Security Audits and Security Risk Assessments

Loss Prevention Group of Australia www.lpga.com.au Hospital & Healthcare Security & Safety Conference 2012 Security Audits & Security Risk Assessments Identifying Key Security Risks October 25, 2012 Presenter: Richard Murrie Managing Director

description

Richard Murrie, Managing Director, Loss Prevention Group of Australia, delivered this presentation at the 2012 Australian Hospital & Healthcare Security & Safety Conference. The conference is a fantastic opportunity to network with hospital security managers, OH&S unit coordinators, and senior nursing and management staff of hospital departments, namely emergency departments and mental health units. In its 6th annual edition, the conference has been rebranded Safe & Secure Hospitals to reflect industry feedback we have received through our research calls. For more information, please visit: http://bit.ly/17StSAN

Transcript of Security Audits and Security Risk Assessments

Page 1: Security Audits and Security Risk Assessments

Loss Prevention Group of Australia www.lpga.com.au

Hospital & Healthcare Security & Safety Conference 2012

Security Audits & Security Risk Assessments Identifying Key Security Risks

October 25, 2012

Presenter: Richard Murrie, Managing Director

Page 2: Security Audits and Security Risk Assessments

Outline

This Session will explore:

General Security risks faced by healthcare facilities

Security risks relating to the failure of ageing & antiquated electronic security infrastructures

Case study of a major healthcare network and the process of identifying and rectifying electronic security infrastructures

Page 3: Security Audits and Security Risk Assessments

What is Risk Management?

AS/NZS ISO 31000:2009 Risk Management

“The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects”

Page 4: Security Audits and Security Risk Assessments

What is Risk?

The chance of something happening that will have an impact upon objectives

“What can happen, how can it happen, what impact will it have?”

Page 5: Security Audits and Security Risk Assessments

Risk Categories

Human Resources

Clinical

Financial/Investment

Political

Environmental

Information Technology

Strategic

Market

Security

OHS

Legal

Property

Page 6: Security Audits and Security Risk Assessments

Identifying Risk

Holistic security risk assessments are a mandatory requirement of Australian Standard 4485 “Security for Healthcare Facilities”

The security risk assessment should form the basis of identifying & managing security risks that may impact upon your healthcare facility

It is crucial that all healthcare facilities undertake a security risk assessment compliant with AS/NZS ISO 31000. Why?

Page 7: Security Audits and Security Risk Assessments

Identifying Risk cont…

Security risks will differ for each facility

Once identified, the risks can be managed, strategies developed and security controls implemented

Identified and perceived risks may be mitigated by incorporating the information received into the security design of the facility

Page 8: Security Audits and Security Risk Assessments

Risk Management Processes

Establishing the context

Identifying the risk

Analyse the risks

Evaluate the risk

Treat the risk.

Page 9: Security Audits and Security Risk Assessments

Risk Management Team

Nominated Team Leader (Risk Manager)

Security Manager

Quality Manager

Senior Nursing staff, ED Manager, Mental Health Manager, ADONs, etc.

Human Resources Manager

OHS Manager

Engineering Manager

(external consultant)

This is not an exhaustive list

Page 10: Security Audits and Security Risk Assessments

Common Security Risks

Common security risks faced by Healthcare Facilities:

Occupational violence & verbal abuse

Unauthorised access to hospital facilities

Inappropriate use of & access to confidential information

Abuse/misuse of pharmaceuticals

Theft of hospital & personal assets

Failure of electronic security infrastructures.

Inadequate recruitment & probity checks.

Inadequate credentialing procedures

Internal Fraud

Page 11: Security Audits and Security Risk Assessments

Introduction-Case Study

LPGA was engaged to undertake an electronic security audit and risk assessment & to develop an Electronic Security Master Plan.

Sites audited included:-

– The Northern Hospital

– Broadmeadows Health Service

– Bundoora Extended Care

– Craigieburn Health Service

– Panch Health Service

Page 12: Security Audits and Security Risk Assessments

Why?

System & equipment failures were increasing

Repairs to equipment were expensive and largely restricted to one provider, as proprietary equipment had been installed when the main campus was commissioned in 2000.

The five campuses had a mixture of electronic security infrastructure, (old, older, tired & incompatible)

Lack of confidence in the existing security infrastructure

To officially document the risks associated with the current infrastructure and formally present them to the hospital’s Risk Management Committee (at BOM level).

Page 13: Security Audits and Security Risk Assessments

Case Study-Scope

The scope of engagement included:

– Examination of existing security infrastructure, including current condition and capacity;

– Identification of security risks for the site;

– Review of existing security arrangements;

– Assessment and rating of security risks;

– Recommendation of risk mitigation strategies;

– Development of Baseline Security design standards;

– Recommendation of security upgrades and provision of budgets; and

– Audits & Risk Assessments have been documented on a site by site basis for future reference.

