Here's a link to a site that has numerous documents of interest - scroll down to the Security section in particular, although there a bunch of other things that might be useful in the HICS section and the Planning Guides section among others, so I'd really scrutinize the entire list very carefully:

Healthcare Emergency & Security Resource Library

The Security Survey Tool from the New Jersey Hospital Association is a very large PDF file - it's about 8 MB and takes awhile to download, so be patient. I believe Appendices are what you want, and they're listed separately, but I'd pick up the whole Tool since it's available. What's good about the survey is that it's based on the "Environment of Care" standards for JCAHO accreditation. This not only gives it great credibility, but also suggests that someone at your facility might have performed a similar survey for a previous Joint Commission inspection. I'd ask around about that.

While you're there, you might pick up Hospital Security and Force Protection: A Guide to Ensuring Patient and Employee Security - also a PDF file (136 pp.) but pretty quick download.

Anyway - I'd really spend some time in this "reading room" - lots of great stuff to use for your own self-training.

Here's another resource: Environment of Care Checklist - as noted above, the EC is the standard for compliance you're interested in with regard to JCAHO compliance. Even if the EC isn't what you're directly interested in for this particular survey, there's no point in doing a survey that doesn't reference some standard, and the EC is "the" standard where hospitals are concerned with respect to security.

...and another EC checklist - this one's a Word document.

Here's a list of Interview Questions to ask during your security survey. Again, these are tied to the Environment of Care standards.

On the commercial side, there's a product that ain't cheap at $129, but it might make a very good investment in your career because of the impression you'd create by using it. Here's the Environment of Care Survey and Report.

Good luck!

Try the Security Toolkit on the ASIS site. I like the Risk Assessment Guidline (pdf), for example. There's lots of good stuff all over that website, actually, and most of it is free.

That is indeed a good resource, but unfortunately it's too generic to be useful for healthcare facilities except in a very general way. Healthcare facilities have a jillion special risk issues (e.g. infant kidnapping, theft of nuclear materials, drug redirection, etc.), special regulations, special role in the EM community, etc. and I'd strongly recommend using assessment tools specifically designed for them and which are specifically aimed at meeting the Environment of Care JCAHO standards.

True, but you've got to crawl before you can run. I don't know how familiar HospitalOfc. is with corporate speak, but if you are already comfortable talking with the zombie bean-counters that will approve your budget, skip the ASIS site and go right with the Iroquois one, which I've bookmarked.

I hope you understand that I was in no way "dissing" your reference. As I said, it's very good for general purposes, and I've used it myself, in fact.

For hospitals (and you might find this useful yourself if you should have healthcare clients or consultants for healthcare), the survey has to blend the "general" risk assessment items (that your source so admirably covers) with many other elements that are covered by the "Environment of Care" standard, or else it's not going to be accepted by hospital leadership as addressing their needs.

My assumption, since this individual specifically states that he has been tasked with developing what he calls a "comprehensive security assessment and inspection program", is that he needs to cover all the bases and I also have to assume that he is considered to be capable of doing so by his superiors, or else they are very misguided in giving him the assignment.

Unfortunately, we haven't heard back from him, and now it's just you and me talking about this, so all of our assumptions might be wrong!

I just finished a risk assessment on our parking structures. Everything from lighting style to traffic flow and proper signage etc....time consuming to say the least.

I recently applied for another position as the NRM for a medical facility (sick of retail BS again) which has a far better remuneration, closer to home and is just 50 hours a week. At the interview, I was unable to display any current RA's due to confidentiality but produced me RM thesis from college from last semester. They admitted they had never seen a completed RM assessment and when I tabled both 200 page volumes, for the RM strategy they were curious to know more of the contents.

I think Green Peace really hates me for the size of the documents but my current employers RA consists of some 4 x volumes of 200 pages each. As a result our insurance costs have dropped by 9.5% nationally (over $3 million US savings) not to mention other benefits as a result of the 12 month program.

Sorry I hadn’t been back in a couple of days, but I had a couple of things come up that had to be dealt with and haven't had much free time. Thanks to all who have chimed in to give a hand.

Cameraman, ASIS is a great resource and their publications are always a great first place to look, I have also attended several of their seminars and found them extremely informative and would recommend them to anyone whose organization is able to budget for them.

