Note: Everything discussed here is what I was able to notice without looking. I suspect that the problem extends well beyond what I noticed, and that someone actively looking with malicious intent would see even more than I did.
Two weeks ago, I had the misfortune of burning both my hands. While most of the skin has now regrown, I’ve thought a lot about what I observed at the hospital and it’s left me with a very disconcerting conclusion: American hospitals are horribly vulnerable to a terrorist attack. There are actually two local hospitals, and the other seems just as insecure. I’ll be discussing the two hospitals as though they were one facility, though I will not mention any vulnerabilities if I have reason to believe that only one of the facilities suffers from that vulnerability.
First, a brief bit of background. Attacks on civilian hospitals have been historically frowned upon, and seen as an inhuman violation of the Laws of Wars. Aside from this, attacks on civilian hospitals are unlikely to benefit a traditional military. There are no high profile targets there, it will only cause chaos and the loss of innocent lives; this combined with the backlash from the international community and the pointless expenditure of resources has been enough to prevent civilized military groups from attacking a civilian hospital.
Modern terrorists, especially al Qaida and others espousing a doctrine of global jihad, will feel little compunction from attacking a civilian hospital. Hospital patients would be easy targets for an armed assault on a hospital, and can just as easily be used as hostages. While most hospitals have evacuation plans, many of them are designed to a disaster or severe weather threat, and they will have trouble quickly removing injured and disabled people from the hospital – especially once an assault has begun.
Terrorist groups like al Qaida, who see it as their duty to kill every American and every ally or collaborator of America, would be thrilled with the high body count a hospital could provide – especially if it were a religious (i.e. Catholic) hospital. They would also be happy that the local medical establishment is disrupted as new patients must be redirected to another facility, and while damages to the hospital are repaired after the assault – especially if expensive equipment, like MRI machines, were sabotaged. Al Qaida would also be ecstatic if such an attack made people afraid to go to a hospital. Depending on how much intelligence was gathered ahead of time, they may be able to steal medical waste, including infectious and radiological materials.
Let’s move beyond some of the reasons why a terrorist group would like to attack medical facilities, and focus on some of the vulnerabilities that the hospitals need to address ASAP.
The ‘Professional’ Security Staff Doesn’t Know Who Belongs and Who Doesn’t
My first hint that hospital security was below par came when a security guard convinced himself that I worked at the hospital. When I parked my car in the Visitor’s Lot, he stopped me and repeatedly insisted that I couldn’t park there because I worked at the hospital. After a few minutes of talking to him, I was able to finally convince him I didn’t work at the hospital. The alarming part is that his confusion wasn’t the result of me looking like someone who did work at the hospital – it was that I was wearing a nice button up shirt and slacks, and I had a laptop/messenger bag/man purse that I keep my iPad and other essentials in.
If I had gone there wearing actual scrubs, or with a name badge that even slightly resembled the ones used by the hospital, or if I had stated that I was with the IT department, hospital administration or any number of other positions, I could have easily accessed most parts of the hospital.
The ‘Professional’ Medical Staff Are Unfamiliar With Their Own Hospital
When I needed tests to look for nerve damage, I went to the Neuro-Diagnostic Lab at the hospital. I already had the suite number and information, when one of the hospital orderlies got onto the elevator with me and hit the button for the floor I was going to. I asked him to confirm if that floor was where the NDL was, he gave me a confused look. When I rephrased and asked about Neurology, he wrinkled his brow and said no – that wasn’t on that. The only department on that floor was the one he worked in. We stepped off the elevator and were immediately greeted by a giant sign, with arrows indicating Neuro in one direction, and the orderly’s department in the other. He was completely surprised to discover that he was wrong, which is distressing since the staff in the NDL told me they had not been moved there anytime recently.
It’s a safe bet that the orderly was unfamiliar with the NDL staff and wouldn’t be able to tell whether they did or didn’t belong on that floor – meaning he would have no idea if he saw something out of place, and he’d be unable to alert security until it was too late.
The Ambulance Bay and Parking Garage Are Both Exceedingly Vulnerable To Car Bombs
Unfortunately, there may be little that can be done to protect ambulance bays from being attacked by a suicide car bomb, but there is no excuse for the parking garage to share that vulnerability. There are no measures in place to prevent someone from parking their car in the garage, probably near the entrance/exist or a support beam, and then detonating explosives in the trunk from a safe distance. This could be carried out as an attack unto itself, or if the terrorists are planning an assault on the hospital, the explosion outside acts as a convenient cue for the primary assault to begin while giving the emergency response teams something else to distract and divert them.
Computers Are Regularly Left Unattended, and Their USB Ports Are Exposed
An attached USB device could easily act as a key logger to gain access to the hospital’s database and files. The right kind would be very difficult to notice, as the keyboard would plug into the key logger, which then plugs into the computer. The computer doesn’t detect the key logger, which stores every bit of information the keyboard sends through it. Almost universally, the computers are positioned so that the USB ports face away from the operator and towards a potential attacker. It would be all too easy to attach a USB device without the operator being aware of it; and even easier with the computers which are left unattended in unlocked rooms.
The After-Hours Lockdown Is A Joke
I’ve never been able to stomach false security, ever since my High School announced that if anyone ever tried to attack the school after the students had all arrived, they’d be unable to get inside because the doors automatically locked. The glass doors. I considered that fake security, since anyone coming to harm students or teachers would not balk at throwing a rock through the locked glass door. The hospitals do essentially the same thing. After visiting hours end, the hospital goes into “lockdown” where the main entrances are all locked, so no one can get in except through the Urgent Care or Employee entrances.
This seems like an excellent idea, except that no one performed any sort of sweep to make sure that no one was hiding in the hospital, and waiting for most of the medical and security staff to leave. The doors into Urgent Car (also made of glass) do have a security post just past them – the problem is that in the seven hours I spent waiting in Urgent Care, the security guard spent less than 20 minutes at his post. He was nice enough to pull out the log and record books and then put them back in an unlocked drawer which could easily be seen from the waiting area. Once someone has made it to Urgent Care, they’re an unguarded corridor away from the rest of the hospital.
Performing Reconnaissance and Gathering Intel Is Simple and Easy
Unfortunately, getting a good look at a hospital’s layout could not be simpler. By posing as a visitor during the day, most of the hospital can be accessed or studied, making it easy to become familiar with the layout. Getting a closer look only requires an injury severe enough to require admittance to Urgent Care, or the hospital itself. With a simple gash on their arm or unknown animal bite provides plenty of access to look around, plant key loggers and spyware using the USB drives on computers. The devices can later be recovered the same way.
Hospitals are also extremely vulnerable to Open Source Intelligence gathering. General maps of the facilities are uploaded online, reducing the need for physical reconnaissance. In an attempt to improve patient doctor relations, and to make it easier to find the right doctor, information about hospital personnel is available online – including names, pictures, specialties and backgrounds. All of this information would make it easier for someone to bluff that they belong there until it’s time to launch the assault.
I assume that the hospitals are using detectors to alert them to an airborne chemical or biological contaminate. They are designed to not be seen or obvious, but their use in hospitals is a necessity. More than almost any non-governmental facility, hospitals must protect against a biological attack due to the number of people with weakened immune systems, and the presence of on-site infectious material.
Based on my observations, hospitals remain extremely vulnerable to terrorist or active shooter attacks. Unless the shortcomings in security are addressed, then it is a matter of when and not if civilian hospitals will become targets of terrorists. There are many ways that an attack could be launched on a hospital, this piece discusses only a few of them and in a general way; the goal was to point out specific security vulnerabilities and not compile a list of ways terrorists could decimate a hospital.