One well-known and often referenced security standard is from the human resources section, HR.01.04.01: “The hospital orients external law enforcement and security personnel on the following: how to interact with patients: procedures for responding to unusual clinical events and incidents: the hospitals channels of clinical, security and administrative communication and distinctions between administrative and clinical seclusion and restraint” (as defined by the Centers for Medicare and Medicaid Conditions of Participation CFR 482.13).
These standards are among the most well-known to healthcare security practitioners because they are the ones most often cited as a direct security risk or potential issue.
But what about those standards that have a security component but are not directly within the realm of security or safety?
Known Unknowns
Many of the “Known Unknowns” are from security and safety related disciplines that overlap and spill into the security and public safety domain, such as emergency management. For example, standard EM01.01.01 includes that “the hospital conducts a hazard vulnerability analysis to identify potential emergencies that could affect demands for the hospital’s services or its ability to provide those services, the likelihood of those events occurring and the consequences of those events. The findings of this analysis are documented.”
While this does not specifically include a named security component, we all know that security should (and hopefully does) participate in if not lead the annual HVA process for our facilities, since so many security related events (workplace violence, infant abduction, etc.) can occur. Security is mentioned specifically in another emergency management standard, EM02.01.01, which states, in part, “The Emergency operations Plan identifies the hospital’s capabilities and establishes response procedures……to provide communications, resources and assets, security and safety, staff, utilities or patient care for at least 96 hours.”
On a similar note, standard EM02.02.05 states that the hospital’s emergency operations plan contains “the hospital’s arrangements for internal security and safety,” as well as “how the hospital will coordinate security activities with community security agencies…” and “the hospital implements the components of its Emergency Operations Plan that require advance preparation to support security and safety during an emergency.”
Again, none of this is new to a seasoned security director or manager in the healthcare environment, but to someone who is just beginning their career in the industry or perhaps security is a secondary or even tertiary part of their responsibilities, such “known unknown” standards can be easy to overlook.
Unknown Unknowns
Lastly we have those bothersome standards that do not really lend themselves to association with the security function, but they definitely have to be addressed and can cause significant issues if left incomplete. A small sampling of such “unknown unknowns” includes EC02.06.01: “lighting is suitable for care treatment and services.” Is security not a service? Can poor lighting not be a fa
ctor in criminal activity, especially in parking structures and lots? Or what about EC02.02.01: “the hospital minimizes risks associated with selecting, handling, storing, transporting, using and disposing of radioactive materials.” If anyone thinks this does not include a security component, take the time to review the scathing results of the 2012 Government Accountability Offices report titled Additional Actions Needed to Improve Security of Radiological Sources at U.S. Medical Facilities or the literature available on the Global Threat Reduction Initiative (GTRI) program from the National Nuclear Security Administration.
The same holds true for standard MM03.01.01, which states in part that the hospital stores all medications…including controlled (scheduled) medications in a secured area…in accordance with law and regulation (such as the DEA Controlled Substances Act).
