An officer on routine patrol spots a suspicious individual taking photos of the exterior of a building on the hospital campus. Before the officer can approach the individual, he departs the property. Later in the day, the same suspicious person is spotted by employees inside the secured power plant on campus. They immediately contact security and he is stopped and questioned.

What sounds like potential terrorist activity is actually a “Red Team” surveillance and penetration exercise. The suspicious individual in this case is a carefully selected Red Team member who was given instructions from hospital security executives to gather information about vulnerable locations on the hospital campus and attempt to infiltrate secured critical areas. Upon being stopped by security, he produces his official identification and successfully answers a challenge phrase to confirm his identity.

In a debriefing after the exercise, the Red Team member displays photos he took of critical infrastructure of the hospital and tells security leadership how he piggybacked into the power plant behind an employee. The information gleaned from the exercise is later used to enhance security of the power plant and other areas at the hospital.

What Is a Red Team?
The term “Red Team” and the concept of the Red Team exercise is nothing new or revolutionary. The U.S. military has been using Red Teams (also referred to as the Opposition Force or OPFOR) to simulate the enemy during field exercises for quite some time. Also, information systems’ security professionals use red teams, or ethical hackers, to test security defenses regularly. In short, a Red Team is comprised of two or more people who are playing the role of the enemy. In the case of hospital security, the “enemy” could be a criminal intent on stealing or destroying assets within your facility, a terrorist planning an active shooter attack or any other scenario you develop.

4 Reasons Why You Should Be Using Them
Red Teams are helpful in evaluating your hospital security and challenging your assumptions about how secure your hospital is against the threats posed by criminals, terrorists and others. Here are just some of the ways that Red Teams are useful:

• 1. Red Teams identify issues that a security risk assessment might miss. When you conduct a security risk assessment of a building on your hospital campus, you’re typically doing it with notice to the key people in that building and involving them in the process. Also, you’re probably someone the building occupants recognize, so you’re unlikely to be challenged by people because they don’t consider you to be suspicious. A Red Team member, on the other hand, is someone unknown to the occupants and is not conducting a formal, announced risk assessment. They are charged with challenging security in a realistic manner by attempting to use a variety of means to infiltrate secured areas and to conduct surveillance.
• 2. Red Teams can help uncover targets for terrorism. A fresh look at your hospital from the standpoint of a Red Team member acting as a terrorist may uncover previously unknown vulnerabilities. When you charge the Red Team with evaluating targets for terrorist acts against infrastructure and people, they switch their mindset to that of a terrorist. They look for opportunities to disrupt your hospital and/or inflict mass casualties. While it may sound disturbing, it might not be something you have done during a risk assessment or even considered previously.
• 3. Red Teams keep your security department on its toes. By involving security in a Red Team exercise, you can test your security team’s ability to spot suspicious activity related to criminal and/or terrorist activity.
• 4. Red Teams build expertise within your security team. By giving your security staff assignment to the Red Team, you are providing them with a unique opportunity to view security from a different perspective.

How To Form a Red Team
A Red Team can be formed using internal or external resources, but it should always be comprised of security professionals. Using the internal resources approach, the Red Team members are sourced from existing hospital security staff.  Ideally, these team members should be security staff from other campuses (if you are a multi-site hospital system) who are unknown to staff at the target hospital site. They should be experienced security personnel, but anyone from officers through supervisory staff may be used. An internal team helps to control costs associated with hiring contract staff and also helps to ensure the control of vulnerability information that may be identified during Red Team exercises.

However, externally sourced Red Teams can also be effective. An external Red Team can be hired through a contracted professional security service. The selection of a professional, experienced, discreet security provider is paramount to the success of an external Red Team.

As long as the Red Team is comprised of experienced security professionals, there is little formal training required to field a Red Team. The most important training that these team members need to receive is related to the operating guidelines and restrictions associated with the Red Team exercise as described below.

What the Red Team Exercise Should Look Like
A Red Team exercise can be conducted in a variety of different ways and at varying levels of difficulty. Regardless of the purpose of the exercise, it is vitally important that it is carefully planned and executed. As with any security-related exercise, poor planning and lack of guidance and/or communication can result in disastrous outcomes. Here are some key considerations when designing your Red Team exercise:

• Consider what you want to get out of it. Do you want to examine your vulnerability to terrorism? Are you testing the physical security of a new unit or building against intruders? The desired purpose of the exercise should be clearly defined.
• Select your Red Team and set the operating guidelines. The guidelines define what the team members can or cannot do during the exercise. It is generally recommended that the Red Team does not engage in any activity that could cause alarm among security or other hospital staff (such as running from a scene, planting a suspicious package in a public area, etc.).
• Define when and where the Red Team will operate. Do you want them to attempt entry through your building’s perimeter or just one particular unit (e.g., ICU, Labor & Delivery)? Will they attempt this infiltration on the day, evening or night shift? On which days will they operate?
• Involve the target site’s security team. Inform them that you are conducting a Red Team exercise and give them a time frame during which they should be increasing vigilance for suspicious activity. The time frame should be purposely broad (across a week or more) to avoid making it too easy for them to identify the Red Team.
• Assign a challenge phrase for the target site’s security team and countersign for the Red Team for the exercise. This provides the target site’s security with a definitive way to identify Red Team members. The members of the Red Team should also carry official hospital identification on them at all times during the exercise. Once challenged, Red Team members should identify themselves and should not be evasive to prevent unnecessary concern among security staff.
• Red Team members should write a summary of their findings immediately after the exercise and submit it securely to a single point of contact within the organization. A debrief of the exercise should be held after its completion and should involve the Red Team members and the target site’s security administration. Identified vulnerabilities should be mitigated wherever possible.

Red Teams Encourage Constant Readiness
Overall, the use of a Red Team and associated exercises will help to strengthen the overall security posture of your hospital. Also, these exercises will assist in increasing the ability of your security staff to recognize suspicious and surveillance-related activities. In a world where constant readiness and vigilance for threats is increasingly necessary, Red Teams should become a regular and integral part of your security program.