Category Archives: Risk Assumptions

New Active Shooter App Announced on October 20, 2013

FOR IMMEDIATE RELEASE

New Active Shooter app released to reduce likelihood of an Active Shooter Incident.

Active Shooter incidents have increased in the last five years, both in the number of incidents and in the number of people killed and injured. As an aspect of workplace violence, the active shooter has become a serious, recognized occupational hazard, ranking among the top four causes of death in workplaces during the past 15 years. More than 3,000 people died from workplace homicide between 2006 and 2010, according to the Bureau of Labor Statistics (BLS). Additional BLS data indicate that there were an average of more than 15,000 injuries annually during this time.

The latest figures show that high-risk organizations like hospitals, schools, malls, universities, military installations and even hair salons have experienced an active shooter incident and are likely to have a dramatically increased risk for experiencing an active shooter incident in the future.

Risk & Security LLC has released a new web-based app, Active Shooter Risk-Pro©, an easy-to-use risk assessment program that assesses your organizational risk of an active shooter incident and recommends solutions to prevent an incident from occurring in the future.

In addition to the Department of Homeland Security (DHS) Guidelines on Active Shooter Response, the new, easy-to-use application includes the OSHA standard 3148 (Guidelines for Preventing Workplace Violence for Health Care), the FBI and Secret Service Guidelines on Active Shooter Incidents, and the new OSHA Inspection Directive, Enforcement Procedures for Investigating or Inspecting Incidents of Workplace Violence, from September 2011.

The program has been tested on some of the largest organizations in the US, and runs on a laptop, PC or tablet, and even on a smartphone! Active Shooter Risk-Pro© is built to be affordable and simple to use.

The web 2.0 program includes newly compiled, updated threat databases, new active shooter incident analysis metrics, and automated web-surveys based on the DHS Guidelines.

The new program gives human services and security professionals a quick and easy way to conduct an active shooter or general workplace violence assessment that will recommend solutions and that will pass an audit!

The Risk-Pro© model has been used for easy software applications by the Department of Defense and by hundreds of organizations, hospitals, and local, state and federal government agencies.

About Risk & Security  LLC

Risk & Security LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk assessment. It develops specialized programs and applications which are easy to use and affordable, which help organizations assess their risk and the likelihood of becoming a target, and which recommend cost-effective solutions.

Risk & Security offers full service consulting on critical risk assessments including HIPAA Risk Analysis, Facilities Security Assessments, Hospital Security Assessments, Workplace Violence, Active Shooter Incident Assessment, Environment of Care and more.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective security controls justified by return on investment metrics.

The team of risk and security experts is led by Caroline Ramsey-Hamilton, who has created more than 40 software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world, including in Abu Dhabi, Hong Kong, Japan, South Africa and Qatar.

Contact Information:

Caroline Ramsey-Hamilton, CHS III

Email:  caroline@riskandsecurityllc.com

Phone:  301-346-9055

Twitter:  www.twitter.com/riskalert

 

DOD-OIG Report on Security Weaknesses at the Navy Yard

The recently released 56-page report by the Department of Defense, Office of the Inspector General found that the Navy Access Control System did not adequately control the risks to the Washington DC Navy Yard and other sites under their control.

NCACS did not effectively mitigate access control risks associated with contractor installation access. This occurred because Commander, Navy Installations Command (CNIC) officials attempted to reduce access control costs.

As a result, 52 convicted felons received routine, unauthorized installation access, placing military personnel, dependents, civilians, and installations at an increased security risk.

Additionally, the CNIC N3 Antiterrorism office (N3AT) misrepresented NCACS costs. This occurred because CNIC N3AT did not perform a comprehensive business case analysis and issued policy that prevented transparent cost accounting of NCACS. As a result, the Navy cannot account for actual NCACS costs, and DoD Components located on Navy installations may be inadvertently absorbing NCACS costs.

Furthermore, CNIC N3AT officials and the Naval District Washington Chief Information Officer circumvented competitive contracting requirements to implement NCACS. This occurred because CNIC N3AT did not have contracting authority. As a result, CNIC N3AT spent over $1.1 million in disallowable costs and lacked oversight of, and diminished legal recourse against, the NCACS service provider.

You can read the entire report at:  http://www.dodig.mil/pubs/documents/DODIG-2013-134.pdf

 

Courtesy Caroline Ramsey-Hamilton at Risk and Security LLC

caroline@riskandsecurityllc.com

 

 

 

 

What’s Your Active Shooter Risk? How to Assess the Threat!

Just the idea of an Active Shooter in your organization, whether you’re a military base, like Fort Hood, and the Washington Navy Yard, or a school like Sandy Hook, a beauty shop, a cracker factory in Philadelphia, a retail mall, a movie theatre, a grocery store parking lot, or a hundred other places, is a terrifying thought.

