AS 4485.2:2021 Security for healthcare facilities Part 2: Procedures guide.
Section 3 Security risk assessment
3.1 Risk management
AS ISO 31000 provides the general framework and processes that should be adapted and applied when developing security risk management for facilities. Insight and guidance on specific security risk management can be gained from HB 167. AS/NZS ISO 45001 should also be applied where appropriate in the development of security risk management.
3.2 Important assets and property
The following is a non-exhaustive list of items that should be considered as part of security risk management:
(a) Workers, patients and visitors.
(b) Facility’s reputation.
(c) Buildings and surrounds, including critical infrastructure.
(d) Plant and machinery.
(e) Radioactive sources.
(f) Essential services cupboards, boxes, pits and risers.
(g) Office equipment, particularly computers (software and hardware).
(h) Medical and associated equipment.
(i) Drugs and controlled substances and other dangerous items.
(j) Patient property.
(m) Supplies and consumables.
(n) Intellectual property.
(o) Security office and system infrastructure.
(p) Security and emergency communications infrastructure.
(q) Security keys and access cards.
(r) Storage of contraband.
(s) Storage of confidential waste.
(t) Food preparation areas.
The following is a non-exhaustive list of information that needs to be considered as part of security risk management:
(a) Information relating to plans, policies, finances and other matters associated with operating a healthcare facility.
(b) Any personal and official records.
(c) Building floor plans, especially showing security features and essential services details.
(d) Details of drug holdings and locations.
(e) Valuable or significant intellectual property.
(f) Data from security systems, e.g. video surveillance footage, identification (ID) photo images, personal data.
Many facilities process and store information on computers, or computer systems, as well as in hard copy form. When identifying information to be protected, it is important to look at both electronic (locally and remotely stored) and hard copy holdings.
3.4 Assessment of threats
3.4.1 Non-deliberate threats
Not all risks which could impact on security will be deliberate or have a criminal connection. Human error, natural hazards outside of the facility’s control and equipment failure are some examples of non-deliberate risks which could impact on the security of a facility. Such matters need to be considered during the risk assessment process.
Particular consideration should be given to patients who are a risk to themselves and/or others.