Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Workplace Violence

4 Nurses were Awarded a $ 7.8 Million Dollar Settlement, after they were attacked in 2017 at Northwestern Medicine Delnor Hospital

The four nurses sued  Kane County, Illinois; Deputy Shawn Loomis, who was guarding the inmate, identified as Tywon Salters; and Apex 3 Security LLC, the hospital’s security contractor over the 2017 incident.

The inmate, had been hospitalized for surgery after he ate a plastic jail sandal.  He had been in restraints, but Deputy Loomis had unshackled him to use the restroom.  The inmate went to the restroom, and Loomis failed to re-shackle him when he returned.  Salters overpowered the Deputy and took his gun.  

Nurse Taken Hostage
He then took Nurse #1 hostage at gunpoint, taking her to an office and demanding she give him her clothes. Then Nurse #2 entered the room, and Salters took her hostage. He took both women to the first floor ambulance bay. When Salters saw police arriving, he forced her into a decontamination room, where he held her for several hours at gunpoint. According to the lawsuit, Salters hit Nurse #2 with the gun, threatened to kill her, and raped her.

Inmate Prisoner Killed by Police
The police records said he used Nurse #2’s smartphone to call his relatives and to talk to the police.  When the  officers heard him fire the gun, they ran into the room and killed Salters.  In the settlement, Nurse #1 received $ 7.2 million dollars;  Nurse #2 received $ 650,000, and two other nurses, who were on the third floor, each received $25,000.  The nurses were never publically identified.

In court, the nurses claimed that the hospital and Kane County deputies, and the security company knew that Salters was a danger to himself and others, because he had been hospitalized the week before for swallowing hydrogen peroxide at the jail and had been placed on suicide watch.  The lawsuit said that Salter previously served time in prison for armed robbery, he knew if he was convicted of another felony he would face a sentence of six to 30 years.

A Danger to Himself & Others
They also said that in the days before the incident, nurses had seen Kane County deputies using their personal cellphones and laptop computers when they were watching Salters, and that one had been caught sleeping.  They also said that when Deputy Loomis was attacked, he did not report it, but hid in a hospital room.

1.  Inmates who are being treated in a hospital frequently try to use violence to escape.  They make the calculation that it’s much easier to escape from a lightly guarded hospital, than a secured jail or prison.
Deputies and security officers need to maintain a high level of vigilance.


For more information and a free subscription:  write to:  caroline@riskandsecurityllc.com    We provide security and risk assessments, and certify Hospital and Healthcare Facilities for Active Shooter Assessments,  Active Shooter Training and Tabletop Drills, as well as Healthcare CMS All-Hazards Hospital & Healthcare Facility Risk Assessments and more. Find out more at  www.riskandsecurityllc.com .

Chicago Hospital Ordered to Pay More than $10 Million Dollars to a Female Doctor and 6 Nurses who Filed a Lawsuit for Two Separate Harassment Incidents Including Being Choked by a Doctor, and Another Doctor who installed a Toilet Cam in the Women’s Locker Room

RISKAlert  Report #1073                                      Sept. 19, 2018                                       Chicago, Illinois

The former employees of Advocate Illinois Masonic Medical Center in Chicago won a lawsuit against the
hospital after reporting that hospital doctors harassed them.  The Chicago Tribune reported that the hospital received
reports about violent incidents but did nothing.  The women accused the hospital of failing to act
when violations of the hospital own written policies were reported and then ignored

$7 million of the total amount was awarded to Dr. Caroline Ryan, an anesthesiologist who was choked and
pushed by Dr. Stephen F. Laga, in 2013. The attack was witnessed by several hospital staff members

and also by patients.  Dr. Ryan was asked by hospital administration to drop her report against Laga, who
had a “long and documented” history of violent behavior, says the complaint.   Laga was never disciplined.

