accountability

What Went Wrong at Fort Hood? Another Active Shooter?

Posted on April 8, 2014 5:43 pm by Caroline Ramsey-Hamilton Comment

RISK Alert Alert #530 – Fort Hood Active Shooter-April 2, 2014

Dateline: April 5, 2014

Shock and grief were the reactions when the news said, for a second time, a shooter
inside Ft. Hood near Killeen, Texas had killed 4 and injured 13 in another Active Shooting
Incident. Everyone remembered the first major shooting attack in November 2013, when
a major killed 13 and injured 43 because he did not want to be deployed to Afghanistan.

A total of 73 injured and/or killed in the two incidents!

How could this have happened? The Department of Defense had implemented many of
the recommendations of its internal, and independent review panels, and the changes had not
been enough to prevent another active Shooter incident.

The 34-year old shooter had apparently been denied a leave form, and asked to come
back the next day and he came back, with a .45-caliber Smith & Wesson semiautomatic
handgun, recently purchased at Guns Galore, and started shooting. He eventually turned
the gun on himself, after firing 35 rounds in two buildings over a 2 block area. He had a
history of mental issues, and had recently been transferred to Fort Hood.

What We Learned: The After Action Review “Protecting the Force” had detailed 89
recommendations, but by Sept. .2013, only 52 had been
implemented and none included an Active Shooter Risk Assessment.

A comprehensive Active Shooter Risk Assessment has to be the first recommendation
after any Active Shooter event. Recommendations from the previous shooting were concentrated
on new policies and procedures, mental health screening, education and training programs but
those controls did not directly influence PREVENTION of incidents.

A Review of the Most Important Active Shooter controls would have been more
likely to prevent a future shooter event, like:

Tightened Access Controls for Facilities
- Panic Alarms
- Tracking of Potential Troubled Individuals
- Metal Screening for Weapons
- Policy on Personal Weapons on Base
  
  After the Navy Yard shooting in September 2013, another round of recommendations
  were made to improve security at all DOD installations, however, a Pentagon official
  said on Thursday, April 4th, that the new recommendations had not yet been put into
  effect at Fort Hood. Unfortunately, at Fort Hood, very little had changed from 2009
  regarding security procedures for soldiers at the entrance gates.
  
  Stay Alert and make sure that any Security Incidents are reported IMMEDIATELY!

Loss of Malaysian Airlines Flight Points Out Airline Security Weaknessess

Posted on March 24, 2014 12:02 pm by Caroline Ramsey-Hamilton Comment

Monday, March 25, 2014.

This morning the Malaysian Government stated that based on all their “new”
calculations, they have concluded that Flight 370 went down in the southern
Indian Ocean.

Has terrorism been counted out for this flight – no. Until the whole story is known,
it will be impossible for anyone at this point to say that this happened because of pilot
error, mechanical failure, bad weather, or anything else. However, as we watched
the near continuous news coverage of this ill-fated flight, it was impossible to ignore
the many security weaknesses that were revealed as the drama played out, and
experts proposed possible new theories, even alien abduction!

The airlines around the world, and even the Federal Aviation Administration (FAA),
have always maintained their unique security standards, unlike other industries
which have generally accepted security practices that are used worldwide. This
standardization of security elements has made it easier for multinational corporations
with offices worldwide, to secure their supply chains, ensure improved safety and
security for their employees, contractors and vendors, and, in my opinion,
contributed to making the world a safer place.

Unfortunately, this uniformity and standardization of security practices is not
mirrored in the airline industry globally, and even blatantly ignored by other
airlines, operating in other countries.

International travelers often see the little sign that says something like: THIS
AIRPORT HAS BEEN CLASSIFIED AS UNSAFE. Of course, because these
airports are often the only airport in the country, they are used anyway.

But the fate of Flight 370 has shocked some security experts by uncovering the
lack of security at a respected airport, generally thought to be safe and secure.

