Category Archives: RiskAlert

New Active Shooter App Announced on October 20, 2013

FOR IMMEDIATE RELEASE

New Active Shooter app released to reduce likelihood of an Active Shooter Incident.

Active Shooter incidents have increased in both the number of incidents and the number of people killed and injured in the last five years. As an aspect of workplace violence, the active shooter has become a serious, recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate an average of more than 15,000 injuries annually during this time.

The latest figures show that high-risk organizations like hospitals, schools, malls, universities, military installations and even hair salons have experienced an active shooter incident and are likely to have a dramatically increased risk for experiencing an active shooter incident in the future.

Risk & Security LLC has released a new web-based app, Active Shooter Risk-Pro©, which offers an easy-to-use risk assessment program that assesses your organizational risk of an active shooter incident and recommends solutions to prevent an incident from occurring in the future.

In addition to using the Department of Homeland Security (DHS) Guidelines on Active Shooter Response, the new, easy-to-use application includes OSHA standard 3148 (Guidelines for Preventing Workplace Violence for Health Care), the FBI and Secret Service Guidelines on Active Shooter Incidents, and the new OSHA Inspection Directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, from September 2011.

The program has been tested on some of the largest organizations in the US, and runs on a laptop, PC or tablet, and even on a smartphone! Active Shooter Risk-Pro© is built to be affordable and simple to use.

The web 2.0 program includes newly compiled, updated threat databases, new active shooter incident analysis metrics, and automated web-surveys based on the DHS Guidelines.

The new program gives human services and security professionals a quick and easy way to conduct an active shooter or general workplace violence assessment that will pass an audit!

The Risk-Pro© model has been used for easy software applications by the Department of Defense and hundreds of organizations, hospitals, and local, state and federal government agencies.

About Risk & Security  LLC

Risk & Security LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk assessment. It develops specialized programs and applications which are easy to use and affordable, which help organizations assess their risk and the likelihood of becoming a target, and which recommend cost-effective solutions.

Risk & Security offers full service consulting on critical risk assessments including HIPAA Risk Analysis, Facilities Security Assessments, Hospital Security Assessments, Workplace Violence, Active Shooter Incident Assessment, Environment of Care and more.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective security controls justified by return on investment metrics.

The team of risk and security experts is led by Caroline Ramsey-Hamilton, who has created more than 40 software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world, including in Abu Dhabi, Hong Kong, Japan, South Africa and Qatar.

Contact Information:

Caroline Ramsey-Hamilton, CHS III

Email:  caroline@riskandsecurityllc.com

Phone:  301-346-9055

Twitter:  www.twitter.com/riskalert

 

DOD-OIG Report on Security Weaknesses at the Navy Yard

The recently released 56-page report by the Department of Defense, Office of the Inspector General found that the Navy Access Control System did not adequately control the risks to the Washington DC Navy Yard and other sites under their control.

NCACS did not effectively mitigate access control risks associated with contractor installation access. This occurred because Commander, Navy Installations Command (CNIC) officials attempted to reduce access control costs.

As a result, 52 convicted felons received routine, unauthorized installation access, placing military personnel, dependents, civilians, and installations at an increased security risk.

Additionally, the CNIC N3 Antiterrorism office (N3AT) misrepresented NCACS costs. This occurred because CNIC N3AT did not perform a comprehensive business case analysis and issued policy that prevented transparent cost accounting of NCACS. As a result, the Navy cannot account for actual NCACS costs, and DoD Components located on Navy installations may be inadvertently absorbing NCACS costs.

Furthermore, CNIC N3AT officials and the Naval District Washington Chief Information Officer circumvented competitive contracting requirements to implement NCACS. This occurred because CNIC N3AT did not have contracting authority. As a result, CNIC N3AT spent over $1.1 million in disallowable costs and lacked oversight of, and diminished legal recourse against, the NCACS service provider.

