Category Archives: Risk Assessment & Compliance

An overview and information source for risk analysis and requirement compliance for IT and online security systems to ensure compliance with regulations such as: FFIEC, NERC, GLBA, BSA, NCUA, ISO 17799, ISO 27001 and many others.

4 Nurses were Awarded a $ 7.8 Million Dollar Settlement, after they were attacked in 2017 at Northwestern Medicine Delnor Hospital

The four nurses sued  Kane County, Illinois; Deputy Shawn Loomis, who was guarding the inmate, identified as Tywon Salters; and Apex 3 Security LLC, the hospital’s security contractor over the 2017 incident.

The inmate, had been hospitalized for surgery after he ate a plastic jail sandal.  He had been in restraints, but Deputy Loomis had unshackled him to use the restroom.  The inmate went to the restroom, and Loomis failed to re-shackle him when he returned.  Salters overpowered the Deputy and took his gun.  

Nurse Taken Hostage
He then took Nurse #1 hostage at gunpoint, taking her to an office and demanding she give him her clothes. Then Nurse #2 entered the room, and Salters took her hostage. He took both women to the first floor ambulance bay. When Salters saw police arriving, he forced her into a decontamination room, where he held her for several hours at gunpoint. According to the lawsuit, Salters hit Nurse #2 with the gun, threatened to kill her, and raped her.

Inmate Prisoner Killed by Police
The police records said he used Nurse #2’s smartphone to call his relatives and to talk to the police.  When the  officers heard him fire the gun, they ran into the room and killed Salters.  In the settlement, Nurse #1 received $ 7.2 million dollars;  Nurse #2 received $ 650,000, and two other nurses, who were on the third floor, each received $25,000.  The nurses were never publically identified.

In court, the nurses claimed that the hospital and Kane County deputies, and the security company knew that Salters was a danger to himself and others, because he had been hospitalized the week before for swallowing hydrogen peroxide at the jail and had been placed on suicide watch.  The lawsuit said that Salter previously served time in prison for armed robbery, he knew if he was convicted of another felony he would face a sentence of six to 30 years.

A Danger to Himself & Others
They also said that in the days before the incident, nurses had seen Kane County deputies using their personal cellphones and laptop computers when they were watching Salters, and that one had been caught sleeping.  They also said that when Deputy Loomis was attacked, he did not report it, but hid in a hospital room.

1.  Inmates who are being treated in a hospital frequently try to use violence to escape.  They make the calculation that it’s much easier to escape from a lightly guarded hospital, than a secured jail or prison.
Deputies and security officers need to maintain a high level of vigilance.


For more information and a free subscription:  write to:    We provide security and risk assessments, and certify Hospital and Healthcare Facilities for Active Shooter Assessments,  Active Shooter Training and Tabletop Drills, as well as Healthcare CMS All-Hazards Hospital & Healthcare Facility Risk Assessments and more. Find out more at .

Four (4) Dead in Shooting Rampage at Mercy Hospital, Chicago. Victims included Young Police Officer, an Emergency Room Doctor, a Pharmacist, and the shooter. Witnesses Report Total Chaos as the Doctor’s ex-Fiance Attacked and Killed Her

RISKAlert Report #1094 November 20, 2018                                                                    Chicago, Illinois 

A young Chicago police officer, an ER Doctor and Pharmacist were killed in an attack at a South Side hospital Monday afternoon that sent medical personnel and police running through the hospital’s halls, stairwells and even the nursery in search of victims and the shooter before he was found dead from a gunshot to the head.

Police had been called to the hospital after the ex-finance,  Juan Lopez, 32, confronted emergency room doctor Tamara O’Neal, apparently over a “broken engagement,” sources said.   By the time police arrived on the scene,  Lopez had shot O’Neal repeatedly, standing over her as he fired the last shots, according to police sources and witnesses.  “When they pulled up, they heard the gunshots, and they did what heroic officers always do — they ran toward that gunfire”, said Police Superintendent Eddie Johnson.

Michael Davenport, Mercy’s chief medical officer, said the hospital had conducted an active shooter drill last month. About 200 patients were being treated in the hospital on Monday, but authorities only evacuated the emergency room. The hospital’s emergency plans include barricading doors and ensuring patient safety. 

Witnesses reported total confusion initially; when it was unclear how many people had been shot, how many police were there, and how many shooters there were.  As dispatchers and responding officers tried to make sense of the scene, reports came in of an officer shot somewhere in the lobby, a woman and an assistant also wounded. Finally, there was word of the gunman apparently shot in the head.


1.    Hospital reported it held Active Shooter training last month, but the scene was still total
chaos as the shooter ran into the hospital, firing randomly.

