help flesh out your cybersecurity plan. 

Overall, an effective cybersecurity plan must:

  • Include integrated digital and physical cybersecurity solutions pathways (“You can’t have one without the other,” Broz said.)
  • Take into account how your healthcare cybersecurity initiatives will affect profitability and other aspects of your institution, including efficiency, staffing and budgets
  • Identify unsupported legacy systems and realistically determine when the potential for ongoing vulnerabilities outweighs the costs of upgrading
  • Account for third-party devices that will be connected to your network by patients, families, employees and contractors — some exposure through third-party devices is intentional and some may be unintentional
  • Incorporate partnerships with trusted third-party service and equipment providers who know the specific business of healthcare cybersecurity
  • Prioritize to ensure that the most important, or most foundational, aspects of cybersecurity are managed first
  • Include an incident response plan, so your team knows exactly what to do when a breach happens
  • Outline built-in protocols for continual testing and updating your healthcare cybersecurity systems without any gaps in care
  • Integrate input, needs and concerns from other teams in the organization and align with high-level organizational goals and processes
  • Include detailed steps for continual training, information sharing across departments, and plan updating

Healthcare venues present unique, and oftentimes critical, potential cybersecurity issues. Most hospitals and other healthcare institutions hire experienced, educated inhouse information technology and security professionals who know how to create and carry out a plan. The key is to make sure your professional staff is given the time and resources for proper planning, implementation and management of cybersecurity — including ensuring comprehensive coverage, with no gaps, by addressing the physical side of digital security.

Physical Cybersecurity Plan Checklist

For more information about or assistance with both the digital and physical sides of your cybersecurity plan, contact Prime Communications Inc., 402-289-4126 or sales@primecominc.com.


Empathy: A Secret Weapon for Security Challenges

Prime Communications continually tests, recommends and implements security hardware, software and processes across many different industries and venues. But security is much more than that. Over the years, we’ve learned one security element is more important than all the others combined. You can’t buy it, package it or wire it. We are talking about empathy.