Episode 3: We discuss what it takes to Secure a Major Healthcare Facility. How Hospitals use technologies like Access Control & Visitor Management Systems to Secure their Patients while not Restricting Access to Doctors. The collaboration a Security Professional Must Have with other Departments to Improve the Culture of Security and much more…
Certifications in Healthcare Security Administration
Good afternoon, everyone. My name is Tom Carnevale. Now I’m here at the GSX event in Chicago. It is the Global Security Expo. In 2019 and it just so happens to be in my hometown of Chicago. This is Episode 3 of Security in focus, and I’m super honored to have Myron Love who is the director of security services from world-renowned Children’s Hospital in Chicago. As we’ve spoken about before- I have a very personal connection to the Hospital through my son who had a severe medical issue, and we went to dozens of doctors and finally landed at Children’s.
So Myron Love has been the security industry for several years. He is a CHPA. So we are talking talk about that and what that is in a second. He is also a CPP, PSP, PCI. And you’re also, Myron, Correct me if I’m wrong involved in a Security Group that is specifically related to healthcare. Let’s start there.
Myron Love: Absolutely. And thank you so much. I really appreciate being able to talk to you on this. This is terrific. So I am a member of the International Association for Healthcare Security and Safety. That is an organization that’s based out of Chicago. As a matter of fact, but it is an international association of and they work very hard to develop best practices standards and guidelines for healthcare security – a very terrific organization. And I have a certification with them as a Certified Healthcare Protection Administrator.
Thomas Carnevale: And that is unique to that group? What are the key learning objectives for this certification?
Myron Love: It is. Yes. So basically that is the kind of certification that if you really, want to go up in the reigns within healthcare security that is something that you get what to meet, a major, key learning objectives in that kind of certification. You’ll see more and more healthcare organizations and healthcare security systems are looking for leadership that has a CHPA because it demonstrates specialized knowledge in healthcare security. So in addition, to a CPP which is an excellent ASIS International Certification. The CHPA itself is very specialized. So it’s going to be more healthcare administration knowing how patient care functions within the organization and how Security relates to that for overall protection of customers, visitors, patients, and a lot of the other groups you mentioned that go into this certification.
Regulations and Audits of Healthcare Security
Thomas Carnevale: So I assume there are a lot more regulations and learning objectives around HIPA? How does that tie into the certification with being a Healthcare Security Professional?
Myron Love: This is very true. This is very true. So in healthcare, we have a couple of organizations that are going to come in and survey us. We have the Joint Commission which is an organization that is regulated by the federal government and Joint Commission will come in and survey us by various standards. And that is what a healthcare organization depends on to maintain our Medicaid reimbursement. So if an organization ends up not passing your annual or biannual surveys or not getting the sign off Joint Commission (because they may have come in and found some sort of an infection problem or a patient abduction and elopement risk or something like that) that they assess that we’re not meeting standards they could make a recommendation to the federal government that we lose our Medicaid reimbursements. And there have definitely been health care organizations that have lost that. And as a result of the shutdown either temporarily or permanently.
Thomas Carnevale: So a lot at stake.
Myron Love: OH yeah definitely. And with that specialized health care certification, it helps show the leadership that I have a deeper understanding of regulatory agencies involved with our organization.
Thomas Carnevale: Just thinking about the ramifications of that healthcare facility shutting down for even one day. Especially the prominence that your facility has- Shutting down for one day could mean millions of dollars lost not to mention all the patients not getting the proper care they deserve.
Myron Love: It’s huge. And then Joint Commission cares deeply about patient care and providing a safe environment. So they’ll come in with an expectation that we show our evidence of compliance. The Joint Commission standards and guidelines and we have to show performance indicators show that we meet certain benchmarks in a lot of this is dependent on life safety code requirements and it gets very in-depth.
The Organizational Structure for Healthcare Security Departments.
Thomas Carnevale: So you’ve had a really strong long career in healthcare security. There’s a lot of layers in departments of Security. That. Report to you. Right. So there’s going to be health and safety. There’s going to be patrol officers security guards. There’s going to be people that are monitoring security technologies. And I’m sure creating a culture of Security. In multiple departments. It’s something that you value every day. Sure. Can you. Generally speaking not necessarily with specifics to Children’s but to. What a large health care system. Breakdown what some of those roles are and how they report to.
