By Shawn M. Whalen/ Special to Healthcare Facilities Today

The director of security at a healthcare facility must balance the needs of diverse groups of people while trying to maintain a safe and secure environment for patients. A facility’s top priority is providing quality patient care in a timely and cost-effective manner, but patient satisfaction scores encompass a broader scope – it’s about a patient’s entire experience.

That’s why maintaining a secure facility is critical, as a perceived lack of security can set the tone for a person’s visit to a healthcare facility. 

There are many aspects to making patients and visitors feel secure. Did they interact with the guard force or a security officer? How were they treated? Did the facility feel secure yet inviting and not overwhelming? Using a layered security design approach and access control strategies can help your facility achieve a secure and friendly environment. In this article, we’ll talk about design strategies to help create that safe and welcoming atmosphere. 

The five layers of security: creating a safe and secure experience

A hospital typically comes to mind when thinking of healthcare facilities. While many of the examples given in this article pertain to hospitals, other healthcare facilities (e.g. outpatient clinics, ambulatory surgery centers and urgent care centers) can also benefit from these strategies.

Layered security is a crime prevention through environmental design (CPTED) principal of compartmentalization and is defined as concentric layers of security measures that protect valuable assets behind multiple barriers. Starting from the outer perimeter and moving inward, each security layer is designed to delay an intruder or attacker as long as possible.

The International Association of Healthcare Security and Safety’s (IAHSS) “Security Design Guidelines for Healthcare 2012” further defines the five layers of protection as:

1. Property perimeter

2. Building perimeter

3. Building interior – segregating authorized and unauthorized visitors

4. Building interior – segregating public and patient areas from staff only areas

5. Building interior – further restrict staff access to highly sensitive areas

While we tend to think of electronic systems for access control, establishing and following proper facility security procedures is equally important. For example, failing to train staff to hold secured doors open only for authorized employees can defeat any Access Control System (ACS). To help prevent this, many ACSs utilize card and reader technology to segregate areas of the site to credentialed personnel. Credentials are worn on a lanyard that’s visible to others, and their color coding can provide quick visual cues to others as to whether certain staff have permission to access an area.

Let’s address each layer of protection and specific access control strategies to help define and manage the secure areas.  

1. Property Perimeter

Healthcare facilities are important parts of communities, so it’s vital to project a welcoming image – something that would be difficult to do with, say, a fence or barbed wire surrounding the property. 

Having a site that is open to the public creates challenges for security staff. Site signage is a simple and inexpensive way to try and guide visitors to the proper areas of the site for patient drop-off, visitor parking and access to the emergency department (ED). In addition, having visitors take a ticket when entering a parking area, even if they are not required to pay, establishes a “semi-private” area in the view of the public. Potential aggressors may avoid semi-private areas for other areas that seem less secure (i.e. more public).

While electronic security devices do not make a site or facility more secure, they can be a ‘force multiplier’ for the security team, meaning a larger area can be monitored and more security tasks can be accomplished with less staff. A prime example of this is the use of video surveillance technology. With the site open to the public, it’s important to know who is accessing it, which gives early warning to security staff of possible problems before reaching the building perimeter. Camera locations should offer the security team a good overall view of the site while providing sufficient resolution to read a car license plate or identify a person if needed.

2. Building Perimeter

The building perimeter is the first line of defense, with the goal being for the public and staff to enter their designated entrances. All exterior doors other than the designated public entrances should include access controls or be locked and monitored at all times. Exit-only doors should not have exterior hardware and all perimeter doors should be monitored, so a door cannot be propped open to allow unauthorized access.  

An ACS can be programmed with a “perimeter lockdown” function that allows security staff to quickly lock all exterior doors in case of an impending incident. The system may also lock out card readers, so even staff cannot enter until the issue is resolved. In lockdown scenarios some facilities may restrict access to security staff only.

3. Building interior – segregating authorized and unauthorized visitors

Areas of higher risk, such as emergency treatment areas, intensive care units, pediatric units and newborn nurseries, should offer access control. Although signage like “Authorized Personnel Only” is very effective at keeping the public from going into controlled or limited access areas, a sign will not keep determined intruders out of an area. 

