May 4, 2009
Security Assessments for Healthcare Facilities
There are no shortcuts for doing an effective security audit of a hospital or for any other healthcare provider such as extended care facilities and behavioral health facilities. Achieving an adequate level of security which ensures sufficient protection of patients, employees and visitors, and at the same time, adequately protects assets is no easy task for a number of reasons. First, most administrations do not want their hospitals to look like military instillations. This means hospitals must maintain the appearance of openness while at the same time filtering out criminality. Second, one size does not fit all. There are no universal solutions for mitigating security threats and risks. Security is a situational discipline which means that the efficacy and adequacy of the security program at your hospital must be predicated on the analysis of the special needs of your hospital. The security needs of a hospital in Lebanon, New Hampshire are different than the needs of a hospital in Lynwood, California for a variety reasons.
There are no quick fixes when it comes to doing security assessments, especially hospital security assessments. There are no off-the-shelf inventories or computer based instruments that can answer the entire range of necessary questions. Remember effective security programs are all about behavior modification. This means that the elements of an effective security program are intended to deter criminal behavior. It also stands to reason that if no two hospitals have the same set of unique needs, no two hospitals require the same set of mitigation solutions.
The security assessment process is all about assessing the probability of risk and subsequently reducing the probability of those risks coming to fruition. The key then is to determine how much risk is acceptable (with some exceptions) and then determining the level of resources required to bring risk to a tolerable level with one eye on the budgetary rule of diminishing returns.
In the previous paragraph, in parentheses, we noted “with some exceptions.” There are always exceptions to the rule. In hospitals the most glaring exception to the risk/prevention ratio is found in the way most all hospitals presently protect infants. Most hospitals allocate significant resources to the protection of infants. However, the risk of an infant being taken from a hospital in any given year, even before the application of tag systems, drills and the application of security procedures and technology, is probably less than 1%. Why than do hospitals devote so many resources to the protection of infants against an insignificant statistical probability that anyone will steal a baby? The answer: The hospital cannot afford to be wrong, even once.
Security assessments usually require at least a week of on-site presence. These assessments are best conducted by experienced security professionals who truly understand the uniqueness of the healthcare environment. Security consultants should also be independent and hence should not be tied to the guard industry or to the electronic security industry. Additionally, independent security consultants have the advantage of objectivity as well as the experienced of having worked with a large cross-section of hospitals all over the country. Now, let us briefly discuss the assessment process and goals.
An important component of the assessment process is the examination of both factual data as well as the perceptions of employees. When it comes to security programs, perception is often reality. Both the actions and inactions of employees are usually predicated on the inculcated perceptions of the actor. Sometimes good security programs are perceived as being poor. Sometimes poor security programs are perceived as being good. The latter carries much greater liability and is probably the most common.
Without getting to the specific details of the Scope of Services contained in the Security Assessment Proposal, a brief discussion of some of the components of the Scope of Services may be useful.
Clearly the security assessment will focus of those areas of special concern such as:
§ The emergency department
§ L & D and postpartum
o LDRP
o NICU
§ Pediatrics
§ Medical-Surgery units
§ Behavioral Health
§ Business Office
§ Admitting
§ Parking & Grounds
§ Access management
§ HR
o Background screening
§ Pharmacies
§ Support services
§ Asset protection
§ The issue of Workplace Violence Prevention as applied to all of the above
The security assessment will look at each of the aforementioned areas of interest from more than one perspective. Obviously the application of traditional physical security protocols will be reviewed, including:
§ Security guard operations
§ Locking systems and key control
§ Access control and automated lock-down systems
§ Closed Circuit Television application
§ CPTED (Crime Prevention Through Environmental Design)
§ Lighting
§ Use of barriers such as fencing
§ Security and sustainability for critical infrastructure
§ Emergency communication
§ The application of security awareness practices
The identification and quantification of risks will be studied using a variety of sources including:
§ Anecdotal employee surveys and interviews
§ Review of site-specific security data
§ UCR crime data
§ Local police data
§ Crimecast demographics
§ Professional judgment
On the mitigation side of the equation the security professional must exercise prudence. It makes no sense to commission a security assessment that ends up on a shelf collecting dust. Therefore the security professional must endeavor to produce mitigating solutions that are acceptable to the hospital and will actually be implemented. The delivery of a set of “pie in the sky” solutions will do the hospital no good and could potential cause harm. This is why it is so important for the consultant to take the time to understand the corporate persona and mores of the organization he or she is working along with the community the hospital is serving. Solutions offered must be cost efficient and produce measurable outcomes. The least costly fixes must be developed as a precursor to more costly remedies. More often than not, the outcome of a security assessment will lower total operating costs while reducing liability.
An area of opportunity often ignored by many hospital security and loss prevention programs is the whole notion of asset protection. Most hospitals are loaded with thousands of consumable goods that the average person could use around the home such as: linen products, food products and supplies, office supplies such as toner and computer paper, cleaning equipment and supplies, etc. Many hospitals take in cash in departments such as food service, gift shops, clinics and pharmacies, yet they have no discernable cash-handling protocol. The result: a cafeteria employee is able to skim about $175.00 per day, five days per week of undetected tax-free income. A hospital is something like a large department store, except there is no checkout counter.
In tough economic times, a stem to stern security assessment makes more (cent$) sense than ever. Security programs that are not comprehensive send the wrong message. It is important that hospital security programs are developed with the same vigor and employee involvement as is being done with safety programs with a fundamental difference. Safety programs more generally lend themselves to universal precautionary behaviors. The characteristics of an effective security program will vary from facility to facility.
In closing, there is the perception of some that the role of consultants is to find fault. Some employees perceive consultants as a threat. We at Security Management Services International (SMSI) believe in positive consulting. The role of SMSI is to ascertain what is right and what is working and then help to build on that foundation to make thing better going forward. After all, most security programs have evolved overtime. It is foolhardy to assume that all of this evolution is misguided. In keeping with the assumption that no two security programs are, or should be, identical, SMSI’s mission is to discover the unique set of needs for each client and to help those clients to develop security programs that address those special needs.
William H. Nesbitt, CPP is a Board Certified Protection Professional certified in Security Management and the President of Security Management Services International, Inc. He has more than 35 years of diverse security management experience. That experience includes his participation in approximately 600 security driven lawsuits as a court certified security expert covering 40 states. He and his team have also conducted numerous hospital security evaluations and needs assessments.
Bill is a longstanding member of ASIS International, as well as, IAHSS, ASHRM, and ACHE. He is also a member of the ASHRM Patient Safety Interest Network. For questions please call: 805-499-3800.
1 Comment »
May 20, 2009
Clint Schaefer, CPP :
Bill,
I found your insight regarding cash handling protocols especially interesting and timely. Your example regarding cafeteria employees is right on the mark. This is an issue that I am currently putting a lot of energy in to for two main reasons: (1) when money goes missing the finger pointing begins and morale eventually suffers causing poor performance and behavioral issues (read: increased potential for workplace violence), and (2) the organization is losing revenue and often doesn't even know the extent of the losses.
I hope to get a chance to talk with you in Anaheim later this year at the ASIS Seminar.
Clint Schaefer, MS, CPP
Regional Manager - Aurora Health Care
ASIS - Milwaukee Chapter Chairman
262-896-6457 - Office
clint.schaefer@aurora.org