Healthcare facilities accumulate access control vulnerabilities over time. Doors that should be locked aren’t. Credentials for former employees remain active in the system. Access permissions granted for a specific project were never revoked. Shared credentials circulate among departments that have learned to work around access restrictions they find inconvenient. These vulnerabilities are invisible without a systematic audit, and are discovered, most often, during a Joint Commission survey or following a security incident.

An access control audit is a structured process to identify and remediate these vulnerabilities before they result in regulatory findings or security events. For healthcare facility directors, annual access control audits should be a standard element of the security management program.

Audit Scope and Planning

An effective access control audit covers four core domains:

Physical Door Hardware and Reader Verification

Physical inspection of every controlled access point in the facility—not just a sample. This includes verification that:

  • All doors with card readers require valid credentials for entry (test the door without a credential)
  • No doors have been propped, wedged, or otherwise bypassed as a workaround
  • All electromechanical locking hardware is functioning correctly (latches engaging, magnetic locks holding rated force)
  • Reader hardware is mounted correctly and free of tampering indicators

Credential Database Review

Systematic review of the active credential database against HR records to identify:

  • Credentials associated with terminated employees that remain active
  • Credentials with no recent access history (30+ days) that may indicate phantom credentials
  • Credential records without associated employee or vendor records (orphaned credentials)
  • Duplicate credentials issued to the same individual
  • Credentials without expiration dates where time-limited access should have been granted

Access Permission Policy Review

Review of door/area access permissions against documented access policies:

  • Do the doors that clinical staff can access align with their documented role requirements?
  • Are contractor and vendor credentials limited to areas necessary for their work?
  • Do high-security area permissions (pharmacy, medication storage, operating suites) match current authorization records?
  • Are any doors programmed with all-credential access (any valid card opens the door) when restricted access is required?
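The four policy questions above reduce to set comparisons between what the access control platform grants and what the documented policy and authorization records allow. The following script is an added example, not code from the article or from any access control vendor; the door identifiers, zones, roles, policy matrix, all-credential door list and high-security authorization records are constructed for illustration, and the export format is an assumption.

```python
"""Door/area permission review against documented access policy.

Added example, not the article's own. Door identifiers, zones, roles, the policy
matrix and the authorization records are constructed for illustration.
"""

# door -> (zone, restricted?)   restricted = only specifically authorized roles
DOORS = {
    "LOBBY-01": ("public", False),
    "CLINIC-2F": ("clinic", False),
    "PHARM-01": ("pharmacy", True),
    "NICU-02": ("nicu", True),
    "OR-03": ("surgery", True),
    "MECH-B1": ("mechanical", True),
}
# role -> zones the documented access policy allows that role to enter
ROLE_POLICY = {
    "rn-med-surg": {"public", "clinic"},
    "pharmacist": {"public", "pharmacy"},
    "hvac-contractor": {"public", "mechanical"},
}
# credential -> (holder, role, doors granted in the access control platform)
CREDENTIALS = {
    "1001": ("A. Nurse", "rn-med-surg", {"LOBBY-01", "CLINIC-2F", "NICU-02"}),
    "1002": ("B. Pharmacist", "pharmacist", {"LOBBY-01", "PHARM-01"}),
    "1004": ("D. Contractor", "hvac-contractor", {"LOBBY-01", "MECH-B1", "PHARM-01"}),
}
# doors configured to open for any valid credential (constructed)
ALL_CREDENTIAL_DOORS = {"LOBBY-01", "OR-03"}
# high-security authorization records: zone -> credentials currently on the list
HIGH_SECURITY_AUTH = {"pharmacy": {"1002"}, "nicu": set(), "surgery": {"1001"}}


def review_permissions(doors, role_policy, credentials, all_credential_doors, high_security_auth):
    """Return (finding, subject, detail) tuples for the audit register."""
    findings = []

    # Door-level check: a restricted door must not be on all-credential access.
    for door in sorted(all_credential_doors):
        zone, restricted = doors[door]
        if restricted:
            findings.append(("all-credential-access-on-restricted-door", door, zone))

    for cred, (holder, role, granted) in sorted(credentials.items()):
        allowed_zones = role_policy.get(role)
        if allowed_zones is None:
            findings.append(("role-without-documented-policy", cred, role))
            allowed_zones = set()
        for door in sorted(granted):
            zone, restricted = doors[door]
            # Credential-level check: a grant outside the role's documented zones.
            # The same check keeps contractor credentials to their work area.
            if zone not in allowed_zones:
                findings.append(("grant-outside-role-policy", cred, f"{door} ({zone}, role {role})"))
            # High-security areas: the platform grant must match the authorization record.
            if zone in high_security_auth and cred not in high_security_auth[zone]:
                findings.append(("grant-not-in-authorization-record", cred, f"{door} ({zone})"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_permissions(
            DOORS, ROLE_POLICY, CREDENTIALS, ALL_CREDENTIAL_DOORS, HIGH_SECURITY_AUTH):
        print(f"{kind:40} {subject:10} {detail}")
```

With the constructed data the script reports five findings: the operating suite door on all-credential access, the nurse's NICU grant (outside role policy and absent from the NICU authorization record), and the contractor's pharmacy grant (the same two findings). The pharmacist's credential produces nothing, which is the expected result when platform grants, role policy and authorization records agree.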

Access Event Log Review

Analysis of recent access event logs to identify anomalies:

  • After-hours access to sensitive areas by individuals without documented legitimate need
  • Access events associated with credentials that should be inactive
  • Credential use at doors outside the credential holder’s authorized zone
  • Unusual access frequency patterns that may indicate credential sharing
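The four anomaly classes above can be checked mechanically once the platform's event export is available. The script below is an added example and not code from the article or from any access control product; the CSV log layout, door and zone names, the 06:00–20:00 business-hours window, the frequency threshold and every credential and event are constructed assumptions. It goes slightly beyond the text in one respect: credentials with a documented after-hours need are exempted from the after-hours finding, so the report lists only holders "without documented legitimate need".

```python
"""Access-event log review for the anomaly classes listed above.

Added example, not code from the article. The log format, door and zone names,
business-hours window, thresholds and credential records are all constructed.
"""
from collections import Counter
from datetime import datetime, time

DOOR_ZONE = {"PHARM-01": "pharmacy", "NICU-02": "nicu", "OR-03": "surgery",
             "LOBBY-01": "public", "CLINIC-2F": "clinic"}
SENSITIVE_ZONES = {"pharmacy", "nicu", "surgery"}
BUSINESS_HOURS = (time(6, 0), time(20, 0))     # anything outside is after-hours

# credential -> (holder, platform status, authorized zones, documented after-hours need)
CREDENTIALS = {
    "1001": ("A. Nurse", "active", {"public", "clinic", "nicu"}, False),
    "1002": ("B. Pharmacist", "active", {"public", "pharmacy"}, True),
    "1003": ("C. Former", "inactive", {"public", "clinic"}, False),
    "1004": ("D. Contractor", "active", {"public"}, False),
}

# Constructed export: timestamp,credential,door,result
LOG_LINES = """\
2024-03-04T07:55:00,1001,CLINIC-2F,granted
2024-03-04T08:02:00,1002,PHARM-01,granted
2024-03-04T23:10:00,1001,NICU-02,granted
2024-03-04T09:30:00,1003,CLINIC-2F,granted
2024-03-04T10:00:00,1004,OR-03,granted
2024-03-04T12:00:00,1004,PHARM-01,denied
2024-03-04T22:30:00,1002,PHARM-01,granted
"""


def parse_log(text):
    """Parse the assumed CSV layout into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, cred, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "cred": cred,
                       "door": door, "result": result})
    return events


def sample_events():
    """The lines above plus twelve pharmacy entries in one hour by 1002,
    constructed to stand in for a badge that is being passed around."""
    events = parse_log(LOG_LINES)
    for n in range(12):
        events.append({"ts": datetime(2024, 3, 4, 10, 5 * n), "cred": "1002",
                       "door": "PHARM-01", "result": "granted"})
    return events


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def review_events(events, multiplier=3, min_count=10):
    """Return (finding, credential, door_or_day, detail) tuples."""
    findings = []
    per_cred_day = Counter()
    for e in events:
        if e["result"] != "granted":
            continue                      # denied attempts create no exposure here
        holder, status, zones, after_hours_ok = CREDENTIALS.get(
            e["cred"], ("unknown", "unknown", set(), False))
        zone = DOOR_ZONE.get(e["door"], "unknown")
        when = e["ts"].isoformat()
        per_cred_day[(e["cred"], e["ts"].date())] += 1

        if status != "active":
            findings.append(("inactive-credential-use", e["cred"], e["door"], when))
        if zone not in zones:
            findings.append(("outside-authorized-zone", e["cred"], e["door"], when))
        if zone in SENSITIVE_ZONES and is_after_hours(e["ts"]) and not after_hours_ok:
            findings.append(("after-hours-sensitive-area", e["cred"], e["door"], when))

    # Frequency outliers: a credential with far more granted events in a day than
    # the median credential is worth a conversation about credential sharing.
    counts = sorted(per_cred_day.values())
    median = counts[len(counts) // 2] if counts else 0
    for (cred, day), n in per_cred_day.items():
        if n >= min_count and n > multiplier * median:
            findings.append(("high-frequency", cred, str(day), n))
    return findings


if __name__ == "__main__":
    for finding in review_events(sample_events()):
        print(*finding)
```

On the constructed data this yields one finding of each class: the former employee's badge still opening a clinic door, the contractor entering the operating suite, the nurse entering the NICU at 23:10, and the pharmacist's badge used fourteen times in a day against a median of two. The pharmacist's own 22:30 pharmacy entry is not reported because that credential carries a documented after-hours need; the threshold values are starting points to tune against a facility's real volume, not fixed rules.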

Credential Database Audit Process

The credential database audit is the highest-value component of most healthcare access control audits. Organizations with poor credential hygiene discover significant numbers of active credentials for individuals who are no longer associated with the facility.

Cross-Reference with HR

The access control database should be compared against the current HR employee roster. Every active employee credential should have a corresponding active HR record. Credentials without matching HR records should be flagged for investigation and deactivation.

For large healthcare organizations, this comparison should be automated through an integration between HR systems and the access control platform. Manual comparison of large credential databases (thousands of records) is error-prone and time-consuming.

Contract and Vendor Credential Review

Vendor and contractor credentials require a separate review process since they are typically not included in HR employee rosters. Cross-reference active vendor credentials against:

  • Active vendor contracts and purchase orders
  • Vendor credentialing platform records (if using a national vendor management system)
  • Documented completion of required training and immunization requirements

Expiration Date Audit

All time-limited credentials—temporary employee badges, contractor access, vendor credentials, student and intern badges—should have expiration dates configured in the access control system. Credentials without expiration dates that were intended to be time-limited represent an audit finding. Add expiration dates to all appropriate credentials and establish a process to prevent issuance of time-limited credentials without expiration date configuration.
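The credential database review in the audit scope and the three steps of this section (HR cross-reference, vendor contract cross-reference, expiration date audit) are one reconciliation pass over the active credential export. The script below is an added example of that pass, not the article's own procedure or any platform's integration; the record layout, employee and vendor identifiers, dates, the 30-day inactivity window and the list of time-limited credential types are constructed assumptions.

```python
"""Credential database reconciliation against HR and vendor records.

Added example, not the article's own procedure or any vendor's tool. The record
layouts, identifiers and dates below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TIME_LIMITED_TYPES = {"temp", "contractor", "vendor", "student", "intern"}
STALE_AFTER = timedelta(days=30)      # "no recent access history (30+ days)"


@dataclass(frozen=True)
class Credential:
    credential_id: str
    holder_id: str            # HR employee id or vendor id (assumed join key)
    cred_type: str            # employee, temp, contractor, vendor, student, intern
    status: str               # active / inactive in the access control platform
    expires: Optional[date]
    last_use: Optional[date]


# Constructed HR roster and vendor contract status (assumed export formats).
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
VENDOR_CONTRACTS = {"V200": True, "V201": False}      # True = contract/PO active

# Constructed access control export as of the audit date.
AUDIT_DATE = date(2024, 3, 4)
CREDENTIALS = [
    Credential("1001", "E100", "employee", "active", None, date(2024, 3, 1)),
    Credential("1002", "E101", "employee", "active", None, date(2024, 1, 10)),
    Credential("1003", "E102", "employee", "active", None, date(2024, 3, 3)),
    Credential("1005", "E102", "employee", "active", None, None),
    Credential("1006", "E101", "employee", "inactive", None, date(2023, 12, 1)),
    Credential("2001", "V200", "vendor", "active", date(2024, 6, 30), date(2024, 2, 28)),
    Credential("2002", "V201", "vendor", "active", None, date(2024, 2, 20)),
    Credential("3001", "E999", "temp", "active", None, date(2024, 3, 2)),
]


def reconcile(credentials, hr_roster, vendor_contracts, audit_date):
    """Return (finding, subject, detail) tuples for active credentials only."""
    findings = []
    by_holder = defaultdict(list)
    for c in credentials:
        if c.status != "active":
            continue                      # already deactivated; nothing to remediate
        by_holder[c.holder_id].append(c.credential_id)

        # HR / vendor cross-reference: every active credential needs a live record.
        if c.cred_type == "vendor":
            if not vendor_contracts.get(c.holder_id, False):
                findings.append(("vendor-without-active-contract", c.credential_id, c.holder_id))
        elif c.holder_id not in hr_roster:
            findings.append(("orphaned-credential", c.credential_id, c.holder_id))
        elif hr_roster[c.holder_id] != "active":
            findings.append(("terminated-holder-still-active", c.credential_id, c.holder_id))

        # Phantom credentials: never used, or not used inside the window.
        if c.last_use is None or audit_date - c.last_use >= STALE_AFTER:
            findings.append(("no-recent-use", c.credential_id,
                             "never used" if c.last_use is None else f"last use {c.last_use}"))

        # Expiration date audit for credential types that should be time-limited.
        if c.cred_type in TIME_LIMITED_TYPES and c.expires is None:
            findings.append(("missing-expiration", c.credential_id, c.cred_type))

    # Duplicate credentials: more than one active credential for the same holder.
    for holder, ids in by_holder.items():
        if len(ids) > 1:
            findings.append(("duplicate-credentials", holder, sorted(ids)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in reconcile(CREDENTIALS, HR_ROSTER, VENDOR_CONTRACTS, AUDIT_DATE):
        print(f"{kind:32} {subject:8} {detail}")
```

The constructed export produces eight findings across all six checks, including a terminated employee's badge that is also stale, a duplicate pair for one active employee, and two time-limited credentials issued without an expiration date. The already-inactive credential is skipped; deactivated records are evidence that the process worked, not findings. Note that the same holder identifier has to exist in both the HR export and the access control export for the join to be meaningful, which in practice is the first thing an HR-to-access control integration has to establish.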

Physical Door Hardware Inspection

Physical inspection requires walking every controlled access point in the facility—a time-consuming but essential process. An organized approach using a floor plan marked with all controlled access points ensures complete coverage.

Door Hardware Testing Protocol

For each controlled access door:

  1. Verify the door is secure in the closed position without credential presentation
  2. Present an invalid credential and verify the door does not release
  3. Present a valid credential and verify the door releases appropriately
  4. Verify the door re-secures after closing (automatic closer or re-locking)
  5. Document the hardware condition, reader model, and any deficiencies observed

Common Physical Deficiencies Found in Healthcare Audits

  • Door closers that have lost tension, allowing doors to remain ajar
  • Magnetic lock hardware that has weakened and no longer holds rated force
  • Card readers with loose mounting or visible tamper indicators
  • Request-to-exit devices (REX) that have been disabled or bypassed, allowing the door to be opened from the secured side without credential
  • Door frames with gaps or alignment problems that allow bypass of the locking mechanism

Documenting Audit Findings and Remediation

Audit findings should be documented in a format that supports remediation tracking and provides a compliance record for Joint Commission or CMS review. A useful audit documentation format includes:

  • Finding description (what was found)
  • Location (building, floor, door identifier)
  • Risk classification (critical, high, medium, low)
  • Recommended remediation
  • Responsible party for remediation
  • Target completion date
  • Actual completion date and verification

Critical findings (active credentials for terminated employees in high-security areas, propped emergency exit doors, bypassed locks on medication storage) should have immediate remediation requirements with same-day or next-business-day target dates.

Joint Commission Relevance

Access control audits support compliance with multiple Joint Commission Environment of Care standards:

EC.02.01.01 (Campus security and safety) requires that healthcare organizations take action to address security risks. A documented access control audit with remediation tracking demonstrates active security risk management.

EC.02.01.02 (Controlling access to sensitive areas) requires that organizations control access to areas where infants, children, and vulnerable patients are housed. An audit that specifically verifies access restrictions to these areas provides documentation of compliance.

MM.01.01.03 (Medication security) requires controlled access to medication storage areas. An access control audit that verifies appropriate credential restrictions on pharmacy and medication storage access provides compliance documentation.

Audit Frequency Recommendations

Healthcare facility security programs should conduct:

  • Annual comprehensive audit covering all four audit domains
  • Quarterly credential database review to catch terminated employee credentials that accumulate between full audits
  • Triggered audits following significant events: workforce reductions, construction projects that affect access points, security incidents

Some organizations conduct continuous automated credential hygiene monitoring through HR-to-access control integration that automatically deactivates credentials when employment terminates. Even with automated deactivation, annual physical door hardware inspection and access permission policy review remain necessary.

Frequently Asked Questions

How long does a comprehensive access control audit take for a mid-size hospital?

A mid-size community hospital (200–400 beds, 2–4 buildings) typically requires 3–5 business days for a comprehensive audit covering physical hardware inspection, credential database review, and access event log analysis. Larger academic medical centers with campus-wide access control may require 2–3 weeks. Many organizations engage external security consultants for the physical inspection component to ensure objectivity.

What’s the most common access control vulnerability found in healthcare facility audits?

Terminated employee credentials that remain active in the access control system are the most consistently found vulnerability in healthcare access control audits. This is particularly common in organizations without automated HR-to-access control integration, where credential deactivation requires manual action by security staff after HR processing.

How should healthcare facilities handle access control audit findings that involve clinical department workarounds?

When audits discover that clinical departments have implemented workarounds—propped doors, shared credentials, bypassed locks—the remediation process must address both the security finding and the operational problem that the workaround was solving. Simply closing the workaround without addressing the underlying access management friction typically results in the workaround reappearing. Engage the relevant department managers in developing an access solution that meets both security requirements and operational needs.

Can access control audit data be used in Joint Commission survey responses?

Yes. Documented audit findings and remediation records are valuable evidence during Joint Commission surveys to demonstrate proactive security risk management. Survey readiness preparation should include organizing recent audit documentation with remediation tracking that shows how identified issues were resolved.