Planning the protection of your organisation

History tells us that no organisation is safe from attack. In the healthcare sector, it does not matter if it is a large modern acute hospital, a PCT spread across a rural shire, a learning disability centre or a mental health hospital struggling to deal with the casualties of society. All face the same cultural problem that, for some reason, people, staff and visitors seem to think that because hospitals are caring places, they are somehow immune from the effects of local crime and the ills of society.

The security risks
A key factor in crime and breaches of security is the criminology principle of repeat victimisation. In its simplest definition, repeat victimisation essentially means that crime and breaches of security occur in the same area more than once. Four basic events lead to such security events:
    
First is ineffective design infrastructure. The coupling of very few hospitals being built with protective security as a feature and the culture that hospitals have seen themselves immune from the ills of society has led to design weaknesses. As everyone else hardens their defences against crime, fraud and terrorism, the criminal fraternity have diverted and emigrated to soft targets and what better
place than hospitals full of expensive equipment, uncontrolled access and weak physical security, few realistic security procedures protecting property and, finally, people yearning for the halcyon days when healthcare facilities were respected.
    
Secondly, Trusts are often quick to replace losses from theft and damage without first investigating the implications of the event and assessing the associated security failures. Every security incident should be investigated to learn the lessons, collate information in order to establish patterns and apply counter-measures. Two guiding principles are that protective security is not as expensive as insecurity and short term security pain will be a long term security gain.
    
Thirdly, those attacking the organisation generally return to scenes of previous success because they know the risks and the layout of the target area and can avoid the unknown. Patrolling security officers adds to increasing uncertainty, as much as the patrolling ‘bobby on the beat’ once did.
    
Fourthly, with little or no response after a security event, the attackers can assume that the organisation does not care.
    
In addition to repeat victimisation, other common security events include threats that risk the good reputation of the Trust, typically infant abduction, criminal acts committed by NHS and private health employees, and clinical issues. Few Trusts have considered how protective security controls can contribute to infection control and other clinical risks.
    
The person with a grudge or affliction causing damage to the Trust or, worse still, attacking a member of staff, is not unknown. The fraud of public money, once widespread, is being vigorously addressed by the Counter Fraud Service (CFS). Asset protection and interference with equipment remains generally weak because of inadequate accounting and security controls. Investigative journalism and the unauthorised release of confidential information, while eased by the Freedom of Information Act, is not preventing snooping.
    
While it is always difficult to predict the future, all organisations face over-the-horizon security risks, and the NHS is no different. The consequences of a pandemic and the necessity to store vaccines and medicines under secure conditions will probably lead to civil disturbances against and inside hospitals. Unfortunately, defining hospital perimeters with demarcation fences are positively discouraged. With the growth of IT and the conversion of records into electronic formats, information is vulnerable.         

The unethical acquisition of commercial information, usually known as industrial espionage, should not be discarded, particularly in the research arena where the competitive struggle for funding is fierce. International and political situations leading to threats to national security from within the NHS. There has already been evidence of this.
    
Protective security
So, if we accept that the healthcare sector faces risks, then it follows that the development of protective security management is key. However, evidence continues to emerge of the security function not being seen as a contributor to the safety of the organisation. It also seems that PFI projects consider security management as an affordable cost and are reducing this by reducing the security management role. This is unwise in an organisation at last realising it is at risk.
    
Failing to challenge that security is an avoidable cost is retrograde to the bad old days. If continued, acceptance will undermine the NHS security strategy, particularly among those Trusts negotiating with PFI partners.
    
Hospitals are population centres and need protecting. We have seen for decades the damage to society consequent to the withdrawal of the police from public view. Interestingly, very few people see the police, as a protector and detector, in communities to be an overhead.

Security management
Briefly, security is the mechanism employed to safeguard people, property and resources against crime, loss, misplacement and costs - as a consequence of insecurity.
    
The Department of Health Security strategy is enshrined in the Health Commission Standards for Better Health, Domain 6 (Care Environment and Amenities) Core Standard C 20 (a) to provide a “safe and secure environment which protects patients, staff, visitors and their property, and the physical assets of the organisation”. And security is now audited for performance.
    
Focal to decent security management in the NHS is the Local Security Management Specialist (LSMS). It is unfortunate that in virtually every other sector throughout the world that the LSMS is known as the Security Manager. Evidence has emerged from the security supplier sector that unfamiliarity with the term LSMS means that their first approaches are being made to estates departments, who are often equally unsure about the terminology. Members of the public also understand the term ‘security manager’.
    
Although the Security Management Service (SMS) is doing its best to promote practical and effective security strategies, it is the LSMS who must adopt and apply them. However, some are finding that converting the SMS documents into functional documents suitable for local use not easy. A useful outlet is the National Association for Healthcare Security (NAHS) website, which has a library of policies and procedures and information of use to the general management of security.
    
The security department cannot and should not be allowed to stand in isolation. Security management is a specialist multi-functional protective role filling a range of tasks shared by more than one police officer. Car parking is an estates issue, not a security one.
    
In order to achieve cost-effective quality security, counter-measures must be developed with a range of proactive and reactive generic actions suitable to the role of the organisation.
    
In its simplest terms, the aim of the security strategy is to plan the protection of the organisation by diverting security threats; slow down the attack and thus buy time and opportunity for successful counter responses; and ensure the attack is costly in terms of time, risk of detection and profit. It is also important to highlight security weaknesses.

Security planning
It is important to appreciate that there is no such concept as failsafe security. If an attack is determined enough, it will succeed.
    
The primary objectives of security planning are to ensure that minimum security standards are developed to create a safe and secure environment for the protection of everyone, in its widest context; interact in the delivery of medical care; and safeguard public and private assets and resources against loss, damage and disruption, which could be detrimental to the continuation of patient care.
    
Like every management function, protective security has several principles, the success or failure of which depends entirely upon the culture and dynamics of the organisation accepting that the security department is a necessary business resource.
    
The proactive nature of a security department is to lead in the deterrence of breaches of security by enhancing security awareness and thereby minimising the risk. Decent security management is achievable when security incidents are detected and analysed in a consistent manner in order to identify trends, to a greater or lesser degree. It follows that security breaches should be investigated in an objective manner that draws conclusions and makes recommendations that strengthens the protection and survival of the organisation.
    
Too often, after organisations are attacked, there is a sense of problem solved - no further action needed. This is counter productive because it sends a message that retribution will not be sought. Good security management applies sanctions with organisational disciplinary and procedural measures. Redress must be sought through the criminal and civil justice systems against those, including staff and the contracted, whose actions lead to loss of assets and resources.
    
Finally, there is a requirement to ensure that victims, which includes the corporate body, are supported in a mature fashion, particularly where breaches attack reputations. GPs are still reeling from the activities of Dr Shipman.
    
In conclusion, in today’s healthcare society, protective security management has a role, the public and staff demand it. However, the thrust should not be confined to addressing violence and aggression. There are other substantial risks affecting the public and private healthcare sector. The quality of security management and planning depends entirely on the quality of the security department and surrendering the task will end in recrimination. Although the NHS is generally slow to learn from history, the motivation for improvement exists through the standards sought by the Health Commission. Although early days, the omens are good.
    
Those Trusts that ignore or discard the security department risk hospitals returning to being supermarkets without tills, unable to prevent slippage, and accepts loss and inefficiency.

For more information
Web: www.nahs.org.uk