First Things First: Maturing Your Physical Security Program Starts with Foundational Governance
Corporate Security Advisors has assessed numerous hospital and healthcare systems’ security programs over the past few years, and several critical trends have emerged. One of the most basic and most common deficiencies is a lack of clear foundational governance.
Quite understandably, hospitals and healthcare organizations have historically not been built with security as a top-of-mind consideration. At many hospitals, long-tenured staff can remember when security was merely a single uniformed officer sitting in the main lobby. However, our hospitals and clinics have become more dangerous over the past decades, and many security programs have grown apace. High-profile incidents, including hospital-based shootings, targeted attacks, and internal security breaches, are no longer unthinkable—they are part of the healthcare risk landscape.
As a result of these emerging trends and the never-ending pace of healthcare operations, security programs have, in most cases, evolved in a reactionary manner without a clear vision or a rational, documented governance framework.
Governance Begins at the Top
Two critical governance cornerstones often missing even in large, high-performing healthcare systems are a codified organizational structure and a charter-type document specifically tailored to the security program.
The organizational structure is critical in identifying the lines of responsibility and authority for the security program. The executive risk-owner (e.g., CEO) should designate, in writing, who “owns” the security function, must ensure that the necessary authority and resources are provided to the responsible party, and must be kept apprised of the security posture of the organization.
In many healthcare organizations, the responsibility for physical security resides too low in the organizational hierarchy, which often results in an immature and under-resourced security program. In the past, Security was often treated as an add-on to other departments, such as Facilities, Safety, or Risk. While this approach may have made sense during simpler times, this legacy, fragmented approach now leaves institutions exposed—not only to physical harm, but to reputational, financial, and legal consequences.
Once the organizational structure is clarified, the responsible parties should draft a charter or overarching policy for the Security function. Such a document should include:
- Security Department’s Mission Statement and Vision
- Roles and Responsibilities and Key Tasks
- Performance Metrics
- Risk Management Processes
- Operational Rhythm
An impactful Mission Statement describes the department’s ‘what and why’ and is truly the foundation of the security program. A typical Security Department Mission Statement clarifies that the Security Department’s role is to implement risk-rational and culturally aligned security controls to protect people, property, assets, interests and brand with the goal of maintaining an environment conducive to providing world-class healthcare.
While that may seem intuitive, it’s important to codify. When asked, it’s not uncommon for security leaders to be unable to clearly articulate their program’s reason for existence. Typical answers include:
“My mission is to deter crime.”
“My mission is to enforce hospital policies.”
“We observe and report to keep people safe.”
While all of those may be true, they do not articulate the true overarching purpose and core-value alignment that are hallmarks of a well-crafted mission statement.
The Roles and Responsibilities/Key Tasks section is a vital part of the charter document, as it clearly defines what the security team is—and is not—accountable for. Healthcare leaders must articulate the boundaries of security’s scope by identifying the functions the team fully owns, those in which they are integrated partners, and those where they provide support. A practical framework for this delineation is: “Owned, Integrated, Supporting.” For example, an organization:
- Owns: Access Control, Executive Protection, Security Technology, Alarm Monitoring
- Integrates: Cybersecurity, Risk Management, High-Risk Patient Operations, Infant Security
- Supports: Investigations, Diversion Prevention, Privacy
The security department charter document should also articulate the Key Performance Metrics for the security program. The charter document doesn’t necessarily need to set the Specific, Measurable, Achievable, Relevant, and Time-bound (S.M.A.R.T.) objectives for metrics, but it should at a minimum lay out the items to be measured. Some security professionals advocate for aligning with the corporate metric scorecard. While that may be an effective technique, we advocate for metrics that align with corporate goals and organizational culture, grouped into four broad categories:
- Security spending
- Security incidents
- Staff/Provider perceptions of security
- Risk Quantification
Risk Management is such a critical function of the security department that it warrants a dedicated section in the charter document. It is arguably at the core of the security team’s mission. This section should outline the methodology used to identify, evaluate, and prioritize the risks the security team is responsible for mitigating. Because these risks evolve over time, the charter should also define a regular review and update process to ensure continued alignment with the organization's risk landscape.
Additionally, the risk management section should detail the security controls that are required, authorized, or prohibited along with the rationale behind these designations. For example, in some jurisdictions such as the U.K., certain types of video surveillance, including audio recording in public areas, may be restricted or outright prohibited under privacy regulations. Lastly, clarify how the security function integrates into the broader Enterprise Risk Management (ERM) program.
Operational Rhythm is a final section that belongs in any departmental charter. The Operational Rhythm would describe when and how often critical security tasks are performed, how often different controls are audited, and when and to whom security reports should be presented.
Conclusion
Having a documented and published security structure and charter is, of course, only the beginning. In addition to these governance “who,” “what,” and “why” cornerstones, the hospital or healthcare system must develop and publish policies, standards, training materials, and job aids that flesh out the details of “how” the security function operates. Firmly establishing a clear governance structure will help avoid the creation or continuation of healthcare security programs that are reactionary, unaligned, and sometimes even counterproductive.
--
Tim Leroux is a security and risk management expert with a distinguished, 30-year track record of leading teams to solve a wide range of problems in all kinds of conditions across multiple industries. A proven leader in healthcare security and risk management, he has extensive experience guiding large organizations through enterprise-wide assessments and safety initiatives. Tim has held senior roles at Sutter Health and Kaiser Permanente, where he helped shape programs that protect patients, staff, and facilities.