Violence Against Health Care Workers Captures Regulators’ Attention

From “Violence Against Health Care Workers Captures Regulators’ Attention”
Business Insurance (04/26/17) Gonzalez, Gloria. Reprinted by ASIS.

The U.S. Occupational Safety and Health Administration (OSHA) is “paying close attention” to workplace violence against health care workers, according to Safety National Casualty Corp.’s Mark Walls. In 2015, there were more than 11,000 violent incidents against employees in the health care and social assistance sector — a number that is nearly as high as all other industries combined. The California Division of Occupational Safety and Health Administration Standards Board unanimously adopted the first workplace violence prevention standard for health care workers in the United States last year, with the standard taking effect April 1. General acute care hospitals, acute psychiatric hospitals, and special hospitals must report incidents of workplace violence at their facilities to Cal/OSHA. The safety regulators are then required under Senate Bill 1299 to post a report each January on the total number of incidents reported, the names of the hospital facilities, the outcomes of inspections or investigations, the citations levied against a hospital based on a violent incident, and recommendations for the prevention of violent incidents in hospitals.

Cybersecurity Firm Warns That Hackers Can Take Control of Cars

From “Cybersecurity Firm Warns That Hackers Can Take Control of Cars”
Wall Street Journal (04/13/17) Dawson, Chester. Reprinted by ASIS International.

An Israeli cybersecurity firm is raising fresh concerns about hackers taking control of moving cars, remotely shutting down an engine with the help of a smartphone app, a Bluetooth connection, and a type of device commonly plugged into ports located under vehicle dashboards. On 13 April, Argus Cyber Security Ltd. said it was able to use a so-called dongle, a device often installed by insurance companies to monitor driving patterns or by owners wanting in-vehicle Wi-Fi, to crack into a vehicle’s internal communication system. The firm triggered a signal meant to disable the fuel pump, something that normally would happen only after a collision. Argus didn’t disclose the model of car it hacked, but the breach is the latest in a series of high-profile hacks, including an incident two years ago staged by two security researchers who controlled a Jeep Cherokee via a wireless internet connection.

IBM Report Details 2017 Tax Scams as IRS Filing Deadline Nears

From “IBM Report Details 2017 Tax Scams as IRS Filing Deadline Nears”
eWeek (04/05/17) Kerner, Sean Michael. Printed by ASIS International.

IBM Security is warning of an increase in tax-related spam email and related fraud scams that aim to exploit tax filers as the April 18 tax filing deadline nears. IBM’s “Cybercrime Riding Tax Season Tides: Trending Spam and Dark Web Findings” report, released on April 5, details how attackers are increasing their efforts ahead of the deadline. IBM X-Force security researchers have tracked a 6,000 percent increase in tax-related spam emails from December 2016 to February 2017. Limor Kessem, executive security advisor at IBM Security, says that this is the first year that IBM is seeing campaigns targeting businesses. “Last year, consumer tax fraud was the most common illicit activity linked with compromised taxpayer information,” she says. “This year, things are getting bigger and bolder.” She went on to say that attackers have several different ways to get taxpayer information, depending on their technical skill levels. “The more technically inclined may breach a company’s infrastructure to steal data directly from their internal servers,” she explains.

Homeland Security’s Terror Warning for NJ Hospitals and Hotels

From “Homeland Security’s Terror Warning for NJ Hospitals and Hotels”
New Jersey 101.5 (03/27/2017) Matthau, David. Reprinted by ASIS.

As authorities continue to investigate last week’s terror attack outside the British Parliament, homeland security officials in the United States are advising the public to be vigilant. The New Jersey Office of Homeland Security and Preparedness is calling on hospitals, hotels, and motels to keep an eye out for anything out of the ordinary. Eric Tysarczyk, the director of policy and planning for the New Jersey Office of Homeland Security and Preparedness, stressed no specific, credible threat has been made against any of these areas in New Jersey. However, hospitals are considered potential terror targets because they have open access and they are mass gathering sites. Tysarczyk notes some hospitals have chemicals and devices that could interest terrorist attackers, and hospitals play a prominent role in prevention and protection, which might also catch the attention of those planning an attack. He says the public should remain vigilant and report anomalies such as people wearing bulky coats inappropriately and congregating around delivery docks when they are not making deliveries. He says the first point of information should be either the security guard or the local police, adding that it is better to report a situation that does not pose a threat than to fail to report an actual threat.

Workplace Violence: Prevention and Response

From “Workplace Violence: Prevention and Response”
CSO Online (03/08/17) Wackrow, Jonathan. Reprinted by ASIS.

