A physical security assessment is a systematic examination of a healthcare facility’s security vulnerabilities — identifying gaps between the current state and a defined security standard, then prioritizing remediation based on risk. For facility directors and security managers, periodic assessments are an operational management tool, not just a compliance exercise.

The Joint Commission’s EC.02.01.01 (Security Management) requires hospitals to conduct a security risk assessment and develop a security management plan based on identified risks. Most hospitals satisfy this requirement with an annual assessment — often conducted internally, sometimes by external consultants. The quality of that assessment determines whether the security management plan reflects actual risk or simply documents the status quo.

Assessment Methodology

A comprehensive physical security assessment covers multiple evaluation domains:

Site perimeter and access points — Evaluate all points where people and vehicles can enter the campus. Are all access points controlled? Are there informal paths (through parking areas, landscaping gaps) that allow uncontrolled entry? Is perimeter lighting adequate? Are building approaches visible from security monitoring locations?

Building envelope — Examine all building entry points for compliance with access control policy. Are there propped doors, disabled access readers, or entrance doors that should be secured but are not? Are loading dock and service entrance controls adequate for the level of traffic they receive?

Internal zone access — Walk through all clinical and support areas, testing access control points. Are restricted zone credentials actually limited to appropriate staff? Are there areas where access control has been defeated or bypassed by operational workarounds (propped doors, shared codes)?

Visitor and vendor management — Assess the implementation of visitor management protocols. Are visitors being checked in and badged? Are vendor credentials being verified? Are visitors in clinical areas identifiable as visitors?

High-security areas — Assess pharmacy, controlled substance storage, server rooms, and other high-security zones with heightened scrutiny. Are dual-factor authentication requirements (for example, card plus PIN) actually enforced at the reader, not just written into policy? Are access logs being reviewed, and is the list of credentials with access to each zone reconciled against the current staff roster?

Environmental vulnerabilities — Identify physical design features that create security risk: blind spots in corridors, poor sightlines from nursing stations, inadequate lighting in stairwells, furniture configurations that impede staff visibility into public areas.

Security technology status — Verify that all security cameras are operational and recording. Test alarm activation at access control points. Verify that duress alarm systems are functional and staff know how to use them.

Common Vulnerability Findings in Healthcare Facilities

Physical security assessments in hospitals consistently identify certain recurring vulnerabilities:

Tailgating at secured entrances — Staff credentials allow entry at secured doors; non-credentialed individuals follow immediately behind. This is the most common access control vulnerability in healthcare. Solutions include vestibule/mantrap designs, anti-tailgating video analytics, and cultural training that makes challenging tailgaters an expectation.

Propped doors — Secured doors propped open for convenience eliminate the security value of the access control system at that location. Door-held-open alarms and a no-propping culture, enforced consistently, address this.

Contractor access without supervision — Contractors working in clinical areas without escort or check-in, sometimes with credentials that are broader than necessary for the work they are performing.

Inadequate camera coverage — Gaps in surveillance coverage at key access points, stairwells, or parking areas where incidents have occurred or are likely.

Pharmacy access control gaps — Expired credentials retaining pharmacy access, shared PIN codes, or door-held-open conditions in pharmacy areas.

Visitor management inconsistency — Visitor management protocols applied rigorously at main entrances but not at secondary entrances that the public uses.
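The pharmacy access control gaps above (expired credentials retaining access, readers that keep granting entry past a badge's expiry) are found by reconciling the access-control system's credential export against its event log rather than by walking the door. The script below is an added example, not code from the original page or from any access-control vendor; the column names, the event name access_granted, the door prefix PHARM and all of the sample rows are constructed assumptions that would be mapped to a real export.

```python
"""Added example: reconcile a badge export against pharmacy access events.

Constructed sample data, not from any real facility. Column names, event
names and door IDs are assumptions; map them to your access-control export.
"""
import csv
import io
from datetime import date, datetime

CREDENTIALS_CSV = """badge_id,holder,status,expires,pharmacy_access
1001,A. Rivera,active,2025-12-31,yes
1002,B. Chen,terminated,2025-12-31,yes
1003,C. Okafor,active,2024-06-30,yes
1004,D. Patel,active,2025-12-31,no
1005,E. Novak,active,2024-01-15,no
"""

EVENTS_CSV = """timestamp,door,event,badge_id
2024-09-03T08:12:00,PHARM-MAIN,access_granted,1001
2024-09-03T08:40:00,PHARM-MAIN,access_granted,1003
2024-09-05T22:10:00,PHARM-MAIN,access_denied,1005
2024-10-20T09:30:00,PHARM-MAIN,access_granted,1002
2024-10-22T07:45:00,PHARM-MAIN,access_granted,1999
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_pharmacy_credentials(creds, as_of):
    """Badges that still carry pharmacy access but should not.

    Two conditions from the finding: the credential is past its expiry date,
    or its holder is no longer active in the export (e.g. terminated).
    """
    stale = []
    for c in creds:
        if c["pharmacy_access"] != "yes":
            continue
        expires = date.fromisoformat(c["expires"])
        if c["status"] != "active":
            stale.append((c["badge_id"], f"holder status {c['status']}"))
        elif expires < as_of:
            stale.append((c["badge_id"], f"expired {expires.isoformat()}"))
    return sorted(stale)


def suspicious_grants(events, creds, door_prefix="PHARM"):
    """access_granted events at pharmacy doors that the export cannot justify.

    A grant after the badge's expiry means the reader is not enforcing the
    expiry in the export (or the export is wrong). The export is a snapshot,
    so a grant to a holder who is terminated *now* only proves a problem if
    it happened after the termination date, which HR has to supply.
    """
    by_id = {c["badge_id"]: c for c in creds}
    hits = []
    for e in events:
        if e["event"] != "access_granted" or not e["door"].startswith(door_prefix):
            continue
        cred = by_id.get(e["badge_id"])
        if cred is None:
            hits.append((e["timestamp"], e["badge_id"], "badge not in export"))
            continue
        when = datetime.fromisoformat(e["timestamp"]).date()
        if when > date.fromisoformat(cred["expires"]):
            hits.append((e["timestamp"], e["badge_id"], "granted after expiry"))
        elif cred["status"] != "active":
            hits.append((e["timestamp"], e["badge_id"],
                         f"holder now {cred['status']}; confirm termination date with HR"))
    return hits


def review(as_of=date(2024, 11, 1)):
    """Run both checks and return the findings for the report."""
    creds, events = load(CREDENTIALS_CSV), load(EVENTS_CSV)
    return {
        "stale": stale_pharmacy_credentials(creds, as_of),
        "suspicious_grants": suspicious_grants(events, creds),
    }


if __name__ == "__main__":
    for section, rows in review().items():
        print(section)
        for row in rows:
            print("  ", *row)
```

Each hit maps to a finding in the form the FAQ asks for: badge, door, date, and what was wrong. The 'badge not in export' case is worth keeping; a reader that grants entry to an ID the management system does not know about is a sign of a stale reader database or a locally programmed credential.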

Prioritizing Remediation

Not all assessment findings require immediate action. A risk-based prioritization framework evaluates each finding on two dimensions:

Severity of potential harm — If this vulnerability is exploited, how bad could the outcome be? Patient safety impact (infant abduction, assault of a patient), controlled substance access, and data breach risk represent the highest severity. Inconvenience, minor policy violation, and property access are lower severity.

Probability of exploitation — How likely is this vulnerability to be exploited in your specific environment? A vulnerability in an area with very low traffic and a low historical incident rate may warrant lower priority than the same vulnerability in a high-traffic, historically active area.

Findings that score high on both dimensions require immediate remediation regardless of cost. Findings that score high on severity but low on probability should be addressed in the next planning cycle. Findings that are low severity or very low probability may be accepted, monitored, and addressed as budget allows.

Staffing Crisis and Security Assessment Timing (2022)

The healthcare staffing crisis has complicated security assessment follow-through. Security findings that require staff training, enhanced visitor management protocols, or increased security patrol presence are difficult to implement when security department staffing is itself challenged by vacancies and high turnover.

Some facilities have used the staffing crisis as a reason to invest in technology-based security solutions — visitor management kiosks, automated access control, video analytics — that reduce the staffing demand of security functions while maintaining or improving performance.

Ongoing Security Program Management

A periodic assessment is a snapshot. Effective security management is continuous. Elements of an ongoing program:

Monthly security rounds by security leadership specifically checking vulnerability points identified in assessments — are propped doors being corrected? Are visitor badging protocols being followed?

Quarterly security metrics review — Incident frequency by type and location, access control alarm frequency, visitor management compliance rates. Trends in these metrics predict emerging vulnerabilities before they become incidents.

Annual formal reassessment — Using the same methodology as the initial assessment allows direct year-over-year comparison of the vulnerability profile. Formal documentation of improvement and remaining gaps supports the security management plan.

Post-incident review — Every security incident should be reviewed against the physical security program to determine whether a security gap contributed to the incident and whether assessment or protocol modification is warranted.
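The quarterly metrics review above, and the propped-door finding earlier on the page, both come down to counting access-control alarms per location per month and looking for a trend. The script below is an added example, not code from the original page or from any access-control vendor; the event name door_held_open, the column layout and every sample row are constructed assumptions. It fills in months with zero alarms before testing for a rise, because a door whose alarms simply stop appearing in the export would otherwise look like a flat series rather than a drop.

```python
"""Added example: monthly door-held-open counts per door, flagging rising trends.

Constructed sample events, not from any real facility. The event name
'door_held_open' and the column layout are assumptions.
"""
import csv
import io
from collections import defaultdict

EVENTS_CSV = """timestamp,door,event
2024-08-07T14:02:00,DOCK-S-B,door_held_open
2024-09-04T14:02:00,DOCK-S-B,door_held_open
2024-09-11T14:05:00,DOCK-S-B,door_held_open
2024-10-02T13:58:00,DOCK-S-B,door_held_open
2024-10-09T14:01:00,DOCK-S-B,door_held_open
2024-10-16T14:03:00,DOCK-S-B,door_held_open
2024-08-15T03:15:00,STAIR-2N,door_held_open
2024-09-20T03:10:00,STAIR-2N,door_held_open
2024-10-21T03:15:00,STAIR-2N,door_held_open
2024-10-21T03:20:00,STAIR-2N,access_granted
2024-09-01T10:00:00,PHARM-MAIN,door_held_open
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def held_open_by_door_month(events, event_name="door_held_open"):
    """Return {door: {YYYY-MM: count}} with every month in the export present.

    Months are taken from all events, not just the alarm type, so a month in
    which a door raised no alarms shows as 0 instead of disappearing.
    """
    months = sorted({e["timestamp"][:7] for e in events})
    counts = defaultdict(lambda: {m: 0 for m in months})
    for e in events:
        if e["event"] == event_name:
            counts[e["door"]][e["timestamp"][:7]] += 1
    return dict(counts)


def rising_doors(counts):
    """Doors whose monthly count never fell and ended higher than it started.

    This is the pattern the quarterly review is looking for: a control being
    worked around more over time, which predicts the next incident at that door.
    """
    rising = []
    for door, by_month in counts.items():
        series = [by_month[m] for m in sorted(by_month)]
        if len(series) < 2:
            continue
        never_fell = all(b >= a for a, b in zip(series, series[1:]))
        if never_fell and series[-1] > series[0]:
            rising.append((door, series))
    return sorted(rising)


if __name__ == "__main__":
    counts = held_open_by_door_month(load(EVENTS_CSV))
    for door, by_month in sorted(counts.items()):
        print(door, by_month)
    print("rising:", rising_doors(counts))
```

In the sample, the south loading dock is the only door flagged (1, 2, 3 alarms across three months); the stairwell is flat and the pharmacy door spiked once and dropped back, which is a one-off to check rather than a trend. The same cadence (same hour, same weekday) visible in the dock timestamps is itself a finding: it points at a delivery routine, not a random fault.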

Frequently Asked Questions

Should we conduct physical security assessments internally or with an external consultant? Both have value. Internal assessments leverage institutional knowledge and operational context; external assessments bring objectivity, benchmark data from comparable facilities, and independence that may surface issues that internal assessors are reluctant to document. Many facilities use a combination: annual internal assessment with an external consultant assessment every 2–3 years.

What credentials should we look for in an external security consultant for healthcare? Healthcare-specific experience (not just commercial security). Familiarity with Joint Commission security management standards. CPP (Certified Protection Professional) or CHPA (Certified Healthcare Protection Administrator from IAHSS) credentials. References from comparable healthcare facilities. Membership in IAHSS (International Association for Healthcare Security and Safety).

How detailed should the security assessment report be? Detailed enough that a person unfamiliar with the finding can understand it, understand the risk, and understand what remediation is required. Vague findings (“access control is inconsistent”) are not actionable. Specific findings (“The loading dock on the south side of Building B has a card reader that has not functioned since November; the door is being propped open during delivery hours, allowing uncontrolled access to the service corridor that connects to the pharmacy”) are actionable and documentable.

Are security assessment reports discoverable in litigation? Potentially. Security assessment reports that identify vulnerabilities that are then not remediated can be used to establish negligence in litigation following a security incident. Some facilities have their attorney review the assessment report before final distribution to ensure appropriate privilege protection. Consult your legal counsel on the best practice for your jurisdiction.