An unusual safety breach at an assisted living facility shines a light on relentless human ingenuity and need for management to reconsider approach to safety measures
When it comes to operating a successful assisted living facility, safety is business critical. It’s among the top criteria considered by residents and families in choosing a community. It’s also a pre-requisite for regulatory compliance. When poorly implemented, it can lead to suspension or loss of an operating license, reduced occupancy, and long-lasting reputational damage.
Steering clear of safety violations is typically a matter of following Life Safety Codes, also known as NFPA 101. Related codes include the Joint Commission’s Physical Environment regulations, OSHA, and CMS.
Occasionally, meeting a code’s technical requirements isn’t enough. When compliance doesn’t translate into the best security, facilities can be left exposed to the very safety violations they were aiming to avoid.
A case in point is the March 2020 elopement by residents of a Tennessee memory facility. The safety breach gained national attention for the ingenuity employed by a dementia patient in using his morse code training to outsmart exit security based on a keypad.
The daring and ingenious escape won accolades and admiration for the man and his wife, who was also a resident at the facility. For facility management, the incident led to an investigation, a corrective action plan and a hefty fine.
By dint of good fortune, the “escapees” were safely returned to the care facility by a good samaritan who encountered the couple, unharmed, strolling down a street some 30 minutes away. The code violation, monetary penalty, and national attention resulting from the breach were a blow to the facility. They were also, on the whole, a preferable alternative to the huge liability that could have resulted had the incident ended in injury, or worse, to the residents.
A post-event investigation by the Tennessee Board for Licensing Health Care Facilities identified a number of procedural violations. Not addressed by the inquiry but clearly at the center of the breach was the keypad-based security protocol that was defeated by the resident.
Keypad technology has been around since 1875. Its low acquisition cost and ability to operate independent of keys, cards, and other tokens makes it affordable and, thus, a popular choice for keyless access control. It also meets the technical requirements for “means of egress” regulations applicable to exits of secure facilities like memory care and dementia units.
A question raised by the Tennessee case is whether a touchpad is, despite its technical compliance, the right solution for the high-risk, high liability workflow associated with exiting a secure healthcare facility. The hefty price of the keypad, after adding the cost of fines and reputational damage to the relatively affordable acquisition expense, suggests that it may not have been the best fit for the requirement.
Keypads work well in many use cases and the level of safety provided by security automation technology can’t always be measured until its limits are tested in production. Measured by the probability that a dementia patient could have the knowledge, capacity and motivation to capture and reproduce a tonal sequence of keystrokes, the limits of touchpad security would seem to be well within the range of acceptable. The safety vulnerability exposed by the Tennessee incident would have been hard if not impossible to pick-up based on this type of analysis.
What may have surfaced the weakness, possibly by luck rather than design, was a safety and security assessment that considered practical measures like the probability of shared passwords being compromised or the risk of an individual entrusted with a password suffering impaired recall in an emergency requiring quick action to release an exit door.
When it comes to managing risk around safety and security, assisted living facilities might not have the resources, as hospitals do, to conduct expansive vulnerability assessments and gap analysis. Having said that, a simple exercise of assigning a value to each entry/exit point, based on importance to business operations and potential cost of a breach, can help facilities to make better decisions about how and where to focus their security investment for maximum safety and best return.
While finance, in collaboration with risk management, is likely to be the functional area that decides investments, sound decisions are based on input from a team that should include, but not be limited to:
Safety-Security Management: different from most access control processes, which create barriers to exclude bad actors intent on causing harm to people or property, egress management is largely about protecting individuals from self-harm. Its focus on locking individuals in, albeit for their own protection, while also facilitating easy and rapid access in emergencies, carries both a security responsibility and a life safety burden. In this context, a safety professional that understands behaviors like wandering, elopement, and exit seeking is equally or better qualified than a physical security expert to define the problem and solution requirements
Clinical Leadership: with their unique insight into the behavioral underpinnings of exit seeking behaviors, and their knowledge of individual patients’ conditions, these professionals bring essential understanding of care-based preventative measures that can compliment technology solutions
Human Capital Management: with workforce burden and burnout top-of-mind in today’s healthcare workplace, caregivers and staff must have a voice in decisions that impact their workflow and productivity.
When safety is on the line, an assisted living facility’s business is at risk. That’s why C-suite management shouldn’t be satisfied with security measures that meet technical compliance standards but aren’t the best solutions to protect residents at egress points and similar high-risk areas of a facility. A risk management approach to safety and security, including a point-by-point assessment of vulnerability and feedback from stakeholders can mitigate liability exposure from technology vulnerabilities and focus decision-making on solutions that maximize safety and achieve business goals.
Next installment: Biometrics – a managed risk approach to safety and security that everyone can agree on.