Security Audits and Security Risk Assessments


Richard Murrie, Managing Director, Loss Prevention Group of Australia, delivered this presentation at the 2012 Australian Hospital & Healthcare Security & Safety Conference. The conference is a fantastic opportunity to network with hospital security managers, OH&S unit coordinators, senior nursing and management staff of hospital departments, namely emergency departments and mental health units. In its 6th annual edition, the conference has been rebranded Safe & Secure hospitals to reflect industry feedback we have received through our research calls. For more information, please visit:


  1. Loss Prevention Group of Australia
     Hospital & Healthcare Security & Safety Conference 2012
     Security Audits & Security Risk Assessments: Identifying Key Security Risks
     October 25, 2012
     Presenter: Richard Murrie, Managing Director
  2. Outline
     This session will explore:
     • General security risks faced by healthcare facilities
     • Security risks relating to the failure of ageing & antiquated electronic security infrastructures
     • Case study of a major healthcare network and the process of identifying and rectifying electronic security infrastructures
  3. What is Risk Management?
     • AS/NZS ISO 3100-2009 Risk Management
     • “The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects”
  4. What is Risk?
     • The chance of something happening that will have an impact upon objectives
     • “What can happen, how can it happen, what impact will it have?”
  5. Risk Categories
     • Human Resources
     • Clinical
     • Financial/Investment
     • Political
     • Environmental
     • Information Technology
     • Strategic
     • Market
     • Security
     • OHS
     • Legal
     • Property
  6. Identifying Risk
     • Holistic security risk assessments are a mandatory requirement of Australian Standard 4485 “Security for Healthcare Facilities”
     • The security risk assessment should form the basis of identifying & managing security risks that may impact upon your healthcare facility
     It is crucial that all healthcare facilities undertake a security risk assessment compliant with AS/NZ ISO 301000. Why?
  7. Identifying Risk cont…
     • Security risks will differ for each facility
     • Once identified, the risks can be managed, strategies developed and security controls implemented
     • Identified and perceived risks may be mitigated by incorporating the information received into the security design of the facility
  8. Risk Management Processes
     • Establishing the context
     • Identifying the risk
     • Analyse the risks
     • Evaluate the risk
     • Treat the risk
  9. Risk Management Team
     • Nominated Team Leader (Risk Manager)
     • Security Manager
     • Quality Manager
     • Senior Nursing staff, E.D. Manager, Mental Health Manager, ADONs etc.
     • Human Resources Manager
     • OHS Manager
     • Engineering Manager (external consultant)
     This is not an exhaustive list.
  10. Common Security Risks
      Common security risks faced by healthcare facilities:
      • Occupational violence & verbal abuse
      • Unauthorised access to hospital facilities
      • Inappropriate use of & access to confidential information
      • Abuse/misuse of pharmaceuticals
      • Theft of hospital & personal assets
      • Failure of electronic security infrastructures
      • Inadequate recruitment & probity checks
      • Inadequate credentialing procedures
      • Internal fraud
  11. Introduction-Case Study
      • LPGA was engaged to undertake an electronic security audit and risk assessment & to develop an Electronic Security Master Plan.
      • Sites audited included:
        – The Northern Hospital
        – Broadmeadows Health Service
        – Bundoora Extended Care
        – Craigieburn Health Service
        – Panch Health Service
  12. Why?
      • System & equipment failures were increasing
      • Repairs to equipment were expensive and largely restricted to one provider, as proprietary equipment had been installed when the main campus was commissioned in 2000
      • The five campuses had a mixture of electronic security infrastructure (old, older, tired & incompatible)
      • Lack of confidence in the existing security infrastructure
      • To officially document the risks associated with the current infrastructure and formally present them to the hospital’s Risk Management Committee (at BOM level)
  13. Case Study-Scope
      The scope of engagement included:
        – Examination of existing security infrastructure, including current condition and capacity;
        – Identification of security risks for the site;
        – Review of existing security arrangements;
        – Assessment and rating of security risks;
        – Recommendation of risk mitigation strategies;
        – Development of Baseline Security design standards;
        – Recommendation of security upgrades and provision of budgets; and
        – Audits & Risk Assessments have been documented on a site by site basis for future reference.
  14. Case Study-Findings
      • Many of the security systems installed across the Northern Health portfolio were below satisfactory condition and required updating.
      • A significant portion of security systems utilised outdated technology and were not supported by mainstream security providers.
      • Most of the systems installed no longer met minimum security design guidelines for health facilities.
      • In a number of cases, the systems could be subject to the possibility of total or partial failure.
  15. Summary Case Study-Findings
      Below is a high level summary of the condition of the security systems at each campus.
      Campuses: TNH, BHS, BECC, CHS, PHS
      Item:
      • Swipe Card Readers
      • Electronic Locks
      • Alarm Monitoring
      • Duress Alarms
      • Control Panels
      • Security Management System
      • CCTV Cameras
      • CCTV Recording
      • Guard Tour
      • Intercoms
      Legend:
      • Acceptable technology for next 5 years
      • Requires replacement or major upgrade within less than 5 years
      • Requires urgent repair or upgrade
  16. Summary of Risk Assessments
      • Northern Health staff will engage in a range of tasks which have implications for security risks, for example:
        – Managing patient related and sensitive information;
        – Engaging with members of the public who are in stressful situations, under the influence of drugs and/or alcohol
        – Dealing with criminal activities (e.g. assaults)
        – Working on cases which attract public or media attention.
      • As a result of this, staff, patients, residents and visitors are subjected to a range of security risks
  17. Summary of Risk Assessments
      The outcomes from each of the site specific security risk assessments are summarised in the table below. A rating of medium or higher requires immediate action. The level of risk at each facility was used as the basis for developing upgrade recommendations.

