What the Government Taught Me About Trust, Access, and Human Risk Factors

This is the second of four articles in a series offering a fresh perspective for healthcare executives and security professionals on their physical security strategies. The articles are based on the expertise and perspectives I have gained through over 40 years of safeguarding U.S. national security agencies and private sector organizations.

‍
On February 18, 2001, FBI special agents arrested Robert Philip Hanssen as he was dropping off classified documents at a park near his home in Vienna, Virginia. The documents were intended for the SVR, Russia’s equivalent of the CIA. Hanssen, a special agent of the FBI himself, had been spying for the Soviet Union and, later, for Russia for over two decades by the time of his arrest. His betrayal inflicted significant damage on the security of the United States. In total, Hanssen’s compromise of sensitive FBI information may have contributed to the deaths of at least three assets working for U.S. intelligence and resulted in more than $100 million in lost investments by the U.S. government in offensive intelligence operations directed against Russia. Five months after his arrest, Hanssen pleaded guilty to fifteen counts of espionage, ultimately dying in prison 21 years later.

‍
While security threats are often viewed as coming from external sources, a “trusted insider”—an employee with established physical access to an organization’s facilities and sensitive information—can cause significant harm to the organization and its stakeholders. This type of threat is not limited to government entities; it is also a major concern for healthcare organizations. A recent case involved Raynaldo Riviera Ortiz Jr., a Dallas anesthesiologist, who was criminally charged in September 2022 and later convicted of injecting dangerous drugs into patient IV bags. Ortiz Jr.’s actions resulted in the death of one patient and caused medical complications for several others.¹

‍
What is the common denominator in all insider attacks? The risk factors related to being human. Typically, humans exhibit patterns of behavior that reveal their level of trustworthiness. However, there is always an element of unpredictability. Additionally, over time, the mental state, judgment, and reasoning of humans may change.^{2, 3}  
‍

At the time of Hanssen’s arrest in 2001, I was “on loan” to the FBI from the CIA. The FBI Director at that time, Louis Freeh, asked me to help understand what went wrong and to lead the effort to transform security at the FBI to prevent a compromise of this magnitude in the future. Is it possible to stop a government employee from becoming a spy or, for that matter, a healthcare employee from acting against the best interests of the organization or their patients? Of course not, but the risk can be mitigated by implementing processes aimed at identifying what is often referred to as an insider threat. Furthermore, if an employee chooses to act against the interests of their employer—specifically, a healthcare organization, a patient, visitor, or coworker—it may be feasible to recognize and address their hostile intentions more promptly, potentially preventing such actions from occurring.
‍

What lessons can we learn from the Hanssen case?

1. All organizations face risks from insiders. Every workforce is made up of human beings who experience both good times and challenges in their lives. Life stresses—whether they arise from poor relationships, financial pressures, mental health issues, or perceived injustices—can lead to harmful actions. According to statistics from 2022 published by the National Institute of Mental Health, 23.1% of U.S. adults—59.3 million people—experienced a mental illness, and per the Substance Abuse and Mental Health Services Administration, 6% of U.S. adults—about 15.4 million people—faced what is described as a serious mental illness.^{4, 5} Hanssen’s main motivation for committing espionage was financial. However, he also felt that his FBI coworkers did not appreciate his intelligence and abilities. Ortiz Jr. was disgruntled. Evidence presented at trial revealed that Ortiz was facing disciplinary action at the time for an alleged medical mistake during one of his surgeries and that he potentially risked losing his medical license. Both felt compelled to strike out at others.

   ‍
2. Deterrence is vital. Those thinking about acting negatively must realize they will be identified and face appropriate consequences. President Ronald Reagan famously quoted the Russian proverb “Trust, but verify.” Hanssen told FBI agents after his arrest that he wouldn't have betrayed his country if he didn’t think he could get away with it. Healthcare organizations need a strong background screening process before hiring to understand the risks linked to potential candidates. But that shouldn’t be the only step. Since risk factors change throughout an employee’s career, ongoing monitoring and vetting might be necessary.

