Between the Devil and the Deep Blue Sea

For nearly 40 years now, the powers-that-be at the National Health Service (NHS) have clung on to the Home Office assessment that: “For some strange reason, people, staff and visitors seem to think that because hospitals are caring places, they are somehow immune from the effects of local crime and the ills of society.”

Without doubt, the NHS has a vital role to play in the fabric of our country but, so far as security is concerned, it’s readily apparent the organisation has rather ignored the fact that it must also evolve as society adjusts to meet changing attitudes, needs and developments.

Today’s threats in the healthcare arena are both numerous and different from those apparent only a few short years ago. They now include crime (theft, criminal damage, violence and other public order offences), activities that risk the good reputation of the NHS and its various Trusts, fraud and asset mismanagement, illegal interference with hospital equipment, the unauthorised release of confidential information, the person with a grudge or affliction who may cause damage to a given Trust, its staff and/or its property and the numerous activities of lobby, pressure and terrorist groups.

By the early 1990s, signals emerged that the lack of decent healthcare security needed to be addressed. In a 1993 report on the state of security, Sir David Nicholls – former chief executive of the NHS Confederation – wrote: “Hospital exits and entrances were open much of the time, allowing anyone to walk in unchallenged. The lack of adequate security measures in hospitals is making them a paradise for opportunist thieves and vandals. One manager commented that hospitals were merely supermarkets without tills.”

Inquiries conducted in the aftermath of the Beverley Allit affair – and the murderous activities of Dr Harold Shipman – did much to expose clinical fraternity fragilities, in particular the clash between medical ethics and public safety. Put simply, a state of affairs existed that simply could not continue.

The ‘machismo’ of security

Protective security is now an accepted feature of modern life. All of us have witnessed the expansion of CCTV and the presence of security officers in retail centres, at sports events and throughout our airports. The idea that healthcare security is not as expensive as insecurity began to be accepted by Acute Trusts in particular, but there were high hurdles. The cost of introducing security officers and technology to an organisation that focused on clinical matters proved problematic, while the perceived ‘machismo’ of security in healthcare settings was complete anathema to some health sector professionals.

However, staff employed in hospitals and healthcare centres are also members of the public exposed to security outside of the hospital environment. As a result – and not at all surprisingly – their demands for healthcare security improvements duly emerged.

Following a serious attack on a nurse and two security officers in a West Country hospital back in 1998, an official UNISON statement read: “Some NHS Trusts should be more realistic in their risk assessments. The NHS could do with more networking.”

The first security managers were recruited by Acute Trusts during the late 1980s and early 1990s. Most were highly experienced, and came from a wide range of backgrounds. That said, lots of incumbents had – and still have – additional roles, particularly in relation to specific facilities management activities.

Many of these security managers banded together and formed the National Association for Healthcare Security (NAHS), the idea being to promote and develop security management in both public and private sector settings.

NAHS: bringing managers together

Over the years, the NAHS has assembled security policies and procedures which have frequently proven beneficial to managers, particularly those general managers for whom security is but one of their tasks.

It’s fair to say that several NHS Trusts would not have any security operating procedures in place had it not been for the work of the Association. It arranges conferences with high level speakers, and has developed the current foundation training course for healthcare security officers. Networking and regular meetings were – and remain – a priority.

Regional groups soon developed, and the Executive then created national and international links with Government and commercial security organisations.

In 1997, the establishment of the Counter Fraud Service (CFS) by the (then) new Labour Secretary of State for Health, Frank Dobson, was designed to tackle the fraud and corruption known to exist throughout the health service. Nonetheless, the Government’s decision surprised many of those involved in healthcare security because violence and aggression had been high on the political agenda. The CFS sought to safeguard property over and above life – an outcome entirely consistent with legislation across many centuries, it must be said.

The CFS was most certainly an important initiative, and one that made a significant impact. Aside from convictions, dishonest money was returned to the public purse to the extent that for every £1 recovered in countering fraud, about £14 is returned to the Department of Health. Achieving a 97% successful prosecution rate, the CFS has performed better than any other protection agency in the UK including the Police and the Serious Fraud Office.

Meantime, the NAHS was lobbying – as it had done for several years – for a dedicated Department of Health security management organisation. On 1 January 2003, the CFS was then expanded into the Counter Fraud and Security Management Service (CFSMS) (‘Healthier options’, SMT, September 2003, pp23-24). On 1 April 2003, the Security Management Service (SMS) then emerged with a mission: “To provide the best protection for patients, staff, professionals and property” and a defined remit to develop “policy and operational responsibility... for the management of security within the NHS.”