      THREAT                                               TNH      BHS     BECC      CHS       PHS
      Harm to People                                       EXTREME  HIGH    MEDIUM    MEDIUM    HIGH
      Preventable Fatality                                 HIGH     HIGH    HIGH      MEDIUM    MEDIUM
      Abduction of Infant                                  HIGH     N/A     N/A       N/A       N/A
      Theft of Property                                    MEDIUM   MEDIUM  MEDIUM    LOW       MEDIUM
      Theft of Drugs                                       LOW      LOW     VERY LOW  VERY LOW  VERY LOW
      Property Damage                                      LOW      LOW     VERY LOW  LOW       LOW
      Unauthorised Disclosure of Confidential Information  MEDIUM   MEDIUM  MEDIUM    MEDIUM    LOW
      Loss of Productivity                                 MEDIUM   N/A     N/A       N/A       N/A
      Disruption of Operations                             LOW      LOW     LOW       LOW       LOW
  18. Key Design & Upgrade Strategies
      • To prepare an upgrade plan & determine costs, a number of key design strategies were developed.
        – Establish baseline Security & CCTV Design Standard
        – Establish a security maintenance contract to reduce risk of systems failure
        – Upgrade all CCTV & Security systems to a common operating platform and implement a digital IP network
        – Utilise existing IT network infrastructure for communications between each site & Central Control Room
        – Establish a central Security Control Room for the monitoring and management of Security & CCTV
  19. Key Design & Upgrade Strategies Cont
      • These strategies will deliver a consistent standard of security across all of the Northern Health sites, reducing risk and allowing for improvements in efficiency (i.e. standardisation, multi vendor solutions & implementation of a single access control smart card).
  20. Master Plan
      • A range of recommendations were provided to guide the maintenance and renewal of the security systems at each campus which can be implemented over a number of years.
      • The recommendations have been arranged according to a prioritised, phased upgrade strategy.
      • Delivery Phases:
        – Phase 1 – Develop baseline standards and determine standard operating platforms
        – Phase 2 – Critical Repair and Urgent Upgrades
        – Phase 3 – Monitoring & Control System Upgrades and Expansion
        – Phase 4 – Field Equipment Upgrades, including cameras, card readers, etc.
        – Phase 5 – Establish Central Control Room & Inter-Connect All Sites
  21. Master Plan Current Position
      • BOM Risk Management Committee accepted the report and allocated CAPEX over the next few years.
      • Phases 1 & 2 have been completed
      • Phase 3 is 75% complete
      • All infrastructure upgrades across the 5 campuses are expected to have been completed prior to 2017.
  22. Summary
      • Conduct a security risk assessment at your healthcare facility
      • Identify the risks, develop mitigation strategies and ensure you engage with executive management
      • Prepare a “Master Plan” to support the “business case” for all security infrastructure improvements
  23. Questions?
      Richard Murrie, Managing Director
      Loss Prevention Group of Australia
      Mobile: 0408 312 657