Special Alert:
JCAHO Impostors

Impostors could be targeting hospitals to gain information for terrorist attacks

Beware of anyone posing as JCAHO surveyors, other visitors

By Greg Freeman
Healthcare Risk Management Editor

Healthcare Risk Management has learned that terrorists may be behind a recent spate of incidents in which people posed as JCAHO surveyors, doctors, or government officials to gain access to hospitals. Experts in hospital security and terrorism say the most likely explanation for these impostors’ attempts to gain access is they are collecting information for future attacks on health care facilities.

Word of these impostors has spread quietly through the health care community in the past year, but the problem gained more attention recently when JCAHO issued warnings about people posing as surveyors to gain access to facilities. The Joint Commission has received three reports in the past four months about such impostors. (Read the Joint Commission’s warning at www.jcaho.org/accredited+organizations/security.htm.) In all three cases, the impostors fled after being asked for proper identification.

The problem is larger than just the incidents reported by the Joint Commission. The law enforcement community is concerned enough to issue special bulletins warning of the danger. The number of incidents and their similarity suggest a terrorist connection, says James M. Roberts, CHPA, CAS, director of safety and security for Mercy Medical Center in Baltimore. He says impostors have been reported in New Jersey, California, Massachusetts, North Carolina, Virginia, and Ohio. Before working in health care, he spent decades working in counterterrorism efforts for the Army and is a certified anti-terrorism specialist. Roberts has been tracking the reports of impostors.

“Too many hospitals have been contacted” for it to be a coincidence, he says. “They’re all asking pretty much the same general questions; and in some cases, they seem to be very scripted in what they ask.”

The impostors are not part of any sort of spot test of hospital security, confirms Joint Commission spokesman Mark Forstneger. No other agency is authorized to use the Joint Commission’s name in that way, and such use would not be tolerated, he says.

Joint Commission officials say they do not know the motivation behind the attempts, but experts in hospital security and terrorism say the circumstances point to a frightening conclusion. Health care facilities have long been known as a secondary target of terrorists, officials say, because an attack at the local hospital would hamper any efforts to respond to a larger attack in the community. And as other primary targets, such as government buildings, are hardened against attack, hospitals may become increasingly attractive as a soft target.

Risk managers must be on the alert for these impostors and ensure that hospital staff know how to respond, the experts warn.

Unlikely to be common criminals

While no one can be certain of why the impostors are trying to gain access, their methods suggest they are more than just petty criminals looking to steal laptops, drugs, or financial information, says Fred Roll, CHPA-F, CPP, president of the International Association for Healthcare Security and Safety (IAHSS) in Glendale Heights, IL. The average person does not even know about the Joint Commission or that surveyors could access the hospital, he says, so the impostors must be sophisticated enough — and motivated enough — to have identified that method through research.

In addition to his work in health care security overall, Roll is an expert on the terrorist threat to health care facilities. He says the impostors are a growing threat that demands immediate attention.

“I’ve warned about the threat to health care facilities since 9/11, but we haven’t heard too much about these impostors until the recent months,” Roll explains. “We have to at least consider that these are terrorists looking for the weak points in our system because this is an unusual, very calculated way to try to get in and get information.”

If the impostors are terrorists, he adds, they are seeking information such as what resources you have, the access control points, what doors are kept open, your visiting hours, and other information that might help them get someone or something into your facility at a later date. They also may ask where you keep radiological materials or where other sensitive areas are located, Roll says. He notes that the impostors sometimes visit during off-hours when it is less likely a senior administrator will be readily available and more likely to realize that something is amiss than a night clerk.

“They depend on confronting someone who may not know everything about how the Joint Commission operates but knows enough to be intimidated and dazzled by someone who says they are surveyors,” he explains. “They’re hoping that person is impressed enough to comply before someone with more authority can step in.”