I lived about 3 miles from one of the shooting sites, a gas station, used by the Beltway Snipers back in October, 2002.  They killed ten people, totally at random, and critically injured three others.   Both of the snipers were sentenced, and John Muhammad was killed by lethal injection in 2009.

If you lived in the DC area, do you remember how scary it was just to pump gas into your car? People were huddled against the sides of their cars in the gas stations, and hidden by their shopping carts at the local Home Depots.

The fear of the Active Shooter comes from the seeming randomness of the action, which means there’s no way to prevent it, unless you give up, stay home, and hide under the bed all day.

But there are things you can do. Instead of thinking of an Active Shooter incident as a totally unique situation, it’s really a form of Workplace Violence, Gas Station Violence, Parking Lot Violence and other related forms of random violence. In fact, the Department of Homeland Security has identified quite a few steps you can take to keep yourself safer if you are in the vicinity of an active shooter (http://www.dhs.gov/active-shooter-preparedness).

Most of the shooters are mentally ill.  Normal individuals do not enjoy planning and killing strangers, and it is usually a last ditch effort, with the suicide of the shooter as the grand finale.   Their actions can sometimes be identified early, and the police can be alerted, or the Human Resources group at work, or even the local Sheriff can intervene before it gets to the actual shooting.

Signs that someone is having trouble negotiating their life, especially if that someone is a gun fanatic, with their living room full of AK-47 assault weapons and hollow point bullets, are not hard to spot, because these individuals often leave lots of warning signs, like:

  • Irrational Posts on Facebook or inappropriate tweets.
  • Threats made against friends and family.
  • A dropoff in personal hygiene, as the person gets more obsessed.
  • Problems negotiating their personal life.
  • Demonstrating signs of isolation and groundless paranoia.

Organizations can protect themselves from a potential active shooter through a combination of specific controls that include elements like access control, continuous monitoring of cameras, employee awareness and training programs, clear-cut evacuation routes, regular active shooter drills, and hardening of facilities, to name a few.

One of the best preventive measures is to conduct an Active Shooter Risk Assessment, which is similar to other security analyses, except that it is focused on a particular set of threats related to an Active Shooter Incident. As part of my annual Threat Trend Reports, I’ll be releasing a new set of threat data about the Active Shooter, to help organizations calculate their risk of having such an incident. For example, did you know that the number of active shooter incidents has jumped from 1 in 2002 to 21 incidents in 2010?

[Figure: Active Shooter Incidents by Year]

Locations have changed, too, and we found that:

  • About 25% of active shooter incidents occur in schools,
  • About 25% in retail locations, and
  • About 37% in workplaces.

In future blogs, we’ll be looking at each element of the active shooter incident, and providing more information to keep your organization safe.

 

 

Capitol Hill Security Incident Scares Congress- Could it Happen To You?

The Capitol Hill Security Chase and Shooting yesterday gave a bad scare to everyone – including Senators, Congresspeople, tourists, furloughed federal employees and staff who still have their jobs.

The atmosphere on Capitol Hill was already so toxic that almost everyone jumped to the (incorrect) conclusion that it was a disgruntled voter, and so there was shock when:

1.  It was a young WOMAN
2.  There was a 1 year old child in the back seat
3.  The driver of the car was not armed and was mentally ill (probably schizophrenic).

Where are you going today on a beautiful Fall Friday? Almost anywhere you’re planning to go has had a major security incident in the past three years, whether it is:

A school
A movie theatre
A mall
A hospital
The office
A public building
A hair salon

And if a security incident did happen where you were, are you confident you’d know what to do?

That brief incident at the Capitol showed how in literally one minute, the situation goes from what passes for normal at the Capitol, to total chaos, fear and terror. The situation was handled correctly.

The communications systems were in place to send out a quick “Shelter In Place” order, and to keep people updated. The poor tourists and staff who were walking in the area were lying on the ground, hiding behind trees, and had no idea what was going on – so they probably experienced the greatest fear.

The Capitol Hill police, the first responders, were probably not expecting to have the driver be a woman with no political agenda. If you see a car trying to rush a barricade, the logical assumption is that they have an explosive device and are trying to get closer to the target, but that was not true in this case.

So before you venture out for the weekend, keep these tips in mind, write them down and keep them in your purse or wallet.

1.  Be Situationally Aware – note where you are at all times, how close a door is, or an alternate route for your car when you’re in traffic.

2.  Spend 30 minutes deciding how you would react in an emergency shooter situation, and make a plan, like deciding to use your car keys as a weapon, or keeping pepper spray in your purse.

3.  Remember to turn the sound off on your cell phone, if you’re caught in a developing security incident.

4.  If police are on the scene, follow their directions quickly and exactly.

5.  Have a local emergency number pre-set in your phone so you can call for help.

As they find out more about the Capitol Hill incident, this will probably be catalogued as an isolated incident, which took place at a very inappropriate time, and a very inappropriate place, but it’s another wake-up call for everyone.

