Effective Visitor Management Solutions a Critical Security Element

June 20, 2023
Mitigating an organization’s risk depends on knowing who is in the facility and for what purpose

Visitor management is an important element of many physical security programs. Visitor management is a component of an effective physical access control system to ensure that unauthorized persons are not able to enter a facility and commit crimes. We know the cost of not having an effective visitor management program – it is clear in healthcare. Failing to manage visitors increases security calls for service, decreases patient satisfaction and can raise turnover rates for nursing staff. This is a huge hidden cost not often measured when considering the trade-offs associated with managing visitors.

In organizations with high hazards or sensitive information, the visitor management system can be a choke point to accomplishing some key objectives:

  • In high-hazard operations, visitors may need to be briefed (for safety and security) and accounted for in an evacuation, so briefing them upon arrival and logging entry and exit times will contribute to accurate headcount and prevent visitors from being exposed to safety hazards.
  • The visitor enrollment process is an opportunity to establish and obtain consent to adhere to a non-disclosure agreement. This may seem like a small part of an information protection program, but it is an important element to demonstrate that a company did everything in its power should that company have to litigate for an injunction in the case of misappropriated intellectual property where the onus is going to be on the plaintiff.

In any access control program, it is always preferable and more efficient to have personnel, including visitors, pre-authorized and registered versus showing up unannounced and having to go through the process of locating and communicating with the host for approval. This can be distracting and reduce employee productivity. I recommend that for most businesses, visitation is only allowed with an appointment and prior approval of a sponsor to minimize these inefficiencies.

Visitor Management Options

Visitor management is often done manually, but there are more than a dozen software-based visitor management solutions and many others embedded in electronic access control products from which companies can choose. This article is designed to shed light on some of the key issues to consider in visitor management as an element in any physical security program.

The most simplistic approach is the pen and paper log. This approach is fine for some companies, provided a few minimum expectations are met:

  • A representative from the company should collaborate with the visitor to authenticate the identity and ensure that the information recorded in the log is accurate. All too often visitor registration is a self-service endeavor and the results are unusable, unreadable, inaccurate, or incomplete.
  • For facilities with strict escorting requirements, the log should have a placeholder for the escort to initial or sign to provide evidence that someone accompanied the visitor into the facility. Facilities regulated under the FDA’s Intentional Adulteration Rule, for example, are mandated to produce records demonstrating that mitigation strategies such as escorts are occurring, and this is one way to accomplish that.
  • Paper visitor logs can present HIPAA challenges in healthcare to the extent that a patient’s name appears on the log and may be visible to subsequent visitors. Data privacy should be considered for all visitor management solutions (manual and automated). Electronic solutions using a license scanner to capture data may store date of birth, which is considered personally identifiable information and a risk for identity theft if not properly safeguarded.
  • In manual systems where an electronic credential is issued to the visitor for use in a complementary electronic access control system, consideration should be given to collecting a driver’s license or some other form of collateral to ensure that the electronic credential is returned. Absent that practice, visitor badges should feature an “end of day” expiration and strict auditing protocols should be in place to ensure that lost badges are discovered quickly, and efforts are made via the host for recovery. Self-expiring adhesive badges are also available so that they cannot be reused on another day.

When moving from paper to electronic, solutions range from single-site applications to multi-tenant and enterprise-class products, on-premise, hybrid, or total cloud architecture. Your IT department will have an opinion on this. Photo capture is an important feature to leverage facial recognition solutions in high volume, high-threat locations like healthcare where it may be necessary to ban an individual and have an early alert if the banned person returns to the site. Use a high-quality camera for image capture if the image may in the future be enrolled in a facial recognition system.

How to Integrate a Watchlist

Another interesting feature to be considered for electronic visitor management systems is the watch list. Most systems available as of the writing of this article support some form of integration for advanced screening. The use of a watch list can help identify and manage potentially risky or unauthorized visitors and can help ensure the safety and security of staff, visitors, and other users of a facility.

  • Sex offender watch lists -- These lists contain the names and details of individuals who have been convicted of sexual offenses. Products offering this service may rely on third-party database providers that aggregate state and national sex offender lists for comparison. This is obviously an especially useful feature in schools and hospitals, particularly hospitals serving children.
  • Denied party watch lists -- These lists can contain the names and details of individuals that are prohibited from entering a facility due to policy restrictions that may be imposed (e.g., due to past prohibited conduct).
  • Employee watch lists -- These lists contain the names and details of former employees who have been terminated, who may be on disability or are on suspension and not allowed to enter the facility.
  • Advanced healthcare applications -- In advanced healthcare applications capable of operating within the confines of HIPAA, visitor management systems can be integrated with electronic medical records systems. For example, if a patient is enrolled who is the victim of domestic violence, the nurse at the bedside can develop an approved (and non-approved) list of visitors, add that to the medical records system and that information becomes available at the visitor check-in point.