SecTrainer, thanks for the great links. I had found a couple of the documents before, but I don’t know how I had missed the Iroquois site. Captain Blackwell’s thesis is also very interesting, I had seen parts of it before, but am grateful for the link to the entire document. You also make some very good points about the necessity of tying the assessment to environment of care standards.

All that being said; I’m afraid that I still haven’t been able to find a checklist that is comprehensive enough for the scope of my project. With 39 facilities including a regional trauma center, shipping and warehousing facilities, small family practice clinics, large medical office buildings, inpatient psychiatric units, and retail pharmacies spread across 23 communities in three states it is a bit of a daunting task. I was hoping to find something that I could use to base my assessment on that would cover every aspect of the organizations security policy, except for IT security which for now is a separate animal here, but I have come to the realization that for a tool to cover everything I need it to I will have to invest the time to do it myself.

The scope of this project screams committee.

Let me make this clear - up front. Hospital security is not within my field of practice. But Nathan is right. With the scope of the work required here and the fact that you are looking for a 'security asessment' tool shows that you are not qualified to make they type of assessment needed to protect your employer from litigation. Now, I didn't make this statement to upset or belittle you in any way, but let's say something bad happens at one of your facilities (and you know sooner or later it's going to happen). In court you show the security assessment you did as evidence that you and your employer did all they could to protect your invited partons and employees.

This screams of negligence and big jury award. "With 39 facilities including a regional trauma center, shipping and warehousing facilities, small family practice clinics, large medical office buildings, inpatient psychiatric units, and retail pharmacies spread across 23 communities in three states" you need to hire a professional whose field of expertise matches your needs.

Once again, anything I wrote here is not meant to degrade or belittle you or your abilities - just some free common sense advice.

If you're interested in talking with qualified consultants - contact me and I'll give you the names of several. Some may even be in your back yard.

No offense taken, I agree whole heartedly that this project is pushing my comfort zone and would be better left to an outside expert. Unfortunately we told our administration that this is something that needed to be done to meet regulatory requirements and were told “Do it” but given a budget of $0, and it is hard to find an expert who will work for that. We did find one “consultant,” who is employed by the company that does our systems integration, who did assessments of two of our facilities for free simply because we give his company close to $750,000 worth of business yearly, but what he completed did not live up to expectations. So, as it stands I need to put together a program and have been using every resource I can get my hands on make it the best that it can be.

And when it's done, you can come back here and link to it, so we can share it with other security profesionals.

If I may make a suggestion as to the make-up of the commitee which surely will need to be formed to deal with something of this scope (deep breath)- make sure you have a representative of IT on your commitee. Security and IT should be working as closely together as possible. Leaving aside the fact that more and more security systems are 'intelligent' and work with and on the network. Access control systems doing data logging, for example, IP cameras, etc.

The benifit to you, Mr. Security Dude Struggling to Get The Budget You Need To Do Your Job, is you can sell the bean counters on 'integrated' systems easier than you can sell them on dumb systems, even though the dumb systems are significantly cheaper. It just takes a little salesmanship and a little creativity to point out how much easier it would be if the in-house IT people added the security stuff to the existing IT infrastructure rather than having an outside contractor responcible for maintaining a totally seperate sytem. Use phrases like "total cost of ownership" and "price point" and 'integration' and 'convergence'.

Just a thought.

Shame on them!

HospitalOfc, Curtis has given you very sound advice. Your CEO must form a "Hospital Security Committee" and its membership must include all disciplines that keep the hospital functioning. Participation is not on a voluntary basis, it must be mandatory. If the CEO and board of directors do not understand liability, as Curtis stated, "SHAME ON THEM."
The federal government will receive all inspection reports from the joint commission and action will be taken against management. If discrepancies found are adjudged to be egregious, criminal sanctions will be forthcoming. I hope those "block heads" understand that.
The guide I sent you contains the basics for establishing a security program along with the beginnings of a security committee. If your leadership is either unable or unwilling to back a viable security committee, I'd suggest to seek employment elsewhere because they are setting you up for a fall!
Curtis, this young man would be safer in a insurgent ambush than where he is now.
Now that my blood is up; enjoy the day,
Bill