2.    The hospital incident response plan was not effective in controlling the panic that ensured,
with hospital staff, visitors in the ER,  and others were left terrified


For more information and a free subscription:  write to: 
We provide and certify the best Facilities Active Shooter Assessments,  Active Shooter
Training and Tabletop Drills, as well as HIPAA Risk Analyses, and Healthcare CMS All-Hazards
Hospital & Healthcare Facility Risk Assessments.

Find out more at .


RISKAlert Report # 1060  Updated:  Aug. 17, 2018                                                 Houston, Texas


The New England Journal of Medicine  included an editorial by a group of physicians, including senior author, Kenneth Mattox, MD affiliated with Baylor College of Medicine and Houston-based Ben Taub Hospital, said he hopes the modified strategy will become a national campaign, led by the American College of Surgeons and the Department of Homeland Security.

The physicians want the Department of Homeland Security slogan, Run-Hide-Fight, replaced by a new
strategy for hospitals, which they called, “secure, preserve, fight.”  

According to the group of physicians, For professionals providing essential medical care to patients who cannot run, hide, or fight owing to their medical condition or ongoing life-sustaining therapy, a different set of responses should be considered — secure the location immediately, preserve the life of the patient and oneself and fight only if necessary,” according to the editorial.

The physicians who wrote the editorial studied past active shooter events, and were concerned that many patients in a hospital are not able to evacuate due to their medical issues.  They did say that physicians, staff, patients and visitors should follow the “run, hide, fight” strategy if they can, the authors argue, the strategy does not work for incapacitated patients who may die if abandoned by caregivers who have an ethical duty not to abandon their patients.

One of the challenges they discussed include the actual hospital facility designs, which they said can also present a problem, with reliance on elevators and narrow stairwells, “target-rich chokepoints for a shooter” and large common areas with little furniture, intersecting walls or equipment to hide behind.

The authors recommended a “secure, preserve, fight” strategy that focuses on preparation, with designated areas having devices that can lock and secure doors and entry points. Lifesaving kits to treat excessive bleeding should also be placed throughout the facility.


1.  Hospitals should discuss the care of these immobile patients in an active shooter incident
      and evaluate adding the secure, preserve, fight strategy.

2.  Every hospital should realize that violent is now endemic in healthcare, and should position
lifesaving supplies throughout the healthcare facility, nursing home, or nursing facility.


For more information and a free subscription:  write me at:

We provide and certify the best CMS All-Hazards Facility Risk Assessments &  Active Shooter Assessments and Training, and Tabletop Drills.  Find out more at

#Hospitalshooter                                           #ViolenceHospital                                    #ViolenceHealthcare


RISKAlert Report Updated:  July 15, 2018                                                                                

Guam Memorial Hospital is at risk of losing CMS Medicaid reimbursements, unless dozens of deficiencies
are fixed include medical issues and facility issues by July 25th according to scathing 78-page report

The island’s only public hospital could lose Medicare funding for the Skilled Nursing Unit (SNU)  by July 25th
and its main facility if it fails to achieve “substantial compliance” with the federal participation requirements
for nursing homes participating in the Medicare and/or Medicaid programs by July 25. It will deny to reimburse
admissions, and If substantial compliance is not achieved by Oct. 25, CMS will terminate the provider agreement.

In a scathing 78-page report, regulators reported the results of an unannounced survey which was done
for recertification, complaint revisit and complaint investigation and uncovered issues including not checking
credentials for medical personnel, not reporting medical errors, and medical issues that put patients in an
immediate jeopardy situation.

The report said GMH failed to ensure that its performance improvement activities tracked adverse patient events, analyzed the cause of the adverse event, and implemented preventive action, the survey report states. Major
adverse events that hurt patients were not reported even 12 months after the event had occurred.

The CMS survey took issue with egress doors that had locks that do not meet federal requirements. “Failure to provide egress doors as required increases the risk of death or injury due to fire,” the survey stated.  The facility also lacked proper emergency lighting. An emergency power supply location was not provided with battery-powered emergency lighting, and the primary generator did not have battery-powered light. A Battery-powered light in a secondary generator room was not functional when tested during the survey.


1.  Losing CMS Certification may reduce the Guam Memorial Hospital’s revenue by 50-70%.
Make sure to keep your CMS Certification current  to avoid a financial crisis!

2.  Many deficiencies were blatant and cite recurring problems that MUST BE CORRECTED
IMMEDIATELY to avoid more problems.

For more information and a free subscription:  write to:
We provide the best CMS Facility All-Hazards Risk Assessments, as well as Active Shooter Training,
Workplace Violence Assessments, and Mass Casualty Drills & Training Programs.   and


I WAS SHOCKED AND DISMAYED AS I WATCHED THE BREAKING NEWS:  ACTIVE SHOOTER IN ANNAPOLIS, MD YESTERDAY.   I teach Active Shooter Training, perform Active Shooter Drills and do Active Shooter Risk Assessments every week, but this one was different because I used to have an office right next to the Capital Gazette on Bestgate Road.

