Dear Hospital Security…
Security at most hospitals is very weak. Over the years my work has involved protecting hospitals on many fronts. Access Control, IP Video, Door Hardware, Fire Alarms, Fire Suppression, Nurse Call, and the list goes on. Over the last dozen years I have visited hundreds of hospitals as part of my work. Often, my visits are without appointments and unscheduled.
My background has largely been focused on Physical Security and Risk Assessment for the last 25+ years. While I hold all three security industry board certifications from ASIS International, what I am about to share regarding hospital physical security vulnerabilities is pretty basic. Which is why I find it so troubling.
At their core, hospitals are an open campus. A 300-2000 bed hospital campus will have thousands of visitors from all walks of life in the course of a day. I get that balancing act of being welcoming vs. being secure. It is a constant challenge.
Yet, I should not be able to freely walk into your boiler room, locksmith shop, carpenter shop, electrical rooms, or use employee-only elevators, or access your building from outside through receiving dock doors or unlocked (even open) man doors. I should not be able to walk through football fields of hallways two sub-floors down in your facility with no one asking me a question–past laundries, food prep, facilities management, environmental services, biomedical services, imaging services, etc… This includes passing by multiple uniformed security officers who exchange greetings and head nods as I make my way through what is typically (or should be) the “employee-only” or “escorted access” part of your hospital.
And, on the off chance that I do receive a question from a staff member (maybe 1 out of 20 times) in such an area, they are often too afraid (or busy) to ensure I am not a threat. When my response is “I might be a bit turned around, I think I need to go back this way,” they really ought to do something other than shrug and continue on their way.
Maybe I do “look” official, wearing a corporate name badge, carrying a briefcase, and a plastic foam-filled demo case labeled “Electronic Demos.” Maybe I do walk with an air of confidence that makes one hesitate to confront me. Yet, couldn’t I be that guy working my way to an electrical or boiler room to cause your hospital harm? Couldn’t my demo case hold weapons or other threats?
Again, I am in areas of your facility that hold items of extreme vulnerability. I am not doing circles around your lobby, or hanging out in your cafeteria. I realize all areas within a hospital need a certain level of protection balanced with access.
What to do? Here are some ideas:
Control elevator access to employee only levels with the proper access controls/credentials.
Secure stairways to employee only levels with access control, signage, and door alarms–that will be responded to when set off. (Even fire exits can be properly safeguarded to allow emergency egress, but stop the casual visitor without authorized access).
Use more door closers and more storeroom lock functions – and enforce a policy that these work area doors will not be propped open.
Use intercoms, buzzers, electric strikes, and cameras outside of external receiving doors and maintenance access doors–to keep them secure until proper ID or authorization to enter is granted.
Train staff to escort people when found in areas they don’t belong. Escort to an area/person who can authorize or reject them.
In employee-only areas question anyone without your hospital ID and not accompanied by a authorized hospital staff member.
Gatekeepers. Those staff who screen visitors (Security, Bio-Med, Facilities, and dozens of others). You can lessen the likelihood of wandering visitors by being MORE accommodating when requests are made to contact specific employees (once you verify the authenticity of the visitor). Put the visitor in touch with the staff member and let the two of them work out any meetings, discussions, or appointments. Too often, I see Gatekeepers use the authoritarian approach. Realize this approach contributes to your lack of security–not the improvement of it.
Use contractor badging for screened individuals who are allowed unescorted access to your facility. Where possible, have this badging indicate which areas they are allowed to be within.
Cameras trained on outside, locked “employee only” doors, should have an analytic that indicates when a person attempts to open the locked door and/or approaches it–alerting security staff, who should respond or maintain surveillance of this person.
Many of these areas of vulnerability should not only be secure from unauthorized visitors, but also unauthorized staff. In other words, boiler rooms, locksmith shops, IT closets, and electrical rooms should not be accessible by shipping and receiving staff, or food workers, and others.
About 10% of the hospitals I visit have systems in place that prevent unauthorized access. I applaud those hospitals. They demonstrate that a more secure facility is not impossible and set a standard that the other 90% must work to emulate.
Author’s note: While this article was hospital-focused, many of the same security weaknesses apply to Universities and K-12 School Systems. In general, these education-based facilities and campuses have more restrictive access controls than hospitals, yet there are still a good 75% of them where controls are largely lacking.