You can read the entire report at:  http://www.dodig.mil/pubs/documents/DODIG-2013-134.pdf

 

Courtesy Caroline Ramsey-Hamilton at Risk and Security LLC

caroline@riskandsecurityllc.com

 

 

 

 

Planning an Active Shooter Drill, Why Once is Not Enough

Almost every day I get a note that a hospital or corporate facility is planning to have an Active Shooter Drill. That is always good news, because it is a critical part of preparedness that not only protects against an active shooter incident, but also prepares the staff for other emergencies. But it may not be enough.

I’ve found that to be really effective, drills need to be supplemented with short training sessions, and also awareness programs that teach staff to be on their toes, or “situationally aware”.   Security awareness training doesn’t have to be a full time job and it doesn’t have to be expensive.

One of the best ways to create an on-going security awareness program is to make a 12-month calendar, with an activity for each month, or better yet, every two weeks.   Here’s a list of activities I use:

1.  Start with a one-page newsletter.  You can have the marketing department help, or use WordPress to design your own newsletter and email it out to all the staff.  Whether your staff is 100 people or 6000 people, it’s a great way to promote the security program.

2.  Send out very short emails highlighting news items about security incidents at other companies, especially ones in your industry, for example, hospitals.  If there’s a terrible incident at another hospital, cut and paste the story and email it to everyone.  In fact, if you’re an IAHSS or ASIS member, their publications have great stories about different security situations.

3.  Use seasonal reminders.  Now that it’s late October and daylight savings time is almost over, send an email reminding staff how to stay alert when they leave the facility after dark and head for their car, how to use the escort service, if that’s available, or how to use their keys as a weapon in a potential incident.

4.  Buy posters to put in the cafeteria, or in the elevators, that serve as reminders about the concept of staying alert and aware of your surroundings at all times.

I have interviewed more than 8000 staff members in the last 10 years, and they welcome these reminders and feel more secure just because you are keeping awareness up.   Remember, it also reminds everyone that there is a Security Department, and that it is working every day to keep them safe.

The Department of Homeland Security also provides free brochures and charts you can print out and give to employees, or you can email them for the staff member to print out and put in their purse.  There are wallet sized cards, and lots of other great information you can use in your own active shooter awareness program.

Check out the preliminary OIG Report, which was leaked to Time Magazine, on their swampland.com site at http://swampland.time.com/2013/09/16/exclusive-navy-yard-dropped-its-guard-pentagon-inspector-general-says/

 

 

What’s Your Active Shooter Risk? How to Assess the Threat!

Just the idea of an Active Shooter in your organization, whether you’re a military base, like Fort Hood, and the Washington Navy Yard, or a school like Sandy Hook, a beauty shop, a cracker factory in Philadelphia, a retail mall, a movie theatre, a grocery store parking lot, or a hundred other places, is a terrifying thought.

I lived about 3 miles from one of the shooting sites, a gas station, used by the Beltway Snipers back in October, 2002.  They killed ten people, totally at random, and critically injured three others.   Both of the snipers were sentenced, and John Muhammad was killed by lethal injection in 2009.

If you lived in the DC area, do you remember how scary it was just to pump gas into your car?  People were huddled against the side of their cars in the gas stations, and hidden by their shopping carts at the local Home Depots.

The fear of the Active Shooter comes from the seeming randomness of the action, which means there’s no way to prevent it, unless you give up, stay home, and hide under the bed all day.

But there are things you can do.  Instead of thinking of an Active Shooter incident as a totally unique situation, think of it as a form of Workplace Violence, Gas Station Violence, Parking Lot Violence and other related forms of random violence.   In fact, the Department of Homeland Security has identified quite a few steps you can take to keep yourself safer if you are in the vicinity of an active shooter (http://www.dhs.gov/active-shooter-preparedness).

Most of the shooters are mentally ill.  Normal individuals do not enjoy planning and killing strangers, and it is usually a last ditch effort, with the suicide of the shooter as the grand finale.   Their actions can sometimes be identified early, and the police can be alerted, or the Human Resources group at work, or even the local Sheriff can intervene before it gets to the actual shooting.

