In this episode, John Riggi, the AHA’s National Advisor for Cybersecurity and Risk, is joined by Jeremy Baumann, CEO and founder of Corporate Security Advisors (CSA), to break down how C-suite leaders can assess their security posture, make smarter investment decisions, and build a world-class security organization. They’ll share real-world insights on how leading hospitals are strengthening security to reduce risk, protect patient trust, and ensure operational resilience.
Security as a Strategic Advantage: Building High-Performing Physical
John Riggi (Host): Hello everyone, and thanks for joining today. I'm John Riggi, your National Advisor for Cybersecurity and Risk at the American Hospital Association. Welcome to AHA Preferred Cybersecurity and Risk Providers Bringing Value, a podcast from the American Hospital Association. Today's topic is Security as a Strategic Advantage: Building High-Performing Physical Security Programs in Healthcare.
First, a little bit about the American Hospital Association. We represent nearly 5,000 member hospitals, health systems and other healthcare organizations. Our clinical partners consist of over 2 million nurses and more than 270,000 affiliated physicians.
There's a reason why I've focused on our caregivers and clinicians within our hospitals. For the past several years, unfortunately, healthcare workers across the nation have experienced a sharp increase in incidences of workplace violence with no sign that this trend is receding. Despite the diligent efforts of hospitals and health systems to prevent violence and protect their staff, healthcare workers remain five times more likely than any other type of worker, outside of law enforcement, to be physically attacked on the job, according to the US Bureau of Labor and Statistics. When I came here from law enforcement after having spent 28 years at the FBI, I was amazed and incredibly disappointed at that statistic. In law enforcement, we expect resistance and acts of violence.
That's our job, to engage in adversarial confrontations often, but for nurses and healthcare workers whose only intent is to help those in need and serve their communities, for them to be assaulted is truly despicable. However, despite the proliferation of workplace violence and its negative effects on our healthcare system, no federal law protects the healthcare workforce from assault or intimidation.
That's why, at the time of this recording, bipartisan legislation strongly supported by the American Hospital Association, Senate Bill 1600 and HR House of Representatives 3178, known as Save Healthcare Workers Act, modeled after federal statutes protecting aircraft and airport workers, would make it a federal crime to assault a hospital employee with enhanced penalties applicable to acts that involve the use of a deadly or dangerous weapon. This bill would also direct the Government Accountability Office to study the effect of these provisions on workplace violence in healthcare settings. That's why I'm so pleased to have with me today, Jeremy Baumann, President and Chief Executive Officer of Corporate Security Advisors, one of our newest preferred cybersecurity and risk providers.
Jeremy, to start off today, can you tell our listeners about your professional background and really what led you to founding Corporate Security Advisors?
Jeremy Baumann: Yeah. First of all, John, thank you for having me today. It's a pleasure to be here with you on the podcast. I started my career in local law enforcement in central Illinois, and after spending five years on the job, I had a mentor guide me towards a career in corporate security.
Throughout my time in corporate security, I held senior global security roles at organizations like Takeda Pharmaceuticals, Discover Financial Services, where my focus was building and leading high performing enterprise security programs and teams. I repeatedly ran into the challenge throughout my career of hiring multiple vendors for every niche of security need that there might be.
And realized through my time there that there was a gap in the market around a single full service strategic security partner, and that's really why we founded CSA and developed that as CSA's Mission.
Host: Jeremy, when healthcare executives reach out to you to assess whether their security programs are resilient and compliant while also meeting their business needs, how do you advise them?
Jeremy Baumann: First and most importantly, we want to emphasize that there is a need to align security performance with the organization's needs and really focusing on the mission of patient care. And what do we mean by that? Well, security actually needs to be contributing to that patient care mission and when it's running optimally, it is truly contributing to patient care. It's not just protecting the facilities and the people who work there, but actually is part of that care mission. So from our standpoint, we begin by running a full diagnostic. What's working with the security program? What's not? What components are suboptimal and what components are missing entirely?
