Guidance on the security and management of NHS assets
May 2012
Tackling fraud and managing security
Contents
Executive summary
1. Introduction
   The purpose and scope of the document
   NHS assets
2. Understanding the lifecycle of an asset and issues of vulnerability
   Procurement and purchase of the asset
   Delivery and deployment of the asset
   Inventories and registers
   Use of the asset including storage, maintenance and repair
   Returning, decommissioning, disposal and sale of assets
   Auditing as part of monitoring and reviewing the security of assets
   Reporting
3. Risk assessing NHS assets
4. Security response for protecting NHS assets
   Pro-security culture
   Staff roles and responsibilities
   Identification badges and security passes
   Security of buildings
   Incorporating security within the design of buildings
   CCTV systems
   Access control
   Integrated security systems
   Key management and control
   Security marking and asset tagging
   Fraud reporting
Appendix 1 Checklist for assessing risk to NHS assets
Appendix 2 Policy template for the security and management of NHS assets
Appendix 3 Consultation questions
Executive summary
The NHS spends approximately £4.6 billion of its budget on equipment and consumables,
and has an annual spend of £50 million on high value capital equipment. It is clear that
assets represent an important class of expenditure for the NHS and any theft or loss can
place a huge financial burden on NHS health bodies, as well as having a significant impact
on the delivery of healthcare and depriving the NHS of resources which would otherwise
contribute to patient care.
In the current economic climate and at a time when NHS health bodies are expected to
demonstrate value for money, all NHS health bodies and their staff should ensure their
assets are protected and secured properly.
NHS Protect has produced this guidance to provide practical advice and support to all NHS
staff and managers on how to protect and secure NHS assets against theft, loss or damage.
This document provides the necessary tools to enable NHS health bodies to risk assess
their assets and identify appropriate ways to help protect and secure them.
Section 1 introduces the aims of the guidance document, gives a description of the assets
to be protected and briefly discusses the complexities of the subject.
Section 2 discusses the different stages of the life of an asset as it is procured, used,
disposed and decommissioned and highlights the vulnerabilities at each of these stages.
The section goes on to highlight what steps should be taken at each stage to protect and
secure assets including the reporting of assets that are stolen or lost.
Section 3 provides practical advice to NHS health bodies on how to conduct a risk
assessment of their assets in order to help determine the type and level of security
measures required for their protection. As well as giving advice on asset management and
the importance of auditing assets on a regular basis, the section explains the key concepts
involved. This includes a checklist for assessing risk to NHS assets (Appendix 1), which
NHS health bodies can use to conduct a risk assessment to identify the assets to be
protected, the threats/vulnerabilities and identify potential security solutions.
Section 4 of the guidance examines the security response to protect NHS assets. Most
NHS premises will already have some physical security measures in place; however these
are only as effective as the staff using them. Starting with the roles and responsibilities
everyone (staff and managers) has for protecting and securing NHS assets, the guidance
looks at the different roles within the organisation with regard to keeping assets secure and
the development and maintenance of a pro-security culture. This section also discusses how
access to the asset can be managed and controlled with some of the more commonly used
security measures already in use within NHS premises. Finally, Appendix 2 provides a policy
template to assist NHS health bodies in the development of local policies and procedures for
the security and management of NHS assets.
This guidance document should be used as a template to help develop and implement local
procedures and systems to promote the security and better management of NHS assets.
Implementation of the guidance should take account of local environments and work
activities in the way assets are used and managed.
The guidance aims to be as comprehensive as possible, but inevitably it may not cater for
every situation within the working environment. It is a living document and will be updated
when new developments occur. NHS Protect will be issuing further updates to this document
in relation to protecting portable NHS equipment and NHS equipment issued to staff.
We hope that NHS health bodies will find this document useful in ensuring their assets are
secured and properly managed at all times.
1. Introduction
1.1
NHS organisations are under pressure to make efficiency savings and with an
estimated spend of £4.6 billion[1] of the NHS budget on equipment and consumables
and an annual spend of £50 million[2] on high value capital equipment, there is a
greater need for NHS organisations to secure their property and assets from theft,
loss and damage. However, as reported in the media, NHS property and assets have
been targeted by thieves, with autopsy tables, defibrillators, laptops and lead from
hospital roofs among the items stolen.
1.2
It is difficult to calculate the precise amount of overall losses to the NHS, as not all
losses are reported. For example, many staff members simply replace missing items
without reporting or recording them as lost or stolen, or they may not always know
how to report a theft or loss.
1.3
There is also the issue of NHS accounting rules, which define assets in purely
financial terms as items with a value exceeding £5,000. Many NHS health bodies
only include items of this value or above on their asset registers, which leaves a wide
range of smaller, portable, valuable items without any means of security protection,
management or audit arrangement.
1.4
However, ensuring the security of NHS assets, regardless of their size, use or value
is extremely important. Good crime prevention measures and effective asset
management can help contribute to the provision of good patient care and the
achievement of greater financial efficiencies.
1.5
The way in which assets are used, distributed, managed and audited varies
considerably from one organisation to another, making it a complex issue to address.
Even within the same organisation, practices may vary between departments.
1.6
Assets may not even stay within the organisation or be on site all of the time. They
can be loaned to other NHS health bodies and to patients, or taken off site for
maintenance and repair. Equally, the financial or operational value associated with
the asset, its size and portability can make it more susceptible to being stolen,
damaged or lost. These issues can lead to difficulties in determining how best to
secure and protect an NHS asset.
The purpose and scope of the document
1.7
The purpose of this guidance is:
• to provide practical advice and support to all NHS staff and managers on how
to protect and secure NHS assets against theft, loss or damage;
• to assist those responsible for the security management of NHS assets to
develop appropriate local policies and procedures;
• to help reduce the number of assets stolen, damaged or lost from within the
NHS;
• to assist NHS health bodies in meeting their statutory obligations to provide a
safe and secure environment, and enable them to provide evidence to NHS
regulators that appropriate measures are in place.
[1] National Audit Office, The procurement of consumables by NHS acute and Foundation trusts, 2011.
[2] Figure relates to an average annual spend on magnetic resonance imaging (MRI) and computed
tomography (CT) scanners and linear accelerator machines for cancer treatment. National Audit
Office, Managing high value capital equipment in the NHS in England, 2011.
1.8
The guidance has been designed to be used as a template from which local
procedures and systems are developed, revised or enhanced to protect and secure
NHS assets. These measures should reflect local needs and at the same time
ensure that the organisation meets its statutory obligations to provide a safe and
secure environment. While the guidance aims to be as comprehensive as possible, it
may not cater for every situation within the working environment.
1.9
The guidance takes account of the Health and Social Care Act 2008 (Regulated
Activities) Regulations 2010 Essential Standards, which providers of health and adult
social care are required to meet in order to register with Care Quality Commission
(CQC).
1.10
Under the regulations, providers must ensure that “equipment is available in sufficient
quantities and stored safely and securely to prevent theft, damage or misuse”
(Regulation 11A). The regulations also state that providers must “ensure medical
devices are available when required and are disposed of or recycled safely and
securely” (Regulation 11F).
1.11
The guidance also takes account of the work of the NHS Litigation Authority
(NHSLA), which handles negligence claims and works to improve risk management
practices across the NHS. Member organisations are regularly assessed against the
NHSLA’s standards. This guidance takes into account the particular standards NHS
health bodies are expected to meet in relation to managing the risks associated with
the physical security of premises and assets.
NHS assets
1.12
Within the NHS, the terms ‘property’ and ‘assets’ are used interchangeably to
describe NHS-owned items. For the purposes of this guidance, we have chosen to
focus our work on the following classes of goods:
• medical and non-medical equipment
• consumables
• supplies
• NHS staff personal issue equipment
• fixtures and fittings.
1.13
Collectively we will refer to these items as ‘NHS assets’, which will be the focus of
this guidance. The recommendations in this document will also apply to those items
that are donated, loaned and leased.
1.14
Personal property, including staff and patient possessions, also needs to be
protected to help create an environment for those who use, visit or work in the NHS
that is safe and secure. This will be dealt with in a separate guidance document.
2. Understanding the lifecycle of an asset and issues of vulnerability
2.1
‘Asset lifecycle’ refers to the various stages an asset will go through, starting with its
acquisition through to its decommissioning. At each stage, the asset is likely to be
exposed to different security risks. These will need to be managed carefully by the
organisation and by whoever is ultimately responsible for the asset.
2.2
The diagram below highlights the key stages in the lifecycle of an asset and
illustrates the importance of regular auditing as part of the review process.
Figure 1: Lifecycle of an asset and its relationship to audit. (Diagram: a cycle of five stages, each followed by an audit: 1. Procurement and purchase of the asset; 2. Delivery and deployment; 3. Asset use; 4. Maintenance and repair; 5. Return, decommission and disposal of the asset.)
Procurement and purchase of the asset
2.3
The process by which organisations purchase their items may vary according to the
department purchasing the asset, the value of the asset, the quantity being
purchased and/or the type of asset it is. However, it is certainly worth considering
what security measures might be put in place at the procurement and purchase
stage. For example, tender specifications could include a requirement for contractors
or suppliers to demonstrate how they propose to enable the asset to be made secure
or arrange for specific security measures to be built into the product from the outset. Where possible, property should be indelibly security-stamped with the organisation's
name and post code. This should always be considered for electrical, portable and
other desirable items.
2.4
Any asset at this stage should enter the organisation’s own asset management
system and begin to be managed accordingly. Asset management systems can
either be computerised or paper-based, and include management policies,
procedures and practices specifically designed to protect or secure the asset. In
essence, the procurement process should feed into the asset management system,
providing data on the new asset as soon as the purchase order is complete and the
item has been received. This will enable proper and accurate tracking of the item.
Delivery and deployment of the asset
2.5
The organisation should have in place effective policies with regard to the delivery of
goods and adequate procedures for logging and tracking assets from the point of
receipt to the point of delivery to the end user. It is often during this period that assets
are most vulnerable. For example, stock should not be left in open-access areas, and
should be kept secure at all times.
2.6
NHS assets should be held on an inventory or register, in accordance with the NHS
organisation’s Standing Financial Instructions. Assets valued over £5,000 are usually
recorded on a corporate asset register.
Inventories and registers
2.7
In addition, each department, and smaller NHS providers such as GP practices,
should hold their own local asset/equipment register, ensuring it is kept up to date
and reviewed on a regular basis. The register should record the following information:
• the department/division/business unit
• name of the individual responsible for the management of the asset
• type of asset, model and serial number, description and quantity
• summary of the risks and assessment results
• security measures
• date of review.
2.8
If the asset is to be stored for any length of time before final delivery, access to the
storage area should be restricted and the area secured.
2.9
Once the asset has been delivered to the relevant department or individual, there
should be a system in place to ensure it is signed for and that this action is recorded
on the asset management system. The person receiving the item should then take
the necessary steps to ensure that it is properly secured. A risk management model
can be useful for identifying threats and vulnerabilities and determining the security
response needed to secure the asset. This is discussed in section 4 below.
Use of the asset including storage, maintenance and repair
2.10
Depending on the nature of the asset, it is likely to be used in a variety of different
ways and settings. For example, it may be used by an individual member of staff
within a particular department or given to a patient. In some cases it might be shared
across several departments/divisions or even used by another local healthcare
establishment.
2.11
Set policies and procedures should be developed to deal with these various
scenarios and ensure that the asset is properly managed throughout its usage.
Attention should be given to how the item will be stored securely when not in use,
what should happen if it is relocated or loaned to another department and how it will
be tracked and audited.
2.12
NHS health bodies may need to consider what arrangements they have in place for
the maintenance and repair of items, especially in cases when an item is likely to be
taken off-site for these purposes. Added security measures may be required and an
appropriate log should be kept of what is taken off site, where it has gone and when it
is due back.
2.13
The risk assessment process discussed in section 4 should help to ensure the steps
taken are appropriate and proportionate to the vulnerabilities identified.
Returning, decommissioning, disposal or onward sale of assets
2.14
An asset can have a residual value at the end of its lifecycle and it remains the
property of the organisation until it is finally returned, decommissioned, disposed of
or sold. Managers and staff should familiarise themselves with the organisation’s own
specific policies and procedures in each case. This will help them establish what
should be done with the asset once it has completed its lifecycle.
2.15
In each case, security considerations remain important. For example, accurate
record-keeping is particularly important for tracking purposes, especially if the asset
needs to be returned to the issuing department or sent elsewhere by a specific date,
e.g. end of a contract period/lease.
2.16
It is also important to ensure the asset can no longer pose any risk to the
organisation or patients. Sensitive and confidential data must be removed from all
technological equipment such as laptops and mobile phones before they are
redeployed or decommissioned. Where the data is still required, it should be
transferred in the appropriate manner to another system for storage.
2.17
Medical equipment that is no longer fit for use must be disposed of in an appropriate
manner and in line with guidance from the Medicines and Healthcare Products
Regulatory Agency and legislation such as the Waste Electrical and Electronic
Equipment (Amendment) Regulations 2007. Items that are to be sold should have all
the health body’s security markings, identification and logos removed before being
sold and should still be compliant with all relevant health and safety requirements.
Depending on the health body’s own policy, it may be necessary to seek the
appropriate authorisation before the sale of an item can proceed.
2.18
Human Resources (HR), Finance, and Heads of Departments may wish to be
informed when an asset or an item of staff-issued property is no longer required, or
when the responsibility for the asset is to be transferred. For example, a mobile
phone may still have an outstanding contract which will need to be cancelled, or it
could be reissued to another member of staff. Managers and staff may wish to
consult with HR and finance departments on these matters, as suitable local
arrangements may already exist.
Auditing as part of monitoring and reviewing the security of assets
2.19
Figure 1 above illustrates that auditing should be conducted on an ongoing basis as
part of a monitoring and review process. This should be conducted by the most
relevant or authorised individual. Regular auditing can help to identify any
discrepancies and ensure action can be taken at the earliest possible stage to
reconcile them.
2.20
Auditing may also help to identify particular patterns or trends, and which assets are
most vulnerable. Without proper auditing, it is difficult for any organisation to know
whether they are experiencing problems in asset management or the scale of the
potential problem they are facing in relation to assets being stolen, damaged or lost.
2.21
As a minimum, standard audits should be conducted once a year to review the
security measures and to check the health body’s assets against the register.
However, depending on the risk assessment, the assets which are considered more
high-risk should be audited more frequently. For example, endoscopes (which are
used to examine the inside of a person’s body) are particularly expensive, portable
and easily concealed. Theft of these items would have an impact on business
continuity and affect patient care, as NHS health bodies would be unable to carry out
routine investigative medical procedures. For items such as these, where regular
cleaning and servicing is required, monthly audits should be undertaken to find out if
any of the items are missing.
Reporting
2.22
Where discrepancies are revealed in any audit, they should be reported to managers
and senior staff. Organisations should have a reporting system in place to enable the
reporting of such incidents. In the event of a suspected theft or actual loss of an NHS
asset, the staff member or manager should notify the Local Security Management
Specialist (LSMS). The LSMS is trained and accredited to undertake investigations
involving thefts and security incidents. NHS Protect provides central support and
guidance to LSMSs on security management issues within the NHS Security
Management Manual.[3] The police should also be notified as per the organisation’s
policy, particularly in the event of theft, burglary, vandalism or any criminal damage to
NHS property.
2.23
The matter should also be recorded as a security incident on the organisation’s
incident reporting system and the local notification/alert process should be initiated.
NHS Protect should also be notified of all security incidents involving the theft or
damage to NHS assets, including those investigated by the police. NHS Protect has
launched a security incident reporting system to record all theft or criminal damage
(including burglary, arson and vandalism) to NHS property and assets. The aim of
this system is to inform NHS Protect’s prevention and deterrence work, help identify
trends and patterns, generate statistics and enable NHS Protect to build a national
picture of security management across the NHS.
[3] The NHS Security Management Manual is a restricted document; access is only available to
accredited LSMSs through a secure extranet, hosted by NHS Protect.
3. Risk assessing NHS assets
3.1
In order to provide the best protection of NHS assets, a thorough and systematic
assessment of risks and threats needs to be undertaken. This assessment will help
to identify those assets most at risk and provide a greater understanding of existing
threats. Using this information, it is possible to develop the most appropriate security
solution for protecting and securing the asset.
3.2
Risk management is already widely practised within NHS organisations. The process
is no different when applied to the risk management of NHS assets. Where possible,
NHS organisations should build on their existing systems to avoid duplication of effort
or creating systems that are difficult to maintain. It may be possible to adapt existing
risk management systems to best suit the organisation’s needs rather than create a
new system.
3.3
The diagram below (Figure 2) illustrates a general cycle of risk management applied
to NHS assets.
Figure 2: Cycle of risk management. (Diagram: a cycle of asset valuation, vulnerability of asset, risk and threats, impact assessment, risk determination, safeguard assessment and security, and monitor and review.)
3.4
Every asset has a monetary value. NHS organisations usually have standard
policies for the management and security of assets above certain levels of financial
value. NHS organisations should review existing policies and asset
inventories/registers, before deciding on whether to introduce any new systems.
3.5
However, an asset has more than just financial value. Its theft, damage or loss can
have a critical impact on the delivery of services and patient care or treatment. Thus,
it is also important to consider the asset’s criticality to business operations, and what
impact its loss would have on patient care, business continuity and the reputation of
the organisation. Naturally, over time the value of the asset is likely to decrease, both
financially and in terms of usability. Any valuation will also need to take these
factors into account.
3.6
The first stage of the risk assessment process consists in identifying what assets the
organisation/department has, and understanding their vulnerability. This is
determined by how likely it is that someone could steal or damage a particular asset,
and how often such incidents are likely to occur. The next stage is understanding the
impact such a loss or damage might have. Factors to consider include:
• extent to which the asset is exposed to potential loss or damage
• financial cost of the potential loss or damage
• severity of the potential loss or damage of the asset on patient care and safety
• severity of the potential loss or damage of an asset on business operations and
service continuity
• likelihood of injury/loss/damage occurring as a result of the asset’s loss or
damage
• number of people/amount of property at risk
• damage to reputation
• strength of existing mechanisms to protect the asset.
3.7
To assist with establishing a profile of the asset, Appendix 1 contains a checklist for
assessing the risks associated with an asset. Once this has been completed, it
should be possible to develop an appropriate action plan to prioritise which assets
need to be made safe and secure immediately and to determine the appropriate level
of security protection required.
3.8
Naturally, eliminating the risk altogether is the most effective way of protecting NHS
assets. However, there may be budgetary or physical constraints involved and in
most instances it is more realistic to focus on the most critical assets first and seek to
minimise the risk to the lowest practical level.
3.9
It is important to note that adequate control of risks can only be achieved through the
co-ordinated action taken by all members of the organisation. For this to occur, all
staff members need to be aware of their role and responsibility with regard to the
security of NHS assets. This is discussed in section 4.
3.10
It is also important to build appropriate links and consult with relevant stakeholders
from the outset. This may include staff, clinicians, patients, visitors or external
organisations such as the police, community groups or voluntary organisations.
Stakeholders can often provide vital local information that may not always be
immediately evident or readily available. The LSMS is also an important stakeholder
in assessing risk. They can provide practical advice and support to individual
departments and managers on assessing security risks for their assets and on the
range of security measures available to secure the items.
4. Security response for protecting NHS assets
4.1
Many NHS premises will already have in place some level of physical security
measures such as locks, alarms and access control systems. However, depending
on the type of asset and its identified risks and vulnerabilities, higher levels of
security may be required.
4.2
As a baseline, there should be a minimum level of security in place to protect any
asset. In most cases, this will include basic ‘good housekeeping’ such as keeping
communal areas clean and tidy, securing items away after use and ensuring doors
and windows are locked out of hours. Encouraging staff to observe these basic
measures contributes to a strong pro-security culture.
4.3
At the top end of the spectrum, certain NHS assets may require more specialist
security solutions such as security marking or asset tagging systems. However, the
use of specialist solutions should always be based on a thorough risk assessment,
otherwise it can prove to be an expensive and unnecessary investment. More
common security measures to consider include good security lighting and integrated
security management systems, which combine individual components of physical
security such as access control, alarms and CCTV within one system.
4.4
As discussed at 2.22 above, the LSMS is a trained and accredited security
management specialist and can provide advice on security solutions for protecting
NHS assets. The LSMS can undertake security surveys to help identify any security
risks and potential breaches. They can also provide specialist advice on physical
security measures and undertake post-incident reviews.
Pro-security culture
4.5
A pro-security culture among staff (including temporary staff and contractors),
patients and visitors is one in which the responsibility for security is accepted by all
and the actions of a small minority who breach security are not tolerated. A key
element of a pro-security culture is encouraging staff to take an active part in creating
and maintaining a secure environment. This is usually done through practical
measures such as staff inductions, awareness campaigns and regular updates and
briefings on security matters. This is a key function of the LSMS role. In the absence
of a strong pro-security culture within an organisation, any protective measures put in
place are more than likely to only partially achieve their intended outcome. At worst
the measures may fail altogether.
Staff roles and responsibilities
4.6
All staff should be reminded of their role and responsibilities in protecting and
securing NHS assets and receive regular training and support on this issue. While
ultimate responsibility for NHS assets lies with the Chief Executive of each
organisation, this responsibility is also shared by individual managers and staff
who oversee and use the organisation’s assets.
4.7
The Chief Executive and Board of the organisation must ensure that the
appropriate policies and procedures are in place for the secure management and use
of its assets. This includes having an asset management system in place to manage
and control assets, as well as ensuring that suitable arrangements exist to report any
incident involving theft, loss or damage of NHS assets.
4.8
Managers and department heads should ensure that their staff adhere to the
organisation’s policies and procedures for the use of assets, and that their
department’s assets are entered onto the asset management system, or local asset
register as appropriate. They should seek to ensure their records are kept up to date
and regular audits are undertaken.
4.9
Staff members should ensure they use the organisation assets in the appropriate
manner and in accordance with applicable policies and procedures, and that they
report incidents as they occur.
4.10
The organisation’s induction process and its own security policies should help to
support this process, and all staff should be given access to the relevant policies.
During training, staff should be made aware of any assets or equipment they will be
using, how it should be kept safe and secure, and what they should do if it is stolen,
lost or damaged in any way. Appendix 2 of this document provides a policy template
for NHS health bodies to develop their own policy for the security of NHS assets.
Identification badges and security passes
4.11
The proper identification of staff and contractors is essential in helping to protect
NHS assets. A staff ID badge and security pass system enables NHS health bodies
to ensure that only those who have proper business on a healthcare site are allowed
access. However, this relies on staff compliance with the organisation’s policy on
staff identification and security passes for visitors/contractors.
4.12
Unauthorised access may result in the theft and damage of NHS assets, or even
assaults on NHS staff. Each NHS health body should have in place a system of
photo identification for permanent, temporary and contractor staff who work in the
healthcare environment on a regular basis. This should work alongside a system of
security passes for those who attend infrequently.
4.13
Where possible, identification badges and security passes should be part of an
overall security solution and ideally they should be linked to an integrated access
control system. The identification badge/security pass system should also have
strong links to HR processes, so that information on starters and leavers is
reconciled with access permissions. The system should also be monitored and
reviewed on a regular basis to ensure compliance and modifications should be made
when necessary. The LSMS should have oversight of the implementation and
maintenance of this system and incidents of abuse or weaknesses should be
reported to them so that further deterrent and preventative measures can be put in
place.
4.14
Staff should be issued with appropriate identification badges. Contractors and site
visitors should be escorted to and from their location and wear clearly marked
‘temporary’ security passes, which need to be signed and recorded on issue. Having
colour-coded passes for staff, visitors and contractors is a good way for staff to easily
identify individuals especially if they are in a restricted area.
4.15
Staff should be encouraged to challenge or report anyone not displaying staff
identification or a security pass to the appropriate authority or security personnel
immediately. NHS health bodies should consider introducing a security pass/photo
identification system if one is not already in operation.
Security of buildings
4.16
It is the responsibility of all staff working in NHS premises to keep their work area and
buildings secure. This will be achieved by individuals ensuring, when they enter and
exit a building or secure area, that the door is secured and they do not allow
tailgating [4]. Staff should not prop open fire doors or disable access-controlled doors,
and at the end of the day/shift windows should be secured, particularly those located
on ground floors, as these can provide easy access to unauthorised individuals. All
staff can also contribute to the protective security of their area by challenging and
denying access to those who cannot present a valid or legitimate reason to enter the
premises. This is particularly important in areas of high risk to people and where
high-value equipment or assets are located, such as endoscopy suites and theatres.
4.17
Some smaller providers, or parts of larger organisations, are based in a multi-occupancy
building or in premises within a shopping centre, high street or business
park. Where this is the case, security should be a joint effort. For example, common
access control procedures can be agreed or CCTV cameras sited for maximum
overall benefit to all occupants of the building/area. This can both increase
effectiveness and greatly reduce costs, while ensuring that health and safety
regulations, fire prevention requirements and building consents are met.
4.18
It is good practice to have a standard operating procedure (SOP) for buildings and
areas that are not staffed 24 hours a day/7 days a week. In some smaller premises,
staff members (other than security personnel) may have the responsibility for
securing their areas at the end of the working day and they will need to know what to
do. In these circumstances, the relevant staff should familiarise themselves with the
SOP for securing the area. The SOP should include guidance on setting alarms (if
relevant), how to check and lock all entrances/exits and ensure windows are locked;
as well as explaining how to secure valuable and portable assets and confidential
material. For office areas, a clear desk policy should be enforced to ensure that all
protectively marked documents are securely locked away. Random security patrols
(if available) are also a good way of checking the security of premises and to act as a
visible deterrent to would-be criminals.
Incorporating security within the design of buildings
4.19
When a healthcare building is being newly built or refurbished, measures should be
incorporated into the design to help protect the safety of staff, patients and visitors
and the security of the premises and the assets contained within them. The project
team should discuss security with the local police crime prevention design advisor
(CPDA) [5] and the LSMS at an early stage in the design process. The LSMS will be
able to identify specific security risks and offer advice on measures that can be
implemented to reduce them. The CPDA can provide free information and advice on
how to build to Secured by Design [6] specifications and reduce crime through
environmental design. Further information on Secured by Design and contact details
of CPDAs can be obtained from www.securedbydesign.com. Both the CPDA and
the LSMS will be able to provide advice on the particular security industry standards
and specifications which the healthcare building will be expected to meet.
[4] Tailgating can be defined as gaining unauthorised access by following an authorised user through a secure door.
[5] Crime Prevention Design Advisors are also known as Architectural Liaison Officers.
[6] Secured by Design is a crime prevention initiative managed by ACPO CPI Limited on behalf of the UK Association of Chief Police Officers.
4.20
The local fire officer and LSMS should be consulted in conjunction with each other to
avoid the possibility of the demands of security and fire safety conflicting.
4.21
Natural ventilation and night-time cooling of spaces should not compromise security
measures.
4.22
Natural surveillance can assist in the deterrence and detection of crime and
contribute to a secure environment. The building’s design should promote natural
surveillance and good visibility by enabling staff to observe their working areas
without any fixtures or structures impeding their sightlines.
4.23
Research has shown that good levels of lighting can be effective in reducing the fear
of crime and in some instances, result in crime reduction. Lighting schemes should
ensure there are no dark corners or areas that could be used as hiding places. They
also need to take account of CCTV systems, as lighting can help or hinder the
identification of individuals on TV screens.
4.24
Any plans to install CCTV or expand an existing system should be discussed with the
LSMS.
CCTV systems
4.25
The installation of overt and well-publicised CCTV cameras should be considered for
areas where there is an identified security risk. This may include public areas,
entrances and exits (which may or may not be access controlled), staff-only areas
and circulation routes within high risk clinical departments such as operating
theatres, maternity, neonatal and paediatric units.
4.26
The use of CCTV in healthcare premises as part of an overall integrated security
strategy can help to deter, prevent and detect security-related incidents, as well as
providing evidence for investigations following an incident. This is discussed further
in 4.30. CCTV can be intrusive and its operation must comply with the provisions of
the Data Protection Act 1998 and the CCTV code of practice (Information
Commissioner’s Office, 2008), which is available at
http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_cctvfinal_2301.pdf
Access control
4.27
Access control can be either a standalone or an electronically controlled system which
controls entry through the use of physical barriers. In the simplest form it requires a
means of identifying people, providing access according to a set of rules and when
necessary preventing access. Commonly, access control measures are likely to be a
combination of physical security measures, e.g. locks or magnetic swipe/proximity
card access, and processes, e.g. a guardian such as a receptionist or security officer
checking identification and controlling access to authorised personnel/visitors.
Organisations are advised to regularly audit, review and maintain their access control
measures and procedures. Access control measures work best when used properly
by staff.
4.28
Access to staff-only areas, restricted clinical areas (i.e. controlled by staff) and
storage rooms containing valuable medical equipment and consumables should be
locked or controlled via close-proximity cards or similar devices.
4.29
Good signage can also provide a deterrent effect and support such systems, e.g.
signs indicating restricted access or staff-only areas.
Integrated security systems
4.30
Physical security measures such as access control, alarms, CCTV and security
tagging assets are commonly used to deter crime, detect offenders and delay their
actions. Combining these separate security measures into one integrated security
system can provide many benefits in terms of cost effectiveness and achieving a
more efficient monitoring system. An integrated security system can be very effective
in protecting assets because of the ability of separate security components to interact
with each other to provide maximum security. For example, if someone without the
right level of access permission attempted to gain access to a restricted area or an
alarm is activated, the system would automatically re-position CCTV cameras to
capture images of the area and individual, access controls could be applied to limit
their movement and security staff could be alerted to attend the area.
4.31
The type of system required will depend on a number of issues, as these systems
differ in their complexity. Linking existing security components will depend on
whether they are compatible, require upgrading and how they are managed and
maintained. However, in any new build or refurbishment of NHS premises, it is
always worth considering the benefits of an integrated security system. In planning
for the implementation and installation of an integrated security system, the LSMS
should undertake an operational requirement that will determine the system
specification. Estates and IT departments will need to be consulted as part of this
process, as it will require their involvement on whether the system can be integrated
into the building management system and existing IT structure. Any system
implemented will need to be future-proofed for software upgrades and the addition of
further security hardware.
4.32
Intrusion detection technology can also play an important part in any integrated
security system. It is as much a deterrent as a means of protection. However, if a
police response to an alarm is required, the system must be compliant with the
Association of Chief Police Officers’ Security Systems Policy. For further information,
contact should be made with the Alarms Administration Office at the local police
headquarters. The NHS Security Management Manual also provides advice to
LSMSs on the use of these systems.
4.33
All of the systems and procedures discussed above need to be regularly reviewed
and updated, as they all contribute to the overall security of the organisation’s
property and assets.
Key management and control
4.34
Where individuals are given key holding responsibility, keys must be kept in a secure
cabinet in a secure location (locked room within a supervised area) and on sealed,
numbered rings with no other means of identification. Key holders should be advised
that they are not to duplicate keys and made aware of the NHS health body’s
protocol for reporting lost or missing keys. If the lost or missing keys are for a high
risk area, extra precautions should be taken to ensure that a secure environment is
maintained.
4.35
A system should be established for the distribution of keys which includes an audit
trail that shows how keys are managed and used. It should also allow for
identification of the last user of each key. As part of the system to manage the keys,
a regular inventory should be undertaken of the keys in possession of
individuals/departments. The frequency of the inventory should be determined
following a risk based approach. For example, if the value of the asset is high or the
impact on the health body of the asset being stolen, damaged or lost is significant,
then an inventory of the keys for the relevant area will be undertaken daily.
4.36
There are now secured key cabinets that can provide an electronic audit trail and
only provide access to authorised users. However the use and implementation of this
type of system can be costly. Organisations are advised to undertake a risk
assessment and cost benefit analysis before considering such an investment. The
LSMS should be involved in this process.
4.37
Original and duplicate keys should be held securely by a main reception/security
control. The keys should be under the control of an authorised individual, who will
account for any keys in their possession by use of a key book or safe, and act as the
contact for issue of any duplicate keys required in an emergency. All keys kept at
main reception/security control should be signed for on issue and the identity of the
signatory verified using the organisation’s ID card and checked against the list of
those authorised to withdraw the key.
4.38
There should be much stricter controls around the access to, and use of, master keys
which open all the locks of a particular set. In the event that a master key is to be
used to provide access, its use should be supervised. Key holding responsibility for
master keys should be limited to a small number of staff.
4.39
Lists of authorised key holders should be regularly reviewed to reconcile them with
information on starters and leavers with key holding responsibility. This should be
closely coordinated with the HR department. Ideally, the key holding authorisation
lists should be updated every three to six months or determined by local risk
assessment. However, in the event of a staff member with key holding responsibility
being investigated or leaving the organisation abruptly due to suspension or other
disciplinary action, authorisation lists should be updated immediately and the keys
obtained from the individual involved.
4.40
Keys should only be issued to persons specifically authorised to withdraw them; the
number of such persons should ideally be limited to one, but no more than three for
each department, to prevent the need for lengthy lists. Authorisation to withdraw a
key should be provided by a key authorisation letter, countersigned by the Head of
the Department and bearing the printed names and specimen signatures of those
entitled to withdraw.
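The key-issue controls in paragraphs 4.35 to 4.40 (audit trail identifying the last user, issue only to named authorised withdrawers with identity verified, at most three per department, supervised master keys, and striking leavers off the lists as 4.13 and 4.39 require for badges and keys) can be modelled as a small register. The following is an added example written for this page, not NHS Protect's own code; every key number, staff ID and timestamp in it is a constructed placeholder.

```python
"""Key register model for the controls in paragraphs 4.35 to 4.40 (added example, not NHS Protect's).

Every key number, staff ID and timestamp below is a constructed placeholder.
"""
from dataclasses import dataclass, field

# Paragraph 4.40: ideally one, but no more than three, authorised withdrawers per department.
MAX_AUTHORISED_PER_DEPT = 3


class KeyRegisterError(Exception):
    """Raised when an issue, return or authorisation would breach the policy."""


@dataclass
class KeyRegister:
    # department -> staff IDs named on the countersigned key authorisation letter (4.40)
    authorised: dict = field(default_factory=dict)
    # key number -> department whose area it opens (keys carry only a number, 4.34)
    keys: dict = field(default_factory=dict)
    # master keys, whose use must be supervised (4.38)
    master_keys: set = field(default_factory=set)
    # key number -> staff ID currently holding it, or None once back in the cabinet
    holder: dict = field(default_factory=dict)
    # audit trail of (timestamp, key, staff ID, action, supervisor) entries (4.35)
    log: list = field(default_factory=list)

    def authorise(self, dept, staff_id):
        names = self.authorised.setdefault(dept, set())
        if staff_id not in names and len(names) >= MAX_AUTHORISED_PER_DEPT:
            raise KeyRegisterError(f"{dept}: list already holds {MAX_AUTHORISED_PER_DEPT} names")
        names.add(staff_id)

    def issue(self, key, staff_id, id_card_verified, when, supervisor=None):
        """Sign a key out: identity checked against the ID card and the authorised list (4.37)."""
        dept = self.keys[key]
        if not id_card_verified:
            raise KeyRegisterError("identity must be verified against the organisation's ID card")
        if staff_id not in self.authorised.get(dept, set()):
            raise KeyRegisterError(f"{staff_id} is not authorised to withdraw keys for {dept}")
        if key in self.master_keys and supervisor is None:
            raise KeyRegisterError(f"master key {key} may only be used under supervision")
        if self.holder.get(key) is not None:
            raise KeyRegisterError(f"{key} is already signed out to {self.holder[key]}")
        self.holder[key] = staff_id
        self.log.append((when, key, staff_id, "issued", supervisor))

    def return_key(self, key, staff_id, when):
        if self.holder.get(key) != staff_id:
            raise KeyRegisterError(f"{key} is not signed out to {staff_id}")
        self.holder[key] = None
        self.log.append((when, key, staff_id, "returned", None))

    def last_user(self, key):
        """Paragraph 4.35: the trail must identify the last user of each key."""
        for _when, k, who, _action, _sup in reversed(self.log):
            if k == key:
                return who
        return None

    def inventory(self):
        """Keys currently out of the cabinet, for the periodic inventory (4.35)."""
        return {k: who for k, who in self.holder.items() if who is not None}

    def reconcile_leavers(self, leavers):
        """Paragraph 4.39: strike leavers off every list and report keys still with them."""
        for names in self.authorised.values():
            names.difference_update(leavers)
        return sorted((k, who) for k, who in self.holder.items() if who in leavers)


def rejects(action, *args, **kwargs):
    """True if the register refuses the action (used to show each check firing)."""
    try:
        action(*args, **kwargs)
    except KeyRegisterError:
        return True
    return False


def build_sample_register():
    """Constructed sample: one department, one ordinary key and one master key."""
    reg = KeyRegister(keys={"K-014": "Theatres", "MK-01": "Theatres"}, master_keys={"MK-01"})
    for staff in ("S1001", "S1002", "S1003"):
        reg.authorise("Theatres", staff)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("fourth name refused:", rejects(reg.authorise, "Theatres", "S1004"))
    reg.issue("K-014", "S1001", True, "2012-05-01 08:00")
    print("unsupervised master key refused:",
          rejects(reg.issue, "MK-01", "S1002", True, "2012-05-01 08:05"))
    reg.issue("MK-01", "S1002", True, "2012-05-01 08:10", supervisor="SEC-07")
    reg.return_key("MK-01", "S1002", "2012-05-01 09:00")
    print("keys still held by leaver S1001:", reg.reconcile_leavers({"S1001"}))
    print("last user of MK-01:", reg.last_user("MK-01"))
```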
Security marking and asset tagging
4.41
When practicable, NHS assets should be security marked or tagged with details
including the organisation’s postcode and name. Security marking refers to making
conspicuous or inconspicuous identification on the asset that cannot be altered or
removed. Visibly marking the asset can act as a good deterrent to would-be thieves.
There are many available products on the market for marking different types of
assets. Security marking assets can also assist in their recovery in the event of theft
or loss. The use of an asset marking system will require a secure database register
which is linked to the system. Such systems should meet the requirements of the
standards on overt asset marking technologies, LPS1225 Requirements for the
LPCB Approval and Listing of Asset Marking Systems; and LPS1650 Requirements
and testing procedures for the LPCB approval and listing of ‘theft resistant’ electronic
products, which determines the efficacy of built-in security features on some
healthcare equipment. Loss Prevention Standards are issued by the Loss Prevention
Certification Board [7]. The full range of standards can be obtained from
www.redbooklive.com.
4.42
Asset tagging refers to attaching security tags to equipment, which uses wireless
radio frequency identification technology (RFID) to track the equipment as it moves
around the premises, or leaves a designated area. RFID tags vary in size and can be
attached to anything of value. There may be concerns about the use of RFID in
relation to certain types of medical equipment. Therefore, before considering the
implementation of asset tagging, NHS health bodies are advised to look at how
different systems operate and to consult other NHS health bodies where an asset
tagging system is already in use.
Fraud reporting
4.43
Suspected fraudulent behaviour or alleged fraud should be reported either to the
health body’s Local Counter Fraud Specialist, or by calling NHS Protect’s
confidential Fraud and Corruption Reporting Line on 0800 028 40 60.
[7] The Loss Prevention Certification Board is part of BRE Global. It is an independent third party approvals body offering certification of fire, security and sustainability products and services to an international market.
Appendix 1
Checklist for assessing risks to NHS assets
This checklist assists with assessing the risks to an asset or particular group of assets. The
questions will assist managers and the NHS health body’s LSMS to identify particular risks
and to mitigate them. Once an analysis is undertaken of the appropriate information
including the asset’s value, criticality and vulnerability, it should be possible to determine the
level of risk it is exposed to and the appropriate level of security protection required.
Note: This list is neither prioritised nor exhaustive, and does not need to be
completed sequentially. It acts as a guide only.
1. Where the asset is stored/used
State the location and purpose of the site or building and provide any background
comments on its priority or importance. State existing physical security measures including
controls such as access control, security patrols etc.
2. Stakeholders
List all the stakeholders who have an interest in the operational security of the site or
building. Confirm whose priorities might be most important, and how any conflicting
priorities might be resolved, for example those of the fire officer.
3. Assets to be protected
List the assets that are to be protected together with their value (human, financial,
operational).
4. The threat
State the perceived threat, the likely abilities of attackers, the tools they may use and the
likely methods of attack. Try to estimate the probability and expected frequency of the event
occurring. What has happened before and where?
5. Areas of concern and vulnerabilities
What are your areas of concern and vulnerabilities? (List each defined area). Where are the
assets located (site or building)? Indicate how these sites are vulnerable to the threat. Tie in
with the likely methods of attack (section 4 above).
6. Consequences of compromise
State what these are in terms of financial, operational, morale and reputational
consequences. There may be different assets with different consequences resulting from
their compromise – these should be recorded. Consider how easy it would be to replace the
assets if they were compromised.
7. Success criteria
What are your success criteria? For example the detection of all intruders, or preventing an
intruder breaching an asset, identifying an intruder or obtaining evidence for legal purposes.
8. Other factors
Include any constraints like budgets, legal issues, planning permission, neighbouring
facilities, staffing levels, response force and external constraints like procedures and
management controls.
9. Possible security solutions
While considering the issues under the above headings, various possible solutions may
have come to mind. These should be noted, together with any constraints. Keep an open
mind; this is still only the statement of needs, not the final solution. This section might state
which possible solutions have been discounted and why.
10. Integration and critical linkages
Identify where integration would be desirable and note which elements would need to be
integrated. Integration and critical linkages in any system can occur at different levels. At a
management level the combining of different functions at the control room can reduce the
required manning levels while simplifying an operator’s tasks.
Appendix 2
Policy template for the security and management of NHS assets
Document header: [Insert document reference number: xxxxx; organisation name: xxxxx]
Policy template for the security and management of NHS
assets in [insert name of organisation]
The following sections form a standard model policy template. NHS health bodies can use these
headings and contents as a guide to structure their own localised policy for the security and
management of NHS assets. The localised policy can also be used to create departmental/unit
policies and procedures, tailored to the specific needs of the department/unit.
The italicised text under each section is designed as a series of questions/prompts
to assist in developing a policy; the standard text is for general guidance.
Title: Policy for the security and management of NHS assets in [xxxxx] trust
Purpose: Policy outlining the roles and responsibilities for the security and management of NHS assets in [xxxxx] trust
Author: Name and title
Version number: Version [xxxxx]
Supersedes document: Title and version number
Cross reference with: Associated relevant policies (e.g. security management, risk management, SFIs, SOs)
Responsible committee / director: Name and title
Lead officer: Name and title
Target audience: Staff groups to which this policy applies
Date ratified: Date document approved
Ratified by: Name and title
Date issued: Date policy issued
Review date: Date policy to be reviewed
Contact details: Person responsible for maintenance of this policy
Contents
1. Introduction
2. Policy intention/aim
3. Policy scope
4. Definitions
5. Statutory responsibilities (organisations)
6. Roles and responsibilities (individuals)
7. Risk assessment
8. Security measures
9. Monitoring and auditing of policy effectiveness
10. Dissemination of this policy
11. Review of policy
12. Appendices
1. Introduction
1.1
Provide detailed explanations tailored to the local needs of the organisation under
each of the following headings.
2. Policy intention/aim
2.1
This section should explain the aims of the policy and the intended outcomes, which
at a minimum should be to secure the health body’s assets and to reduce the risk of
an asset being stolen, damaged or lost.
3. Policy scope
3.1
This section should explain the scope of the policy, and how it will assist the
organisation in the protection of its assets and help support the delivery of NHS
Protect’s anti-crime strategy.
3.2
It should also identify the target audience of the policy and who it applies to. This
may include internal and external stakeholders.
3.3
The policy should also identify which situations it applies to, e.g. equipment loans
between departments and surgical equipment being sent off site for cleaning.
4. Definitions
4.1
For consistency purposes, this section should explain any definitions or technical
terms used within the document which might need clarification. Not everyone reading
the document may be familiar with a particular term or have the same understanding
of its meaning. For example, a definition of ‘asset’ might be useful.
5. Statutory responsibilities
5.1
This section should outline the responsibilities of organisations whose statutory role
has a bearing on the protection and security of NHS assets. Local policies should
incorporate existing legislation, guidance, policies or forms of good practice made
available by these organisations.
Provide detailed explanations, tailored to local needs, of the following organisations
under each of the following headings.
5.2 NHS Standing Financial Instructions
Explain that Standing Financial Instructions (SFIs) are issued in accordance with the
Financial Directions issued by the Secretary of State for Health.
Explain that SFIs shall have effect as if incorporated in the Standing Orders (SOs) of
the organisation. The SFIs refer to the financial responsibilities, policies and
procedures adopted by the organisation.
Explain that SFIs are designed to ensure that financial transactions are carried out in
accordance with the law and government policy in order to achieve probity, accuracy,
economy, efficiency and effectiveness. The SFIs identify the financial responsibilities
that apply to everyone working for the organisation.
Explain within the policy document that all executive and non-executive directors and
members of staff should be made aware of the existence of these documents and,
where necessary, be familiar with the detailed provisions within them. However, SFIs
do not provide detailed procedural advice and should be read in conjunction with the
organisation’s own appropriate departmental and financial policies in relation to asset
management.
5.3 NHS Protect
State that NHS Protect is a division of the NHS Business Services Authority and has
policy and operational responsibility for the management of security in the NHS.
Explain that all security incidents involving theft or criminal damage of NHS assets
should be recorded on the organisation’s reporting system and reported to NHS
Protect by the LSMS.
5.4 Health and Safety Executive (HSE)
State that the HSE enforces workplace health, safety and welfare legislation,
underpinned by the Health and Safety at Work Act 1974 and by the Management of
Health and Safety at Work Regulations 1999. Explain that there may be health,
safety or welfare implications when equipment is stolen, damaged or lost, and there
may be an impact on patient care or safety.
5.5 The Care Quality Commission (CQC)
State that the CQC was established under the Health and Social Care Act 2008 as
the independent regulator for health and adult social care in England. Explain that
the CQC has introduced a new system of registration for all health and adult social
care providers. This is designed to make sure that people receive services that meet
essential standards of quality and safety. Explain that the Health and Social Care
Act 2008 (Regulated Activities) Regulations 2010 set out these essential standards,
which providers of health and adult social care are required to meet in order to
register with CQC. Under Regulation 16 providers must ensure that “equipment is
available in sufficient quantities in order to ensure the safety of service users and
meet their assessed needs”. CQC guidance provides a set of outcomes and prompts
which will help providers ensure that they meet standards and regulations. Examples
of relevant outcomes are Outcome 11A (equipment is “stored safely and securely to
prevent theft, damage or misuse”) and Outcome 11F (medical devices are “available
when they are required for use [and] disposed of or recycled, safely and securely”).
Also explain that CQC guidance indicates in more detail what providers should be
doing to meet the requirements of the regulations. These detailed indications are not
legally binding, but if a provider decides not to follow them, they will still have to show
they have taken them into account when judging their compliance with the
regulations. These indications include measures which may impact on patients’
experience, e.g. measures relating to theft.
5.6 NHS Litigation Authority (NHSLA)
State that the NHSLA handles civil legal liability claims through a variety of
membership schemes of which most providers of NHS care are members. The
NHSLA has an active risk management programme to help raise standards and
reduce the number of incidents leading to claims.
Explain that the NHSLA Risk Management Standards include an assessment of the
process the organisation has in place for managing the risks associated with the
physical security of premises and assets.
Potential losses, damages and theft to NHS assets may have an impact on the
insurance premium the organisation will be expected to pay. Therefore this policy
should demonstrate that there are effective risk management arrangements in place
that meet the NHSLA’s requirements.
5.7 Medicines and Healthcare Products Regulatory Agency (MHRA)
State that the MHRA is the government agency responsible for ensuring that the
manufacture and use of medicines and medical devices meet appropriate standards
of safety, quality, performance and effectiveness. It has responsibility for ensuring
compliance with statutory obligations relating to medicines and medical devices
through inspection, and for taking enforcement action where appropriate.
Explain that the MHRA investigates adverse incidents involving medical devices and
equipment, issues safety warnings, provides advice and guidance on safety and
quality issues and acts as the UK regulator for the medical devices industry.
Include reference to MHRA guidance Managing Medical Devices DB2006(05) which
provides guidance on the resale of medical equipment.
6. Roles and responsibilities
6.1
This section should set out the roles and responsibilities of those individuals and
departments who play a critical role in the acquisition of NHS assets and will have
some involvement in the protection and security of assets.
6.2 Chief Executive
Explain that the Chief Executive has overall responsibility for the assets of the
organisation and for ensuring that the organisation has adequate processes in place
to protect the public investment in them. If this responsibility has been delegated to a
member of the board or board level committee, details should also be provided here.
6.3 Board of Directors
Explain the Board has a dual role: it is responsible for ensuring effective security
management systems are in place within the organisation, and also for ensuring that
the organisation complies with all its statutory functions and obligations in relation to
safety and security management, such as health and safety legislation.
Explain that the Board instructs the Director of Finance to implement the
organisation’s financial policies, ensure that detailed financial procedures and
systems are established and ensure that sufficient records are maintained to show
and explain the organisation’s transactions, in order to disclose its financial position.
6.4 Director of Finance (DoF)
Explain that the Chief Executive delegates powers to the DoF in his/her role as a first
line budget holder responsible for the Finance Directorate. In addition to these, the
DoF is provided with further powers to manage the approval of financial transactions
initiated by other directorates across the trust.
Explain that the DoF shall prepare, document and maintain detailed financial
procedures and systems incorporating the principles of separation of duties and
internal check to supplement these instructions.
The DoF will report annually to the Board and Council of Governors (in Foundation
Trusts) on the adequacy of internal financial control and risk management as part of
the Board’s overall responsibility to prepare a statement of internal control for
inclusion in the organisation’s annual report.
6.6 Other directors
Explain that it is the responsibility of the Security Management Director (SMD) to lead
and communicate at board level on strategies to protect and secure the assets.
Non-Executive Directors (NEDs) play an important role in scrutinising these arrangements
and holding the Chief Executive and Board to account. NEDs and SMDs should also
refer to the NHS Protect publication Guidance for Security Management Directors
and Non-executive Directors for details of their full roles and responsibilities.
Explain the role of the Director(s) for Governance and Risk, Health and Safety who
are also likely to have some responsibility for assets and are likely to need to liaise
and work closely with the SMD and NED on related issues. Include how they will coordinate with the SMD and the DoF and report to the Board.
6.7 Audit Committee
6.8
Explain that, in accordance with standing orders, the Board of Directors shall
establish an Audit Committee, with clearly defined terms of reference. The Audit
Committee shall review the establishment and maintenance of an effective system of
integrated governance, risk management and internal control.
6.9
The Audit Committee should also be responsible for:
• overseeing internal and external audit services
• reviewing financial systems
• ensuring compliance with standing orders and standing financial instructions
• reviewing schedules of losses and compensations and making
recommendations to the board
• reviewing information prepared to support the Statement of Internal Control
prepared on behalf of the board and advising the board accordingly.
6.10 Local Security Management Specialist (LSMS)
Explain that the LSMS takes forward security management work locally in
accordance with national standards, reporting directly to the SMD.
Explain how the LSMS will work with key colleagues to promote security and
effectively respond to security breaches and incidents involving NHS assets,
particularly their theft or loss.
This section should link to the organisation’s security policy for further details on the
roles and responsibilities of the LSMS.
6.11 Medical Equipment Advisor/Department
Explain the role of the Medical Equipment Advisor/Department in coordinating the
procurement, use, maintenance, decommissioning and disposal of pooled medical
equipment in line with current legislation and guidance. Include the organisation’s
policy for how it will manage the risks and reduce vulnerabilities when medical
equipment is sent off-site for maintenance and repair.
Explain how the Medical Equipment Advisor/Department will work with the LSMS and
other staff to secure NHS assets. This section should link to the organisation’s
medical equipment policy for further details on the maintenance, decommissioning
and disposal of medical equipment.
6.12 Responsibilities of Ward Managers and Heads of Department
Explain that all managers and department heads share responsibility for ensuring
security measures and processes are adhered to in their local area. It is their
responsibility to see that the right policies, procedures and systems are in place in
their local areas and that such policies are kept under constant review.
They need to be able to carry out risk assessments and ensure that staff understand
the importance of protecting and securing NHS assets. Mention that managers and
department heads are responsible for ensuring their staff are aware of the
organisation’s policies and procedures for securing NHS assets, and for enforcement
and/or disciplinary action against staff who do not comply.
Include that managers and department heads should implement a procedure to
record details of all assets, e.g. the make, model and serial number of all valuable or
important assets within their department or directorate. They should also report any
loss of or damage to an asset as soon as is practicable.
State that the LSMS is available to advise on methods of security management and
appropriate systems, and he/she should be kept informed of any losses, damage or
thefts.
Explain that managers and department heads should also consider security
requirements when purchasing new assets or during large projects where there is an
opportunity to consider security from the outset.
6.13 Responsibility of the employee
Explain that all employees are expected to co-operate with management to achieve
the aims, objectives and principles of any asset management systems. Staff should
be particularly aware of their own responsibilities in protecting, at all times, NHS
assets and the property of patients, visitors and the organisation.
State that where specific security procedures exist, staff must abide by them at all
times. Where staff know of, or suspect, a breach in security, they must report it
immediately to their manager and should inform the LSMS.
6.15 Contractors and contracted staff
Explain that this policy applies to all contractors and contracted staff, who should
equally be made to understand the importance of protecting NHS assets and should
receive appropriate training in relevant security practices and procedures. They
should also have access to the policy.
7. Risk assessments
LSMSs should provide detailed explanations tailored to the local needs of their
organisation…
7.1 Explain the organisation’s risk assessment process and how it applies to the security
of its assets. Following the risk assessment, the organisation should be in a position
to determine appropriate security measures and controls to deliver the aims of the
policy.
8. Security measures
LSMSs should provide detailed explanations tailored to the local needs of their
organisation…
8.1 This section should highlight the main security options available to protect assets and
provide advice on how to select the most appropriate security measures, based on
the risk assessment.
9. Monitoring and auditing of policy effectiveness
9.1 Explain that monitoring is essential to ensuring that security measures are
appropriate and robust. Arrangements might include:
• reminding everyone they have a role in protecting and securing NHS assets
and that it is their responsibility to report any theft, damage or loss immediately
• asset registers, which should be completed and kept up to date
• regular audits or inspections to measure performance against asset registers.
9.2 Where deficiencies are identified as a result of monitoring, the organisation should
explain how appropriate recommendations and action plans are developed and how
any recommendations made are to be implemented.
10. Dissemination of this policy
10.1 This section should explain how this policy will be disseminated, who it should be
disseminated to and by what means.
11. Review of this policy
11.1 This section should describe how this policy will be reviewed, and link to any relevant
organisational level guidelines. Detail here which committee is responsible for the
review of this policy, and how often a review should take place.
12. Policy appendices
12.1 List here information on existing policies that are relevant to the organisation and to
this policy.
Appendix 3
Guidance on the security and management of NHS assets – Consultation
Consultation on this document was undertaken between July and October 2011. All
NHS Local Security Management Specialists (LSMSs) and a broad range of other
NHS stakeholders were invited to participate in the consultation process. In total,
19 responses were received. This feedback proved extremely valuable in finalising
the document and its contents.
The consultation questions are included below for reference.
1. In your opinion, does the document address the specific ‘purpose and scope’ as
set out in section 1.10?
2. Who do you think the target audience should be for this type of document?
3. Does chapter two explain the stages in the ‘life cycle’ of an asset in enough
detail? If not, what else should be included?
4. Do you have any comments on the risk assessment framework as outlined in
chapter three?
5. Are there any other security measures you would like to see discussed or included
in chapter four?
6. In the future, would it be helpful for NHS Protect to produce further guidance on
securing and protecting any particular NHS asset? If yes, which assets?
7. Do you think the checklist in appendix 1 will assist NHS health bodies to conduct
or inform their own risk assessment process?
8. Do you think the policy template provided in appendix 2 will assist health bodies
to develop their own local policy?
9. What other types of materials or support on the issue of protecting and securing
NHS assets would be helpful to NHS health bodies?
10. Do you have any examples of good practice you would like to share with us?
11. Would you be willing to help support our work on this subject in the future? For
example, to assist in providing case study material, be part of a work group, etc.?
12. Do you have any other comments you wish to make on this document?