Almost 2 million Americans are the victims of workplace violence every year. The Occupational Safety and Health Administration says that corporations spend over $36 billion each year on remediating the aftereffects of such incidents. Studies have shown that training and implemented policies to prevent threats and violence significantly decrease the incident rate. The best risk management strategy includes a combination of sound protocols, access to expert professional resources, and quality insurance coverage. The most effective prevention methods identify and address potential problems early. Workplace violence generally breaks down into four broad categories: violence by an unknown individual with criminal intent, violence by a known customer, violence by an employee, and violence by an associated party. Organizations should also implement a hiring process that emphasizes pre-employment screening and background checks. Understanding the risk factors can also prove extremely beneficial. In the event of an incident, crisis response plans are most effective when tailored to the needs and resources of a particular employer and workforce.

The Intruder in the Brigham OR – How Did She Get There?

From “The Intruder in the Brigham OR – How Did She Get There?”
Boston Globe (02/05/17) Kowalczyk, Liz. Re-posted by ASIS.

A former surgical resident impersonated a physician and gained access to restricted areas to observe operations and attend patient rounds at Brigham and Women’s Hospital in Boston. Cheryl Wang, previously dismissed from a residency program in New York City, wandered into operating rooms in official Brigham scrubs she may have obtained from a previous visit. Although Brigham staff are required to scan their identification badges to enter operating rooms, Wang slipped into the surgical suites by walking in behind other employees who were holding the door open for each other. Following the security breach, the hospital says it has strengthened its policy for allowing observers into its operating rooms. Physicians now are required to verify that a doctor-in-training is in good standing with his or her educational institution. The hospital also plans to educate staff about the dangers of “tailgating,” or letting people follow staff into restricted areas without scanning an ID card. Electronic card access and surveillance cameras are considered security best practices, but hospital security experts are considering other safeguards, including turnstiles, security officers, and biometric systems.

Can You Hear Me? Just Say “NO!” (Or Hang Up)

Reports have surfaced about a new scam using a familiar line. Scammers call, identify themselves by name and company, and during the momentary pause that follows, the scammer says, “Can you hear me?” Of course we all respond, “yes,” and then we hang up or say we’re not interested or let loose a string of expletives. You get my point. But no matter how you respond, the damage is done.

The scammer records your yes response and neatly places it in a recording, making it sound like you answered yes to ordering various goods. When you later call to complain, you are met with the sound of your own voice verifying the purchase. As a matter of fact, these folks are bold enough to threaten to sue you if you don’t pay for your “order.”

There are so many creative scams out there that it is important to remember a few simple rules that might eliminate a great deal of inconvenience (or money loss) later:

DO NOT answer calls from numbers you don’t recognize.

DO NOT verify your phone number with anyone you didn’t call.

DO NOT give out personal information on any call you did not initiate.

It is not likely we can avoid all scammers, but let’s not make it easy for them!

A Hospital’s Safety Lessons

From “A Hospital’s Safety Lessons”
Security Management (10/16) Abdulaziz Al Essa, Ibrahim. Printed by ASIS.

A deadly fire that broke out at Jazan General Hospital in Saudi Arabia last December has been attributed to negligence by hospital and Ministry of Health officials as well as poor design and implementation of the building. The fire, which killed 25 people and injured 124, was caused by an electrical short circuit on the first floor of the hospital. Hospital staff members were able to evacuate all patients on the first floor, but the resulting smoke density and escalation to the hospital’s upper floors caused deaths due to asphyxiation. Defects in the building’s fire isolation and alarm system and faulty oxygen extension pipes also facilitated the fire’s spread. The Ministry indicated that the hospital staff’s lack of security and safety training led to an increase in deaths and injuries during the evacuation process. The hospital did not have an incident command team, mechanisms to control emergency exits, or fire extinguishing systems. The evacuation process was further hampered by cars and bystanders congesting the area outside the hospital. Hospital officials ignored the warnings of the Saudi Arabia Civil Defense Agency prior to the facility’s opening in 2009, including concerns that the contractor hired to construct the building committed several engineering errors.

Yahoo Says Information on at Least 500 Million User Accounts Was Stolen

From “Yahoo Says Information on at Least 500 Million User Accounts Was Stolen”
Wall Street Journal (09/23/16) McMillan, Robert. Posted by ASIS.

Yahoo Inc. reported Thursday that hackers backed by an unnamed foreign government had stolen personal information from more than 500 million of its users’ accounts. Hackers penetrated Yahoo’s network in late 2014 and stole personal data on more than 500 million users. The stolen data included names, email addresses, dates of birth, telephone numbers, and encrypted passwords, Yahoo said. Yahoo said it believes that the hackers are no longer in its corporate network. The company said it did not believe that unprotected passwords, payment-card data, or bank-account information had been affected. In July, Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale was not legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.” Yahoo did not say how the hackers broke into its network or which country sponsored the attacks. The intrusion, in 2014, came during a period when many computer attacks were believed to be the work of China. More recent hacks, however, including of the Democratic National Committee earlier this year, have been blamed on Russia. Both countries have denied involvement in the hacks. The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse.