Massachusetts Hospital Makes Security Changes After Nurse Stabbed 11 Times

From “Massachusetts Hospital Makes Security Changes After Nurse Stabbed 11 Times”
Campus Safety Magazine (09/27/2017) Brennan, Amy

Harrington HealthCare System’s Southbridge, Mass., hospital began implementing new security measures in September following the June stabbing of a nurse by a former patient. Elise Wilson was working as an emergency room nurse on June 14 when 24-year-old Conor O’Regan stabbed her 11 times. Doctors say Wilson almost died from tremendous blood loss. Investigators say O’Regan picked Wilson at random and was seeking revenge for what he considered to be unsatisfactory treatment at the hospital three weeks prior for a wrist injury. He told court physicians that he heard voices telling him to “be a warrior.” Hospital administrators say the new security measures include limitation of visitors in emergency departments and mandatory bag searches at Harrington’s Southbridge and Webster locations. Each patient in the emergency departments will be limited to two visitors. Added public safety officers will manage visitors as they arrive. Public safety officers will also now carry batons, pepper spray, and handcuffs. “There are very strict guidelines and circumstances under which these tools would be used, and that is being communicated during the training being taken by our Public Safety Department,” says Harrington vice president Harry Lemieux. Many hospital employees, including public safety staff, will participate in de-escalation training and defensive tactics. On-site training and drills will also be rolled out with department and building-specific protocols. Two walk-through metal detectors have also been placed at emergency room entrances and additional security cameras and panic buttons have been installed throughout the hospital.

Mitigating Active Shooter Risks

From “Mitigating Active Shooter Risks”
PropertyCasualty360 (08/16/17). Posted by ASIS.

Security professionals should prepare their companies for the possibility of an active shooting, as the number of incidents involving active shooters has risen steadily over the last 15 years. Keith Plaisance of Global SHE Solutions says implementing an active shooter program is similar to preparing for a fire drill, and survival depends on having a plan with three specific options: run, hide, or fight. Preparing for an active shooter scenario involves the development of a workplace violence policy and plan, emergency response plans, training, and exercises. For the workplace violence policy, the employer should establish acceptable workplace behavior, affirm the company’s commitment to take action and provide a safe workplace for employees, and address physical violence as well as threats, bullying, harassment, and weapon possession. Plaisance says a reporting mechanism should be in place letting employees know whom to approach with concerns. He also recommends creating a threat assessment team within the company. Companies should test plans to determine effectiveness and identify potential problems, presenting plans to employees in regular training. Companies should also conduct a detailed physical security assessment, with the goal of denying unauthorized access and protecting property, personnel, and operations.

Microsoft PowerPoint Used as Attack Vector to Download Malware

From “Microsoft PowerPoint Used as Attack Vector to Download Malware”
Neowin (08/15/17). Reposted by ASIS.

Trend Micro researchers have discovered that a vulnerability in the Windows Object Linking and Embedding (OLE) interface is being exploited by cybercriminals through Microsoft PowerPoint in order to install malware. The interface is commonly exploited through malicious Rich Text Format (RTF) documents. The attack starts with a phishing email that contains an attachment. The message appears to be some sort of order request, with the attached file supposedly containing shipping details. The attachment is a PPSX file, a type of PowerPoint file that only plays back as a slideshow and is not editable. Should the victim download and open it, the only content displayed is the text “CVE-2017-8570,” a reference to a different Microsoft Office vulnerability. The file instead launches an exploit for the CVE-2017-0199 vulnerability and begins to infect the host computer with malicious code run through PowerPoint animations. A file called “logo.doc” is then downloaded; it is an XML file with JavaScript code that runs a PowerShell command to download a new program called RATMAN.exe, a trojanized version of a remote access tool called Remcos.

Fears of Hackers Targeting U.S. Hospitals, Medical Devices for Cyber Attacks

From “Fears of Hackers Targeting U.S. Hospitals, Medical Devices for Cyber Attacks”
ABC News (06/29/17) Harris, Dan; Kapetaneas, John; Zepeda, Robert; et al. Posted by ASIS.

