How to Conduct a Risk Assessment at a Healthcare Facility

Physical security concerns are an integral issue for healthcare facilities. These vital organizations are open to the public and serve vulnerable populations. A physical or cybersecurity attack could be devastating to the facility, its personnel, patients and the community. Conducting a risk assessment can significantly mitigate the vulnerabilities of a healthcare facility to ensure a safe environment for everyone.

Let's understand how to protect critical infrastructure, the three phases of a successful risk assessment, and the solutions to protect every area of a hospital from the parking lot to a surgical room.


Risk Assessments Aren’t Just Prudent, They’re Federally Mandated

The Department of Homeland Security (DHS) considers healthcare and the public sector to be critical infrastructure. Critical infrastructure can be defined as an industry whose services are so vital that their incapacity or destruction would have a debilitating impact on the defense, social and/or economic stability and security of the United States. Therefore, the essential public services and functions of the industry require additional resources and attention concerning its security posture, facility by facility.

Presidential Decision Directive (PDD 63) of 1998 directed that the appropriate authorities identify and protect American Critical Infrastructure:

Based upon the vulnerability assessment, there shall be a recommended remedial plan. The plan shall identify timelines for implementation, responsibilities, and funding.

PDD 63 has since been replaced by the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). The RMF process provides extensive detail on the products and controls a team can implement for mitigation.

A risk assessment is not only prudent – it’s mandated by the federal government for all 16 DHS critical infrastructure sectors. Don’t think that cybersecurity standards and directives are limited to data. The mandates distinctly recognize the need for physical security and protection of America’s critical assets. For the time being, the FBI classifies physical security protection under the cybersecurity label.

Steps to Conducting a Security Assessment

A security assessment for a healthcare facility starts with defining objectives. These can be basic action statements such as “maintain operations,” “continuity of operations,” “critical asset protection,” and “customer and staff safety.” Keep in mind that your objectives should account for any disruption to the outlined functions that could result in significant or total destruction of the healthcare facility.

Each objective has multiple functions that need to be assessed for risk and vulnerabilities. Under the RMF directive these functions are, for the most part, fixed. A physical critical infrastructure plan must follow these functions:

1. Identify the risks
2. Protect the assets and services
3. Detect what is happening, when it is happening, and where it is happening
4. Respond with the appropriate level of resources
5. Recover from the event to keep the essential services operational (Continuity of Operations Plan or COOP) for the public good


The 3 Phases of a Successful Security Assessment

1. Define the objectives and what you need to protect

For example, if the objective is “personnel safety,” you would need to collaborate with the security team. Identify the personnel in the building and where they would congregate outside on the property, for example, smoking areas and meditation gardens. Defining objectives can be overlooked or blended into other phases. It’s imperative that security teams and management work together to clearly identify objectives.

2. Identify the threats, vulnerabilities, and risks

Threats are defined here as events, natural or man-made, that would significantly reduce or destroy the functionality of a healthcare facility. Vulnerabilities cover where and what would be attacked and how to prevent it. Risks describe what an attack would do to operations and what level of likelihood is acceptable, scaled and measured.

In this step, managers and security teams identify the types of dangers to personnel. Their likelihood should be listed and given a “rating” as to the probability of occurrence. The rating system is completely up to the security team, but it must be logical and scaled.

The DHS lists the following as the most likely threats to a healthcare facility: active shooters, disgruntled or violent persons, bomb detonation, arson, criminal violence, proximity to neighborhood violence, and danger-close proximity of the hospital to other High Value Targets (HVT) such as military bases, power stations, and government buildings.

3. Apply and integrate risk mitigation

At this point in the process, careful resource-allocation analysis is required. Use the “rating” designators from the previous step to compare one event’s likelihood and impact against another’s. The team should multiply each event’s single-loss expectancy (SLE) by its annual rate of occurrence (ARO) to compute an annualized loss expectancy (ALE). Once the security team agrees on the prioritization, it’s time to decide on the types of solutions to implement at your facility.
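As an added illustration that is not part of the original article, the Python below builds a constructed risk register from the DHS threat list above, derives the ordinal likelihood and impact “ratings” described in phase 2, computes ALE = SLE × ARO for phase 3, and ranks the threats. The dollar figures, frequencies, and rating cut-offs are invented assumptions, not real hospital data.

```python
from dataclasses import dataclass
from typing import List

# Constructed risk register for a hypothetical hospital. Threat names come from
# the DHS list in the article; dollar and frequency estimates are invented for
# illustration and are NOT real figures.
@dataclass(frozen=True)
class Risk:
    threat: str
    sle: float   # single-loss expectancy: cost in dollars of one occurrence
    aro: float   # annual rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (the article's formula)."""
        return self.sle * self.aro

def likelihood_rating(aro: float) -> int:
    """Map ARO onto a 1-5 likelihood rating (assumed cut-offs 0.02, 0.1, 0.5, 1.0)."""
    return 1 + sum(aro >= t for t in (0.02, 0.1, 0.5, 1.0))

def impact_rating(sle: float) -> int:
    """Map SLE onto a 1-5 impact rating (assumed dollar thresholds)."""
    return 1 + sum(sle >= t for t in (10_000, 100_000, 1_000_000, 10_000_000))

def risk_score(risk: Risk) -> int:
    """Qualitative matrix score: likelihood rating x impact rating (max 25)."""
    return likelihood_rating(risk.aro) * impact_rating(risk.sle)

def rank_register(register: List[Risk]) -> List[Risk]:
    """Order threats by ALE, breaking ties with the qualitative score."""
    return sorted(register, key=lambda r: (r.ale, risk_score(r)), reverse=True)

def total_ale(register: List[Risk]) -> float:
    return sum(r.ale for r in register)

REGISTER = [
    Risk("active shooter", sle=5_000_000, aro=0.02),
    Risk("disgruntled or violent person", sle=50_000, aro=4.0),
    Risk("bomb detonation", sle=20_000_000, aro=0.001),
    Risk("arson", sle=2_000_000, aro=0.04),
    Risk("neighborhood violence (parking lot)", sle=20_000, aro=2.0),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.threat:36} ALE=${r.ale:>12,.0f}  score={risk_score(r):>2}")
```

Note that the bomb threat ranks last by ALE despite carrying the highest impact rating, which is why the qualitative score is kept alongside ALE rather than replaced by it.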

Mitigation and Solutions

From parking lots and waiting areas to surgical rooms, electrical rooms, and pharmacies, healthcare facilities have dozens of critical areas that must be properly protected. Working closely with security integrators and other experts can provide security solutions for each of these unique locations. Learn about the types of security solutions available to determine what would best protect your facility.

Some solutions that benefit healthcare facilities include:

  • Many types of surveillance cameras are available for indoor or outdoor use in all types of applications, ranging from patient care areas to parking lots, to meet specific security objectives.
  • Barriers and bollards can be carefully deployed to slow or restrict access to unauthorized areas or channel traffic in a certain direction.
  • LED and intelligent lighting systems offer technological advances over many current lighting networks.
  • Perimeter detection systems can be deployed around properties, including the use of sensitized cabling running along fences to identify and report any sort of grabbing, cutting, climbing or lifting.
  • Sensors on ingress/egress points, such as doors, windows and even manholes, can instantly notify personnel when opened or closed.
  • Access control systems utilizing badging or various types of authentication techniques help prevent unauthorized access to critical areas such as electrical rooms, water and sewage areas, gas/oil storage areas, pharmacies or surgical rooms. Depending on the area, appropriate access control could include smart chip-enabled identification cards for employees, biometric scanners, or remote management systems to allow security personnel to view activity and unlock doors.

Safeguard Your Facility, Patients, and Personnel

Hospitals have many vulnerabilities that must be secured for the safety of personnel and the general public. It’s important for management and security teams to collaborate when conducting a security assessment, defining objectives and possible solutions to protect your facility.

Article originally published May 16, 2017 and updated for accuracy and relevance.

Jason Wolff, RCDD, PMP, Security+
Jason is a senior application engineer who focuses on DoD secure communications, information management, ISP/OSP cable, facility designs and specifications, and our DHS CIP Secure(it) initiative with a focus on energy. He provides direct engineering and sales support to the regional government and government strategic account managers across the spectrum of Wesco solutions.