Signs that someone is having trouble negotiating their life, especially if that someone is a gun fanatic, with their living room full of AK-47 assault weapons and hollow point bullets, are not hard to spot, because these individuals often leave lots of warning signs, like:

  • Irrational posts on Facebook or inappropriate tweets.
  • Threats made against friends and family.
  • A drop-off in personal hygiene, as the person gets more obsessed.
  • Problems negotiating their personal life.
  • Demonstrating signs of isolation and groundless paranoia.

Organizations can protect themselves from a potential active shooter through a combination of specific controls that include elements like access control, continuous monitoring of cameras, employee awareness and training programs, clear-cut evacuation routes, regular active shooter drills, and hardening of facilities, to name a few.

One of the best preventive measures is to conduct an Active Shooter Risk Assessment, which is similar to other security analyses, except that it is focused on a particular set of threats related to an Active Shooter Incident.   As part of my annual Threat Trend Reports, I’ll be releasing a new set of threat data about the Active Shooter, to help organizations calculate their risk of having such an incident.   For example, did you know that the number of active shooter incidents has jumped from 1 in 2002 to 21 incidents in 2010?

[Figure: Active Shooter Incidents by Year]

Locations have changed, too, and we found that:

  • About 25% of active shooter incidents occur in schools,
  • About 25% in retail locations, and
  • About 37% in workplaces.

In future blogs, we’ll be looking at each element of the active shooter incident, and providing more information to keep your organization safe.

 

 

Chemical Security Programs Affected by Government Shutdown

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication, and other pharmaceuticals that mean life or death to those who take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.”

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol.   Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August, 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters.  The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West, Texas fertilizer plant explosion in April 2013.

Already this week, chemical companies that had DHS inspections scheduled for this week received notice that the site visits would be postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials  was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shut down and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.

 

 

 

Capitol Hill Security Incident Scares Congress- Could it Happen To You?

The Capitol Hill Security Chase and Shooting yesterday gave a bad scare to everyone – including Senators, Congresspeople, tourists, furloughed federal employees and staff who still have their jobs.

The atmosphere on Capitol Hill was already so toxic that almost everyone jumped to the (incorrect) conclusion that it was a disgruntled voter, and so there was shock when:

1.  It was a young WOMAN
2.  There was a 1 year old child in the back seat
3.  The driver of the car was not armed, and was mentally ill (probably schizophrenic).

Where are you going today on a beautiful Fall Friday?  Almost anywhere you’re planning to go has had a major security incident in the past three years, whether it is:

  • A school
  • A movie theatre
  • A mall
  • A hospital
  • The office
  • A public building
  • A hair salon

And if a security incident did happen where you were, are you confident you’d know what to do?

That brief incident at the Capitol showed how, in literally one minute, the situation goes from what passes for normal at the Capitol to total chaos, fear and terror.   The situation was handled correctly.

The communications systems were in place to send out a quick “Shelter In Place” order, and to keep people updated.   The poor tourists and staff who were walking in the area were lying on the ground, hiding behind trees, and had no idea what was going on – so they probably experienced the greatest fear.

The Capitol Hill police, the first responders, were probably not expecting to have the driver be a woman with no political agenda. If you see a car trying to rush a barricade, the logical assumption is that they have an explosive device and are trying to get closer to the target, but that was not true in this case.

So before you venture out for the weekend, keep these tips in mind, write them down and keep them in your purse or wallet.

1.  Be Situationally Aware – note where you are at all times, how close a door is, or an alternate route for your car when you’re in traffic.

2.  Spend 30 minutes deciding how you would react in an emergency shooter situation, and make a plan, like deciding to use your car keys as a weapon, or keeping pepper spray in your purse.

3.  Remember to turn the sound off on your cell phone, if you’re caught in a developing security incident.

4.  If police are on the scene, follow their directions quickly and exactly.

5.  Have a local emergency number pre-set in your phone so you can call for help.

As they find out more about the Capitol Hill incident, this will probably be catalogued as an isolated incident, which took place at a very inappropriate time, and a very inappropriate place, but it’s another wake-up call for everyone.

Everything can change in a New York minute — be ready, just in case it changes for you!

 

 

Has it Been Only Two Weeks since the Navy Yard Shootings?