For example, right after 9/11, the FAA moved quickly to security the cockpit of
U.S. planes, and keep them locked and secure during flight. So it was quite a
surprise to have a young girl smiling and telling CNN how she partied with the
co-pilot in the cockpit during a recent flight.

“The FAA rule sets new design and performance standards for all current and
future airplanes with 20 or more seats in commercial service and all cargo
airplanes that have cockpit doors. Specifically, the rule:

Requires cockpit doors to remain locked. The door will be designed to prevent
passengers from opening it without the pilot’s permission. An internal locking device
will be designed so that it can only be unlocked from inside the cockpit.

Controls cockpit access privileges. Operators must develop a more stringent
approval process and better identification procedures to ensure proper
identification of a jump seat rider.”

As the tragedy has unfolded day by day, security experts can see vulnerabilities
in the way security controls are both either not required or are not correctly and
consistently implemented on planes around the world.

The “Tombstone Mentality” of the airline industry and civil aviation organizations now
have the tombstones for 370 individuals, and everyone hopes that even though we
don’t know know exactly why this flight went down, we can all see that there are
weaknesses in international security that need to be addressed in the aftermath of
this tragedy.

After Action report on LAX Shooting Recommends Risk Assessments

Posted on March 19, 2014 1:26 pm by Caroline Ramsey-Hamilton Comment

The Los Angeles World Airports (LAWA) released the long-anticipated After
Action Analysis on the LAX Active Shooter Incident in 2013.

The 83-page report was written by an independent consultant who analyzed
all aspects of the Shooting incident and includes a list of “Major Observations
and Recommendations.” The recommendations are “to provide focus for
LAWA’s efforts toward continuous improvement in it’s security and emergency
preparedness programs.

These areas were highlighted in the report as “7 priority observations that merit
special consideration.

Recommendation 1.1: Evolve the LAX Security Program to reflect a more
integrated assessment of security risk and provide for the ongoing development
and management of mitigation measures.

Recommendation 1.2: Based on the RISK ASSESSMENT and updated security
plan, consider the focus and structure of security functions to determine whether
realignment and integration are needed.

Recommendation 1.3: With the benefit of recent vulnerability and risk assessments,
take a risk-based approach to evaluating current security programs and explore
intelligent use of technology.”

Once again, doing frequent Security Risk Assessments and managing the security
program and enhancements to follow the recommendations of the Risk Assess-
ment are the first recommendations in the After Action Analysis of an Active
Shooter Incident.

In my experience, in most organizations, Facility Security Risk Assessments are
not conducted correctly, are not reported to senior management, and not used as a
tool to ADJUST AND FOCUS the security program based on RISK.

Why aren’t security risk assessments done more often?

1. People don’t have the right expertise to do a full risk assessment.

2. Security managers view Security Risk Assessments are too difficult
to undertake.

3. Law enforcement personnel still do not understand the concept of risk
assessments and instead, tend to rely on checklists of controls or
security elements, rather than integrating all the information to
create a true Risk-Based model for security.

The solution to this problem is to use affordable, easy to use software tools, like
the Risk-Pro Application for Facilties Security Assessment and their Risk-Pro
Application for Active Shooter Incident to simplify the process of doing more
frequent risk assessments and using them as a management tool to focus
security so it will be able to recommend the security enhancements that are
needed, and not only how MUCH to spend, but actually dictate the order
of necessary controls.

Far from being a boring, intellectual exercise, well done security risk
assessments can dramatically reduce the possibility of an active shooter
event, and also mitigate the many negative consequences that come
from such disruptive incidents.

Putin Analyzes his Risk on Invading Crimea

Posted on March 3, 2014 9:40 pm by Caroline Ramsey-Hamilton Comment

The invasion of Ukraine’s Crimea region by Putin’s “un-labeled” troops
illustrated two major principles of a Risk Assessment.

