AS 4485.1:2021 – Security for healthcare facilities Part 1: General requirements.
Section 3 Security risk assessment
3.1 General
To implement an effective security program, a facility shall make an assessment of the potential threats, vulnerabilities and risks it will need to manage, including the appropriateness and effectiveness of current controls.
The security risks to each healthcare facility will vary depending on its operations, location, perceived or known value of information and assets, and the image portrayed by the facility from a security perspective (e.g. it may be seen as an easy target because it has little or no security). It would be impossible for any organization to operate in a zero-risk environment.
The risk management process involving identification, analysis, assessment, control and continuous risk monitoring shall be undertaken in accordance with AS/NZS ISO 45001 and AS ISO 31000.
A healthcare facility shall be able to produce evidence that the findings of the security risk assessment have been implemented.
3.2 Asset identification
Before being able to manage its risks, a facility shall identify critical infrastructure, other important assets and information to be assessed.
NOTE Refer to AS 4485.2 for more information on asset identification.
3.3 Assessment of threats
The next step is to assess the risks that may be directed against persons, information or property which belong to, or which are located at, a facility/workplace, resulting in a negative impact. The assessment of these threats can only be usefully coordinated by a person in each facility who has a good understanding of the operations of the facility and who can obtain, analyse and assess potential threat information from a variety of sources.
NOTE Refer to AS 4485.2 for further information on threat assessment.
3.4 Frequency of risk assessments
Every healthcare facility shall take a systematic and coordinated approach, including an initial security risk assessment, to reduce potential security risk.
After an initial security risk assessment each healthcare facility shall conduct regular assessments in response to any significant change in the facility’s —
(a) internal and/or external risk context;
(b) role, responsibilities and functions;
(c) property and buildings; and
(d) volume or severity of security incidents.
NOTE Frequency and intervals between risk assessments may be subject to additional regulatory and/or jurisdictional requirements.
A healthcare facility shall be able to produce evidence that it has conducted a comprehensive security risk assessment within the past three years.
3.5 Performance of risk assessments
Security risk assessments shall be conducted by qualified and experienced personnel in consultation with relevant workers and other stakeholders as part of—
(a) the decommissioning process to secure vacated premises; and
(b) the commissioning and planning processes for new and redeveloped facilities.
Security risk assessments shall be documented and plans developed.
Risk assessments and control plans shall be retained by the facility for a period of at least seven years.
NOTE There may be additional regulatory requirements affecting how long risk assessment and control plan documentation is to be retained.
3.6 Outcomes of risk assessment
Each risk assessment shall result in a plan to manage identified risks.
Policy, procedures, controls and training shall be reviewed, revised and updated in accordance with the security risk management plan.
The facility shall be able to produce evidence that the recommendations of the security risk management plan have been implemented. Each security risk management plan shall address the following:
(a) Identification of priority areas.
(b) Security governance.
(c) Security overview.
(d) Physical security.
(e) Security technology.
(f) Administrative and procedural security.
(g) Worker, patient and visitor safety.
(h) Security personnel.
(i) Information security management (in accordance with AS ISO/IEC 27001).
(j) Strategies to address vulnerabilities.
(k) Training and development.
(l) Traffic and vehicle management.
(m) Security activities.
(n) Incident management and response.
(o) Personal protective equipment.
(p) Emergency preparedness and business continuity.
NOTE Refer to AS 4485.2 for further information on the security risk management plan.