Hospital computers and medical devices are potentially vulnerable to hacking, according to cybersecurity experts. Among the U.S. computers affected in the Petya ransomware attack that quickly spread to countries around the world Tuesday were hospital computers. Last month, the WannaCry ransomware shut down 65 hospitals in the United Kingdom, affecting not just computers but storage refrigerators and MRI machines, and last January, Hollywood Presbyterian Hospital in Los Angeles paid out $17,000 after hackers took control of its computers. To combat this problem, doctors, security experts and government employees recently converged at the University of Arizona Medical School in Phoenix to witness the first-ever simulated hack of a hospital. “Anything that is plugged in,” whether it has a Wi-Fi connection or not, can be vulnerable to hacking, and lots of medical devices, such as pacemakers and ventilators, are connected to the Internet for the benefit of the patients, says Dr. Jeff Tully, a pediatrician and self-proclaimed hacker who organized the event and staged the cyberattack with Dr. Christian Dameff, an emergency medicine physician. Cybersecurity expert Josh Corman, who recently served on a congressional task force for the U.S. Health and Human Services Department to investigate health care systems, said these systems are easy to hack because often the computers are running “on very old, unsupported systems.” Also, hospitals need to invest more in qualified cybersecurity personnel. Corman’s team conducted a yearlong investigation and found that at least 85 percent of hospitals do not have a single qualified [cyber]security person on staff.

Violence Against Health Care Workers Captures Regulators’ Attention

From “Violence Against Health Care Workers Captures Regulators’ Attention”
Business Insurance (04/26/17) Gonzalez, Gloria. Reprinted by ASIS.

The U.S. Occupational Safety and Health Administration (OSHA) is “paying close attention” to workplace violence against health care workers, according to Safety National Casualty Corp.’s Mark Walls. In 2015, there were more than 11,000 violent incidents against employees in the health care and social assistance sector — a number that is nearly as high as all other industries combined. The California Division of Occupational Safety and Health Administration Standards Board unanimously adopted the first workplace violence prevention standard for health care workers in the United States last year, with the standard taking effect April 1. General acute care hospitals, acute psychiatric hospitals, and special hospitals must report incidents of workplace violence at their facilities to Cal/OSHA. The safety regulators are then required under Senate Bill 1299 to post a report each January on the total number of incidents reported, the names of the hospital facilities, the outcomes of inspections or investigations, the citations levied against a hospital based on a violent incident, and recommendations for the prevention of violent incidents in hospitals.

Workplace Violence: Prevention and Response

From “Workplace Violence: Prevention and Response”
CSO Online (03/08/17) Wackrow, Jonathan. Reprinted by ASIS.

Almost 2 million Americans are the victims of workplace violence every year. The Occupational Safety and Health Administration says that corporations spend over $36 billion each year on remediating the aftereffects of such incidents. Studies have shown that training and implemented policies to prevent threats and violence significantly decrease the incident rate. The best risk management strategy includes a combination of sound protocols, access to expert professional resources, and quality insurance coverage. The most effective prevention methods identify and address potential problems early. Workplace violence generally breaks down into four broad categories: violence by an unknown individual with criminal intent, violence by a known customer, violence by an employee, and violence by an associated party. Organizations should also implement a hiring process that emphasizes pre-employment screening and background checks. Understanding the risk factors can also prove extremely beneficial. In the event of an incident, crisis response plans are most effective when tailored to the needs and resources of a particular employer and workforce.

Hospital Shooting: Florida Facilities Beef up Security With Armed Guards, Random Bag Checks

From “Hospital Shooting: Florida Facilities Beef up Security With Armed Guards, Random Bag Checks”
Fierce Healthcare (07/25/2016) Minemyer, Paige. Reposted by ASIS.

Central Florida hospitals are bolstering their security in the wake of a deadly shooting at an area facility. The shooting at Parrish Medical Center earlier this month has sparked security concerns in the area. Parrish itself has reportedly increased security in its emergency department and main entrance, instituting random bag checks, and restricting access at certain locations within the facility. Health First, a system that owns four other hospitals in the same county, is also implementing those measures, as well as employing armed guards, which has some worried patient safety will be endangered. Orlando Health, the hospital that treated the majority of patients injured in the Pulse nightclub shooting, is now screening people entering its hospitals with wand and bag checks. Hospitals across the country are increasingly planning for active shooter situations in their facilities, or to handle a sudden overflow of patients should a shooting occur elsewhere.