Myron Love: Yeah. Happy to. I’ll start off with the security operations side. So this is what we’re talking about our security staffing. So we have proprietary security officers in my Hospital. We also have contract support to augment our staff when necessary. So, on the security operations side- I’ve got a team of security ops managers that directly oversee or sites support and then we have lieutenant’s sergeants and or general rank structure security officers. On our security systems side, we maintain all of our access control systems and video monitoring. Basically, anything that comes under the technical side which also includes your dispatch center. So we maintain 24/7 emergency response dispatching. In addition to that, we also have the security training side and this is where we get into a lot of cultural changes as an organization, where we are now trying to do a much better job of educating staff on their personal awareness and personal responsibility to contribute to a safety and security culture. And. So that’s crucial for us because unlike most organizations there’s only so many security staff to handle things where you have thousands of other medical and clinical staff that also happen to take some sort of responsibility to help with the overall security for your organization. And we also have our security investigation side. So there we’re helping our corporate compliance department human resources or I.T. department with other investigations. So we also help with fraud investigations, waste investigations, workplace violence investigations. So Yeah, we wear a lot of hats in our security department.
Access Control Systems for Hospitals
Thomas Carnevale: It’s so interwoven into all departments essentially so beginning I guess with the tech part of the thing you know. Just because you know Security doesn’t mean you know the tech which is tools essentially to help, you run a hospital. Some of those are visitor management systems; some are access control systems; some are video management systems. I wanted to talk to you specifically about this because they see so often. Manufacturers who make a product or service say oh well this is really good we’re commercial buildings. “Oh, your a Hospital- Well this is great for hospitals too.” And I’ve just seen this a lot for decades, and I wish it changed more. I don’t think it changes enough and it’s not talked about enough how- End users in specific vertical markets like healthcare are utilizing technology because there is not a one size fits all for that.
So I guess let’s start with access control systems. How did you establish that program that technology from the start with your organization or did you inherit it?
Myron Love: I actually inherited a system that was in desperate need of being replaced. For background my organization at the interoperability choice hospital Chicago five years ago we were Children’s Memorial Hospital. And we were in Lincoln Park here in Chicago and five years ago we built a brand new twenty-three story skyscraper in the heart of Chicago in Streeterville. So. We had. To migrate our systems at some of our other locations that weren’t moving from an old antiquated access control system to the modern access control system we were putting in our main Hospital. So I’ve been able to see both sides of what the new implementation was and how the old system was maintained. And it’s still an ongoing project. I’m even five years later, you can do everything at once. But I think over time of talking to different vendors looking at what we’re implementing. You’re right. A lot of them are things that are put in place and it’s great for a retail establishment or you know somewhere or a business that may not necessarily work in a hospital. You know one good example of that was the implementation of offline card readers that weren’t integrated with our online access control system or. Needing to put in card readers that might have been better if they had a put in prox. card readers as opposed to swiping bar code readers. That way if we have. Staff pushing a patient on a gurney will a bit worried but a trigger that prompts from a distance.
Dual-Authentication Access Control
Thomas Carnevale: That dual-authentication is going to be too time-consuming and could cause more chinks in the armor, especially when you’re taking patients throughout multiple areas. I do see dual authentication being a very important variable in healthcare. I think I know the answer but why would you say that dual-authentication and access control in healthcare is super important?
Myron Love: Well. So we use it for areas like MRI where you absolutely need to be able to ensure that you have a tighter level of access control into that space. So you may have general staff that has training on MRI safety but you have to have specialized training programs in place. Mandatory education for staff to have access to that suite because the last thing you want is for facilities employees with equipment to walk into the MRI suite. So they may have access to that card reader but you would probably want to have it scheduled to make sure that they have that additional credential level of access.
Active Directory Integration with Access Control Systems
Thomas Carnevale: We’ve talked offline about some of my past health woes so I’ve seen my fair share of hospitals. So I’m curious because there’s management and operations software when you’re checking the patient in or you’re updating a digital record. There’s always a reader on these portable devices. They can be a tablet; they can be a part that’s plugged into the wall. So is there an access control database that is shared with the devices in the logging time of a certain credential holder’s capabilities and inputs data with an Active Directory database integration on the whole? How it works.
Myron Love: Yeah absolutely. That is a technology I use at my Hospital we try to use that Active Directory database to integrate between various systems whether it’s human resources, patient care, patient record tracking or visit management system.
Thomas Carnevale: I see that it’s such a compounding value for a healthcare facility because you’re pulling data. How can you turn if you are? That data collection. Into an operational or patient benefit overtime. I think I know the answer: You can monitor how long it takes to do a specific category of intake or diagnostic or test. And you measure that again and again from employees to departments. And you’re getting this data that could translate to further training. Would translate to increasing patient care or operations and cutting costs in some ways. Are you part of those conversations?
Myron Love: Yes and without getting too into the weeds on the vendor selection process or what we’re using data for. We absolutely do. We are getting a better idea of what that Active Directory integration allowed us to do. It is so important for us, and with our electronic visitor management system we’re looking not just for visitors but we’re looking for ways to better identify patients when they are coming in. So whether it’s an inpatient or an outpatient appointment being able to input that patient you know get that information from that patient record to assign visitors to their room for example. Or see how that patient is transferred. OK well that patient has no insurance for it from the emergency department to our inpatient floor and be able to track that in the system to automatically update various systems from even yet our from our electronic visitor management system to our epic record to be able to just put all that in one place- is just it’s amazing. It’s amazing to be able to do that and we’re finding you know it’s still a work in progress for us but I think over the past year or so.
Thomas Carnevale: You’re creating Big Data.
Myron Love: Yes we’re learning from it. But we see so many more opportunities to put this technology into place. It’s great.
Managing a Large Access Control System
Thomas Carnevale: So a couple of other touches on access control systems. What are some of the challenges you have with managing A staff of thousands of people with access control? The training of using it. And what are some of the lessons learned in implementing this newer technology to your team?
Myron Love: I think. My immediate answer is probably the same one most health organizations that give you a human error. And the inherent kindness of people to allow people into your space. I would say no matter what system we put in place if we cannot ensure proper training and awareness for staff to simply “not open the doors to people” just because they say “hey, can you grab that door for me?” Or you know when you’re trying to be nice and someone doesn’t have a badge it’s it’s always someone’s first thought to just hold the door open. That is what I would say is probably our number one issue.
Other than that. From a technical standpoint. We do run into issues and healthcare generally with people not understanding different Access Rights. So for example, you may have a group of clinical employees that are receiving access to spaces where they don’t really need it because it’s the thought that “it’s all patient care space” and as a result you may have staff that have access to a department or a space that they don’t really need access into. So when you’re running an investigation, you’re pulling your reports on how many people have access to that space. You sometimes have to call that list a little bit deeper than you normally would think you would because the access group is just so wide. So it’s kind of not in the healthcare culture sometimes that kind of put in restrictions and multiple layers of access control for a general populace of staff. That becomes an issue when you have conference rooms. For example, they need to be accessed by a large number of people, but it’s inside of a “clinical space” that would technically be more high risk, and you always want to keep that list limited. And that’s tricky.
Thomas Carnevale: And there are so many different layers. I would think that and now that I’m thinking about this your type of operation is so much more complex compared to almost anything else so much more complex because of profiles. You have to create some areas in space in which people can go and you have to define different types of credential access or group profiles?
Myron Love: So it keeps my systems team very busy, especially when clinical or medical staff have so many different specialties. The nursing staff get a lot more education and become advanced practice nurses where they now have greater levels of responsibility to access greater areas of the Hospital. You kind of have to open it up a little bit, and roles change constantly, it can get very, very tricky to figure out exactly what groups people should be in.
Thomas Carnevale: I’m sure that’s a quarterly review you’re always evaluating and tweaking some of these group permissions. Because what most companies do is they set the rules and like OK you’re hired for “this job” that’s your access. With your business more than any other you have to be constantly be evaluating because of all the people, rolls and geography and the complexity is very high as it relates to group permissions. Does it seem there is no one size fits all?
Myron Love: We do. Absolutely. And there’s no one size fits all when it comes to access control and it takes. You have to do your diligence you really have to dig into it and you have to make sure you keep this information updated continuously. Which is one great benefit to that Active Directory Integration discussion we’re having, and how employee records are tied into the H.R. database to make sure when roles are department assignments are changed they automatically update that way our Access Control Team gets that information in real-time. And if we need to go into our system and manually remove him, we can. But if the system is functioning as we’re hoping it would just simply be able to just remove or change the access for us and then set us a report to let us know that it was done.
Anti-Passback for Access Control Systems
Thomas Carnevale: So does anti-passback (for access control systems) help with that problem we discussed earlier with door propping and door opening. As you said, it’s still the training piece of course, but How do hospitals use anti-passback for access control systems?
Myron Love: I can give you an example from my last organization. Actually, we had a building it was (actually formerly a hotel) that we converted into a medical office building. It was in a fairly decent part of town but there was still a desire for the staff working and ability for the dedicated security person at the lobby because we had a lot of people that would come into the building lost or they would think the building was you know another hospital’s building. So they were just walking and going up the Elevator and now they’re inside the building lost- that happened quite a few times. So we were looking into an anti-passback revolving door would be it with the explanation that we don’t need a security person to manage the people coming in. We actually just need to put in access control with a system, where we don’t have an inside pass that eliminates the problem, and we thought we would see a huge, cost savings over putting in a security person with hourly benefits..
Thomas Carnevale: That resource going to other areas.
Myron Love: Yeah absolutely. So that was great for us because unfortunately a lot of times when people think they need Security it’s always we need guards, we need security officers, we need a body there, and it’s like maybe you don’t. We need to have staff awareness and access control technology and to solve that problem for us.
Visitor Management Systems for Healthcare
Thomas Carnevale: Sometimes taking a little bit of process can help but use the human eyes and instincts in the right places to be successful. So I think any transitioning to Visitor management systems they know that’s something that’s kind of a hot plate for you right now. I don’t know that it’s new in healthcare but the reality is there’s still a lot of health care facilities with pen and paper visitor management systems. Yes, there’s still a lot of health care facilities. You know using proprietary unshared databases that do not work with access control. When did you start thinking about visitor management for your health care facility and Hospital, what we’re some of your goals?
Myron Love: Great question. So we implemented Electronic Visitor Management 13 months ago so it’s still relatively early for us.
A couple of the problems we were having. Was my knowledge that we were not doing. Well. I was going to say not a great job. We were doing No Job whatsoever when it comes to screening for sex offenders coming into our Hospital. With us being a Pediatric Health Organization we felt they were very important. Previously, if we received information from law enforcement or the Department of Child and Family Services then we would be able to take action on that. But we didn’t have anything in place to screen every visitor which was a problem for us so we decided that we were going to limit that. We also before we put in this new electronic vision management system we were using pen and paper. So all visitors would receive a paper pass. That our concierge staff would write the law that they’re going to after checking if they actually have an appointment. Now the problem with that is when families leave we were kind of only on our old system on the honor system hoping that they would turn our passes in and many families did and they would walk out of the Hospital and just kind of just toss it out.
Thomas Carnevale: Guilty. I’ve done that very same thing visiting my Son at your Hospital.
Myron Love: It’s human nature, to go in there many times a week it’s human nature, and our Hospital was located a block away from Michigan Avenue two blocks away from the John Hancock tower. So it’s a major tourist area and there would be many times we would have people walking down Michigan Avenue would find one of our passes (on the ground) which would allow them entry to the Hospital and we would write the date on the pass but still you know you’re hoping that the security officer is able to read the badge and catch someone trying to come back in. So we had a couple of times when people who should not have been returning did come back into the Hospital as well. So with the new electronic visitor management system, we eliminated all of that. So we worked to eliminate the pen and paper passes actually take photos of all the visitors running a sex offender check their driver’s license automatically, populating their name and more information onto a pass that we would then print and give to them. So they’re wearing their photo on their badge to walk through the Hospital. Then for inpatient units, we locked all of those down 24/7, and all authorized visitors are given an access card that allows them entry to the unit. That way we can track visitors that are coming into the unit when the visitors are leaving, and if there’s an issue we can cut their access, and they are not able to enter back in.
Thomas Carnevale: Fantastic! So they do get a credential?
Myron Love: Yes they do. For inpatient visits, they do get a credential.
Thomas Carnevale: So patients are restricted to the floor where they’re visiting specifically visiting. They can go up to the floor and I’m sure before they get into the patient wing is another checkpoint, Correct?
Myron Love: Yes there is.
Thomas Carnevale: Because that’s not going to just give them free access, but it’s going to give them at least Elevator access to the floor. To the checkpoint and then it can swipe them in.
Myron Love: And because it’s integrated with Active Directory if the patient’s information is changed so they’re assigned to a different floor or a different unit, for example between NICU or ICU or from the Elevator up to or wherever the case maybe it will change their access in the system automatically so they don’t need to come back to get another access card.
