Eighteen minutes. On a sleepy Saturday morning in 2008, the actions taken in a span of 18 minutes were the difference between tragedy and just another sunny day in La Crosse, Wisconsin. Fortunately for the people at a mid-sized hospital there on 12 April, it ended up being just another sunny day.

But it wasn’t entirely fortune. When Michael J. Barrett entered the hospital through an employee entrance carrying a concealed weapon, it wasn’t fortune that led a cafeteria worker to notice something unusual, approach the man, confirm her suspicions that this was indeed unusual, and go straight to security to report it. That was security awareness training.

And yet, you can’t help but think that fortune played a role. “There were things that went wrong,” Drew Neckar, CPP, president of Security Advisors Consulting Group, said during a session at the recent Global Security Exchange (GSX) conference in Orlando, Florida. “But luckily, there were enough things that went right.”

This is the story that Neckar, who was the midnight shift supervisor about to go off duty that morning, and his supervisor at the time, then security manager and now owner of NORD Security Management, Bob Nordby, CPP, told to the GSX audience at “Lessons from a Near Miss: The Active Shooter That Almost Was.”

The overriding lesson: try not to overthink it. What saved the hospital that day was good, basic security practices. The lessons they learned—those “things that went wrong”—also were basic security principles. “In my role as a consultant, I see a lot of organizations place a lot of laser-like emphasis on countering the active shooter threat,” Neckar said in an interview after the presentation. “It’s important not to over-emphasize 18 minutes.”

To be clear, both Neckar and Nordby are advocates for active assailant preparation and mitigation security measures. They emphasize that such measures need to be part of a comprehensive security approach that emphasizes actions, policies, and strategies appropriate to the risks faced by the organization.

Here’s how that morning on 12 April played out.

• 7:35 a.m.: Man enters hospital through employee-only entrance. This is not detected at the time—it was discovered in video footage during post-incident review. (The 18-minute clock starts.)
• 7:40 a.m.: The man enters the hospital cafeteria area—bustling at this time in the morning—and stands near the back wall, observing. Again, this report is part of the post-incident review.
• 7:47 a.m.: At some point in the intervening minutes, a cafeteria worker notices the man, and it seems unusual to her. It did not seem like a threatening situation, so she walks up to the man and asks if she could help him with something. The man reaches for his belt and says, “I have a permit for this.” The cafeteria worker disengages and proceeds to security.
• Approximately 7:49 a.m.: The cafeteria worker reports the incident to the security shift supervisor (Neckar), who instantly begins searching live video feeds to find the man. The supervisor radios the two security officers on duty, who leave their current posts and begin patrolling the hospital. The supervisor also calls 911 and reports that police may be needed at the hospital.
• 7:51 a.m.: Using video footage from high-traffic areas, the location of the suspect is narrowed down to a location on the fifth floor. That information is relayed to the security officers.
• 7:53 a.m.: A chaotic scene where the first security officer on the scene makes initial contact with the suspect telling him to remain still. Fortunately, the two security officers were approaching the location from different directions. As the suspect appeared again to go to his waist, the first security officer shouts “Gun, gun, gun!” just as the security officer behind the suspect is able to initiate a takedown procedure. The 911 dispatcher is still on the phone, hearing the commotion, and urgently asking for details. The security officers report that the suspect is in custody. (The 18-minute clock ends. However, while the threat has been quashed, the incident—and the potential for lessons—is not over.)
• 7:55 a.m.: Police arrive in a flurry at emergency room waiting and demand to know how to get to the fifth floor. The receptionist is initially flustered and after a little back and forth, police are escorted to the fifth floor.
• Approximately 8:10 a.m.: Media begin to call, including national media. No senior hospital executives or communications staff are available yet.

There are many lessons and takeaways from these 18 minutes (and the immediate aftermath). Here’s a look at some of those things that went wrong.

The first obvious breakdown is access control at the employee-only entrance. The door was not locked down. Why? As Nordby said in the GSX session, “This was 100 percent convenience for the doctors.”

It’s an obvious security weakness, but it was not an oversight. Prior to the incident, hospital leaders determined that the risk presented by the entrance was not severe enough to force badge access. Mostly, staff wanted to leave their badges in their lockers and not run the risk of forgetting them and being delayed access in the rare occasions when quick access was needed to prevent adverse patient reactions.

Another area of improvement was having an explicit process and training on what to do when police arrive during an emergency—no matter the time, since hospitals operate 24/7. It is easy to assume that absent other information, police will show up at emergency entrances, so additional procedures and training for that situation is called for.

A related lesson is that security did not have a public address system code for a situation where there was an incident that is no longer an emergency situation. They were still using the color system at the time. Post-incident, they initiated a more plain-language approach with an announcement starting with “security incident” followed by a specific condition or instruction.

Finally, the hospital’s incident command system needed an overhaul as it was not up to the task for a significant Saturday morning incident. Communication channels and a system of on-call executives and communications needed to be established and tested.

Just as important is emphasizing what went right, and that starts with the hero of this story: the cafeteria worker. All hospital staff had been trained on security awareness, and to act when they feel something is out-of-the-ordinary.

“If that person hadn’t noticed something and come told us, this could have been a very different incident,” said Neckar. “We wouldn’t have had that five- or six-minute jump on it. It would have been a response to a shooting instead of a response to a suspicious person.”

Some might question if it is wise to put a staffer in a potentially dangerous situation. Nordby explained that he thinks this situation occurred exactly as it should. If the person in question had been acting erratically or been doing something—anything—other than just standing there, then perhaps a direct report to security would have been in order. But 99 times out of 100, that initial customer service approach would have revealed that he was waiting for someone or needing direction of some kind. Instead it led to a concern, and the potential for danger, at which point the worker went straight to security. And that brings up the next success factor.

The next success factor is a combination of security planning and security drilling. Using crime prevention through environmental design (CPTED) principles, the hospital layout directed the flow of traffic in the hospital through choke points, so these and other key entering and exit areas could be monitored by cameras.

The security drilling that came into practice was some gamification that the security team used in the control room in conjunction with officers on the floor—basically a game of hide-and-seek. This drilling, combined with the CPTED-influenced surveillance, is what enabled security to pinpoint the suspect’s location in two minutes. The radio system worked as needed, and security officers were able to engage the suspect within two minutes of his location being identified.

Next, security officer physical training meant the officers—equipped with pepper spray, handcuffs, and keys—were able to effectively take down a suspect who was carrying, but not yet wielding, a .44 Magnum handgun and hundreds of rounds of ammunition.

And finally, there was a culture within the security team that they knew they were empowered to act. They knew that if somehow the takedown ended up being an inappropriate action, that, based on all the information the officers had at the time, it was a course that their supervisors would defend.

And do not completely discount fortune. That initial notice by the cafeteria worker coupled with the feeling that it just didn’t look right? There’s a bit of fortune in that. The approach from the security officers, when they were able to approach the suspect from different sides? There was no time to coordinate as they were still trying to sight the suspect. They just happened to be coming from different ends of the hospital. So really, it’s great planning that allows you to capitalize on a little luck to prevent a tragedy.

A final point of emphasis from Nordby is to be sure to use major incidents to effect positive security change. “You don’t want to appear to be opportunists,” Nordby said. “But on the other hand, there are always security incidents happening, and when you have the attention of the executives, it’s important to have a list of concrete solutions needed and examples to back up why the security measures you want to enact are necessary, and what the risks are if the measures are not adopted. When security is successful, nobody sees it, so it is important to document successes and share action reports.”