Page 14: Security Audits and Security Risk Assessments

Case Study-Findings

Many of the security systems installed across the Northern Health portfolio were below satisfactory condition and required updating.

A significant portion of Security Systems utilised outdated technology and were not supported by mainstream security providers.

Most of the systems installed no longer met minimum security design guidelines for health facilities.

In a number of cases, the systems could be subject to the possibility of total or partial failure.

Page 15: Security Audits and Security Risk Assessments

Summary Case Study-Findings

Below is a high level summary of the condition of the security systems at each campus

TNH BHS BECC CHS PHS

ITEM

Swipe Card Readers

Electronic Locks

Alarm Monitoring

Duress Alarms

Control Panels

Security Management System

CCTV Cameras

CCTV Recording

Guard Tour

Intercoms

LEGEND

Acceptable technology for next 5 years

Requires replacement or major upgrade within less than 5 years

Requires urgent repair or upgrade

Page 16: Security Audits and Security Risk Assessments

Summary of Risk Assessments

Northern Health staff will engage in a range of tasks which have implications for security risks, for example:

– Managing patient related and sensitive information;

– Engaging with members of the public who are in stressful situations, under the influence of drugs and/or alcohol

– Dealing with criminal activities (e.g. assaults)

– Working on cases which attract public or media attention.

As a result of this, staff, patients, residents and visitors are subjected to a range of security risks

Page 17: Security Audits and Security Risk Assessments

Summary of Risk Assessments

The outcomes from each of the site specific security risk assessments are summarised in the table below. A rating of medium or higher requires immediate action.

THREAT | TNH | BHS | BECC | CHS | PHS

Harm to People | EXTREME | HIGH | MEDIUM | MEDIUM | HIGH

Preventable Fatality | HIGH | HIGH | HIGH | MEDIUM | MEDIUM

Abduction of Infant | HIGH | N/A | N/A | N/A | N/A

Theft of Property | MEDIUM | MEDIUM | MEDIUM | LOW | MEDIUM

Theft of Drugs | LOW | LOW | VERY LOW | VERY LOW | VERY LOW

Property Damage | LOW | LOW | VERY LOW | LOW | LOW

Unauthorised Disclosure of Confidential Information | MEDIUM | MEDIUM | MEDIUM | MEDIUM | LOW

Loss of Productivity | MEDIUM | N/A | N/A | N/A | N/A

Disruption of Operations | LOW | LOW | LOW | LOW | LOW

The level of Risk at each facility was used as the basis for developing upgrade recommendations.

Page 18: Security Audits and Security Risk Assessments

Key Design & Upgrade Strategies

To prepare an upgrade plan & determine costs, a number of key design strategies were developed.

– Establish baseline Security & CCTV Design Standard

– Establish a security maintenance contract to reduce risk of systems failure

– Upgrade all CCTV & Security systems to a common operating platform and implement a digital IP network

– Utilise existing IT network infrastructure for communications between each site & Central Control Room

– Establish a central Security Control Room for the monitoring and management of Security & CCTV

Page 19: Security Audits and Security Risk Assessments

Key Design & Upgrade Strategies Cont

These strategies will deliver a consistent standard of security across all of the Northern Health sites, reducing risk and allowing for improvements in efficiency (i.e. standardisation, multi vendor solutions & implementation of a single access control smart card).

Page 20: Security Audits and Security Risk Assessments

Master Plan

A range of recommendations were provided to guide the maintenance and renewal of the security systems at each campus which can be implemented over a number of years.

The recommendations have been arranged according to a prioritised, phased upgrade strategy.

Delivery Phases:

Phase 1 – Develop baseline standards and determine standard operating platforms

Phase 2 – Critical Repair and Urgent Upgrades

Phase 3 – Monitoring & Control System Upgrades and Expansion

Phase 4 – Field Equipment Upgrades, including cameras, card readers, etc.

Phase 5 – Establish Central Control Room & Inter-Connect All Sites

Page 21: Security Audits and Security Risk Assessments

Master Plan

Current Position

BOM Risk Management Committee accepted the report and allocated CAPEX over the next few years.

Phases 1 & 2 have been completed

Phase 3 is 75% complete

It is expected that all infrastructure upgrades across the 5 campuses will have been completed prior to 2017.

Page 22: Security Audits and Security Risk Assessments

Summary

Conduct a security risk assessment at your healthcare facility

Identify the risks, develop mitigation strategies and ensure you engage with executive management

Prepare a “Master Plan” to support the “business case” for all security infrastructure improvements

Page 23: Security Audits and Security Risk Assessments

Questions?

Richard Murrie

Managing Director

Loss Prevention Group of Australia

www.lpga.com.au

Mobile: 0408 312 657