 

When I wrote my blog about the Shootings at the Washington Navy Yard on September 16th, I got some nasty notes about “Why did you have to write about this so soon after it happened?”

Well – I guess the fact that after about 15 days, no one can even remember the incident (8 people shot to death), the name of the shooter (Aaron Alexis), or much of the details.  It seems that people have decided that it was a mentally disturbed person, so couldn’t have been prevented.  This is completely wrong.

One of the issues that security directors have is how to make their organization aware of the active shooter threat without terrifying them.  How do you get a large group of people out of the “It can’t happen here” mindset?   One of the main ways to bring an issue back home is by using the incident as a security awareness notice.

Write a “Lessons Learned” email and send it to everyone in the organization.  Follow it up with a purse and wallet card with reminders on what to do when faced with an Active Shooter situation.

Keep everyone informed on what happens after the incident – how the injured are doing, and more importantly, what changes the organization has made to ensure that it won’t happen again.

Try doing a simple threat-risk assessment to illustrate to management what the chances of having an active shooter incident actually are, based on the industry, the region, and the number of problems/complaints that employees have expressed in the past.

Don’t let anyone forget that this can happen to any organization, no matter how well funded, or how secure they think they are.  Remember, if it could happen in a DOD military facility – it could happen to YOU!

Why HIPAA Compliance is Related to Federal Contracts

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they have to first sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES.  In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or have any functional title that means the HIPAA buck stops with you — you need to explain this to your manager or director.  This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!

 

Is Extreme Heat a New Deadly Threat?

We are currently in the grip of a terrible heat wave in the western states.  Death Valley, California almost beat its previous record of 130, with a National Weather Service thermometer recording 129.9.   The highest temperature ever recorded on Planet Earth is 132.

Despite all the news coverage of hurricanes, homes torn apart by tornadoes, and tropical storms, excessive heat kills more people annually than almost all the other natural disasters (except for tsunamis and 7.0 and above earthquakes).

Deaths from excessive heat include both cardiac arrest and breathing issues.  “Heat-related illnesses and deaths are preventable. Taking steps to stay cool, hydrated and informed in extreme temperatures can prevent serious health effects like heat exhaustion and heat stroke,” said lead author Ethel Taylor, a researcher who works with the CDC.

Because extended heat waves put a strain on electrical loads and may trigger power outages, it is important for companies to have a Plan for Extended Extreme Heat.
Plan for a situation without electricity for 3 or more days.

Having just survived a week in south Florida without AC, and growing up in Los Angeles, also without air conditioning, here are a few tips to stay cool:

1.  Stay wet to facilitate evaporative cooling.  Wear a wet T-shirt and keep your clothes damp.

2.  Make sure pets are ALWAYS in a shady place and give them plenty of cool water.

3.   Buy ice and use it to rub on children’s arms and legs to keep them cool.

4.   Use fans and swamp coolers if electricity is available.  Coleman makes fans that run on batteries if electricity goes out during a heat wave.

5.   Wake up earlier and use the cooler morning hours for outside tasks and stay indoors during the heat of the day.

And, if it’s blistering hot where you are — DO NOT USE FIREWORKS.  Areas that are already dry, including shake roofs, will burn more easily under such extreme heat!

AND wherever you are, STAY COOL.

 

Oklahoma Tornado, Boston Bombing, Young Soldier Killed – It’s time to do a Security Risk Assessment!

More Tornado victims will be buried this week, including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar/safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a  young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously?   How many more grieving parents do we have to watch crying on TV?  In my opinion, the casualties did not need to be so high and the aftermath so catastrophic.

If you group all these disasters together, you can see that at the root of each one is the feeling that “IT CAN’T HAPPEN HERE”.    Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot dictate the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is  time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…….

Many obvious solutions-controls-safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been done, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have allowed the schools to all add the safe rooms they needed, and in Boston, the older brother Boston bomber should have been in jail already for his participation in a previous murder – or at least actively monitored based on his Facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMOTE some kind of action to either:

1.  Eliminate the threat, or

2.  Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before you end up on CNN!