#1 – Secure your Critical Assets First

It’s not about the citizens of Crimea, not about the Ukraine wheat fields, or
even it’s use as a pipeline pass-through area. It’s all about the Black Sea
Ports. These ports are absolutely critical to Russia (and also to PUTIN
– the EGO), because they are a critical place to ship gas and oil from,
and they also give Russia their only access to the Mediterranean,
in case Putin urgently needs a gelato!

The second principle of a risk assessment is

#2 – Analyze all the Potential Threats

I read a great article over the weekend about how Putin had sized up the
EU and the European bankers, and calculated that the threat of any interruption
of the Russian-European banking relationship was zilch – zero. Bankers are
not going to reduce their profits by refusing to do business with Putin.

The next potential threat is U.S. retaliation or sanctions. Putin correctly
calculates that the US didn’t get out of Iraq and almost out of Afghanistan
to immediately send any boots on the ground to Crimea or eastern Ukraine.
We can threaten to curtail his trips to Vegas and Disneyland, but the U.S.
is not going to start a war over this.

Putin did his risk calculation and decided that his chance of getting in any
serious trouble was VERY SMALL and his potential gain was VERY HIGH:

1. He gets to look like a tough guy again.

2. He gets lot of media attention from the whole world (doesn’t care what
media writes about him, as long as they spell P*U*T*I*N correctly and
gets him back on the world stage again.

3. And, the clincher is that he can pull the troops out anytime he wants,
send them back home, and no real harm done.

But I did pay attention in my history class, and I am hoping out loud that
we are not on the precipice of another war!

3 Killed, 4 Others Injured at Columbia, MD Mall Shooting

Posted on January 26, 2014 9:42 am by Caroline Ramsey-Hamilton Comment

Saturday morning at the Columbia Mall, in this neat, planned community was cold and many people decided
to go to the mall! Columbia, Maryland is a large mall, situated between Washington DC and Baltimore
in the Maryland suburbs. I’ve been there frequently – in fact, last month.

Unfortunately, at 11:15 in the morning, a young man entered the mall and started shooting. Some witnesses
said he was shooting down into the Food Court from the 2nd Level. The shots were centered in a surf, skateboard
and snowboarder store called Zumiez.

Two young people were killed, store employees, Brianna Benlolo, 21, of College Park, MD; and Tyler Johnson
25, of Ellicott City, MD, and a man police identified as the shooter. He had killed himself, but was wearing more
ammo and had more ammo around him.

A bystander was shot in the foot, and others were injured in the chaos that started when the 8-10 shots
were fired and someone yelled, “There’s a man shooting”. But these injuries were judged to be minor.

ONE MORE ACTIVE SHOOTER. ONE MORE YOUNG MAN WITH NO MOTIVE. Seven families devastated
and looking for answers.

Again, we look at access control, and due to the NRA effect, making it ridiculously easy to carry a gun, even
a concealed gun almost anywhere, we have to start with what kind of access we should allow to public places,
like schools, malls and airports.

In a risk and reward calculation, it’s basically, does the right of an individual to take a loaded gun anywhere
they want, supersede my right to safely shop at the local mall on a Saturday morning? I think it does.

Now the burden is on the mall owners about how many of these shootings it’s going to take before we start
seeing armed guards at malls, and access control devices like metal detectors, at entrances to the larger malls.
Because think of what the mall owners lost – they lost their reputation as a “SAFE” place to go. They lost
almost a whole day of sales, and maybe they will lose another day.

The local police and county Executive were on TV saying police arrived within 2 minutes of the shootings.

and the SWAT team entered the Mall and did a store by
store search, while the media trucks assembled in the parking lot.

If people want to take loaded guns everywhere and society
thinks that’s great – then store owners are going to have to
increase security and be able to have tools to exclude these
people.

Guns are for hunting, not for shopping!

Terrible day for Columbia Mall and it’s customers, I guess it’s a wonderful day for the security industry that will sell
lots more metal detectors, cameras, monitoring, panic alarms and more. Because that’s what we need to keep
the public safe.