   ‍
3. Collaboration and communication offer significant benefits. Programs designed to identify insider threats are often discussed in the context of cybersecurity. However, insiders can jeopardize any corporate asset, whether physical or virtual. Furthermore, the target of an insider threat could be another employee, creating potential synergies between workplace violence prevention and insider threat initiatives. This supports an “All Hands on Deck” approach. The most effective programs involve collaboration among physical and cybersecurity efforts, along with participation from human resources, legal, compliance, privacy, and risk departments. Additionally, employees who act out often “leak” information, foreshadowing their hostile acts. Coworkers notice their antisocial or unusual behavior and require a mechanism for reporting their concerns. Hanssen was commonly known as the “Mortician,” based on his attire and mannerisms.⁶  There were other risk indicators that were not thoroughly investigated or pursued through human resources channels.

Healthcare systems can gain valuable insights from national security agencies that have faced significant breaches caused by trusted insiders. For healthcare executives, unchecked insider threats can lead to catastrophic costs: patient harm, litigation, reputational damage, and long-term financial exposure. These potential consequences warrant consideration of this risk at both the executive leadership team and board levels, as it is genuinely a governance issue for the healthcare organization.
‍

Proactive measures can be implemented through the creation of a multidisciplinary program focused on identifying and mitigating risks posed by insiders with malicious intent. Many healthcare leaders are surprised to learn that effective insider threat programs can often be implemented with existing resources if the organization commits to cross-functional coordination. This approach is no longer limited to governments seeking to prevent espionage; it can also significantly benefit healthcare organizations as well.
‍
--
‍
Ken Senser is the Chief Strategy Officer and a partner at Corporate Security Advisors, an AHA preferred cybersecurity and risk service provider. He is a subject matter expert in several disciplines, possessing over 40 years of experience in global security program governance, structure, and operations, incident response, and crisis management. During his more than 15 years as Senior Vice President at Walmart, Ken led global programs in Global Security, Investigations, Corporate Aviation, and Corporate Travel. Before joining Walmart, he served as a CIA officer detailed to the FBI as the Assistant Director of the Security Division. Following the Hanssen espionage arrest, Ken transformed the FBI's security program by establishing and overseeing the day-to-day operations of the first division in the FBI’s history focused on security. He began his federal career with the CIA in 1983, holding various executive positions and serving in roles related to physical, technical, protective, and personnel security.

‍
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the US Government. Nothing in the contents should be construed as asserting or implying US Government authentication of information or endorsement of the author's views.

‍

‍

‍

1. U.S. Department of Justice. 2024. “Dallas Anesthesiologist Convicted of Tampering with IV Bags Sentenced to 190 Years in Prison.” Justice.gov. November 20, 2024. https://www.justice.gov/archives/opa/pr/dallas-anesthesiologist-convicted-tampering-iv-bags-sentenced-190-years-prison
2. National Institute on Aging. n.d. “How Aging Brain Affects Thinking.” NIA. Accessed September 16, 2025. https://www.nia.nih.gov/health/brain-health/how-aging-brain-affects-thinking
3. Inquiries Journal. n.d. “Decision-Making Factors That Influence Decision-Making Heuristics Used and Decision Outcomes.” Accessed September 16, 2025. http://www.inquiriesjournal.com/articles/180/decision-making-factors-that-influence-decision-making-heuristics-used-and-decision-outcomes
4. National Institute of Mental Health. n.d. “Mental Illness — Statistics.” NIMH. Accessed September 16, 2025. https://www.nimh.nih.gov/health/statistics/mental-illness
5. Substance Abuse and Mental Health Services Administration. 2023. Key Substance Use and Mental Health Indicators in the United States: Results from the 2022 National Survey on Drug Use and Health. https://www.samhsa.gov/data/sites/default/files/reports/rpt42731/2022-nsduh-annual-national-web-110923/2022-nsduh-nnr.htm
6. Surovtseva, Masha, and John Kalathil. 2001. “From Dour Mortician of FBI to Suspected Russian Superspy.” New York Times, February 21, 2001. https://www.nytimes.com/2001/02/21/us/from-dour-mortician-of-fbi-to-suspected-russian-superspy.html