Impostors showing up nationwide

Stephen Gaunt, CHCHPA, a past board member of the IAHSS and director of security at a large metropolitan hospital on the East Coast, says the impostors have turned up nationwide. Gaunt has been following the imposter reports and the related warnings from law enforcement agencies, and he says they all suggest a terrorist connection. “You put a small device in a hospital or school and you’ve got instant worldwide attention,” he says.

Gaunt notes that there is no hard proof of a terrorist connection, but when asked what other purpose might motivate people to pose as Joint Commission surveyors and seek information about access points, he pauses for a long moment and then says, “There isn’t any.”

It is not unheard of for people to try to gain access to a hospital for illicit reasons, he notes, such as when a gang member tries to find out if a rival gang member is being treated there. “But those people would not know enough about the Joint Commission to use that as their cover,” Gaunt says.

Other explanations possible?

Dan Hodges, a retired FBI agent and currently a consultant with OpSec Consultants in Nashville, TN, also agrees that terrorism is at least one explanation for the impostors. There may be other explanations, he says. “It’s either terrorist activity or to steal something. It’s hard to say,” he explains. “It all goes back to access control. Many of our hospitals are wide-open societies in which people can go wherever they want.”

If the impostors are not terrorists, Hodges says they are probably seeking access to patient information for some reason. A rogue private detective, for instance, could use a ruse to gain access to the hospital’s database. Any time someone tries to gain access to the hospital under a ruse, Hodges says, the most likely explanation (other than simple theft) is that the person is seeking information on a particular patient or personal financial information to exploit, he says. But Hodges acknowledges that the nationwide pattern of these impostors also must be considered in determining their motive.

What are they looking for?

Almost all of the impostors have claimed to be Joint Commission surveyors, but some have claimed to be doctors, and federal law enforcement agents, Roberts says. The questions seem to all relate to the hospital’s ability to respond to a mass emergency, he says. “In all cases in which they were challenged, they left,” he says. “They do not seem to want to have anything to do with security.”

Witnesses have reported a wide range of appearances for the visitors, including Caucasian, Middle Eastern, and Asian appearances. One incident included a blonde woman as one of the three visitors, he says.

Before 9/11, Roberts says he may have assumed the impostors had a different goal, such as a well-planned abduction of an infant. “But after 9/11, to me it appears to be targeting data” for a future attack, he says.

Then why would terrorists target a small hospital like Newton Memorial Hospital in Sussex County, NJ, a 148-bed acute care facility that was recently hit by the impostors?

Actual hospitals may not be the target

Roberts explains that the actual hospitals visited may not be the target. Large metropolitan hospitals are the mostly likely targets for any terrorist attacks in health care, but those also are more likely to have strong security measures in place. So instead of going to Johns Hopkins Hospital in Baltimore, the terrorists may go to smaller facilities such Newton Memorial where they can gather general information about hospital processes and procedures that may be applied when attacking the larger, more preferred target, says Roberts .

But that doesn’t mean that smaller hospitals would not be a target at all, he says. If an attack on a rural hospital put it out of commission, the impact on the surrounding community would be enormous, he says. “And don’t ever forget that the goal of a terrorist attack is not necessarily the actual damage you inflict, but the terror you create in the community,” he says. “If they want to send the message that you’re not safe in rural communities, that can be one way to do it.”

Careful planning a hallmark of terrorists

Roberts notes that, contrary to some commonly held ideas, terrorists are not just wild thugs. They actually are well educated, methodical, and willing to research an attack for years before carrying it out. The carefully orchestrated attacks of 9/11 show that to be particularly true for al-Qaeda, he says.

The 9/11 attacks also show that the terrorist operatives can pass for typical Americans, he notes. Most of the terrorists who hijacked planes on 9/11 could have passed for Joint Commission surveyors, physicians, or government agents if that was their goal, Roberts says. “This could be an effort to just get a feel for health centers, a way to ask how secure are these places, would they make a good target for us,” he says.