Determine threat — Look for faults in policy and procedure

When protecting a hospital's possible targets, the first step is a threat assessment, says Zachary Goldfarb, EMT-P, CHSP, CHEP, CEM, principal with Incident Management Solutions, a company in Uniondale, NY, that helps hospitals and other organizations prepare for and respond to emergencies.

That step means determining what you are protecting your target from. Is it surreptitious theft by an employee or visitor? Is it an armed theft by one or two people? A full assault by terrorists? A quiet, nonviolent but skilled burglar?

The hospital's defense will depend on the perceived threat and the resources available, Goldfarb says. Keep in mind that a key part of any defense is the use of layers so that even if there is an armed attempt to reach radiological material, the criminals are slowed by having to get through multiple locked doors and other security. Those layers increase the likelihood that police can respond quickly enough to intervene, Goldfarb explains.

"A more likely scenario is that you have someone on the inside who takes away just a little bit of material at a time, over some period, until there is enough to pack some explosives around and have the desired effect," he says. "That is reason to take a good look at your screening processes and your surveillance procedures in this area, which may need to be much more extensive than in the rest of the hospital."

Any defensive measures and security procedures should be tested periodically with a "red team" effort, which means having one or more people try to access the controlled areas and obtain (or simulate obtaining) the radiological material. This step can be one of the best ways to find deficiencies, Goldfarb says. He refers to the hospital in the GAO report where a combination lock secured a sensitive area, but the combination was written on the doorframe.

"That's so overt, but people really do that kind of thing," he says. "You have to find those problems and ask yourself why they did it, rather than just saying, 'that's a crazy, willful violation.' Why did they do that workaround, and how can you improve the process so that they're not motivated to do that anymore?"