Joint Commission Reports on Shootings in Hospitals

Posted on November 12, 2013 2:08 pm by Caroline Ramsey-Hamilton Comment

Some of the most horrific shootings we see occur in hospitals. Because most people still think of hospitals as “places of refuge”, it is always a big shock when some kind of violence or shooting occurs in a hospital, especially gun violence.

With so many active shooter incidents in the US in recent months, the Joint Commission recently released information about the number of shootings in hospitals, and found that,

They analyzed a total of 154 hospitals shootings, which took place between 2000 and 2011. They found that 59% of the incidents took place inside the hospitals, and 41% took place outside on the hospital grounds.

Of the 59% of incident that happened INSIDE the hospital, not surprisingly, about 30% took place in the Emergency Department, and 19% in the patient rooms. We all remember the John Hopkins incident that occurred in a room where the shooter shot his mother’s doctor, and then locked the door and killed his mother and then committed suicide.

Of the 41% of incidents that took place outside, but on the hospital’s ground, 23% took place in the parking lot, which underscores how important it is to have a designated manager for the parking facilities. We have seen stories about a man in Tennessee who had a meth lab IN HIS CAR in the hospital parking garage, and the poor baby tossed off the roof of a parking garage.

The 154 hospital shootings resulted in a total of 235 people who were Injured or who died in the incident. The most common
victim was the perpetrator (shooter) and that accounted for 45% of the people injured or killed.

Another 20% of the victims were the hospital employees, including physicians (3%) and nurses (5%).

Another interesting highlight of the report, was that 50% of the shootings that took place in the

emergency departments were the result of the shooter taking the security officer’s gun!

The dramatic increase in Active Shooter incidents, including the Washington Navy Yard Shooting, the LAX
shooting and the Sparks middle school shooting all illustrate that the trend is moving toward more incidents per year, and more people dead or injured in each incident.

For example, from 2000 to 2004, there was, on average, only 3.8 active shooter incidents per year. Then,
from 2005 – 2010, the average number of incidents per year increased to 11 incidents a year, and from
2011 to 2013, it jumped again to an average of 17 incidents per year, which is over a 300% increase from 2000.The statistics clearly show the trend of increasing gun violence in our society, and until society can find a way to reverse
the trend, hospitals will be looking at the possibilities to stop the violence at the door to their emergency department.

Source for hospital shooting data: Hospital-Based Shootings in the United States: 2000 to 2011 by Gabor D. Kelen, MD, Christina L. Catlett, MD, Joshua G. Kubit, MD, Yu-Hsiang Hsieh, PhD

DOD-OIG Report on Security Weaknesses at the Navy Yard

Posted on October 18, 2013 10:11 am by Caroline Ramsey-Hamilton Comment

The recently released 56-page report by the Department of Defense, Office of the Inspector General found that the Navy Access Control System did not adequately control the risks to the Washington DC Navy Yard and other sites under their control.

NCACS did not effectively mitigate access control risks associated with contractor installation access. This occurred because Commander,
Navy Installations Command (CNJC) officials attempted to reduce access control costs.

As a result, 52 convicted felons received routine, unauthorized installation access, placing military personnel, dependents, civilians, and
installations at an increased security risk.

Additionally, the CNIC N3 Antiterrorism office (N3AT) misrepresented NCACS costs. This occurred because CNIC N3AT did not perform
a comprehensive business case analysis and issued policy that prevented transparent cost accounting of NCACS. As a result, the Navy
cannot account for actual NCACS costs, and DoD Components located on Navy installations may be inadvertently absorbing NCACS costs
.
Furthermore, CNIC N3AT officials and the Naval District Washington Chief Information Officer circumvented competitive contracting
requirements to implement NCACS. This occurred because CNIC N3AT did not have contracting authority. As a result, CNIC N3AT
spent over $1.1 million in disallowable costs and lacked oversight of, and diminished legal recourse against, the NCACS service provider.

You can read the entire report at: http://www.dodig.mil/pubs/documents/DODIG-2013-134.pdf

Courtesy Caroline Ramsey-Hamilton at Risk and Security LLC

caroline@riskandsecurityllc.com

What’s Your Active Shooter Risk? How to Assess the Threat!

