The killing of UnitedHealthcare’s Brian Thompson is a sobering example of the threats to executives. Two security leaders share ideas to help keep leaders safe.
Unprepared. Unused. Underfunded. Non-existent.
Paul Sarnese, left, and Eric Sean Clay offer insights for protecting healthcare executives.
Prior to the murder of Brian Thompson on December 4th, these words could be used to describe most healthcare executive protection programs. However, when the assassin fired those shots into Mr. Thompson, he unknowingly ushered in a sweeping reform of how we protect not only the healthcare C-suite, but also executives in almost every other industry.
In May 2023, Chief Healthcare Executive® published an article that we wrote, titled “Protecting the C-suite.” In this article, we discussed the vulnerabilities that these executives face in the office, while traveling, and at home, and offered basic strategies to better protect them. This was by no means a comprehensive list of solutions, but was simply intended to help executives recognize these risks and discuss options with their security leaders.
On December 5th we realized that this was a discussion few were having as we were receiving calls from every major news outlet asking for interviews or appearances to discuss the murder of Mr. Thompson. During these interviews we made a number of suggestions, most of which you see large organizations implementing today.
One of the things we did not predict was the support the assassin's actions would receive. Even a cursory look at social media rhetoric shows the most popular posts express support, if not elation, over the murder of Mr. Thompson. In fact, United Health’s bereavement message for Mr. Thompson received over 77,000 response posts.
The results of a Newsweek poll published on December 17, 2024, revealed that 41 percent of people between the ages of 18 and 29 found the shooting of Mr. Thompson to be either “somewhat” or “completely” acceptable. Twenty-three percent of those in their 30s believed the shooting was acceptable, as did 13 percent of those in their 40s and 8-10 percent of people in their 50s to 70s.
These numbers reveal that resentment towards the healthcare and insurance industry is at an all-time high. While some viewed this assassination as horrible, others responded with indifference, pointing to their own negative experiences with medical providers or denials of healthcare benefits.
In the immediate aftermath of the suspect’s arrest, multiple “GoFundMe” accounts were set up to support his legal defense, raising thousands of dollars before being shut down. “GoFundMe” quickly removed these accounts and issued refunds, citing its policy against fundraisers for the legal defense of violent crimes. Undeterred, supporters moved to “GiveSendGo,” a Christian crowdfunding site and “GoFundMe” alternative, where, by late December, one of these sites had raised over $189,000 of its stated $500,000 goal.
In addition to support on social media sites, we have seen “WANTED” posters across New York City with the faces of healthcare executives and criticisms of the healthcare industry. Some of the posters repeatedly referenced the words “deny,” “defend,” and “depose,” which were written on bullet casings found at the scene of Mr. Thompson’s murder. These three words are used by health insurance critics to explain how these companies might decide to deny claims. They have also become the rallying cry for more radical supporters of the person charged with murdering Mr. Thompson.
These words have even appeared on merchandise, such as hats, T-shirts, decals, and pint glasses. The New York Police Department issued a law enforcement sensitive intelligence analysis report that contained the following sentence, “CEOs should act like they have targets on their backs.”
More attacks are possible
As healthcare security professionals, we have been focused on protecting our doctors and nurses, as we know the vast majority of workplace violence occurs in healthcare facilities. In fact, OSHA tells us that at least 73 percent of all non-fatal workplace injuries received due to violence occur in a healthcare setting. And as surprising as that statistic is, we know that, because of underreporting, which happens for several reasons, that number is significantly higher.
We also know that targeted violence committed against healthcare executives is exceedingly rare. One recent case involved Valley Children’s Hospital CEO Todd Suntrapak, who received numerous threats after the public learned of his $5.1M annual salary. In response, the organization ordered 24-hour security at his home. However, the lack of reported incidents doesn’t mean they don’t occur. This could also be attributed to organizations not publicly disclosing these events.
Despite the rarity of these attacks, the celebration of Mr. Thompson's murder suggests that more attacks on healthcare executives are possible, if not likely.
Mr. Thompson’s murderer was prepared for his attack. He took the time to manufacture a “ghost gun,” complete with a suppressor to mask the shots. He positioned a bicycle nearby to facilitate his escape, and he had a pre-planned exit strategy to leave the state. So we, as security professionals, must also be meticulous in our efforts to protect our executives.
In today’s economy, we as consumers make purchasing decisions based on how we relate or identify with the product or service. Each product or service has a corporate identity, a cause, a mission, a benefactor that we may connect with personally or professionally. We place a value and trust in products or services based on our connection with them. Many organizations feel as though they must share the intimate personal details of their executives to foster this connection.
We encourage all organizations to review the information that is publicly available about their executives and board members. Information designed to build a connection with consumers can also be used to collect intelligence that may be exploited. The public does not need to know the executive’s hometown, significant other’s and children’s names and hobbies, or the organizations where they volunteer their time. All of this information can be exploited and provides no value for customer acquisition.
For organizations that invite the public into their facilities to purchase goods or services, we suggest that you evaluate the need to inform your customers where the executive suite and other sensitive areas are located. The executive suite and the main distribution frame (MDF) are prime examples.
If the public has no need to know where the executive suite is then there is no need to place the suite on the way-finding directory. If there is a need for the public to meet with members of the executive team, we suggest that the guests be properly vetted and meet with the executives in an access-controlled conference room as close to the public entrance as possible.
Executives and board members must also be very conscious about information that they post on social media. Executives must always remember that they are representing their organization, their brand and their culture. Political and personal ideology should be evaluated before sharing on these platforms. Spouses and children of executives must also be careful with their opinions that they share on social media.
