Category Archives: Threat Assessment

5 Tips to Prevent Workplace Violence

Posted on by 0 Comments

After studying the twenty-seven state guidelines and also new guidance from
OSHA on how to prevent workplace violence incidents,

Here are 5 tips of what areas to work on in your organization:

1.  Redo Policies – Make sure you have a clear ‘no weapons’ policy and make
     employees sign a pledge when they join the organization.

2.  Dynamic Awareness Training   – Make sure that EVERY employee attends
     a training program about workplace violence issues,  whether it’s 1 hour or
     4 hours  annually.  But boring computer training is not enough.

3.  Do a Baseline Violence Assessment   – See where your organization
     rates compared to other companies and see how closely you match to
     new standards and guidelines on Workplace Violence issues.

4.  Require Employees to Report Every Incident – Communicate to employees
     that they are required to report EVERY incident, whether it is domestic
     violence at work,  Patient violence, or anything else.  Be tough!

5.  Use Incident Tracking  – Work with both Security and HR to make sure
     every incident is tracked for analysis, and all employees know where and how
     to report incidents

Using Risk Assessments as a Business Process

Posted on by 0 Comments

Risk assessments are increasing in utility and popularity – being used for everything from compliance to safety assessments, and used by financial institutions, healthcare organizations, manufacturers, government of the world and think tanks. 

Many regulators require formal risk assessments on everything from gauging political risk in an unstable country, to protecting consumer financial information, to assessing workplace violence potential.  

Here’s a definition of a risk assessment:   A process to determine what controls are necessary to protect sensitive or critical assets both adequately and cost-effectively. Cost effectiveness and Return On Investment (ROI) are required elements of a risk assessment.  

A risk assessment is not a democratic process where the most popular answer wins.  It is not consensus driven.  Instead, it is a business process that manages a security function.   Security is very process centered.  Because security often consists of many different elements which are critically important, such as managing network access,   it makes sense to manage it as a process.

According to the statistics, risk assessments are way up in popularity in 2011.  Maybe
it’s economics – maybe it’s result of the previous economic downturn, but the requirements for risk assessments have never been broader, and there have never been more of them than there are now.  Here’s a partial list:  

The Joint Commission
HIPAA, HITECH, NIST 800-66
FFIEC, BSA-AML,
ISO 27001 and 27000 series; NIST 800-53
Red Flags Identity Theft
NCUA Part 748
FEMA 426, FEMA 428

The exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results.   Using an online compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager/analyst and distributes it throughout the organization where it belongs.

Obviously people are a critical component of information security.  In a risk assessment, people are also important to include because they are able to report what’s going on in their workplace every day.  How can one analyst know enough to do the entire risk assessment by themselves?  They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center.   And the inclusion of a variety of individuals adds weight and power to the risk assessment.

The true value of the risk assessment is in the cost benefit analysis, which details what controls need to be implemented, how much they cost and how much they would protect the organization by either prevent threats from occurring or by mitigating the impact of the incident if it occurs. 

While the analysts may be accountable for the reporting or analysis of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board of Directors.  In fact, in the FFIEC IT (Federal Financial Institutions Examination Council Information Technology ) Handbook, they spell out, “The Board is responsible for holding senior management accountable”.  Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

I recommend getting management to sign off on the basic assumptions,  in writing,  in the course of completing the risk assessment – and of course, on the final reports. Areas where senior management can review and approve include: 

  • Calculation of asset values, including the value of the organization in total
  • The potential costs of implementing different controls, singly or in combination.
  • Validating which controls are currently in place and how well they are working.
  • The conclusions from the draft report, and the final report.

The analyst is just the messenger, doing the work of assembling the risk elements and calculating their potential results.  But senior management makes the final decisions on each element.   There’s nothing like a signature on a piece of paper to foster a climate of accountability. 

Risk Assessments have the potential to save corporations and governments millions of dollars by making decision-making based on real analytics, instead of just guesses – plus they are an essential element of compliance.  These are good reasons to evaluate whether it’s time for you to do a Risk Assessment!

Arming the Office – What Happens When We Let Employees Bring Guns to Work

Posted on by 0 Comments

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It t is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about a 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot,  has already been forgotten by security professionals and criminologists.  There is no condemnation or follow up  about a terminally troubled young man and the ease in which he purchased a semi-automatic pistol and 30 shot clips.

There has been no rallying cry to address the ease in which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.

