The security vulnerability assessment

A resident is sexually assaulted in her room. Meetings are held. Fingers are pointed first at the nursing staff, then at security, then at the administration. The safety committee calls a special session. By now, numerous “security experts” are employed by the facility, all well-intentioned, making scores of comments and recommendations without merit, including: “Where was security?” “Why weren’t the police notified?” “If only we had an access control system.” “We need to install closed-circuit television cameras.” “Employees need to be trained to detect and prevent violence.”

The incidents may vary, but it’s the same old story at many facilities: Everyone becomes a “security expert” immediately following an incident. Recommendations are plentiful, blame is abundant and a “quick-fix” is needed to make it seem like something is being done to prevent future incidents. That’s all well and good for the media and the onslaught of concerned citizens demanding action. Quick fixes, however, only temporarily mask the problem. The real solution is to be proactive in your approach to security. Identify your weaknesses early through a comprehensive security vulnerability assessment (SVA), and put together a “plan for improvement.”

The assessment

A comprehensive SVA, performed by a qualified healthcare security professional, is the first step in creating a secure environment. You cannot minimize your vulnerabilities if you don't know what and where they are.

Imagine that you don't feel well. You have a headache, your throat hurts and you have body aches. When you go see your doctor, he or she doesn't just start handing you pills, saying, “Here. Try this and let's hope it works.” The first step in treating you is to make a diagnosis and, once it is made, begin appropriate treatment.

Creating and maintaining a secure environment in a long-term care community is no different. You have to know where your vulnerabilities lie (diagnosis) before you can think about treatment (minimizing the risk).

It is critical that the person(s) performing the SVA be a qualified healthcare security professional(s). You want someone who is looking out for the safety and well-being of the facility, the residents and the staff, and not someone who is hoping to sell you cameras and alarms when the assessment is over. A professional healthcare security consultant can be your greatest ally in creating a secure environment.

In simple terms, an SVA:

  • Identifies the credible threat level: What and who should the facility protect itself against?
  • Identifies critical assets: Who and what should the facility be protecting?
  • Identifies consequences: Likely consequences of identified vulnerabilities.
  • Provides sound and viable security recommendations: Based on the SVA findings, recommendations that include security system improvements and/or upgrades, changes in policy and procedures, changes in organization and changes in general safety/security operations.

Rings of protection

The security program for every facility should have deterrent, delay/denial, detection and response elements immediately around the target to be protected, at the perimeter of the property and between the perimeter and the target ring. This protection technique is referred to as the “rings of protection” concept.

The SVA should follow the P2T2 approach to security management. For a security program to be truly effective, all facets of the P2T2 system must be fully met: People, Programs, Training and Technology.

In the assessment phase, each of these four areas must be rated. If the security program in any of these areas is deficient, then the entire program is weakened, and security is proportionately compromised.

Focus areas

A comprehensive security vulnerability assessment must include, at a minimum, human resources (HR) and security staffing (proprietary or contract).

The HR department provides guidelines for hiring staff and makes decisions on contract versus proprietary security. It does background screening, performs criminal history checks and conducts exit interviews. HR also provides security-focused staff training and education.

Security staffing’s duties, whether proprietary or contract, are to assess crime in the areas surrounding the facility, in the immediate vicinity and on the facility grounds, and the number of perimeter entrances and exits. The assessment also includes police support and availability, response to after-hours events and the types of goods and services offered.

The assessment also must consider the proper design and use of access control and closed-circuit television technology, security policies and procedures (regardless of the presence or absence of uniformed security), along with physical security measures.

A good assessment must also determine the efficiency of access controls, alarm systems and the security of parking lots, perimeters and grounds.

Security-focused staff training and education, physical plant assessment and the quality management of safety/security round out the assessment.

The plan for improvement

When performed by a qualified healthcare security professional, the assessment will open many people’s eyes to how security can be improved. It eliminates the “quick fix” approach and eliminates the slew of “outside experts” who seem to have all your answers.

After completion of the assessment, you are left with a report of findings and recommendations on how your program can be improved. Some suggestions are simple and can be implemented almost immediately. Others are not so simple; they require substantial financial investments or significant changes in work practices. How can you decide what to do?

The plan for improvement (PFI) allows you to develop a “strategic plan” for improving security, based on the assessment outcomes. A good PFI breaks corrective actions into one of four categories:


High-risk / high-cost

These are corrective actions that need to be taken to correct a high-risk vulnerability, but they require a substantial monetary investment to accomplish. These corrections require planning and budgeting and may have to be implemented over time.

High-risk / low-cost

High-risk / low-cost corrections are just what the name implies. These are corrections that can reduce a high-risk vulnerability without requiring a large investment. Often, these are work practice adjustments; they change the way people perform as opposed to a large capital investment. These changes should be made as quickly as possible.

Low-risk / high-cost

These improvements require a large investment of capital, but may not be a value-based approach based on the severity of risk. Serious consideration must be given to the value of acting on these corrections, and other alternatives should be considered.

Low-risk / low-cost

Again, low-risk / low-cost corrections are just what the name implies. They are corrections that reduce a low-risk vulnerability without requiring a large investment. These, too, are typically work practice adjustments. These changes should also be made as quickly as possible.


An SVA performed by a qualified security professional will prove to be an invaluable resource. As more and more litigation develops alleging inadequate security, facilities are taking their approach to security management more seriously than ever. The days of “doorknob shakers” and “night watchmen” may be gone forever. Today’s healthcare security management demands a well-organized, well-managed program that addresses all aspects of facility security and refuses to be compromised.

Steve Wilder, CHSP, STS, is President and CEO of Sorensen, Wilder & Associates (SWA), a healthcare safety and security consulting group based in Bourbonnais, IL.  A board-certified Healthcare Safety Professional, he is the co-author of the book The Essentials of Aggression Management in Healthcare: From Talkdown to Takedown. Steve can be reached at 800-568-2931 or at
