NHS Physical Security Needs a Health Check

Traditionally the NHS has primarily focused its security efforts on the problems associated with violence and aggression toward staff. This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that not only need attention for the wellbeing of the people involved, but also to help guard against spiralling cost a pariah to any NHS Trust. Looking at the Threat Landscape In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. . However, it has to be acknowledged that the threat landscape, is far more varied than this head-on threat. Security threats come from a variety of sources and not all revolve around outright aggression. The perception of the Security Officers duties in NHS Trusts is that they are to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include; searching for missing patients; attending patients on suicide watch; supervision of patients awaiting Mental Health professionals; foot patrols; cashier runs; car park patrols; smoking patrols and issuing parking contravention notices, to name but a few.

Drugs: Expensive and potentially dangerous

The NHS is no different from any other organisation as far as security is concerned, security components are more often than not, bolted on as
Advent IM Ltd 2012 any republishing in part or full requires express permission of Advent IM

funding becomes available and usually without any long term objective in mind. In a recent NHS Trust project, we was discovered that the absence of a strategic vision meant that funding had in fact, been wasted. For example; additional CCTV cameras were installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems and this lack of integration represented not only a wasted opportunity to increase efficiency as well as improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multi sites, using different systems.) A rationalisation of the CCTV estate and review of their fitness for purpose is in many cases, the best way to proceed. Another very important aspect to using CCTV systems that is often overlooked or perhaps not fully understood is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be properly handled and then when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images, needs to be properly trained, aware of their responsibility and understand how to treat the data properly. In any organisation, loss creates cost and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive. Loss or damage not only drive cost but can endanger lives. The absence of a security-aware culture or one that is almost entirely focused on an aggression-based threat, allows loss to flourish as the investment can be made ineffectually, as we read about the CCTV example. Staff may prop open frequently used doors, or share door entry cards for convenience. These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds worth of equipment, or steal personal data that the NHS trust would be held accountable for. During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.

Advent IM Ltd 2012 any republishing in part or full requires express permission of Advent IM

So how do Trusts shift the security mind set? The Threat environment has changed and security needs to be approached as a cyclical, on-going process. It needs to be reviewed and tested regularly. The narrow view of security within the NHS as being aggressionbased and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness . Only this way will everyone feel part of the security fabric and not something that is done by someone else. Security Training and education should be standard in all Trusts; this should include an understanding of the real rather than perceived threat landscape. Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of this is the way weve always done it and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and loss of sensitive or personal information. A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine if cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.

Advent IM Senior Security Consultant - Paul Smith MSc MSyI

Advent IM The UKs Leading Independent Holistic Security Consultancy

www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk

Advent IM Ltd 2012 any republishing in part or full requires express permission of Advent IM

Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
Our blogs www.adventim.wordpress.com www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com www.adventimschoolsecurity.wordpress.com

Advent IM Ltd 2012 any republishing in part or full requires express permission of Advent IM