While we do benchmark against, uh, regulatory expectations, the supportiveness of the patient care mission is really at the center of what we do, and aligning that with the overall organization's risk tolerance. Each healthcare organization has a little bit of a different mission, has a little bit of a different risk tolerance based on its position in the market.
And what we really want to do is help clients see where their resources should best be focused to have an impact on their overall effectiveness within the marketplace, along the goals of being able to contribute as much as possible to the mission of patient care.
Host: Thanks, Jeremy. So interesting to hear you talk about patient care and safety. Usually when we think of physical security in hospitals, we're thinking about protecting buildings, right? We have cameras and physical access control devices, magnetometers, but really it's about the patients. We cannot deliver care without a safe, tranquil working environment. Again, not only to protect the staff, but to protect the patients that we are entrusted with their care and safety.
Your team focuses a lot on the strategic aspects of security. As you know, Jeremy, I speak to CEOs quite often, often every day, in fact, and often what we do hear is that there is this tension between finances and other clinical needs. Even when I deal with cybersecurity, the executives look at this and say, well, it's a cost, and yet we have to provide care and we have to hire workers, and it's sometimes difficult to demonstrate the value of what appears to be a cost center, something that doesn't raise revenue or directly contribute to care. Can you give us an overview on how you and your team assist organizations setting a strategic direction for strengthening their cybersecurity organizations while demonstrating the value of the expenditures involved in physical security?
Jeremy Baumann: Absolutely, John, and what I would say, just even before getting into the process, is that there's perhaps an over-reliance on technology and not understanding the proper deployment. Many of the organizations we meet with think that weapons detection is going to be a panacea. They think that if they install hundreds of cameras that it's going to, to make a difference in the overall safety and security of the organization, but they don't understand necessarily how those tools need to be implemented effectively so that they get the maximum return on their security investment.
So it's important for us to start with the understanding of the organization's mission, their current state, their risk appetite, how well is security performing with the tools and technologies and processes that they have in place today. Then we need to build a strategic roadmap that prioritizes the most critical areas for investment.
It's really important to understand what the mitigation you're purchasing with any security investment is. For example, cameras don't stop bad things from happening. So if we're spending a lot of money on, on technology like cameras, we have to understand that those are investigative tools and we're not really buying prevention.
We like to work with an organization to understand how much of their security dollar they want focused on prevention and how much they want focused on response and investigation. From there, that helps us focus on those outcomes, how those investments are going to drive measurable risk reduction. So, for example, we might guide a team through implementation of a security program where we shift security's overall mission from being first responders to actually having them involved in the patient care continuum when deescalation is needed.
The highest performing programs that we see are the ones where security is the deescalation expert at the healthcare organization, where healthcare workers, when they start to feel that escalation, they're huddling early, they're bringing security into the picture, and security then is able to deescalate and stop that from converting into a situation where there's some sort of attack or physical violence on a healthcare worker.
This is really where security starts contributing the most value. And they do that not just in terms of the patient care continuum, but in terms of the clinical staff and their overall satisfaction. When they understand that they can rely upon security to be those deescalation experts, that allows them not only to focus on clinical care, but to feel safe in their environment.
We might guide an organization through an implementation along those lines where they're actually converting the security team from being those first responder mentality to actually being experts in deescalation where they're leading the training for deescalation, training for the clinical staff, and helping them understand how they can work together as a care team to be able to focus on the best outcome for the patient.
Host: Thanks for all that, Jeremy. So really interesting to hear you talk about, just like with any other business function in a hospital, you have to make the business case you're talking about ROI, just like a business leader would and really, really important points you made that technology will not solve the problem on its own.
And it's the human force that's behind that, both on the clinician side, your trained security professionals as well, deescalation, a, uh, concept you and I know well from our law enforcement days. All law enforcement officers, whether federal agents or local law enforcement, uniformed law enforcement, want to prevent an attack. We, and when I was on the job and you were on the job, would rather prevent an attack, rather than respond to some act of violence.
In fact, we're working very closely with the FBI's Behavioral Analysis Unit right now to develop strategies aimed at preventing targeted acts of violence. And I think your services, Jeremy, you and your team of real professionals, uh, by the way, which I hadn't mentioned earlier, you are all former law enforcement, FBI, CIA, Secret Service, really an incredible roster of talent that you bring to this particular risk issue.
So when we're talking to the C-Suite leaders on investments, as I just mentioned earlier, again, whether it's cybersecurity, physical security, any business level, what investments do you advise them to make to minimize risk while bringing their security program really to the right level of performance based on their level of risk and their physical security posture? And we'll talk later about the intersection of cybersecurity and physical security.
Jeremy Baumann: Yeah, you're absolutely spot on John. It, it really does come down to a measurement of translating the security risks into strategic outcomes. What is the impact of the investment? What is the cost in terms of reputational or operational excellence?
We actually like to, to work with organizations to help them think about their investments in terms of the value it's going to bring, not just in providing a safer environment, but what are the knock on effects of that in terms of being able to attract more patients to seek care at their organization because of that safer environment?
As with anything else, we want to make investments that work together, that leverage off of each other. So in terms of people, process, technology, those all have to work as a system. So as an example, technology might be panic buttons, cameras, uh, the ability to overhear when something is pressed. They might be, uh, the use of a central monitoring station that's remote from that. You've got the responsive security officers.
If those investments are all made as part of a strategic plan where they're working together in concert as a system, then we magnify the effects of them. Many of the, the hospitals that we see, many of the healthcare organizations deploy panic buttons and security officers responding to those don't have any idea whether it's an accidental press or whether there's a person with a weapon.
When we combine those technologies together, the central monitoring, the response of a uniformed security team, together with the ability to monitor what's happening, uh, subsequent to that press, then everything starts to work together in a system and allow for rapid response of 911 and first responders from the outside if that's necessary.
This is one example of where helping leaders think about the right blend of people, process, and technology really becomes the pathway towards success. It provides the opportunity to have a clear, staged investment plan that's tied to achievable and measurable goals, and it aligns again, all of your security investments with organizational strategy, not just compliance.
Host: Thanks, Jeremy. It's so interesting to hear you talk about those tenets, those principles we use in cybersecurity as well, people, process and technology. In fact, what we are seeing is the merger of your physical security discipline with cybersecurity in certain areas. A lot of the technology you spoke about, cameras, panic buttons, door access controls are all network or internet connected.
So there's this merger of the cybersecurity function, needing to secure all that physical security technology, making sure we're not hacked by bad guys, while you're trying to monitor for the real life physical, bad guys on the property, and there may be indicators which on the cyber side they may be able to share with the physical security side.
Are we getting harassing emails and so forth? Is there some type of hacking or denial of service activity tied to somebody who is ideologically motivated, who may actually show up in person on premises? So the most effective security programs we've seen, and I use security broadly to encompass cybersecurity, physical security, risk as well, are those hospitals which combine all those disciplines.
So thank you for taking that approach. So in today's, as we've indicated, very complex environment, it's really critical to build a team that can execute at the highest level on all those disciplines. What advice do you have for our listeners related to security talent, recruiting and development?
Jeremy Baumann: You know, John, that's a great question and I'd like to take that starting at the top of the organization. Any healthcare organization needs a senior leader who understands not only healthcare, but business and security at the strategic level.
There tends to be an over-reliance on technical expertise, and the gap that we see in most organizations is that the Vice President of Security is not necessarily able to perform at the same level as the Vice President of HR, the Vice President of IT, the Vice President of finance. Avoid the technical experts, ensure that your leader can function at the strategic level.
Ensure that they, you're comfortable putting them in front of your executive committee or your board, if necessary, to conduct a briefing, ensure that they've got the right background necessary to lead and to teach other leaders, but to think about their program in terms of their impact on the organization and the business.
From there, building a team culture focused on accountability, mission alignment, and continual development are important. It's important to invest in mentoring, cross training, and career progression to retain top talent. You have to have the ability for people to move throughout the organization to progress, if you plan on keeping them around. There's no reason that your uniform security officers who are being hired as entry level staff on your team should not be able to progress over time, move up through shift supervision, site supervision, specialty program management roles and project management roles, roles specializing in systems and technology within security to moving up into strategic levels with the right leaders developing their teams.