Posted on October 15, 2013 4:54 pm by Caroline Ramsey-Hamilton Comment

Just the idea of an Active Shooter in your organization, whether you’re a military base, like Fort Hood, and the Washington Navy Yard, or a school like Sandy Hook, a beauty shop, a cracker factory in Philadelphia, a retail mall, a movie theatre, a grocery store parking lot, or a hundred other places, is a terrifying thought.

I lived about 3 miles from one of the shooting sites, a gas station, used by the Beltway Snipers back in October, 2002. They killed ten people, totally at random, and critically injured three others. Both of the snipers were sentenced, and John Muhammad was killed by lethal injection in 2009.

If you lived in the DC area, do you remember how scary it was just to pump gas into your car, people were huddled against the side of their cars in the gas stations, and hidden by their shopping carts at the local Home Depots.

The fear of the Active Shooter comes from the seeming randomness of the action, which means there’s no way to prevent it, unless you give up, stay home, and hide under the bed all day.

But there are things you can do. Instead of thinking of an Active Shooter incident as a totally unique situation, it’s really a form a Workplace Violence, Gas Station Violence, Parking Lot Violence and other related forms of random violence. In fact, the Department of Homeland Security has identified quite a few steps you can take to keep yourself safer if you are in the vicinity of an active shooter (http://www.dhs.gov/active-shooter-preparedness).

Most of the shooters are mentally ill. Normal individuals do not enjoy planning and killing strangers, and it is usually a last ditch effort, with the suicide of the shooter as the grand finale. Their actions can sometimes be identified early, and the police can be alerted, or the Human Resources group at work, or even the local Sheriff can intervene before it gets to the actual shooting.

Signs that someone is having trouble negotiating their life, especially if that someone is a gun fanatic, with their living room full of AK-47 assault weapons and hollow point bullets, is not hard to spot, because these individuals often leave lots of warning signs, like:

Irrational Posts on Facebook or inappropriate tweets.
Threats made against friends and family.
A dropoff in personal hygiene, as the person gets more obsessed.
Problems negotiating their personal life.
Demonstrating signs of isolation and groundless paranoia

Organizations can protect themselves from an potential active shooter through a combination of specific controls that include elements like access control, continuous monitoring of cameras, employee awareness and training programs, clear cut evaluation routes, regular active shooter drills, and hardening of facilities, to name a few.

One of the best preventive measures is to conduct an Active Shooter Risk Assessment, which is similar to other security analyses, except that it is focused on a particular set of threats related to an Active Shooter Incident. As part of my annual Threat Trend Reports, I’ll be releasing a new set of threat data about the Active Shooter, to help organizations calculate their risk of
having such an incident. For example, did you know that the number of active shooter incidents has jumped from 1 in 2002
to 21 incidents in 2010?

Locations have changed, too, and we found that

About 25% of active shooter incidents occur in schools,
About 25% in retail locations, and
About 37% in workplaces.

In future blogs, we’ll be looking at each element of the active shooter incident, and providing more information to keep
your organization safe.

Chemical Security Programs Affected by Government Shutdown

Posted on October 7, 2013 4:30 pm by Caroline Ramsey-Hamilton Comment

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication, and other pharmaceuticals that mean life or death to those to take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol. Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August, 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters. The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West. Texas fertilizer plant explosion in April 2013.

Already this week, chemical companies that had DHS inspections scheduled for this week received notice that the site visits would be postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shutdown and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.

Categories:
accountability
Budgeting for Security
CFATS
Compliance
Risk
risk assessment
RiskAlert
www.caroline-hamilton.com

Why HIPAA Compliance is Related to Federal Contracts

Posted on August 21, 2013 6:21 pm by Caroline Ramsey-Hamilton Comment

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for
providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they have to first sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES. In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status! He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means, the HIPAA Buck stop with you — you need to explain this to your manager or director. This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!