Emergency departments (ED) typically have the highest rates of security incidents in a healthcare facility, so the ED perimeter should include access control at all entries to the area. Similar to the perimeter lockdown function, access control systems can be programmed with an “ED lockdown” function that locks the department’s doors in case of an incident.

Requiring visitors to wear a visitor credential is nothing new in facility security; however, providing the visitor with an active access control badge is a newer approach that is gaining in popularity. For example, the security staff could issue the father of a newborn in the nursery an access control credential that allows him to access the labor and delivery areas only. 

Another recent trend is Visitor Management, which is a module or add-on software to the ACS that quickly logs visitors on premises and optionally gives them access to certain areas. These systems have the capability to scan drivers’ licenses and check the visitor information against a database of unauthorized visitors. 

4. Building interior – segregating public and patient areas from staff only areas

The fourth layer of access control should segregate generally accessible public and patient areas from “staff only” areas, such as nursing offices, staff locker rooms, storage and distribution locations, sterile corridors and research laboratories. 

5. Building interior – further restrict staff access to highly sensitive areas

The final layer of protection is meant to further restrict staff access to highly sensitive areas -- ones that are specifically limited to authorized healthcare staff. These include pharmacy and narcotic storage spaces; hazardous materials, plant utility and information technology (IT) infrastructure; and areas housing personal health information. The Health Insurance Portability and Accountability Act (HIPAA) has provisions that govern the privacy of personal health information. As a result, access to physical records or electronic records must be controlled. 

One concern with this layer is that IT staff can have equipment and software vendors that must access these restricted areas, making it necessary for staff to supervise vendors while they access these rooms. Having access control on the IT space’s outside door, and then segregating the vendor and healthcare equipment inside the space, is one solution to this issue. The interior barrier would also include access control, so only IT staff can enter the network area of the space. The vendor could also be issued a badge granting access to the specific IT space, meaning they wouldn’t have to be escorted to IT spaces.

An ever-increasing problem for healthcare facilities is drug diversion, which entails drugs being taken and then distributed or used illegally.  Vulnerability to diversion exists when a single worker, out of view of others, is free to engage in drug procurement from central stores, drug preparation, drug administration to patients, and/or disposal of drug waste. In the absence of sufficient controls, it is relatively easy for a staff member to divert drugs for sale or their own use.

To help combat drug diversion, healthcare facility designs now include MEDS rooms where medications are housed. There has also been an increase in the implementation of medication dispensing systems, which use a computer log-in system to allow access to the locked medications cabinets/refrigerators. After log-in, the system unlocks the appropriate drawer, allowing access to specific medication(s). 

Pharmacies are another layer 5 area that needs special attention from the security designer, as two levels of access authentication are typically required to access them. A standard card reader with an integral keypad or biometric style reader can provide this additional level of authentication. 

Additional access controls are also necessary at the Labor and Delivery (L&D) area. Healthcare systems and The Joint Commission, an independent, non-profit organization that accredits and certifies health care organizations and programs in the United States, are starting to encourage the use of Infant Protection (IP) systems, providing another level of security for the L&D unit. IP systems use radio frequency identification (RFID) tags that are placed on the infants’ ankle right after birth, and they have skin and tamper sensors that sound an alarm if they’re removed or cut. The systems can also protect elevators by not allowing the elevators to leave the floor if an infant tag is in the elevator car. Finally, IP systems can be integrated with other security structures, so staff can be notified and surveillance cameras can record video of an incident. 

A challenge worth solving

Healthcare facilities are a challenging environment for security designers and security staff. The varied reasons for visits to the facilities, the allure of drugs, and the stress on visitors and staff can make these environments difficult to manage. Using a layered security approach along with tailored security procedures and ongoing staff training can help make healthcare facilities safe and secure for patients, visitors and staff.

About the author: Shawn Whalen is an electrical engineer certified as a professional engineer in over 20 states and is an ASIS Physical Security Professional (PSP) with over 23 years of engineering experience in providing security and communications systems consulting. He is a BICSI Registered Communications Distribution Designer (RCDD) and is a member of Burns & McDonnell’s Global Security consulting practice that provides security assessments and designs for clients in the healthcare, critical infrastructure, commercial, and governmental markets.

Shawn M. Whalen, PE, PSP, is RCDD of Burns & McDonnell.