For pandemic response, visitor management systems can help to streamline the application of screening questions which can be used to identify individuals who may have been exposed to or have symptoms of a virus. Answering the questions with preferred answers can be a prerequisite for proceeding through the registration and enrollment process. COVID seems to be behind us, but this would be a logical feature to consider to future-proof a visitor management system since both OSHA and the CDC recommended screening employees and visitors.

Options for Efficiency

Given the preference for pre-registration, visitor management solutions should be evaluated on how elegantly they handle this feature. The visitor experience is another element to consider; a pre-authorization option can contribute to a welcoming and positive experience for visitors. Some systems will send mobile credentials or QR codes to visitors to allow for ease of entry when arriving at the site, thereby reducing the enrollment time needed on-site and making reception operations more efficient.

Another efficiency that can assist in streamlining enrollment is when a visitor management platform can scan government identification such as driver’s licenses or passports. This not only allows for identity verification but also ensures the accurate enrollment of the data in the visitor management system.

For unstaffed lobbies, iPads or self-service kiosks can be used for both enrollment and notification to the host that the visitor has arrived. Most systems available have multiple methods of notifying the visitor’s host such as email, text or phone calls. It is beneficial for repeat visitors if the information is retained to make future visit enrollment quicker. Large groups can be enrolled in most systems as a base feature.

Integrated Access Control System Visitor Management Modules

An analysis involving the deployment of automated visitor management should include an assessment of the capabilities of any electronic access control system in use at the organization. These may exist at no or low cost. This might be a viable option for an organization with basic visitor management needs. Generally, the companies specializing in this do a better job with the more advanced features such as integrations with a third party.

Reporting and Metrics

Visitor management systems collect essential data to help inform reporting and metrics around visitors, contractors, and vendors. In some systems, reports can be developed and scheduled for electronic delivery to different stakeholder groups. Examples include:

  • Visitor volume by time and date.
  • Tracking for when maximum visitor limits have been reached (healthcare).
  • No shows and cancellations.
  • Threats denied at the visitor check-in points.

Integrations represent another differentiator among systems. Some common integrations found in visitor management systems include:

  • Electronic access control
  • Electronic medical records systems
  • External databases (for screening of banned or potential security threats)
  • Single sign-on
  • Active Directory
  • Crisis alerting notification tools.

Other Considerations

In some cases, visitor entry is not a given -- visitation will be denied, and the situation can be contentious. A hospital is a good example of this. In emergency departments there are often visitor limits and, in some cases, patients are put on a list where visitors must be told that the person is not there. It is always wise to consider this potential risk when designing the visitor check-in environment. Consider barriers, counter or desk height, depth, video surveillance and inclusion of a duress alarm which could be activated discreetly in the event of a threat.

For more traditional corporate settings, consider also creating meeting space outside of the staff-only areas to allow for visitation without exposing employees, sensitive information or assets to outsiders who may not be under a non-disclosure agreement. These areas also provide better locations to have termination and separation pending investigation conversations away from coworkers. Such spaces should be designed with two openings. There should also be a second layer of access control from the visitor-only area to the staff-only area. In some sensitive businesses, visitors should not be allowed to bring cell phones into a secure area and the visitor check-in process provides a means to collect and secure those devices.

Conclusion

Knowing who is in your facility mitigates the risk of workplace violence and asset and information loss and can assist in accounting for all persons in the event of an emergency. There are a variety of ways to manage this element of a physical security program from manual to sophisticated enterprise-class products with high levels of integration and reporting. Depending on the threat and risk levels associated with a facility, an effective visitor management program can be vital to preventing a serious security incident and reducing liability. Effective and efficient visitor management also sets an expectation that an organization is serious about its security program.

About the author: Frank Pisciotta, CSC, is the president of Business Protection Specialists, Inc., a global independent security consulting firm focused on risk identification, workplace violence prevention, regulatory compliance and security design services. Pisciotta has managed more than 4,800 security-consulting engagements in his thirty-two-year consulting career. He possesses a master’s degree in public administration, and a bachelor’s degree in criminal justice, and was board certified in Security Management by the American Society for Industrial Security as a Certified Protection Professional in 1994. He is also a Certified Security Consultant by the International Association of Professional Security Consultants. He can be reached at [email protected].