Case study: Vulnerability analysis of a health care facility

A vulnerability assessment uncovered gaps at a federal health care building

By Ryan Searles May 19, 2022
Courtesy: IMEG Corp.

As a security consultant I was part of a team that was hired to perform a vulnerability/gap analysis of the resiliency of a large Department of Defense hospital. Our team focused on the organization’s crisis management, operational security posture and policy and procedures in relation to mitigation of and response to various types of malevolent threats.

Like all such projects, the assessment started with physical security design and technologies that can be used to prevent a certain percentage of events from happening.

We next assessed other key aspects of organizational preparedness and resilience:

  • Policy and procedures.
  • Training in awareness of and response to events.
  • The ability of the facility’s crisis management team to respond accurately to a variety of emergency events.

Figure 1: Tabletop exercises are an important component of vulnerability analyses. The exercises include dry runs on numerous emergencies as well as identification of the roles and responsibilities of an organization’s crisis management team. Courtesy: IMEG Corp.

The assessment uncovered gaps in all these areas.

The first step in addressing the identified gaps was to develop improved and more detailed policy and procedures, making sure the organization had thorough plans for responding to all types of malevolent events that could occur in the region. To accomplish this, our security team worked closely with a variety of stakeholders, including the civilian government service leadership, military leadership and the DOD police department, which would respond to numerous types of events and help secure the hospital and triage areas, control evacuations and be the outside agency liaison.

We then closed the awareness and preparedness gaps by training the employees and stakeholders in the new and approved policies for response. Part of this training included tabletop exercises, which are dry runs on any type of emergency to test the responses of the hospital’s crisis management team and identify gaps in processes. This included identifying numerous roles and responsibilities that needed to be filled by personnel on the crisis management team.

We then tirelessly drilled and rehearsed all types of emergencies with a crawl, walk, run approach — starting with lesser events and gradually ramping up the type and size of emergency. These drills started with weather-related events and ended with a complex active shooter event and mass casualty.

The whole project from start to finish took 12 months. By the end, the hospital administrators and stakeholders felt that their facility was much more secure and ready to respond in time of crisis. We also instructed the organization to review their emergency operations protocols yearly and address any new or emerging threats (e.g., COVID-19) that might require new procedures, policies and responses.

By always assessing their resilience to emergency situations and taking steps to eliminate any gaps, health care organizations can help ensure that even in time of simultaneous crises they will be able to continue to serve their community.

IMEG is a CFE Media content partner.

Author Bio: Ryan Searles is a senior security consultant at IMEG Corp.