This horrific shooting had all the hallmarks of the other Active Shooters we have seen.  The shooter was mad over something that had been written about him 7 years ago, so he thought about it every day, and fantasized about getting even, and then one day, he picked up his gun and headed to the Capital Gazette newspaper office.

He used his shotgun to shoot out the front glass doors, walked inside and started shooting.  The extent of the carnage was kept out of the news for several hours, but then the Governor announced that five staffers had been killed and 3 other injured.  

AGAIN, THE SHOOTING WAS OVER BEFORE THE POLICE ARRIVED.  They eventually had 105 law enforcement officers on the scene within two minutes, but it was too late to save anyone.

Because Annapolis is the capital of Maryland, and a relatively small town, this was another case of IT CAN’T HAPPEN HERE!  The newspaper office had no security in place.

Even though the shooter (who’s name I won’t use) had made many threats to the newspaper and its staff, the threats were not taken seriously, and there was minimal, if any, security at the Capital Gazette Office.  There was no security presence in the office, or the building, no panic alarm, and no case management program had been set up to track and attempt to manage the shooter’s threats.

 Effective Security is the only thing standing between YOUR STAFF and an Active Shooter.

1.  Effective Security is the only thing standing between YOUR STAFF and an Active Shooter.

2.  Even the most basic security threats, such as having a solid, bullet-proof door (not glass),
having a safe room for staff, can make the difference in saving a life.

3.  The newspaper had decided NOT to get a restraining order against him, thinking it would
make things worse, but instead, ignoring the threats is what inflamed the shooter.


For more information and a free subscription:  write to: 
We provide the best Active Shooter and Facility Risk Assessments & Training Programs. Find out more
at .







77-Year Old Man in a Senior Care Retirement Home Fatally Shoots One Firefighter and Injures Another in Long Beach, California

RISKAlert Report # 1149         Updated:  June 27, 2017                                                    Long Beach, California

A 77-year-old retirement home resident identified as Thomas Kim, has been accused of intentionally setting a fire Monday morning to lure first responders to the facility.  After the firefighters entered the Home and
put out the fire, Kim fired on the men, killing one firefighter and wounding another.

It’s the first time we have seen anything like this said, Mike Duree, Long Beach Fire Chief..

Around 4 a.m. Monday morning, firefighters Capt. Dave Rosa and Ernesto Torres responded to reports of a fire, followed by an explosion and the smell of gasoline, at the Covenant Manor senior care facility, Duree said. As they approached the high-rise building, the firefighters noticed that the windows of one unit had been blown out and that the sprinklers were on.

After extinguishing the fire, Rosa and Torres remained inside the building to investigate the gas smell and explosion, the chief said. Ten minutes later, gunfire erupted and police received reports of an active shooter. Rosa, a 45-year-old veteran of the Long Beach Fire Department, was killed in the attack. Torres and another man, a civilian resident of Covenant Manor, were injured and taken to a local hospital.

Long Beach Police arrested 77-year-old Thomas Kim, who lived in the facility, in connection with the fire and the shooting.

They booked Kim  on suspicion of murder, as well as two counts of attempted murder and arson, and is being held on $2 million bail.  It is not known about where he got his weapon and how he started the high-rise fire.

Not much was immediately known about Kim, police said he was arrested years ago for auto theft and that detectives are looking into reports of erratic past behavior.  His family said that they were stunned to find out the suspect was alive, living in Long Beach, and was a suspect in the murder and arson investigation.


  1. Retirement facilities should institute a No-Weapons Policy for Residents. 
  2. Firefighters place themselves in danger every day, but didn’t expect to encounter
    a killer in the retirement home!

    ©For more information and a free subscription:  write to: 
    We provide the best Active Shooter and CMS Facility Risk Assessments & Training Programs. Find out more at

$ 3.5 Million Dollar Fine for Fresenius Medical Care North America (FMCNA) to settle potential violations of the HIPAA Privacy and Security Rules for FIVE different breaches.

RISKAlert Report Updated: Feb 2, 2018

FMCNA, a German company with US Operations based in  Waltham, Massachusetts, has agreed to pay a hefty $ 3.5 million dollar fine that covers 5 separate HIPAA Violations.

FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. Their facilities include dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitals and post-acute care providers.

US Dept. of Health and Human Services said the company failed to heed HIPAA’s risk analysis and risk management rules. FMCNA is also required to adopt a Comprehensive Corrective Action Plan. DHHS’ Office of Civil Rights,(OCR) investigation into the data incidents found that FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

The breaches spanned three states including Florida, Alabama, and Georgia. Each provider had specific
deficiencies and the Agreement calls out each deficiency by provider. You can read the entire Resolution Agreement at

Fresenius Medical Care’s corporate headquarters is in Bad Homburg, Germany. The North American headquarters is in Waltham, Massachusetts and the Asian-Pacific headquarters is located in Hong Kong.


