Societal and Citizen Security - Guidance for managing security in healthcare facilities

The standard will specify requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented security management system in healthcare facilities.

Schutz und Sicherheit der Bürger - Leitfaden für das Sicherungsmanagement in Gesundheitseinrichtungen

Sécurité sociétale du citoyen - Lignes directrices pour gérer la sécurité dans les établissements de santé

Družbena varnost in varnost državljanov - Napotki za upravljanje varnosti v zdravstvenih ustanovah

Ta standard določa zahteve za načrtovanje, vzpostavljanje, uvajanje, upravljanje, nadziranje, pregledovanje, vzdrževanje in neprekinjeno izboljševanje dokumentiranega sistema za upravljanje varnosti.

General Information

Status
Published
Public Enquiry End Date
24-Jun-2015
Publication Date
18-Oct-2015
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
06-Oct-2015
Due Date
11-Dec-2015
Completion Date
19-Oct-2015

Buy Standard

Technical specification
TS CEN/TS 16850:2015
English language
39 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST-TS CEN/TS 16850:2015
01-november-2015
Družbena varnost in varnost državljanov - Napotki za upravljanje varnosti v
zdravstvenih ustanovah
Societal and Citizen Security - Guidance for managing security in healthcare facilities
Schutz und Sicherheit der Bürger - Leitfaden für das Sicherungsmanagement in
Gesundheitseinrichtungen
Sécurité sociétale du citoyen - Lignes directrices pour gérer la sécurité dans les
établissements de santé
Ta slovenski standard je istoveten z: CEN/TS 16850:2015
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
11.020.99 Drugi standardi v zvezi z Other standards related to
zdravstvom na splošno health care in general
13.310 Varstvo pred kriminalom Protection against crime
SIST-TS CEN/TS 16850:2015 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TS CEN/TS 16850:2015

---------------------- Page: 2 ----------------------

SIST-TS CEN/TS 16850:2015


CEN/TS 16850
TECHNICAL SPECIFICATION

SPÉCIFICATION TECHNIQUE

September 2015
TECHNISCHE SPEZIFIKATION
ICS 13.310; 91.040.10; 11.020
English Version

Societal and Citizen Security - Guidance for managing
security in healthcare facilities
Sécurité sociétale du citoyen - Lignes directrices pour Schutz und Sicherheit der Bürger - Leitfaden für das
gérer la sécurité dans les établissements de santé Sicherungsmanagement in Gesundheitseinrichtungen
This Technical Specification (CEN/TS) was approved by CEN on 27 July 2015 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and
United Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2015 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 16850:2015 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 6
2 Terms and definitions . 6
3 General guidance . 6
3.1 Approach . 6
3.2 Context of the HCF security management . 6
3.3 Compliance with national legislation . 7
3.4 Risk management . 7
3.5 Leadership . 8
3.5.1 General . 8
3.5.2 Organization of roles, responsibilities and authority . 8
3.6 Establishment of a security management policy . 9
3.7 Security Management Plan (SMP) . 9
3.8 Interfacing with other management systems . 10
4 Operational guidance . 10
4.1 Organization (General procedures) . 10
4.1.1 Controlled areas . 10
4.1.2 Access control . 10
4.1.3 Secure storage . 12
4.1.4 Facility restricted access (emergency lockdown) . 12
4.1.5 Car park and vehicle control . 13
4.2 People . 13
4.2.1 Staff . 13
4.2.2 Visitors . 18
4.2.3 Patients . 19
4.3 Facilities and technology (infrastructure and access system) . 22
4.3.1 Design and construction . 22
4.3.2 Physical security . 23
4.3.3 Fences and walls . 23
4.3.4 Closed circuit TV (CCTV) . 23
4.3.5 Identity cards . 24
4.3.6 Technologies and alarm systems . 24
4.3.7 Control rooms . 25
4.3.8 Accommodation for patients with protective status or prisoners . 25
4.3.9 Security signage . 25
4.3.10 Alternative entries . 26
4.3.11 Operating (surgery) rooms security . 26
4.3.12 Emergency unit security . 26
4.3.13 Burglar and intruder resistant areas . 27
4.3.14 Personal attack alarms (Panic alarms) . 28
4.3.15 Cash and other monetary processing systems . 28
4.4 Security incident response . 30
4.4.1 General . 30
4.4.2 Criteria . 30
4.4.3 Minimizing possibility of recurrence . 31
4.4.4 Reports and statistics . 31
2