The following year, a hidden camera was found on the toilet (Potty Cam?) in the women’s locker room where
women changed clothes and used the restroom.  The camera was planted by Dr. Robert Weiss, an eye surgeon
at Illinois Masonic, who viewed and possibly shared the content.
Weiss was arrested when the camera was
discovered. Although aware of his arrest, the hospital delayed suspending Weiss’ medical privileges

The women’s complaint also pointed out that the hospital had ignored previous reports of inappropriate
sexual behavior from Weiss.  The six women were awarded $1.75 million for violations of their privacy and
an additional $2 million for punitive damages. The jury was sending a clear message”, said the women’s
attorney, Jeffrey Kulwin.  He said he believes doctor misconduct has been tolerated because of the money the
doctors bring in to the hospitals.

Today’s verdict against Advocate sends a strong message to Advocate, and employers everywhere,
that violence in the workplace cannot be tolerated, especially at a place as important as a hospital


1.  Having, and Enforcing a strong policy against workplace violence and harassment is a critical
     component of creating a safe workplace, no matter who is being violent against others!

2.  The hospital lost the lawsuit because they blatantly refused to enforce their OWN POLICIES! 


For more information write to:  caroline@riskandsecurityllc.com
We provide the best Facility Risk Assessments, as well as Active Shooter Assessments, Training,
Workplace  Violence Assessments, and  & CMS All Hazards Risk Assessments, Facility Drills &  Training.

www.riskandsecurityllc.com                                                           www.caroline-hamilton.com

#RiskAssessment                                       #CMSImmediateJeopardy                                       #HospitalViolence

NJ Hospital Battles OSHA on Assault Report

Dateline: Paramus , New Jersey,  September 15, 2015

RISK Alert   Case Study   #780

Bergen Regional Medical Center to Hires Law Firm to Fight OSHA on Proposed Fine
for High Number of Workplace Violence Incidents against the Hospital Staff.

Bergen Hospital has been investigated by OSHA (Occupational Safety and Health Administration)
in the past.  In 2014, OSHA found that management “had not developed or implemented adequate
measures to protect workers from assaults

nurse-bruiseOSHA noted that there were 45 incidents of workplace violence in 2013 and 10 in the first quarter of 2014.  OSHA announced the citation this month and a proposed fine of $13,600.

Incidents cited in the OSHA report included:

       A lab tech trying to draw blood was punched.

A security guard was kicked and bitten.

A nurse was pushed to the floor after she intervened when a
patient on patient attack

A mental health assistant was trapped in a room with a patient,
who barricaded himself in his room after he charged and threatened employees.

The OSHA investigation and proposed fine at Bergen Regional mirrors the experience of staff members in hospitals, clinics, and behavioral health organizations around the country, who are all affected by the new OSHA 3148 regulations, which were introduced in 2015 to fight the rising violent incidents occurring in hospitals around the U.S.

The recent update of OSHA 3148 requires Annual Workplace Risk Assessments.
Read the entire text of OSHA 3148, Guidelines for Preventing Workplace Violence at https://www.osha.gov/Publications/osha3148.pdf

Lessons Learned:

1.  Any organization that accepts money from any Federal agency has to attest
     that they are up to date with all Federal requirements, including OSHA 3148.

2.  Bergen Regional Medical Center may end up spending more on lawyers
    than the cost of the fine ($13,000).

     WEBINARS at www.riskandsecurityllc.com

RISKAlert® is a publication of Risk & Security LLC

To subscribe to #RISKAlerts® and never miss a #RISKAlert–
write to:  info@riskandsecurityllc.com


How Risk-Based Security Can Reduce Violence in Healthcare

reprinted with permission from www.securityinfowatch.com

Using Risk-Based Security to Stem the Tide of Violence
in Hospitals and Healthcare

Created by:   Caroline Ramsey Hamilton

Date: May 22, 2014

Hospital and healthcare security is experiencing a major increase in violence,
instigated by patients, patient families and even healthcare staff.  Just last year,
there was an active shooter incident in Reno, Nev., in which two physicians were
shot, and in Houma, La., 
a hospital administrator was shot to death by a terminated
nurse. As recently as Easter Sunday in California, two nurses were stabbed at the
hospitals, where they worked.  One was stabbed in both the upper and lower torso
and is in critical condition. These two incidents add to the more than 100 
incidents in 2013 and the first half of 2014.

