Healthcare organizations should conduct a security risk assessment annually to serve as a basis for revising the organization’s security program to address new technologies, workplace violence, and community crime risk. Prior to beginning an assessment, consider these five items:

1. Assessment frequency and completeness

2. Purpose and design of assessment

3. Source and quality of security program data

4. Key user feedback

5. Threat versus vulnerability

Assessment frequency and completeness

It is recommended that you conduct a comprehensive assessment annually. Additionally, organizations may choose to complete a limited assessment in response to a serious incident or an increase in risk related to the addition of a behavioral health unit or forensic patients. As part of the new assessment process, the prior assessment and work plans should be reviewed to determine goal progress and to identify outstanding and incomplete tasks.

Purpose and design of assessment

The design of the assessment should support the purpose of the assessment. Additional emphasis should be placed on areas of concern. These priorities should be based on current issues, areas identified that require focus, or leadership/board member concerns. Typical areas of emphasis include:

· Access to ER, birthing centers, psychiatry inpatient and outpatient areas

· Communications and dispatch

· Access control

· Visitor management

· Staff training

· Workplace and domestic violence programs

· Organizational structure

· Use and appropriateness of armed officers

· Use and appropriateness of metal detectors

· Use and appropriateness of K9 officers

Source and quality of security program data

The source and quality of the information and data that you review determine the accuracy of the final assessment report; garbage in equals garbage out. If you are doing an internal self-assessment, then it is critically important that you read your own policies and review the data rather than making assumptions based on what you think the policy states or the data portrays. It is important to consider the following:

· Are you collecting all the required information (policies, incident reports, paid staffing versus scheduled staffing, call data, camera locations, parking lot light levels, etc.)?

· Are you categorizing the call and response data correctly?

· Have you collected external data to understand community risk and threats?

· Is your internal data reliable, accurate, and complete?

Key user feedback

Key user and employee feedback is an important component of a comprehensive assessment. Understanding the perception of safety is important for determining whether a real risk exists or whether education is a requirement of the program. Additional items for consideration are:

· How does the data collected support the key user feedback? For example, do the frequency of night parking lot patrols and the light levels correspond with users' sense of safety in parking lots?

· Have you sampled a representative group that includes all shifts? Did you include a representative sample from all demographic groups?

Threat versus vulnerability

As you complete the assessment, it is important to distinguish between threats and vulnerabilities. A threat is the potential for a serious incident. Most threats to healthcare organizations come from:

· Community crime risk (are there greater rates of violent crime or crimes against property?)

· Behavioral health units

· Forensic patients

· Trauma level and ER access points

Vulnerabilities are weaknesses or exposures that create unnecessary risk. Common vulnerabilities include:

· Access and visitor management

· Incomplete policies or lack of training on policies

· Staffing and response times

· Comprehensive and continuous officer training

· Electronic monitoring methodologies


A great security assessment should create the basis of an annual performance improvement plan for the Security Department that mitigates risk for the healthcare organization. We invite you to take 15 minutes to reach out and learn more about how our solutions can impact change in your organization.