---------------------- Page: 4 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
4.4.5 Incident report . 31
4.4.6 Interfacing with first responders and emergency management . 31
4.4.7 Targeted violence . 32
4.5 Plans for special cases . 33
4.5.1 Child abduction . 33
4.5.2 CBRN incident response . 33
4.5.3 Prisoner patients . 33
4.5.4 Offensive weapons and other dangerous equipment . 33
4.5.5 Active shooter . 34
4.5.6 Drug diversion and security of CBRNE substances . 35
4.5.7 Vehicle and aircraft security . 36
4.5.8 Media . 36
5 Performance evaluation . 37
5.1 General . 37
5.2 Management review . 37
6 Exercise and testing . 37
Bibliography . 39

3

---------------------- Page: 5 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
European foreword
This document (CEN/TS 16850:2015) has been prepared by Technical Committee CEN/TC 391
“Societal and Citizen Security”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
4

---------------------- Page: 6 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
Introduction
Security of healthcare facilities is very important for effective and high quality medical treatment. It is a
very wide area and the primary objective of this Technical Specification (TS) is to provide all
responsible persons, within healthcare facility, with guidelines on how to manage security.
This is not a management system standard. This TS is giving an opportunity to be more specific in
proposed security measures, which leads to better security of healthcare facility staff, patient and other
people, who are visiting such a facility. There is also an important fact that this TS is not a closed project
and we are expecting further development of this document.
Management of security in healthcare facilities is a dynamic process and this TS proposes guidelines,
which help responsible persons have a choice from different techniques for how to improve security.
It is important to emphasize that across the European Union there are several regulatory and legislative
limitations for use of security techniques and technologies, so it is important to take these limitations
into account. Use of the guidelines may vary based on the health care system in each country of the
European Union.
5

---------------------- Page: 7 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
1 Scope
This Technical Specification provides guidance for managing security in healthcare facilities. It covers
the protection of people, critical processes, assets and information against security threats.
This Technical Specification applies to hospitals and places that provide healthcare services, such as -
but not limited to - psychiatric clinics, homes for the elderly and institutions for the handicapped. It also
applies to self-employed practicing healthcare professionals. It does not apply to occupational health
and safety and fire safety.
This Technical Specification is not a management system standard. However it can be applied as part of
a management system, such as with EN ISO 9001.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
controlled area
area which has specific controls to restrict access to authorized persons only
2.2
targeted violence
situation where an individual, individuals or group are identified at risk of violence, usually from
another specific individual such as in cases involving domestic violence
Note 1 to entry: Often, the perpetrator and target are known to each other prior to an incident.
3 General guidance
3.1 Approach
Security management for a healthcare facility (HCF) should:
— be consistent with other policies;
— be documented, implemented and maintained;
— be visibly endorsed by top management;
— provide a framework which enables the specification of security management objectives and
targets;
— be consistent with the organization’s risk management;
— be communicated to all employees, patients and other stakeholders; and
— respect the rights of patients and visitors.
3.2 Context of the HCF security management
The HCF should determine internal and external issues that are relevant to its purpose and that affect
its ability to achieve the intended level of security within the HCF.
The context should be taken into account when establishing, implementing, maintaining and continually
improving the HCF security management (system).
6