I think one of the areas of focus that gets overlooked in healthcare a lot is having subject matter expertise on systems and technology and security. Many of our, our client organizations, because of how security devices and technology are procured, don't understand their total cost of ownership of their security technology, and when that can be north of 10, 20, 30 million in some of these large organizations, having a strategic level technology leader specific for security really helps that technology support the overall mission that this uniform security team is undertaking. And finally, when possible, outsource the commoditized work to keep internal teams focused on, on strategic initiatives. Having a good blend of internal teams and outsourced support is really the right lever to be able to adjust your coverage to dynamic risks that organizations are facing.
Host: Again, thanks for those insights, Jeremy, again some of the very same principles we talk about in cybersecurity as well. It's not necessarily the technical expert that is the most effective advocate for the program. You need somebody who is a strategic leader, we say this in cyber all the time, who can translate that technical risk into enterprise risk and strategic risk for the organization.
And of course, ultimately I think what we're most concerned about, whether it's cyber security or physical risk, is patient and staff safety, and ultimately community safety for all of those that we serve within our surrounding service area of the hospitals. Jeremy, before we wrap up, can you close our discussion by sharing some parting thoughts on what success looks like for a world-class high performing security program?
Jeremy Baumann: What we have seen, and we've seen this post-9/11 outside of healthcare and publicly traded companies, was a shift towards intelligence led proactive mitigation of risk. And what we're seeing in a post-COVID environment is that healthcare organizations and the demands on healthcare organizations from the marketplace and from societal shifts are necessitating that security makes this change within healthcare as well.
We need to think about stopping bad things from happening rather than just reacting to them when they do. So understanding that your high performing security team can stop that active shooter from happening through the use of advanced intelligence tools that are available to every healthcare organization out there is absolutely a mindset shift that every healthcare organization needs to undergo for their security programs. We can, through the correct processes and tools, stop bad things from happening. We need to ensure that security is embedded in the organization, not bolted on. They need to be part of that patient care continuum that we spoke of earlier, and they need to think about everything they do from access control, visitor management, the use of technology to be able to assist visitors, to get to patient rooms, to be able to keep the wrong people from visiting patient rooms.
That all needs to be part of that patient care continuum, that proactivity that's aligned with the strategy, organizational leaders that are trusting of their security leaders and teams, thinking about risks that are managed in real-time, not just reported out on quarterly. And ensuring that success is measured by enabling the organization to provide care with confidence.
That's really the, the single underlying metric that needs to be the focus of the security team so that the clinical staff can come to, to work every day, so that patients and visitors can focus on healing and recovery. That's really what a high performing security program looks like. Having these experts that are focused on deescalation and their contribution to that patient care continuum is absolutely what the best healthcare organizations in the world are shifting their security programs' focus to.
Host: Thank you, Jeremy. Again, great points. Intelligence driven, proactive security operations, recruiting talented folks who believe in a mission. I've found in over my years in law enforcement and in the intelligence world, those highest performing units were those that we had people that really believed in a mission, give them a cause, expert leaders, and those were consistently the highest performers.
And you touched on another point I, I think folks lose sight of is that when you have an environment that is filled with or at-risk of violence, especially for clinicians that face so many challenges. There are studies which indicate that those type of environments contribute to physician and clinician burnout.
We have a hard enough time keeping and retaining good physicians, clinicians, nurses, without them having to worry about being physically assaulted while they're, again, providing care for their community. So Jeremy, thank you and all the team of professionals at Corporate Security Advisors for what you do every day to contribute to the AHA's mission and help protect our healthcare workers in America.
And thanks for joining the podcast and sharing your takeaways with us. For our listeners, if you would like to learn more about AHA cybersecurity and risk programs, please visit aha.org/cybersecurity. Also, and as always, special thanks to our frontline Healthcare Heroes for what you do every day to defend our networks, care for our patients, and serve our communities.
This has been an AHA Preferred Cybersecurity and Risk Providers Bringing Value Podcast brought to you by the American Hospital Association. Thanks for listening and stay safe everyone.