Does Being on TV Make Us Better World Citizens?

Posted on by 0 Comments

Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of highideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.

Not with a Bang…. The Japanese Nuclear Disaster

Posted on by 0 Comments

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls are also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high, that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built-in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.

After Arizona, Does Congress Need Gun Legislation, or Just More Effective Security Risk Assessments?

Posted on by 0 Comments

The terrible shooting in Tucson this week was widely seen as a wake-up call for members of Congress who probably spent at least part of the weekend wondering if their security was enough.

 I can answer their question – it is probably NOT enough.  The morphing of politicians into celebrities (call them Pol-ebrities??) is great as long as you get lots of TV time and the cameras are flashing and the contributions are rolling in.   The downside is the same one that led to John Lennon’s death – Celebrities draw the crazies.  Now that elected officials are becoming Pol-ebrities – they are becoming targets.

With proposals rolling in from all quarters, including putting a giant Plexiglas shield around the House floor, limiting the distance a constituent can stand in relation to a congressperson or senator, and many other ideas, it is clear me that what is missing is the use of standardized Threat/Risk Assessments.

 Security is always a trade-off.  How much money to spend to protect a public servant and legislator?  Is it worth an extra $25,000 per year per person, or should it be $100,000 per person per year – or should it be a million dollars?

Ask the potential target and I guarantee they are voting for the $100,000 solution.  Ask a beleagured taxpayer and they would think maybe $5000.00.  The problem is that it is impossible for an individual to do a true cost benefit analysis and decide how much money is enough?

Enough to provide ‘adequate” and ‘reasonable’ protection. 

Enough for a ‘normal event’?  What about a high-profile event?

Can you analyze it based on the numbers of people who attend a certain event?

All these questions are about 1/15th of a security risk assessment. 

Like the Department of Homeland Security – the executive protection should move to a more quantitative, risk-based model.  Traditional executive protection checklists are no longer enough.

There are so many elements that go into a threat risk assessment of an public, or private event.  We can look at the Tucson shooting and see that if the usual checklists were used, someone might have:

Checked the crime rate around the location (which turned out not to be at all relevant.)

Checked to see if any other congressperson had ever been attacked
at a town hall meeting in the last twelve months (perhaps more relevant).

These are just a few of the many checks that would have been performed prior to the event, but whether these were done partially, completely, or not at all, they are not risk-based, instead, the classic protection model is more threat-based than risk-based, when what you need is a combination of the two.

If we can create a standardized risk-based scenario for protection of these high profile Pol-ebrities, it would include all the basic information, plus data on the number of phone threats received by that individual legislator; and also, an aggregate of threats received by all legislators.  It would include blog and web searches to see how many times a particular name was mentioned or cited in a negative way.  (And yes, finding a web site that includes a rifle target signal over your district counts).

In addition, it’s interesting to get a historical perspective to see how many government representatives have been threatened, shot, stabbed or murdered in the last five years, and to see whether that trend is increasing or decreasing.

The shooting in Tucson was a workplace violence incident by a totally deranged person who had total access to his victims.   There was no advance screening, no physical barriers, no bodyguards waiting in the wings in case something went wrong.

Many of these missing elements, along with others, can be used to create useful threat risk assessments that can be standardized,   and automatically generated for all our high profile public servants to provide much more effective security for the people who need it most.  

Instead of treating each of these violent incidents as a completely isolated event, society needs to recognize these patterns that are emerging as legislators become celebrities, and that there is an increasing acceptance of violent solutions to individual problems.  These patterns need to be watched, tracked, and applied to each individual’s protection profile to improve personal security and prevent future violent attacks.

January 1st, 2011 Wake Up Call – Another Hospital Workplace Violence Incident.

Posted on by 0 Comments

My happy 2011 celebrations were marred by another workplace violence homicide in my home state of Maryland.   I guess it’s not always ‘the most – wonderful time of the year’!

This incident brings up again the question of how to keep our hospitals and their employees, safe in the new year.  In a recent Wall Street Journal article, they brought the hospital workplace violence problem up to a management level – reporting that many doctors now say they feel unsafe at work.

In upscale Bethesda, Maryland, just a minute north of Washington DC, a 40-year old male employee of Suburban Hospital (part of the Johns Hopkins Health System since July 2009), was found dead in a non-patient area of the hospital on January 1 at 10 a.m.

Here are the details (from the Suburban Hospital press release, from January 2, 2011):

Yesterday morning, a Suburban Hospital employee was assaulted in a non-patient-care area of the hospital.  Despite the heroic efforts of the hospital’s emergency response team, attempts to resuscitate the employee were not successful.  He died at the hospital as a result of traumatic injuries sustained to his upper body.

The victim has been identified as Roosevelt Brockington, Jr.  He was 40 years old and he had been employed at Suburban Hospital since August 2006.    Mr. Brockington was a Lead Engineer in the hospital’s Plant Operations Dept,   where he was responsible for operating and maintaining the heating, ventilation and air conditioning systems.

Because of the ongoing police investigation, no further information about Mr. Brockington is being released by the hospital at this time.  Suburban Hospital is fully operational today and remains open to patients and visitors.

This incident was a little different from some of the other incidents which have been in the news lately.   First, it was not an inner-city hospital, but instead, a hospital in a very affluent area.  In fact,   Bethesda is one of the most affluent and highly educated locales in the country, placing first in FORBES list of America’s most educated small towns and eleventh on CNNMoney.com’s list of top-earning American towns.

Another difference was that it occurred in mid-morning – 10 a.m., not late at night. News reports about the incident surmised that it was not patient-related, but no one really knows at this early stage in the investigation.

 The victim, Roosevelt Brockington, Jr., was a resident of Lusby, Maryland.  For those who aren’t familiar with Lusby, it is a small town of less than 3,000 people in southern Maryland, over 70 mile commute from Bethesda. 

Having been to over twenty hospitals in 2010, I am struck by the difference between the northern east coast hospitals and the south Florida hospitals.   Many of the hospitals in south Florida have effective visitor management systems in place.  I visited a hospital in Florida just before Christmas, and they had the local choir singing carols in the background, while I took out my drivers license, had my photo taken, and received a visitor’s badge.

There seems to be a mind set in some of the northeast hospitals against trying to manage visitors.  This includes a lack of metal detectors, and a lack of visitor sign-in procedures.  I wonder if this is a cultural attitude – because many of the north east hospitals are older than their south Florida counterparts and may be more entrenched in their attitudes. 

The epidemic of workplace violence in hospitals is only starting to gain national attention since the Journal of the American Medical Association published a research paper on the increase in violence in U.S. hospitals in December 2010, and included the statistics from

The Centers for Disease Control and Prevention/National Institute for Occupational Safety and Health, summarizing Bureau of Justice Statistics data, estimate 1.7 million injuries per year due to workplace assaults, accounting for 18% of all violent crime in the United States and the rate of workplace violence in healthcare setting is about 4 times the national average.

There are a plethora of workplace violence prevention strategies that can be put in place and maybe this New Year’s Day wake up call will result in every hospital examining their Workplace Violence Prevention plans.

TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Posted on by 0 Comments

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of it’s budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses it’s emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone, if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little results and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t’ screen the cargo riding on the same plane – is just lining pockets including the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that is avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.

The Risk Assessment – Live – and Cross-Cultural

Posted on by 0 Comments

I just got back from a great trip to the Middle East.  I spoke at a State Department conference (ISAC) Conference in Doha, Qatar and then did a full risk assessment of a large hospital in Abu Dhabi.   Besides that I loved the food, and loved the people, and came home with lots of beautiful earrings and bangles and perfume.

The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height,  politics, or anything else.   Maybe this is why the TV show “The Office” is a worldwide hit.   Organizations work the same way all over the world.  As a person who got her degree in cultural anthropology of all things — I am amazed less at the differences than I am in the similarities between organizations.

This is my 17th country that I have visited to do a security risk assessment and they all come down to these basic steps: 

1.  Identify what you want to assess.   Many times you need to cut down the proposed assessment, it doesn’t need to include things that are 10 miles away.

 2.  Write up a Project Plan to show other people what you’re doing to do – and give management a time line to work with.  (It keeps me focused – a value add).

3.  Find the dollar VALUE for whatever you are assessing, for example — How much is the facility worth?   What’s the value of one patient record – two dollars or two thousand dollars?

4.  Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.

 5.   Ask other people in the organization how they handle security.   I like using our automated surveys because it captures more immediate data from individuals.  You can use a translator if you don’t speak the language and I guarantee you’ll be amazed at the results.  The more people you interview – the more amazing the results will be.