1. All providers need to have a current Risk Analysis that identifies potential threats,
     analyzed solutions, and provides a concrete plan to fix any deficiencies. The Risk Analysis
     must adjust to new threats, such as Ransomware attacks.

2. Covered entities like FMCNA are responsible for all the providers in their network.


For more information and more great content: or

For a no-cost subscription, write to




RISKAlert Report # 1005                            January 25, 2018                                   Benton, Kentucky



A 15-year old teenage boy, armed with a handgun, opened fire on Tuesday inside Marshall County High
School, killing two classmates and wounding 18 others. He has not been named yet, but the Assistant Country
Attorney Jason Darnall said he will be charged as an adult.

I talked to a mother with children at the high school, and she described the extreme panic and fear that gripped
the community, where parents didn’t know whether their child was dead or alive.

The unnamed student entered the school’s common area are started shooting, before entering the main building.
According to student Bryson Conkwright, a junior at the school, said he was talking with a friend on Tuesday
morning when he spotted the gunman walking up near him. “It took me a second to process it,” Mr. Conkwright, 17,
told law enforcement.

“One of my best friends got shot in the face, and then another one of my best friends was shot in the shoulder.”
He said he was part of a group of students who fled, kicked down a door to get outside and ran.

This was the 16th mass shooting in the U.S. in 2018!


1. Every school should be required to have instant lockdown. This shooter was
    able to fire his weapon over and over, from outside to inside the school.

2. The school’s communication system was deficient. It should have sent
     texts to all students directing them to an area of refuge, and updating
     frantic parents.



For more information and more great content: or


To subscribe: write to

We provide in-depth security risk assessments, Active Shooter assessments,
emergency preparedness risk assessments for clients around the world, that
meet compliance requirements and directly reduce liability!




Shooting at University of Cincinnati Medical Center Ends in Suicide

“I thought he was going to kill everyone”, said the witness taking her child to Cincinnati Children’s
Hospital and Medical Center, before a 20-year-old shot and killed himself after shooting a University of
Cinncinnati Health security guard inside the UC psychiatric emergency services facility.

The man the witness saw was Isaiah Currie, 20, who eventually shot himself after shooting a UC Health security
guard inside the psychiatric emergency services facility on Burnet Avenue.

“He was focused. It was, ‘I’m here to do what I need to do and that’s it,'” she said. “I see him do this and
then drop (the gun) down and then I see the concrete come up, where the bullet had hit the concrete.
I thought he was on his way into the facility and I thought, ‘Oh, my god, he is going to kill everybody

At this point, the witness called 911 to report the suspect. Authorities didn’t know where or how Currie
obtained the two handguns he carried into the lobby Wednesday at UC Medical Center’s Emergency Psychiatric
Services. Cincinnati Police Eliot Isaac said at news conference Thursday that one of the guns had been
reported stolen in Kentucky.

Currie, 20, who had a history of mental illness, shot the security officer twice in the torso, before turning the gun on himself. The officer was reported to be seriously injured.


1. Even when the witness saw the shooter advancing on the hospital, and called 911 – IT WAS ALREADY TOO LATE! Police could not get there in time to prevent the shooting. For an Emergency Psychiatric
facility, use of metal detectors is a MUST HAVE.


For more information and more great content:

#ActiveShooter #RISKAlerts #riskandsecurityllc

Patient Killed at Hospital


RISKAlert Report Updated:  Jan. 15, 2018

A 46-year old patient, identified as Andrew Merryman, was in a hospital treatment room with his wife on the 14th floor of the Center for Advanced Medicine at 10 a.m. Friday morning.

According to St. Louis Police Lt. Col. Rochelle D. Jones, Merryman pushed his way out of the om and pulled out two pocket knives, she said. As Merryman came down the hall, Jones called security and two officers responded.    Two officers arrived and ordered Merryman to drop the knives. He refused, so both officers fired their guns, killing him. He died at the scene.

Police commented that Mr. Merryman was suicidal and had been treated for depression. Lt. Col. Jones said the guards were being questioned by police as part of the investigation.

Kara Price Shannon, a spokeswoman for Barnes-Jewish Hospital, said police are handling the investigation and directed all questions to them.  “There is no threat to the public or our patients,” she told the Post-Dispatch shortly after the shooting.



  1.  All incoming patients in emotional distress, should be wanded with a metal detector as
    a condition of treatment.  Weapons can be returned as the patient leaves the hospital.

2.  A recent study by Johns Hopkins, discovered that most hospital shootings take
place in the Emergency Room (29%), and only 19% in a patient room.



For more information and more great content: or

#activeshooterhospital #hospitalsecurity #patientshot