Assessing & Securing the Hospital Environment

Oct. 27, 2008
More than ever, balance is key.

Security departments in all types of facilities have to negotiate a tricky balance between appropriate levels of security and appropriate levels of accessibility. But for hospitals, this balancing act is particularly critical. The primary stakeholders in this environment—staff, patients and visitors—have divergent perceptions of appropriate security.

Hospital visitors want unrestricted access to their loved ones, and patients want their friends and family to arrive unhindered. Patients often are in pain and uncomfortable, which translates into stress and anxiety for their visitors. The last thing a family member wants or needs is to come face-to-face with a security program that makes visitation inconvenient or adversarial.

Conversely, hospital security satisfaction surveys show that the number-one concern of staff is the under-restricted access that visitors—both authorized and unauthorized—have to the hospital.

To address these diametrically opposed concerns, hospital directors of security must develop a program that protects all people and assets while interacting with a culture that expects unencumbered access. And by the way, it should be cost effective at the same time.

Review Codes and Guidelines

The security industry, unlike other disciplines, has no statutory requirements. The appropriate level of security for a healthcare institution is generally determined by industry best practices. Hospital security directors must determine the level of their program by reviewing available security literature and industry-specific codes or statutory requirements for other disciplines. Consider the following:

• The Joint Commission on Accreditation of Hospital Organizations' (JCAHO) Environment of Care Manual

• Occupational Safety and Health Administration (OSHA) regulations

• Healthcare Insurance Portability and Accountability Act (HIPAA)

• National Fire Protection Association (NFPA) Section 101

• NFPA Section 99 for Healthcare Facilities

• NFPA Section 730 Guide for Premises Security (new). Section 730 covers the security vulnerability assessment, designing a security plan, interior protection, exterior protection, security guards, special events, and security measures for occupancies

• NFPA 731 (new), Standard for the Installation of Electronic Premises Security Systems, covers the application, location, installation, performance, testing, and maintenance of physical security systems and their components

• International Association for Healthcare Security and Safety (IAHSS) Security Officer and Supervisor Training Program

Assess Your Risk

Once you've reviewed the applicable guidelines, how can you determine how much security is enough for your particular facility? The most reliable method is to conduct a risk assessment that identifies specific criticalities including threats to the building(s), adjacencies and people, their respective impacts, and recommendations to mitigate the impacts or threats.

Generally, a risk assessment should consider

• the geographic location of the hospital and the impact of crime on its location.

• the operation and type of hospital being assessed. Does the hospital have an emergency department, psychiatric/behavioral health unit, labor & delivery/pediatrics unit? Has the hospital developed a security program that meets the needs of these specialized care units?

• the security staff. Does the hospital maintain a security staff? Does it adequately train them as well as hospital employees to prepare for and respond to critical incidents?

• security technology. What technology is in place? Does it meet the protection requirements of the hospital, its people and assets? Is it cost effective? Consider card access control, video surveillance, intrusion detection and door monitoring systems, infant protection systems, and duress alarm systems.

Think About Your Program

The security assessment should give the security director plenty of food for thought. Here are some questions to ponder while reviewing the results.

• Many crimes are crimes of opportunity. Does the hospital have a security program in place that reduces this opportunity element?

• The probability of volatile activity in a hospital is greatest in the emergency department. Is there a program in place to isolate the emergency department and control unauthorized access into treatment and non-public areas?

• Is the senior management committed to a proactive, professional security department? Without this commitment, development and implementation of a professional security department will be seriously hampered.

• Does the hospital have an intrusion detection system on its perimeter doors? Are the doors equipped with a door position switch that will alert the security department when doors are left open or forced?

• Does the hospital have an access control policy that regulates access of all persons who enter the facility?

Strike a Balance

The most practical solution to the dilemma of security vs. accessibility is to develop a balanced hospital security program that provides effective safeguards for its staff, patients, visitors and assets. The most effective balanced program addresses the operational, architectural and technical elements of a healthcare facility.

By creating a comprehensive security program that encompasses all three of these elements, the security director ensures that the security solution minimizes vulnerabilities and addresses all reasonable threats.


The operational element includes security personnel, procedures and policies. Operational elements begin with the development of a security department mission statement, which should be endorsed and signed by the hospital's chief executive officer and should include

• the target audience,

• the protection philosophy of the hospital,

• the major objectives of the security department, and

• the strategy to complete the mission.

The mission statement should be accompanied by a policy and procedure manual that describes such elements as departmental rules, uniforms, post descriptions, appropriate responses to emergency codes, training, guidelines for use of force, and patrol procedures.

The operational response requirements for healthcare security departments are becoming more demanding. The ability to lock down emergency departments in order to isolate potential hazardous substances is becoming commonplace and must therefore be procedurally addressed. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) requires security management plans that specifically address emergency response procedures.

Another critical operational consideration is continual training for security department employees as well as hospital staff. The JCAHO and Occupational Safety and Health Administration (OSHA) now require training programs to teach healthcare workers procedures for responding to chemical, biological and radiological (CBR) victims.


Hospital security programs should supplement the architectural design of the healthcare campus and its buildings. Architectural elements in hospital security programs may include:

• Crime prevention through environmental design (CPTED): the concept of using the physical environment as protection against criminal action. CPTED employs physical design features that discourage crime while encouraging and inviting patients and family members to use hospital facilities.

• Physical barriers and lighting: the use of landscaping, decorative fencing, and correct lighting levels to enhance security perceptions.

• Control centers, screening locations and security officer posts: visible security concepts that enhance security without being considered intrusive or excessive.

• Signage: the use of Authorized Entry Only signs or wayfinding signage to prevent wandering and use of non-public areas.


The technological elements are the electronic security solutions.

• Access control systems may control access into non-public or sensitive areas, such as operating suites, intensive care units and psychiatric units. Access control options include biometrics, magnetic stripe cards, proximity cards or tokens, and smart card access.

• Alarm monitoring and intrusion detection monitors all perimeter doors to provide notification of unauthorized use.

• Surveillance and alarm integration provides for instant monitoring, recording and security officer response to a designated location.

• Emergency and duress notification devices placed in critical areas such as cashiers, the emergency department and psychiatric units quickly notify the security department of an incident.

• Infant protection and monitoring provides computerized security system design to prevent infant/mother mismatching and deters abduction of newborn infants from protected nurseries and hospitals.

These technical security systems are most efficient when they're integrated with one another. A security management system, which manages the access control, intrusion detection and video surveillance systems from a central security control center, can provide a viable option for integration and management. It allows security departments to monitor intrusion detection devices and access-controlled doors, while having the ability to link all this activity with the video recording system for either real-time viewing or post-incident event viewing and investigation.

Technology is a critical component of the hospital security program; however, the most effective program involves the use of well-trained personnel, educated employees and the development of well-thought-out and practiced security plans and procedures.

Robert B. Koverman is associate manager of Sako & Associates Inc., a provider of security technology consulting, design and construction management services. For more information, visit the Sako & Associates Web site at