Similarities Between Healthcare Security and the Protection of Sensitive Government Agencies Like the FBI and CIA

I began my security career over 40 years ago, dedicating roughly half of my service to the federal government at the CIA and FBI, and the other half to the private sector.
In the government, we expected to face sophisticated threats aimed at CIA and FBI secrets, while the private sector handled more routine issues. This was especially true for healthcare, where the main goal is helping others. Unfortunately, it’s now common to see headlines like these:
- “FDA Office of Criminal Investigations Agents Catch Doctor Who Poisoned Patients with Tainted IV Bags.” [1]
- “1 officer dead, 5 others injured in shooting at Pennsylvania hospital.” [2]
- “Ransomware Attacks on Hospitals Have Changed.” [3]
The world has changed significantly in the past 25 years, and so has the approach to security needed to mitigate risk. A major transformation in risk management began after the tragic attacks on September 11, 2001. This shift originated within the U.S. government and has extended to the private sector, spreading at varying rates across different industries. Healthcare has been a relatively late adopter but is catching up quickly. For example, more healthcare systems are recognizing the benefits of establishing intelligence-driven physical and cybersecurity practices that include an ongoing exchange of threat information between the private sector and the federal government.
While there are certainly differences, today’s healthcare risk environment is more similar to that of the FBI or the CIA than one might expect. Potential attacks from terrorists targeting critical infrastructure, compromises of sensitive information, cyberattacks, ransomware, insider threats, and workplace violence pose threats that impact both healthcare systems and national security agencies. Healthcare organizations strive to create a compassionate and healing environment for their patients. This effort can make healthcare facilities an attractive, “soft” target. Balancing a welcoming atmosphere with a robust physical security posture is challenging yet achievable.
For many healthcare organizations, physical security deficiencies go unnoticed, frequently hiding in plain sight. What are some potential indicators of an ineffective physical security program?
- High staff turnover or absences due to safety concerns.
- Rising numbers of staff injuries due to incidents of workplace violence.
- Increasing reports of thefts on the healthcare facility campus.
- Identification of unauthorized individuals in restricted areas.
The consequences of failing to address physical security deficiencies can be severe and may risk the safety of patients and staff. Conversely, tackling these challenges directly can yield significant benefits, with one of the most valuable results being reduced staff turnover, which leads to lower system costs and improved patient outcomes.
It's logical to conclude that risks comparable to those faced by the FBI or CIA necessitate a similar security philosophy and approach. This doesn’t mean simply adding more “gates, guards, and guns.” Effective security programs today require a more sophisticated, strategic, and systematic method for identifying, prioritizing, and mitigating risks. A best-in-class approach recognizes security as a business imperative, delivering value for investment and assisting the healthcare system in achieving its goals. Security-related risks should be integrated into the Enterprise Risk Management process.
Security programs must be tailored to fit specific system structures and operational needs. Nevertheless, all security programs should contribute to delivering the following common services:
- Proactive, intelligence-driven threat identification, assessment, and dissemination to prevent incidents before they occur or to mitigate their impacts when they do happen.
- Initial background screenings for employees and vendors, along with continuous monitoring and threat management processes. These may be organized as part of a broader Insider Threat Program.
- Workplace violence prevention and measures focused on protecting patients, visitors, and healthcare staff.
- Protective measures for healthcare personnel, including executives, facilities, and their assets.
- Emergency management and business continuity.
Security programs cannot operate effectively in isolation; they must actively engage as partners within the Environment of Care team. Security does not need to oversee all programs. Collaboration with various stakeholders, including safety, human resources, legal, compliance, privacy, and clinical staff, is essential. Furthermore, a strong relationship must exist between the executive responsible for physical security and the Chief Information Security Officer. Many healthcare systems have transformed regulatory security requirements into checklists, which is understandable for ensuring compliance. However, today's complex risk environment surrounding healthcare systems demands a more thoughtful and nuanced approach.
In the coming weeks, three additional articles will offer a fresh perspective for healthcare executives and security professionals regarding their physical security strategies. In these upcoming articles, we’ll explore how healthcare organizations can detect and manage insider threats, adopt proven crisis preparedness models drawn from national security agencies, and develop proactive security intelligence programs that anticipate emerging threats before they escalate. There is no need for panic or paranoia. However, a strong business case exists for making wise investments in physical security.
--
Ken Senser is the Chief Strategy Officer and a partner at Corporate Security Advisors, an AHA preferred cybersecurity and risk service provider. He is a subject matter expert in several disciplines, possessing over 40 years of experience in global security program governance, structure, and operations, incident response, and crisis management. During his more than 15 years as Senior Vice President at Walmart, Ken led global programs in Global Security, Investigations, Corporate Aviation, and Corporate Travel. Before joining Walmart, he served as a CIA officer detailed to the FBI as the Assistant Director of the Security Division. Following the Hanssen espionage arrest, Ken transformed the FBI's security program by establishing and overseeing the day-to-day operations of the first division in the FBI’s history focused on security. He began his federal career with the CIA in 1983, holding various executive positions and serving in roles related to physical, technical, protective, and personnel security.
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the US Government. Nothing in the contents should be construed as asserting or implying US Government authentication of information or endorsement of the author's views.
1. https://www.justice.gov/archives/opa/pr/dallas-anesthesiologist-convicted-tampering-iv-bags-sentenced-190-years-prison#:~:text=into%20a%20crowd.-,Dr.,the%20Northern%20District%20of%20Texas
2. https://6abc.com/post/multiple-injuries-reported-shooting-upmc-memorial-pennsylvania-law-enforcement/15945873/
3. https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed