Impostors could target hospitals for terrorism

Beware of anyone posing as JCAHO surveyors

Terrorists may be behind a recent spate of incidents in which people pose as accreditation surveyors, doctors, or government officials to gain access to hospitals. Experts in hospital security and terrorism say the most likely explanation for these impostors’ attempts to gain access is they are collecting information for future attacks on health care facilities.

Impostors have been reported in New Jersey, California, Massachusetts, North Carolina, Virginia, and Ohio. Word of these impostors has spread quietly through the health care community in the past year, but the problem gained more attention recently when the Joint Commission on Accreditation of Healthcare Organizations issued warnings about people posing as surveyors to gain access to the facilities.

The Joint Commission has received three reports recently about such impostors. (See the Joint Commission’s warning at www.jcaho.org/accredited+organizations/security.htm.) In all three cases, the impostors fled after being asked for proper identification.

What to expect from a Joint Commission surveyor

Question anyone claiming to be a Joint Commission surveyor at your facility, says Joe Cappiello, vice president for accreditation field operations with the Joint Commission on Accreditation of Healthcare Organizations.

Surveyors are well aware of the problem with Impostors and will not be offended by a request for identification or even being asked to wait while you confirm that they are who they say they are.

At a minimum, Cappiello advises taking these steps:

  1. Ask them to show their Joint Commission identification badges.
  2. Examine the letter authorizing their visit. If the surveyors are not expected for a scheduled survey, they will have a letter addressed to the head of the organization signed by Russell Massaro, MD, executive vice president of accreditation operations for the Joint Commission. The letter will explain who they are and why they are there.
  3. If there is any doubt about the legitimacy of the credentials or other concerns, call Cappiello directly at (630) 792-5757, or call your local Joint Commission account representative.

Incidents are not part of a test

The impostors are not part of any sort of spot test of hospital security, confirms Mark Forstneger, Joint Commission spokesman. No other agency is authorized to use the Joint Commission’s name in that way, and such use would not be tolerated, he says.

Joint Commission officials say they do not know the motivation behind the attempts, but experts in hospital security and terrorism say the circumstances point to a frightening conclusion. Health care facilities have long been known as a secondary target of terrorists, they say, because an attack at the local hospital would hamper any efforts to respond to a larger attack in the community. And as other primary targets, such as government buildings, are hardened against attack, hospitals may become increasingly attractive as a soft target.

The FBI and other law enforcement agencies are looking into the incidents, according to a published report in The Washington Post.1

"There is no working hypothesis. It could be any number of things, from identity theft to something more nefarious," an FBI spokesman, who declined to be named, was quoted as saying.

The Department of Homeland Security also is aware of these suspicious reports, said Brian Roehrkasse, a department spokesman, in the published report. He added the agency doesn’t have "any intelligence information that indicates al-Qaida is planning an attack or targeting hospitals."

The problem is larger than just the incidents reported by the Joint Commission. There have been many similar attempts to gain access and information about hospitals through impersonating other officials, and the law enforcement community is concerned enough to issue special bulletins warning of the danger.

Unlikely to be common criminals

While no one can be certain why the impostors are trying to gain access, their methods suggest they are more than just petty criminals looking to steal laptops, drugs, or financial information, says Fred Roll, CHPA-F, CPP, president of the International Association for Healthcare Security and Safety (IAHSS) in Glendale Heights, IL.

The average person does not even know about the Joint Commission or that surveyors could access the hospital, he says.

The impostors must be sophisticated enough — and motivated enough — to have identified that method through research.

In addition to his work in health care security overall, Roll is an expert on the terrorist threat to health care facilities. He says the impostors are a growing threat that demands immediate attention.

"I’ve warned about the threat to health care facilities since 9/11, but we haven’t heard too much about these impostors until the recent months," Roll adds. "We have to at least consider that these are terrorists looking for the weak points in our system, because this is an unusual, very calculated way to try to get in and get information."

If the impostors are terrorists, they are seeking information such as what resources you have, the access control points, what doors are kept open, your visiting hours, and other information that might help them get someone or something into your facility at a later date, he says.

They also may ask where you keep radiological materials or where other sensitive areas are located, Roll explains.

Impostors showing up nationwide

Stephen Gaunt, CHCHPA, a past board member of the IAHSS and director of security at a large metropolitan hospital on the East Coast, says the impostors have turned up nationwide.

Gaunt has been following the imposter reports and the related warnings from law enforcement agencies, and says they all suggest a terrorist connection.

"One of the things that Al-Qaeda is contemplating or planning is attacks on softer targets like shopping malls, schools, and health care facilities," he adds. "You put a small device in a hospital or school, and you’ve got instant worldwide attention."

Dan Hodges, a retired FBI agent who is now a consultant with OpSec Consultants in Nashville, TN, also agrees that terrorism is at least one explanation for the impostors. There may be other explanations, he says.

A terrorist connection?

"It’s either terrorist activity or to steal something. It’s hard to say," Hodges explains. "It all goes back to access control. Many of our hospitals are wide open societies in which people can go wherever they want."

The number of incidents, and their similar circumstances, suggest a terrorist connection, adds James M. Roberts, CHPA, CAS, director of safety and security for Mercy Medical Center in Baltimore. Before working in health care, he spent decades working in counterterrorism efforts for the U.S. Army and is a certified antiterrorism specialist.

"Too many hospitals have been contacted" for it to be a coincidence, Roberts says.

"They’re all asking pretty much the same general questions, and in some cases, they seem to be very scripted in what they ask," he adds.

Almost all of the impostors have claimed to be Joint Commission surveyors, but some have claimed to be doctors and federal law enforcement agents, he adds. The questions seem to all relate to the hospital’s ability to respond to a mass emergency, Roberts says.

"In all cases in which they were challenged, they left," he notes. "They do not seem to want to have anything to do with security."

Witnesses have reported a wide range of descriptions for the visitors, including Caucasian, Middle Eastern, and Asian appearances. One incident included a blonde woman as one of the three visitors, he says.

Before 9/11, Roberts says he may have assumed the impostors had a different goal, such as a well-planned abduction of an infant.

"But after 9/11, to me it appears to be targeting data" for a future attack, he points out. That leaves one question: If that is the case, why would terrorists target a small hospital such as Newton Memorial Hospital in Sussex County, NJ, a 148-bed acute-care facility that was recently hit by the impostors?

Roberts explains that the actual hospitals visited may not be the target. Large metropolitan hospitals are the mostly likely targets for any terrorist attacks in health care, but those also are more likely to have strong security measures in place.

So instead of going to Johns Hopkins Hospital in Baltimore, the terrorists may instead go to smaller facilities such as Newton Memorial where they can gather general information about hospital processes and procedures that may be applied when attacking the larger, more preferred target, Roberts says.

"This could be an effort to just get a feel for health centers, a way to ask how secure are these places, would they make a good target for us," he says. But that doesn’t mean that smaller facilities would not be a target at all, Roberts points out.

If an attack on a rural hospital put it out of commission, the impact on the surrounding community would be enormous, he says.

"And don’t ever forget that the goal of a terrorist attack is not necessarily the actual damage you inflict, but the terror you create in the community," he adds. "If they want to send the message that you’re not safe in rural communities, that can be one way to do it."

Reference

  1. Brown D. Fake hospital inspectors probed — FBI investigates incidents at facilities in Boston, Detroit, L.A. The Washington Post, April 22, 2005:A10.