6.   Examine all the existing controls and see how they are being used in other areas of the organization,  are they 100% implemented?   80%?   50?  Even less?

7.  Analyze the results with good math.  This is commonly done by software, but you can also use a regression analysis model with a database program like Access –   don’t guess.    Let the numbers do the talking.

8.   Write up a simple report, illustrated with lots of color graphs and photos, so someone  can just page through the report and understand what the assessment revealed.

The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT.  Some people call them After Action Reports, maybe they are called Corrective Action Reports, maybe they are called a Task List.  The name doesn’t matter, but the results matter.

The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment.  In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall?  add a better camera system to the Emergency Department?  do background checks when you hire new people?

These are just examples,  any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that.     In the follow up Blog – I’ll talk about how to present your findings to your management.

JOHNS HOPKINS HOSPITAL MURDER/SUICIDE IS TOO CLOSE TO HOME!

Posted on by 0 Comments

My summer vacation is over so I jumped right back into work by doing four webinars on workplace violence in the last four days.   I have been very concerned about the trend toward violence toward healthcare and hospital workers.

Having just researched and presented on this subject two days ago, I was greatly saddened to see it AGAIN, 30 miles from my home, at the prestigious Johns Hopkins Hospital.   Local media and CNN covered it extensively because the man shot his mother’s doctor in the stomach, apparently after his mother was paralyzed as a result of spinal surgery.  He then barricaded himself into his mother’s hospital room and eventually shot and killed her and then shot himself.

With a staff of over 30,000,  this was a major incident.  I would love to calculate how much the hospital might have lost from having the staff vacate the building for at least two hours.

This incident once again opens the debate about how to ‘secure’ hospitals, or at least to have a better way to ensure the safety and security of both the staff and the patients.  Hospital administrators continue to maintain an ‘open environment’, and don’t seem to understand that this problem will continue to increase, if there is not way to better manage access in hospitals.

On the radio today, I heard that Baltimore City Council President Bernard C. “Jack” Young said that John Hopkins security is adequate and that using metal detectors would create a hazardous situation for patients entering the building.   “Why would they want metal detectors going into the hospital?” Young said. “People go to the hospital because they got shot. People wouldn’t go to the hospital because of the metal detectors. They would stay away and die rather go through metal detectors.”  He also mentioned during the same interview that the hospital has over 80 entrances.

This exact problem is raging at hospitals all over the country, because violence is dramatically increasing in healthcare.  The NIOSH study from 2004 reported that  violence in hospitals was over four times the national average for non-healthcare workplaces.  Of course, it is now 2010 and that is a long way from 2004 – AND – we have had a terrible recession raging since 2008….

The results of an Emergency Nurses Association survey released in 2009 found that more than 50% of ER nurses had experienced violence by patients on the job and more than 25% had experienced 20 or more violent incidents in the past three years. Research showed long wait times, a shortage of nurses, drug and alcohol use by patients, and treatment of psychiatric patients all contributed to violence in the ER. 

There has been only sporadic interest in this phenomenon and no standard has emerged.  For example, a NIOSH (National Institute for Occupational Safety and Health) Publication in 2004 is called Guidelines for Preventing Workplace Violence for Health Care and Social Services . OSHA Publication 3148-01R (2004). This guide describes the special considerations surrounding workplace violence in the environments of health care and social services.

After my last column on Workplace Violence issues in healthcare, I got a few angry letters from associations and organizations saying they had been working on creating standards for this – FOR THE LAST FOUR YEARS… but amazing, they have not been published.  

There is NO standard or requirement for preventing workplace violence, only the vague requirement for employers to maintain a safe workplace.   Twenty-seven states have come up with their own ‘guidelines’.  Remember – standards are Required, guidelines are only recommended.  That means if the incident happens, the management has no liability because they did not disregard a requirement.

My regular readers will remember that I recently visited a hospital that had a murder about two years ago and even two years later, it was still having a traumatic impact on the staff who witnessed the incident. 

I am a big believer in risk assessments and I think having a workplace violence assessment REQUIRED of every hospital, and having that information aggregated nationwide and studied, would be a big step that improve our knowledge of why this continues to increase, and would also point to more effective solutions to safeguarding our hospitals.

Maybe people will start to press hospitals on this issue – after all – they may end up in a hospital some day, and probably would like to be safe and secure during their visit.

Maybe the aging baby boomers will finally demand more security in their hospitals.  I hope so.