Since 2010, violence in healthcare has skyrocketed. As a result, the Joint Commission has
issued a “Sentinel Event Alert” on the issue and contributed to numerous articles on shootings
in U.S. hospitals. The Department of Homeland Security and a consortium of state and local
hospitals recently released 
a standard for active shooters in healthcare. These all point to the
conclusion that the current law enforcement-based hospital security model is not working.

Changes in Healthcare
The changes in healthcare, including the increase in insured Medicaid patients and increased
traffic to emergency departments, highlights the fact that very well-intentioned people are
working with an outdated security model that hasn’t evolved to address a changing healthcare
environment. The change in billing and reimbursements for healthcare organizations, such as
tracking of readmission rates, has squeezed hospital profits causing reductions in funding in many
security departments at a time when violent events are steadily increasing.

A new risk-based model for hospital security is emerging that is less linear and more cyclical.
It uses technology to a greater extent, employs forecasting and statistical models to predict the
likelihood of future incidents, and is proactive instead of reactive, focusing money and energy on
preventing events instead of simply responding to them. This model also uses risk assessment
formulas to quickly assess the current security profile of a hospital, clinic, hospice, or behavioral
health facility, factoring in heightened threat-risk environment, not only for the facility in question,
but also adding in the wealth of healthcare data that’s now available.

Risk –Based Security Focuses on Continual Assessment
A major focus of this model is the continual assessment and evaluation of preventive security
controls, which are reviewed quarterly, semi-annually, or annually to discover gaps in controls,
and to fix gaps as soon as they are identified. This dovetails nicely into the assessment models
already required by the Joint Commission, OSHA and new CMS standards.

Looking at recent high-profile security events that took in place in hospitals shows that incidents
happen because of exploited gaps in the existing security of the healthcare facility. In the past,
security officers successfully worked hard to reduce response time so that often officers could
arrive in under two minutes, but it’s still too long.  In the Reno shooting, response time was under
two minutes, but that was long enough to kill two doctors.

Focusing on prevention makes sense for healthcare, much in the way the Joint Commission
focuses on patient safety, by continually assessing controls, reducing discovered gaps in controls,
and mitigating gaps by reassessing and tightening security, which creates a cycle of continual
improvement in the healthcare security environment.

Taking Advantage of Technology
The healthcare risk-based security model takes advantage of technology. Instead of waiting
for manual recording of security incidents every day, software programs allow hospital security
officers to enter data at the end of each shift, and that means security directors can map what’s
happening in the hospital or facility on a daily, weekly, monthly and yearly basis.  This can go a long
way to identifying trends early and help facilities make appropriate changes in controls so that
negative trends can be reversed 
quickly and both patient and staff security is increased.

In addition to automating incident collection and analysis, the healthcare security risk assessments
must be automated too.  Risk assessments are too time-consuming and labor intensive to be done
By the time the risk assessment is over, the environment has changed again.  By
automating the risk assessments, including environment of care and hazard vulnerability,
it produces data that can be used instantly to analyze and recommend the most cost-effective
controls, and rank them by their return-on-investment (ROI).

The role of security in hospital and healthcare organizations is changing too. Security organizations
should no longer be isolated without intensive interaction with others in the organization, including
the human resources department, the facilities managers, safety managers, and the emergency
management staff.

New DHS Guidelines for Active Shooters in Healthcare
With DHS issuing new guidelines for active shooters in healthcare, hospital emergency managers
are now required to prepare for active shooter incidents, as well as storms, hurricanes, tornadoes,
power interruptions and other events related to natural or man-made disasters.  This creates a
natural partnership between the emergency management staff and the security program,
because the skills of both functions are needed to properly prepare an organization for any disaster.

Instead of existing in a vacuum, healthcare security directors and managers should cheer at
this development because it expands the importance of security inside the hospital or healthcare
facility, and underscores its value in protecting the organizational assets –  the physical facility,
patients, visitors and staff –  to proprietary information, including the HIPAA mandated PHI
(Protected Health Information), vehicles, security systems, high-value healthcare equipment
and the healthcare provider’s reputation.

Security budgets have always suffered because security costs are seen as operating
expenses, not an income source, but by tying the security expenses more closely to loss
prevention and protection of the organization, it creates a cost justification for hospital and
healthcare security.