Everything can change in a New York minute — be ready, just in case it changes for you!

 

 

Navy Yard Shooting Highlights Effect of Cuts to Navy Security

Security professionals around the entire were shocked and dismayed when they turned on the news and saw the historic Washington Navy Yard locked down, surrounded by emergency vehicles, and looking for an active shooter.

All the shock, the outrage, the Defense Department reaction, the involvement of the overlapping law enforcement jurisdictions, has apparently been already forgotten by the public, moved to the virtual ‘old story’ pile by the latest news of a mall shooting in Kenya, meeting at the UN, and the politics as usual in Washington DC.

If you graph it online, you can see the dramatic spike and then the dramatic drop-off in interest by the general public. This highlights what the security community has to deal with, in the context of a 24 hour news cycle.

My perspective on the event was personal because one of my very best friends was in Building 197 that day, a former navy commander, now a contractor, who went to work at 5 am that morning, and finally returned home at 9 pm that night. Unlike many shootings, the PCs and smartphones were all up and operational during the event, so people were instantly able to communicate with friends and relatives as the event unfolded.

Rumors ran rampant that it was terrorism related, that there were three shooters, then that rumor switched to two shooters and eventually to only one shooter, Alexis Aaron, a mentally disturbed young man who had previous events of gun violence and yet had a top secret security clearance at the time of the shooting.

If we took a poll three weeks ago and asked people which facility they would judge to be the safest, the results would probably look something like this:

1. Military Base in the U.S.
2. Hospital
3. Regional Mall
4. Police Station

Unfortunately – this is more like a list of the places where a shooting is more likely to take place.  As all the work in workplace violence statistics shows, a domestic Military Base has been the site of two mass shootings in only the last 4 years.  This includes the twelve killed and eight wounded at the Washington Navy Yard, as well as the thirteen killed and twenty injured at the Fort Hood shooting in late 2009.  That’s an average of 6 killed each year, and 8 injured, and doesn’t take into account any random shootings, training-related injuries, only the mass shootings.

Hospitals have increased in violent incidents every year for the last ten years, and we just witnessed a mass shooting at a Kenyan Mall.

However, the hospital and the mall are both completely OPEN, they want people to come in, they don’t control access at all.
This is what is so surprising about the Navy Yard shootings, the lack of security, lack of enough armed guards, lack of current background checks, lack of metal detectors, lack of retina scanners, and every other usual form of security control.

Speculation is that the key controls were missing because of budget cuts, which means that the Navy made the decision to reduce security controls, instead of cutting other, less critical programs.  The incident makes a strong case for examining the potential Return on Investment for security controls!

Even if the shooter’s background check was “current”, it certainly had not been updated based on his own recent events and brushes with the police, and, of course, the anger and mental health problems appear again, and are shrugged off as too tough to manage and track.

However, it is a wake-up call for the U.S. Navy, the Department of Defense, the U.S. Capitol Police, and a variety of other organizations who “Secure” the Washington DC Capitol zone, and it leads to more questions than answers.

Already, the questions are starting about what controls SHOULD be in place for all military bases, and, naturally, re-examining the background check process and how it could be updated and improved.

Let’s not forget this time.

 

 

 

 

Is Extreme Heat a New Deadly Threat?

We are currently in the grip of a terrible heat wave in the western states. Death Valley, California almost beat its previous record of 130, with a National Weather Service Thermometer recording 129.9. The highest temperature ever recorded on Planet Earth is 132.

Despite all the news coverage of hurricanes, homes torn apart by tornadoes, and tropical storms, excessive heat kills more people annually than almost all the other natural disasters (except for tsunamis and 7.0 and above earthquakes).

Deaths from excessive heat include both cardiac arrest and breathing issues.  “Heat-related illnesses and deaths are preventable. Taking steps to stay cool, hydrated and informed in extreme temperatures can prevent serious health effects like heat exhaustion and heat stroke,” said lead author Ethel Taylor, a researcher who works with the CDC.

Because extended heat waves put a strain on electrical loads and may trigger power outages, it is important for companies to have a Plan for Extended Extreme Heat.
Plan for a situation without electricity for 3 or more days.

Having just survived a week in south Florida without AC, and growing up in Los Angeles, also without air conditioning, here are a few tips to stay cool:

1.  Stay wet to facilitate evaporative cooling. Wear a wet T-shirt and keep your clothes damp.

2.  Make sure pets are ALWAYS in a shady place and give them plenty of cool water.

3.   Buy ice and use it to rub on children’s arms and legs to keep them cool.

4.   Use fans and swamp coolers if electricity is available. Coleman makes fans that run on batteries if electricity goes out during a heat wave.

