Agent of opportunity risk mitigation: people, engineering, and security efficacy.
Academic Article
Overview
Abstract
BACKGROUND: Agents of opportunity (AO) are potentially harmful biological, chemical, radiological, and pharmaceutical substances commonly used for health care delivery and research. AOs are present in all academic medical centers (AMC), creating vulnerability in the health care sector; AO attributes and dissemination methods likely predict risk; and AMCs are inadequately secured against a purposeful AO dissemination, with limited budgets and competing priorities. We explored health care workers' perceptions of AMC security and the impact of those perceptions on AO risk.
METHODS: Qualitative methods (survey, interviews, and workshops) were used to collect opinions from staff working in a medical school and 4 AMC-affiliated hospitals concerning AOs and the risk to hospital infrastructure associated with their uncontrolled presence. Secondary to this goal, staff perceptions concerning security, or opinions about security behaviors of others, were extracted, analyzed, and grouped into themes.
RESULTS: We provide a framework for depicting the interaction of staff behavior and access control engineering, including the tendency of staff to "defeat" inconvenient access controls. In addition, 8 security themes emerged: staff security behavior is a significant source of AO risk; the wide range of opinions about "open" front-door policies among AMC staff illustrates a disparity of perceptions about the need for security; interviewees expressed profound skepticism concerning the effectiveness of front-door access controls; an AO risk assessment requires reconsideration of the security levels historically assigned to areas such as the loading dock and central distribution sites, where many AOs are delivered and may remain unattended for substantial periods of time; researchers' view of AMC security is influenced by the ongoing debate within the scientific community about the wisdom of engaging in bioterrorism research; there was no agreement about which areas of the AMC should be subject to stronger access controls; security personnel play dual roles of security and customer service, creating the negative perception that neither role is done well; and budget was described as an important factor in explaining the state of security controls.
CONCLUSIONS: We determined that AMCs seeking to reduce AO risk should assess their institutionally unique AO risks, understand staff security perceptions, and install access controls that are responsive to the staff's tendency to defeat them. The development of AO attribute fact sheets is desirable for AO risk assessment; new funding and administrative or legislative tools to improve AMC security are required; and security practices and methods that are convenient and effective should be engineered.