Risk-Based Security Links to Hospital Compliance Standards
A risk-based security model also links security to myriad compliance standards that affect healthcare
and this also supports and justifies the costs related to security. For example, hospitals are required
to have a variety of security controls in place related to tagging of newborns, posting of no-weapons
signs, and environment of care issues. Any healthcare organization accepting funds from Medicare
or Medicaid must comply with the new mandate for annual security risk assessments. 

OSHA 3148 also requires hospitals and healthcare organizations to do annual workplace violence
assessments, and more than 33 states also require enhanced protection of hospital and healthcare staff.

As security incidents continue to increase and violence in healthcare escalates, making the
switch to a risk-based security program will provide better protection for hospitals and healthcare
organizations, making more effective use of existing security personnel, as well as justifying and
expanding healthcare security budgets.


For more information:  contactCaroline Ramsey-Hamilton at caroline@riskandsecurityllc.com


RISKAlert – May 2014 Shooting at VA Medical Center, Dayton, Ohio


Terminated Employee Shoots Staff Member during Card Game
at Veterans Affairs Medical Center in Dayton, Ohio

Allowing terminated employees to have access to a hospital or facility where they
worked before is a questionable decision, because not only anger at the organization,
but also a
nger at individuals and former co-workers may turn into an incident as this report

In early May, a terminated housekeeper at the Veterans Affairs Medical Center in Dayton, Ohio came back to the hospital to play cards in a hospital break room with a group of current VA staff.   The perpetrator, Neil Moore, had also brought a handgun to the hospital.  Neil was upset because he thought another VA staff member was having a relationship with his wife, so he pulled out the gun, and as a result, one person was shot in the ankle.

It was not a typical active shooter scenario, but it does point outVAMC-DaytonOH
the access control problem in hospitals, and also questions the
ability for anyone to walk into a hospital with a loaded gun


 1.  Access to former employees should be prohibited or at
least limited on a case by case basis.

 2.  Visitors should not be allowed to bring guns into a hospital.
      Metal detectors should be used to screen for weapons.


Moore, a former employee at the Veterans Affairs hospital, told police that he was going to a regular card game with
his former co-workers.  He said he went to the hospital Monday intending to brandish the handgun to intimidate two former co-workers he believed were involved in relationships with his wife and daughter, both of whom reportedly work at the hospital.  Moore planned to “hold the ex-co-workers at gunpoint while he punched them with his right hand,” according to court documents.

The hospital complex has beds for about 450 people and provides veterans with medical, mental health and nursing home care. It doesn’t have metal detectors at its entrances, but it does have its own security force.

VA spokesman Ted Froats said the force conducts active shooter training four times a year and showed outstanding response Monday. He said in a statement Tuesday that the hospital will consider additional steps to ensure safety, while making sure that any new measures won’t impede the hospital from providing care to veterans as quickly as possible.

RISKAlert®  is a publication of Risk & Security LLC at www.riskandsecurity.com

How long does it take for OSHA to develop standards – like for Workplace Violence?

Why OSHA standards take so long to develop

The Government Accountability office reports to Congress on items of interest to Congress and their constituents.  One area that was recently examined was how long it takes OSHA to update standards, or develop new standards.  Here’s a look at the results:

By:         David LaHoda  April 30th, 2012

A report by the U.S. Government Accountability Office (GAO) on why OSHA standards take, on average, more than seven years to complete found that “increased procedural requirements, shifting priorities, and a rigorous standard of judicial review” contributed to the lengthy time frame.

In responding the GAO report, Randy Rabinowitz, OMB Watch’s director of regulatory policy said: “In the years since its creation, OSHA’s charge to protect workers from harm has been undermined by Kafkaesque demands for additional reviews of existing rules mandated by new statutes and executive orders,” according to The Hill. While OSHA’s internal inability to remain focused on priorities and regulatory follow-through was the counter argument presented by the U.S. Chamber of Commerce.

“While some of the changes, such as improving coordination with other agencies to leverage expertise, are within OSHA’s authority, others call for significant procedural changes that would require amending existing laws,” according tot he GAO report.