---------------------- Page: 8 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
The HCF should identify and document:
— the HCF’s activities, functions, services, products, partnerships, supply chains, resources,
relationships with interested parties, and their relationship with security management; and
— links between the HCF security management system design and the HCF’s other policies, including
its other management strategies and implemented management systems.
3.3 Compliance with national legislation
The HCF should establish and maintain procedure(s) to:
— identify legal, regulatory, and other requirements to which the HCF subscribes related to the HCF
security management;
— determine legal restrictions on certain security procedures based on jurisdiction; and
— determine how these requirements apply to its HCF security management.
The HCF should document this information and keep it up to date.
The HCF should ensure that applicable legal, regulatory and other requirements to which the
organization subscribes are considered in developing, implementing and maintaining its HCF security
management.
NOTE 1 These procedures are in most cases an integral part of management system standards, such as quality
management systems, e.g. EN ISO 9001:2008. In this case, the organization should ensure that specific
requirements for security-related issues, such as requirements for technologies etc. are included.
NOTE 2 The mission of HCF personnel is to provide healthcare and not law enforcement.
3.4 Risk management
Security management is risk management, therefore the security management system should be aligned
with other risk management systems within the HCF. The HCF should establish, implement and
maintain a formal and documented risk assessment process for security risk identification, analysis and
evaluation, in order to:
— identify operational security risks caused by intentional, unintentional and human threats that have
a potential for direct or indirect consequences on the HCF’s objectives, tangible and intangible
assets, and interested parties (threat, vulnerability, and criticality analysis);
— systematically analyse risk likelihood and consequence, and set risk criteria; and
— systematically evaluate and prioritize security risk controls and measures and their related costs.
The HCF should:
— document and keep this information up to date and secure;
— periodically review whether the risk assessment methods are effective for security risk
management;
— re-evaluate risks within the context of changes within the HCF, or made to the HCF’s operating
environment, procedures, functions, services, partnerships, and supply chains;
— evaluate the direct and indirect benefits and costs of options to manage risk and enhance reliability
and security;
7

---------------------- Page: 9 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
— evaluate the actual effectiveness of security risk management measure options;
— ensure that the prioritized risks and impacts are taken into account in establishing, implementing
and operating its HCF security management; and
— evaluate the effectiveness of security risk controls and measures.
NOTE For methods of risk assessment and risk analysis see IEC 31010.
The HCF should establish, implement and maintain a formal and documented communication and
consultation process, consistent with operational security, with all stakeholders in the risk assessment
process to ensure that:
— security risks are adequately identified and communicated;
— interests of other internal and external interested parties are understood;
— dependencies and linkages with subcontractors, third parties providing outsourcing and those
within the supply chain are understood;
— the risk assessment process interfaces well with other management disciplines; and
— risk assessment is being conducted within the appropriate internal and external context and
parameters relevant to the HCF and its interested parties.
The risk assessment should identify activities, operations and processes that need to be managed.
Outputs should include a prioritized risk register identifying measures to mitigate risk and justification
for risk acceptance.
3.5 Leadership
3.5.1 General
Top management should demonstrate leadership and commitment with respect to the HCF security
management by:
— making security management one of the responsibilities of one of the members of top management;
— appointing a responsible person for the healthcare security management with leadership and
technical competence (see 3.5.2);
— supporting relevant management roles to demonstrate their leadership as it applies to their areas
of responsibility (see 3.6);
— ensuring that the resources needed for the HCF security management are available (see 3.6);
— supporting the planning of security measures (see 3.7); and
— directing and supporting persons to contribute to the effectiveness of the HCF security
management (see 4.2.1.6 and 4.2.1.8).
3.5.2 Organization of roles, responsibilities and authority
Top management should ensure that the responsibilities and authorities for relevant roles are assigned
and communicated within the organization.
Top management should ensure that:
8

