The Importance of Adopting a Proactive, Intelligence-Led Approach to Safeguarding Your Healthcare Organization

This is the fourth and final article in a series offering a fresh perspective for healthcare executives and security professionals on their physical security strategies. The articles are based on the expertise and perspectives I have gained through over 40 years of safeguarding U.S. national security agencies and private sector organizations.
In 1949, humorist Richard Armour stated, “Most people’s hindsight is 20/20.” This wisdom has repeatedly proven itself over the decades that followed. Throughout history, we have seen many examples of so-called “intelligence failures” in the national security arena: Pearl Harbor, the bombing of the USS Cole, 9/11, and numerous other terrorist attacks. Often referred to as a failure to “connect the dots,” these prognostication shortfalls aren’t limited to the government. It’s clear that we cannot predict the future. Nevertheless, that hasn’t stopped people from trying. In response to repeated intelligence failures, the discipline of risk management has evolved into a formal process. I served at the Central Intelligence Agency in the early 1990s when risk analysis was officially adopted within the Office of Security. Often misunderstood or misapplied, risk management also has its limitations.
In its most basic form, risk management is a process that identifies threats or undesirable events that an organization seeks to prevent. It assigns values to represent the likelihood of the threat occurring and the potential impact on the organization if it does. Healthcare organizations are already conducting risk management, and the Joint Commission (TJC) requires it as part of its accreditation process. However, there is considerable disparity among healthcare systems regarding its implementation and effectiveness. This is particularly true concerning the organization’s security program.
While TJC requires every healthcare facility to create a security management plan based on a risk assessment process, deficiencies in that process may undermine the plan's effectiveness. Often in healthcare, there may be a lack of security “intelligence.” This is somewhat surprising, considering that healthcare has a strong culture of delivering evidence-based clinical care. This same culture must be applied to security.
Establishing an evidence-based practice is impossible without data. This starts with creating meaningful security performance metrics that are aligned with the security management plan. By continually collecting data and receiving feedback on specific performance measures, it becomes possible to take action to enhance or customize security services.
With an effective metrics-based data collection process, it’s possible to take the next step of transforming the data into proactive intelligence. This vital step in an organization’s risk management maturity parallels how healthcare organizations are shifting toward proactive healthcare delivery models, which anticipate the consequences of patients not maintaining a healthy lifestyle and make adjustments in time to prevent disease rather than treating it afterward. In terms of security, it involves continuously monitoring the risk environment to detect indicators of the threats that concern the healthcare organization, and taking preemptive action to either prevent undesirable events from occurring or to mitigate their negative impact before escalation. In a sense, it’s like extending your vision “over the horizon.” While it’s still true that nobody can predict the future, organizations with an effective security intelligence program improve their accuracy in forecasting the likelihood and impact of threats, thereby enhancing the effectiveness of resource allocation to mitigate those threats. In an era where healthcare systems compete on operational excellence and brand trust, an intelligence-led security model increasingly distinguishes industry leaders from laggards.
There are capable tools and technology systems that enhance an organization’s ability to proactively monitor the risk environment and, through analysis, transform this information into valuable intelligence. Best practice organizations conduct the intelligence process collaboratively with other stakeholders, often within a Security Operations Center (SOC) environment, facilitating a multidisciplinary approach. Different departments within healthcare organizations typically collect similar types of threat information simultaneously, so establishing a SOC can also lead to resource savings at the system level while improving both effectiveness and the quality of intelligence generated. An example includes the need for the healthcare organization to monitor public-facing social media as well as the deep and dark web. In addition to the benefits of identifying physical security threats against the organization, the cybersecurity department needs to monitor for cyberattack indicators and compromised personal health information, while the public or patient relations department is interested in social media sentiment and brand reputation.
Establishing a SOC also gives the healthcare organization an advantage during its transition from intelligence collection to incident response. A single reporting channel and a standardized, centralized escalation process greatly enhance the incident command process.
The future, while uncertain, will undoubtedly present new challenges to security. The rapid advancement of technology, especially artificial intelligence, offers the potential for significant benefits as well as catastrophic consequences. One strategy to address the rapidly changing risk environment is to create a system-wide, proactive, intelligence-led approach to safeguarding your healthcare organization. The path to proactive security doesn’t require massive investments in capital and operational expenses, but it does necessitate a shift in mindset, leadership engagement, and the right strategic partners.
--
Ken Senser is the Chief Strategy Officer and a partner at Corporate Security Advisors, an AHA preferred cybersecurity and risk service provider. He is a subject matter expert in several disciplines, possessing over 40 years of experience in global security program governance, structure, and operations, incident response, and crisis management. During his more than 15 years as Senior Vice President at Walmart, Ken led global programs in Global Security, Investigations, Corporate Aviation, and Corporate Travel. Before joining Walmart, he served as a CIA officer detailed to the FBI as the Assistant Director of the Security Division. Following the Hanssen espionage arrest, Ken transformed the FBI's security program by establishing and overseeing the day-to-day operations of the first division in the FBI’s history focused on security. He began his federal career with the CIA in 1983, holding various executive positions and serving in roles related to physical, technical, protective, and personnel security.
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the US Government. Nothing in the contents should be construed as asserting or implying US Government authentication of information or endorsement of the author's views.