The GAO report recommended that that OSHA and NIOSH improve collaboration on researching occupational hazards. In that way OSHA could better “leverage NIOSH expertise in determining the needs for new standards and developing them.”

To access the entire 55-page report, go to: http://www.gao.gov/products/GAO-12-330

Outlook on Risk & Security Compliance in 2012 – What to Expect.

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule.  It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights,  has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2.  Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015.  Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations,  the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3.  Pressure on the financial industry to protect consumer information will increase.
  Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches.  Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.


There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations. 

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!

Webinar Looks at New OSHA Workplace Violence Directive

Workplace Violent Incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in home visit, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves a domestic violence incident, like when a husband shoots his wife at work; or whether it is patient violence against the Emergency Room nurses, it is a big problem that has been increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff, and patients stay safe.

Risk Assessment: How about Giving Guns Back to Former Mental Patients

A recent New York Times article explained that a provision tucked in a bill to make it harder for people diagnosed with mental illness to possess firearms, actually restores the rights of mental health patients to get their firearms back. The legislation was passed after the massacre at Virginia Tech in 2007.

One of the main elements of risk assessment is a quantitative (meaning = real numbers) on what has happened in the past. Looking at 2 or 3 years of incident reports, for example, show how many times there has been an incident involving gun violence in a particular neighborhood, city or organization.

Another element is the history of a particular individual to see whether individuals with a diagnosed history of mental illness are MORE OR LESS likely to trigger (forgive the pun) – a violent incident.

If we run that scenario, we will find that individuals who previously had a violent incident with a firearm are MORE LIKELY than the standard population to have another incident.
And that especially holds true if other threat indicators are present, for example:

Termination from a Job
Romantic Difficulties
Difficult Economy

There is a ‘risk multiplier’ effect that takes place that makes the risk higher. By combining different sets of threat categories with areas of weakness, we are create general predictions on the likelihood of repeated violent incidents.

Do the math – it doesn’t make sense for people with a history of mental illness to
get their guns back!

The 5 Missing Elements of Most Workplace Violence Prevention Programs

The 5 Missing Elements of Most Workplace Violence Prevention Programs

After working with a variety of organizations on a baseline Workplace Violence assessment, there are several areas that seem to be common problems for most organizations.  These elements are not expensive, and not timing-consuming, so they are natural candidates for improvement.

A baseline workplace violence assessment is a survey of employees in different roles, combined with a threat analysis and an analysis of existing controls and a historical incidents that can be reviewed and aggregated.

Here are the top 5 most common missing elements, with potential solutions.

1.  Missing workplace violence awareness/training programs.  Many organizations report that they have set these up, that they have sent out emails to all employees, but we consistently find that the employees didn’t read the emails, didn’t know the training was available, or that it wasn’t included in their initial company orientation.

2.  Mis-categorization of workplace violence incidents.   There is a mistaken (in my opinion) idea that domestic violence incidents that happen at work should not be categorized or reported as a Workplace Violence incident.  This is a mistake, and leads to bad information about the true nature of the problem.  If someone comes and shoots her significant other at work (IN THE WORKPLACE) – it is a workplace violence incident.

3.  Staff feels subtle pressure from management not to report every incident.
In my research, management wants every incident reported, every time, but
staff members report that their own direct supervisors may discourage them by not taking time to discuss these pre-incidents, and also by chalking up comments as merely office gossip.

4.  Not linking Human Resources with Security on the issue of Workplace Violence Prevention.  This is a management issue, but organizations that create bridges between HR and security are way ahead because this is one issue where cooperation makes a big difference in results.  HR can’t do a security assessment and security can’t write termination policies and set up employment screening. They are both absolutely necessary.

5.   Not doing an Annual Workplace Violence Assessment.  Since late 2008, when the economy suffered major job losses,  the number of workplace violence assessments have increased dramatically, especially in the healthcare field.  Annual assessments are best way to stay on top of the ‘potential’ for violence in your organization.

Check out one of our regularly scheduled webinars to learn more about this important issue.


REMEMBER – Workplace Violence is the one threat that is PREVENTABLE!


                                        — Caroline Hamilton