---------------------- Page: 10 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
— an administrative person, designated by leadership, is charged with primary responsibility for the
security function, e.g. a security manager; and
— provision is made for the professional development of the Security manager.
NOTE Membership in at least one professional security organization and participation in security educational
programs is strongly encouraged.
The security manager:
— should have demonstrated competence in security risk management and knowledge of the
healthcare industry;
— is involved in the planning and building phases of all new facility construction and renovations;
— possesses policy-making authority, and will be in charge of the reviewing and approval process of
the HCF;
— plays a critical leadership role in Healthcare Facilities (HCFs) security management; and
— possesses the authority to immediately and independently address any imminent threat that may
result in serious bodily injury, death, or significant loss of property. This authority should include
standing authorization to deploy and implement timely interim measures.
3.6 Establishment of a security management policy
A security management policy should clearly state the organization's objectives for, and commitment to,
security management, and typically addresses the following:
— the organization's rationale for managing security;
— articulate its objectives related to healthcare facility security;
— links between the organization's objectives and policies and the security management policy;
— accountabilities and responsibilities for managing security;
— the way in which conflicting interests are dealt with;
— commitment to make the necessary resources available to assist those accountable and responsible
for managing security;
— the way in which security management performance will be measured and reported; and
— commitment to review and improve the security management policy and framework periodically
and in response to an event or change in circumstances.
The security management policy should be communicated appropriately.
3.7 Security Management Plan (SMP)
Organizations should develop a Security Management Plan (SMP), based on their risk assessment. The
SMP should include preventive, protective, mitigation, response and recovery measures designed to
provide a safe and secure environment.
The plan should be based on the risk assessment and needs of the HCF.
The SMP should include, but not be limited to:
9

---------------------- Page: 11 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
— a security program mission statement;
— a statement of program authority (e.g. a facility organization chart depicting reporting levels);
— the identification of security sensitive areas;
— an overview of security program duties and activities;
— the documentation system in place (i.e. records & reports);
— a training and exercise program for the security staff and all other staff;
— planned liaison activities with local public safety agencies and other HCFs as appropriate;
— a security organizational chart; and
— a copy of the most recent annual program, evaluation report and plan for improvement.
The SMP should be evaluated periodically, and modified as required. Periodical reviews should be
documented.
3.8 Interfacing with other management systems
Top management and the security managers should ensure that:
— the HCF security management system operates conforming to the requirements of other
implemented management system standards; and
— the performance of the HCF security management is reported to top management.
The HCF should align the security management with other quality, safety and security management
systems, such as Information Security Management System (ISMS).
4 Operational guidance
4.1 Organization (General procedures)
4.1.1 Controlled areas
Based on the risk assessment, certain areas of the HCF are determined to be a controlled areas. A
controlled area may be part or all of a burglar or intruder resistant area. A controlled area should have
means of:
— denying entry to unauthorized persons;
— identifying authorized persons;
— logging entry and - where required - exit of authorized persons; and
— alerting the appropriate authorities in the event of a forced entry or a door opened too long based
on the set down criteria.
4.1.2 Access control
4.1.2.1 General
Access control (entry/exit) - using positive personal identification - is essential for controlled areas. The
methods actually available to control the access are as follows:
10

---------------------- Page: 12 ----------------------

SIST-TS CEN/TS 16850:2015
CEN/TS 16850:2015 (E)
— key lockable door using a key management which is strictly controlled by limiting the number of
authorized users and the means of duplicating the keys;
— visual recognition of authorized people (suitable for access control to small areas which are always
occupied, or areas where entry is supervised by a trusted custodian who knows the occupants of
the area well enough to identify them, or is able to do so with the assistance of a security pass or ID
card);
— mechanical code locks (suitable for access control of small to medium areas which are sometimes
left unoccupied);
— electronic access control systems (suitable for larger areas, including several networked areas,
whether occupied or not, or where a reliable and secure audit of entry and exit is required. Passes
or identity cards authenticate bona fide authorized persons;
The highest level of security is provided by biometric recognition systems using personal
characteristics such as fingerprint, hand geometry or eye retina for recognition. For effective
electronic access control, the quality of locking mechanisms, door closers and other peripheral
equipment shall be commensurate with the quality of the recognition system and level of control
required.
— specific access control systems such as interlocking doors.
NOTE Cards (e.g. identity cards) need to be clearly legible.
For other open areas, consideration should be given to the installation of entry/exit control measures to
ensure that:
— only authorized people have unimpeded entry/exit to the building or area;
— visitors are logged and escorted; and
— valuable or vital assets cannot be removed from the controlled area without proper authority.
4.1.2.2 Level of access control
When designing or implementing access control, the HCF should consider:

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.