Healthcare Security by Senior Security Consultant Lennart Bredberg

1. BEARING FACT SHEET
Healthcare Security
 Bearing Solutions; Healthcare
Security
Bearing´s model for Healthcare security is built on the true
understanding of the important prerequisities needed to build an
integrated healthcare security solution where security and risk
management are treated and managed as any other basic
process within the organization.
 Management systems and process orientation
 Security Convergence
 Safety culture
 Systematic safety and security operations as integral
part of the Management system
 Functional safety and technical infrastructure
 Incident report systems as integral part of the
Management system
Security and safety at healthcare facilities are important for both
good quality healthcare and public safety. Hospitals are a safe
haven for those in physical and/or emotional need, and
increasingly seen as a place of refuge in the event of a large-scale
emergency such as a natural disaster or terrorist attack.
The systemic work regarding healthcare safety today is
multidisciplinary and holistic. The security threats that confront
us are no longer respecting the traditional categorization that
we would want to use in order to describe the risks and
vulnerabilities arising from such operations. Information security
and physical security, for example, can no longer be handled
independently without taking into account the convergence
taking place between these areas that rapidly draws entirely new
maps of what previously formed the basis of safety work.
 Healthcare Security issues today
Improving safety in healthcare is not just about technology but
also about safety in terms of responsibilities, attitudes, values
and the understanding management and employees have to
security issues in order to carry out a systematic and
constructive safety work.
Hospital security departments are challenged to provide safe
environments for employees, patients and visitors. Hospitals and
clinics are by their nature designed to be open and accessible to
the public, which means street crime and other dangers can
easily enter through hospital doors if not properly protected.

2. A survey conducted by the American Society for Industrial
Security (ASIS) determined that effective security has become a
part of the everyday operations of many healthcare
organizations, regardless of size, location, or type of hospital.
Security issues and concerns are identified and addressed daily
by management. Some top-rated security concerns and issues
were identified and ranked as shown below;
Security and Safety Priorities
1. Patients
2. Employees
3. Visitors
4. Vendors
Areas ranked for greatest risk of crime
1. Infant Units
2. Pediatric Units
3. Pharmacy
4. Psychiatric Units
 Conclusion
Patients have really high expectations for quality healthcare
today. State-of-the- art facilities, safety and security are a big
concern. In order to meet the higher expectations within this
really cost-sensitive market, hospitals must invest sensibly in
their facilities as a true strategic asset to serve patients, attract
well-qualified doctors and nurses, and also serve the greater
general public. New building management solutions are able to
increase security at healthcare facilities while also maximizing
energy efficiency and performance.
Technology must work effectively as a tool for well-trained
security staff. Evaluating perimeter and intrusion detection,
access control, and CCTV, require that the vendors show how
integration of these security functions can increase security and
minimize the training and burden to security personnel.
 References
Bearing has over the years gained vast experience from major
healthcare security projects in Sweden. Based on our unique
methodology and understanding of the prerequisites that build a
holistic based healthcare security model we have e.g. led a major
project in “Region Västra Götaland” (Gothenburg) with the goal
to improve the overall security and safety situation in all regional
hospitals and clinics. Areas that were covered involved;
 Inventory of physical and IT- based security equipment
 Extensive Physical and Information security risk
assessments
 Developing a model for security classification of
hospital premises
 Advising on how to build a new holistic based security
organization within the region
 How to implement a new security management
platform within the region
 Security as a business process
Security should naturally be seen as a business process that
manages a security function, a process that is very closely
connected with the principles of quality assurance and
quality control.
Management of the risk inherent in an organization used to be
seen upon as a function embedded within individual roles of the
Management level. Traditionally the approach was to treat risks
separately and assign responsibility to individuals or small teams.
To manage a singular type of risk became a distinct job and to
be successful in the job you had to focus on only one particular
area. The big problem with this “stove piped” approach was that
it ignored the interdependence of many risks and that it sub-
optimized the financing of total risk for an organization.
Breaking stovepipes and seeing risk management and security
programs more like processes means that we need to bring
different stakeholders in the problem together and set them to
solve the problem – together.
 Security convergence
© AESRM 2008
A major trend in the security arena today is security
convergence.
ASIS International define security convergence as;
“The identification of security risks and interdependencies between
business functions and processes within the enterprise and the
development of managed business process solutions to address those
risks and interdependencies.”
Imperatives driving convergence are;
 Rapid expansion of the Enterprise Ecosystem
 Value migration from physical to information-based
and intangible assets
 New protective technologies blurring functional
boundaries
 New compliance and regulatory regimes
 Continuing pressure to reduce cost
The convergence of IT and Physical Security is now a fact and as

3. IT has become a very important part of most organizations, new
international standards for physical security now also include IT
considerations for electronic documents.
Security convergence forces organizations to see beyond
security as a function and instead something that consists of
people, processes and strategies, being part of the overall
business life-cycle as a system.
Furthermore, organizations now start to appreciate the cost and
competitive advantages that can be leveraged when viewing
security not as a cost center but one of a value add - lowering
costs and providing cost efficiencies.
 Bearing and RiskWatch®
Bearing Consulting is a Partner and VAR of RiskWatch, the
leading Risk Assessment tool for regulatory compliance. For
regulatory compliance, RiskWatch is the most accurate,
comprehensive way to conduct governance, compliance and risk
assessments based on international standards including HIPAA,
ISO 17799, ISO 27001, COBIT 4.0 and Sarbanes Oxley (SOX).
The RiskWatch software includes an installed Windows
application and a simple web-based questionnaire application.
This can also be used on an internal server, or hosted, to
facilitate the gathering of responses from management and IT
system users. Respondents simply answer the questions, and
their answers are imported for analysis.
RiskWatch™ is the world top-rated provider of innovative
security risk assessment and compliance software that
automates the risk management process. RiskWatch clients
include over 2000 hospitals, health plans, investment banks,
business banks, credit unions, state agencies and Federal
agencies including the U.S. Federal Reserve Bank, the nuclear
Regulatory Commission and the Department of Defense.
 The Risk assessment process