5.   Wake up earlier and use the cooler morning hours for outside tasks and stay indoors during the heat of the day.

And, if it’s blistering hot where you are — DO NOT USE FIREWORKS. Areas that are already dry, including shake roofs, will burn more easily under such extreme heat!

AND wherever you are, STAY COOL.

 

My Pool got Hit by Lightning – Are You Next?

My swimming pool got hit by an adjacent lightning strike!   The lightning strike hit a tree about 6 houses down from my home in Maryland.  I heard the lightning strike at the time (midnight), and I still remember that it was so loud the beagles dived under the bed.

But the next morning, when I woke up, I looked out from my 2nd floor window and saw something that looked like two fried eggs floating in the pool.  It took me about 2 minutes to realize that they were the pool lights, floating in the pool, still tethered by the electrical lines.

The lightning strike was so sharp and close that it broke the lights out of their plaster enclosures and now there they were, fully electrified, floating right in the water.  It took me eight calls to find someone who would come and fix the lights, turn off the electricity and get the lights out of the pool.

If a lightning strike could do that from 6 houses away, what could it do to a person? Because it’s Lightning Safety Week, I looked up some interesting stats from the National Weather Service – check out these stats:

Your chance of being struck by lightning in your lifetime is 1 in 3000!

From 2006 – 2012, about 2300 people were struck by lightning and 238 people were struck and killed by lightning in the US.

2/3rds of the deaths were to people enjoying outdoor leisure activities.

82% of all fatalities were to men.

70% of the lightning deaths occurred in the months of June, July, and August.

Only 10% of people struck by lightning actually die, but 70% of those that survive a lightning strike have serious long-term effects from the strike, including fear, depression and debilitating physical injuries.

STAY SAFER THIS SUMMER, and teach these tips to your kids, too.

  • Get out of pools, away from beaches, lakes or ponds.

  • Never stand by a tall tree during a lightning storm

  • Drop or get away from metal objects like golf clubs, umbrellas, etc.

  • Get indoors or into your car if you can’t get inside.

  • Stay indoors for 30 minutes after the last flash you see.

 

And have a wonderful, active summer!

Why HIPAA Risks are Growing Every Day

If you’re a healthcare employee, you already know a lot about the HIPAA Rules. You’ve probably received training on how to protect Health information, and have heard about all the fines being levied against everything from small hospices to the largest hospitals (like Massachusetts General Hospital).
Because HIPAA is a federal law, there are expensive penalties involved in HIPAA mistakes (breaches). Fines have ranged from millions of dollars to $50,000. Here are just a few of the recent fines.

  • Shasta Regional Medical Center – $275,000, June 2013
  • Hospice of Northern Idaho – $50,000, January 2013
  • BCBS Tennessee – $1,500,000, March 2013
  • State of Alaska – $1,700,000, June 2012
  • Phoenix Cardiac Surgery – $100,000, April 2012
  • Mass General Hospital – $1,000,000, February 2011

There have been dozens of other fines, many in the millions of dollars, and, with the passage of the new HIPAA Omnibus Rule, which takes effect on September 24, 2013, there will be many more.

If you are a healthcare organization, you need to address the risk of a potential HIPAA Fine. And the fine is not the worst part, because the “resolution agreement” you sign forces your organization to file all sorts of quarterly reports and meet with regulators for years to come, and those ongoing activities are even more expensive than the fine!

The Office of Civil Rights (part of the U.S. Dept. of Health and Human Services), is self-funded from these fines, and they use the money from the fines to start even MORE enforcement activities.

The basics you need to have in place to reduce the risk of a HIPAA fine include 1) having a Risk Analysis done in the past 12 months, 2) having HIPAA Training conducted annually for EVERY employee, 3) Updating all your Business Associate agreements, 4) developing a robust security awareness program, just to name a few.

HIPAA compliance-related fines are a risk that should be considered by every healthcare organization, no matter how big or how small, because your bottom line, AND your reputation may depend on it!

 

Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding,” said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012. In spite of the uncertainty of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunisia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessments which are routinely done on these embassies are not done on a systematic basis. As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments. “We need to develop a paradigm for managing risk,” said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 

Man Wants to Commit Suicide at Hospital to Donate his Organs!

Suicidal Man Triggers an Evacuation in Denton, Texas.

The emergency department at Texas Health Presbyterian Hospital was evacuated after an armed man threatened to shoot himself in the hospital’s parking lot, as reported in a newspaper article. The man had sent suicidal messages to his ex-wife. She contacted police, who in turn began tracking the man’s cell phone. He was found in his vehicle, which was parked in front of the hospital’s ED. Police cleared the ED while they negotiated with him for about 45 minutes. The man told police he chose the hospital because he wanted to donate his organs after he killed himsel