Thomas Carnevale: I assume you’ve not given them key fobs but lower-cost thin plastic cards?
Myron Love: Absolutely yes. That’s a way to do it because it’s got to be a disposable item.
Thomas Carnevale: Is there a time clock. Is there an amount of do you eliminate that credential authorization based on restricted designated time.
Myron Love: We do twenty-four hours for parents after four hours if you’re a parent.
Thomas Carnevale: What about swipes. What did you find that they’re swiping more times than they should? I mean yes, of course, they’re only restricted to an area. The more times they try or if they attempt. Multiple times in unauthorized areas. What how does this how do you think about that and plan for that?
Myron Love: We actually did think about that and in the layout of our hospitals a little bit different us being a skyscraper. So I know some hospitals I’ve visited. You have your main cafeteria might be off of a public corner source our cafeteria is actually on our 12th floor inside the Hospital. So we did think about if we wanted to limit how visitors. We would move between those floors but we. I decided not to do that because it’s not uncommon for families to go back and forth multiple times. Oh absolutely. And we do want to encourage your families to take their patients for a walk to get out of the unit if it’s you know if it’s medically possible for them to do that so they can feel some of our longer-term patients get a little cabin fever.
Thomas Carnevale: Well what a night and day from pen and paper to electronic visitor management. And it’s much easier to manage. It sounds like it’s better for the visitor and the patients as well. And it gives them that sense of freedom without — too much freedom. I know you’re thinking and always dreaming about new technologies and ways to advance the Hospital’s Security. What things or areas are you thinking about implementing for Security whether it’s a process technology or it’s a training teaching moment. What areas are you experimenting with new innovations?
Myron Love: Definitely. Well, right now we’re looking at ways to capitalize on a foundation we’ve got with this electronic visitor management system. So one thing that we’re looking at that I’m very excited about is self-check-in visitor management kiosks. So we have two areas where you have to pass by Security to get into the Hospital. One is our main entry after you checking with registration staff, and you get your card you go past Security. Another is on our 11th floor. And the next one would be on our 11th floor where you also have to walk past a security officer, that takes you up to our inpatient floor. So we’re looking into putting in a visitor management kiosk there. I’m sorry a security turnstile there. So once you get your badge and your access card, you would actually be able to tap to go into the inpatient floors as well (through the security turnstile). And what excites me about that is the opportunity to use that to restrict patients from escaping out of our inpatient floors. For patient allotment or abduction medication of risk. So if it’s a patient that doesn’t have an access card that somehow manages to get off of the locked unit, but they make it down to the 11th floor there would be a kiosk that would physically stop them from passing if they don’t have an access card. So that’s one technology we’re really excited about. Also, the other would be pre-registration functionality with mobile devices.
Thomas Carnevale: A self-check-in mobile app?
Myron Love: Absolutely. And kiosks that we can use for self-check into registration- once you arrive for your appointment (which we’re hoping)we are going to be able to integrate to notify the floors that your “patient has arrived.” That way we can accommodate for the time it takes to check-in go to our Elevator and make your way up to our inpatient floors.
Thomas Carnevale: You know, something that’s really resonating for me in this conversation is a healthcare security professionals. We need to have more customer service integration in Security combined into one because they go so much in the same area.
Myron Love: Yes definitely.
Thomas Carnevale: It’s giving easier faster more caring customer service to your patients. You are creating more of a culture of Security within your organization. I get that tone from the mindset you have so much that you are really focused on integrating both of those (Security and Patient Service/Care). What other final thoughts do you have for the Security In Focus audience?
Myron Love: I think. One thing that we want to leave everybody with is an understanding both on the end-user side and on the vendor side is look at patients and families first when looking at the implementation of technology in a healthcare environment. Because ultimately they’re the ones that are impacted, so if we put in a visitor management system that’s too restrictive, that’s too time-consuming, that could make our family’s late for their appointments the negative perception is that it’s “too much Security”. However, if you can make something like that. Feel seamless feel as effortless as possible but still be able to give you the tight Security that you need. The value in that is tremendous, and families really appreciate that and the families and the health care they’re our most prominent advocates for implementing higher levels of security in many cases.
Thomas Carnevale: Amazing. This was a really great talk & I knew it would be. Thank you for joining me.
Myron Love: Yeah- thank you for having me.
Thomas Carnevale: Live from the Security GSX conference, this has been another episode of Security in focus.