Some questions to answer before posting. Is this content valuable to my audience? Will it spark engagement? Will it spark controversy? Is the post appropriate for my image? Am I sharing too much personal information? Would I say this directly to someone? Is there a better way to communicate this message?
We often share stories that highlight how easily something meant to share information with the public and improve their experience can be used to exploit a vulnerability.
We were conducting a security vulnerability assessment at a large academic medical facility on the East Coast. We were familiar with the campus but decided to navigate their website looking for a site map. When we arrived on their website, we found a virtual campus tour. They had mounted a high-definition camera to a pole in the middle of the campus so that the end user could control the pan, tilt and zoom. We were able to identify the main hospital, the parking garage, the cancer institute, the women’s and children’s facility, etc.
We were also able to identify many vulnerabilities. We were able to see hiding spaces under the canopy and cover of landscaping. We were able to see that several exterior doors were being held open with rocks and other objects. We were also able to see that the American flag needed to be replaced, that there were several large potholes in the parking lot, and that the exterior grounds were not being well maintained. When we met with the client, who was the chief operating officer, we showed her the pictures that we were able to gather from their website that showed the vulnerabilities that could easily be exploited. We recommend that virtual tours be prepared by the organization for public viewing and that end users not be able to freely control cameras that are viewing the facility in real time.
Identifying threats
Since many threat actors utilize social media to threaten organizations, their executives and the organization’s brands, organizations must have a process to identify threats on social media by utilizing a social media threat monitoring solution. Social media sites, forums, blogs must be monitored to identify potential threats.
When threats are received by social media or other sources, organizations must evaluate the threat and take the appropriate actions to mitigate risks. Organizations must have an internal confidential process for reporting threats and accessing the threat assessment expert or team. A threat assessment team is a group of professionals who identify, evaluate, and respond to potential threats. The typical steps involved in a threat assessment include identifying threats, assessing the seriousness of the threat, analyzing the risks, developing mitigation strategies and follow up.
We recommend that organizations consider creating an internal threat assessment process that involves identifying, evaluating, and responding to potential threats.
The International Association for Healthcare Security and Safety suggests that organizations develop a threat assessment and management program informed by data and research in this area.
In support of the program, the organization should: (1) establish a multidisciplinary Threat Assessment and Management (TAM) team; (2) establish a TAM team charter; (3) establish a written policy, process and workflow for threats, threat assessments, and threat mitigation; and (4) conduct threat awareness training for all employees.
The Association of Threat Assessment Professionals (ATAP) is a non-profit organization of law enforcement, prosecutors, mental health professionals, corporate security experts, and probation and parole experts. The goal of ATAP is to provide the necessary knowledge, tools and support to better understand the area of threat and workplace risk assessment. For some organizations, it makes sense to have an internal expert who is a Certified Threat Manager.
To protect sensitive information and to reduce the risk of a data breach, organizations should consider hiring a privacy consultant to conduct a Technical Security Countermeasure Assessment of the Executive Suite and conference rooms.
Consultants can identify potential vulnerabilities in the IT security infrastructure and can recommend mitigation strategies. As a general rule, executives should consider turning off all audio-visual equipment, including microphones, speakers and teleconferencing equipment, in conference rooms and meeting spaces when conducting sensitive conversations and meetings.
To prevent unauthorized listening using external laser microphones, executives should consider installing “anti-eavesdropping film” or “RF attenuation film” on the exterior windows in the executive offices and conference room. Executives should also consider implementing a “clean desk” policy. The policy would require that all employees remove sensitive information from their workspace and secure the information before they leave the space.
Executives must be aware of their normal environment to identify behavior, activities, or people that are out of the ordinary. This requires an initial scan of people to discover an unusual appearance or behavior that may indicate suspicious or criminal activity.
Security leaders are encouraged to provide situational awareness training and education to the executives, their administrative assistants and board members.
Training should include safety measures when driving, traveling abroad, at home and at work. Executives must also receive training and education about recognizing and responding to an active assailant. Executives must know how to safely evacuate a space and where they can safely seek shelter and actively barricade themselves inside for safety reasons.
The need to initiate an executive protection program should be based on the risk of physical harm to an executive based on the threat assessment. Healthcare organizations that do not have a formal executive protection program are certainly having discussions about when and how they would stand one up if necessary.
Security leaders and executives have to consider the following risk factors. Is the executive’s public profile in the media and the surrounding communities positive in nature? Is the executive’s personal income publicly available, and has that created unwanted attention and negative public opinion? Have there been threats in the past, and have those threats been deemed credible? Does the executive have an unpopular opinion on matters that impact the surrounding communities and public opinion?
The International Association for Healthcare Security and Safety recommends that the need for Executive Protection measures may be determined through the Security Vulnerability Assessment (SVA) or from an active threat brought forward by the Threat Management Team (TMT) or others. If there is an identified need for an executive protection program, then the elements of the program must be planned and resourced.
Is there a need for trained and dedicated staff to accompany the executive when they are in transit, attending public meetings, when traveling? Is there an appetite for an in-house program or will the services be provided by a contracted service? Is there a need for a dedicated vehicle to be purchased, leased or rented to transport the executive?
Today’s executives face unprecedented threats because of their high-profile exposure and the public’s ability to share information on social media and other forums. Executives should be open to discussing the need for an executive protection program when the risk assessment identifies the need.
Our hope is that this information provides some foundational information to consider when developing the executive protection program.
Paul Sarnese is a healthcare security consultant. Eric Sean Clay is the vice president of security at Memorial Hermann Health System.