For those healthcare security managers battling to improve safety and security in the NHS, this was good news. That said, there were doubts surrounding the wisdom of separating security and fraud. As has been proven over the centuries, as soon as the components that form security (ie physical security, investigation, fraud and information security) are split, cohesion and the co-ordination of information sharing is lost. Worse still, the damaging factors of factions, elitism and competition soon begin to surface.

Following two Directions

Two Secretary of State for Health Directions followed – as ever, without additional revenue identified to support their implementation. The first, issued on 20 November 2003:

• listed measures to deal with violence and aggression against staff, and those who provide services to the NHS;
• specified the establishment of the Legal Protection Unit (to help with legal advice, and to increase the prosecution rates relating to assaults);
• established the Physical Assault Reporting Systems (PARS) – the first genuine step in national reporting;
• published a national syllabus on conflict resolution training.

Although the Direction had a strong emphasis on tackling violence and aggression, as opposed to security management in its purest sense, it was a welcome start.

The subsequent publication – on 24 March 2004 – of the Direction on NHS security management measures gave a clear signal that weak healthcare security could no longer be tolerated, and that every health body must:

• appoint a non-executive director (or non-officer) to promote security management;
• appoint a Board-level representative to assume responsibility for security management issues, and act as a security management director (at Trust level, this must be an executive director);
• appoint a local security management specialist – ‘SMS-speak’ for a security manager, although the job description issued by the SMS bore little relation to the role of security management in a corporate environment;
• take measures to ensure that breaches of security are reported to the local security management specialist;
• support the local security management specialist, with area security management specialists being directly recruited by the SMS.

The quality of security has to be audited by both the Healthcare Commission and the Health and Safety Executive. The CFS has its own quality inspection teams.

Some clarity is needed

Security Management Service staff lacking corporate security management experience are the ones developing security policies. Visits to the ‘front line’ are rare at best

Two-and-a-half years on, it is still not clear how many security management directors and local security management specialists have been appointed and nominated (ie those awaiting a course), notwithstanding the requirements of the Directions. Nor is it clear how many local security management specialists a given Trust should appoint. In at least one large Acute Trust there are three yet, in another similar Trust with virtually identical workloads there’s only one. How can that be?

Financial constraints have limited the recruitment of the area security management specialists to four from the eight originally planned. As expected with such limited resources, all four are deluged with work.

Every local security management specialist must pass a security foundation course, regardless of experience and qualifications in healthcare and other security management roles. The course is accredited by the University of Portsmouth and, being the first step towards a healthcare security degree, will result in much-needed academic papers on the discipline of healthcare security.

However, the course has a strong theme of investigation with a week each spent on incident detection, incident investigation, sanctions and, finally, prevention and deterrence. The key elements of security planning, the complexities of security surveys and the refined skills necessary for general management are largely ignored, and yet it is these that form the principles of corporate security management.

This is particularly applicable to Acute Trusts, which are more akin to corporate organisations with budgets in excess of £250 million and the accompanying security issues surrounding the theft of IT and medical equipment, criminal damage and vandalism. Not to mention those incidents associated with clinical conditions and violence.

‘Investigation agents’ of the SMS?

The course curriculum has led to local security management specialists being seen, by some, as merely ‘investigation agents’ of the SMS. Further, the mandatory principles of attendance on the course and its curriculum present a risk to the development of healthcare security in that experienced and qualified security managers – which the NHS very much needs – may look elsewhere when attempting to develop their careers.

The resources and experience available to some Trust security managers for investigating public order offences and Breaches of the Peace involving members of the public (where the Police and Crown Prosecution Service do not prosecute in the public interest) have been minimal. Some tutors – most of whom were former police training instructors – have had little exposure to pure security management.

At times, therefore, the bizarre spectacle arose where experienced healthcare security directors were being taught rudimentary healthcare security by tutors whose own experience and qualifications in the field is limited, to say the very least. Little attempt was made to invite experienced healthcare security managers to give presentations.

The local security management specialist’s background and route to appointment can vary. They may be an in-house security practitioner. Although salaries do not match commercial rates for the size of the organisation and responsibilities, offers in excess of £30,000 are nonetheless not uncommon. Alternatively, existing employees may be transferred into the role, or security management skills might be added to an existing role (such as that of the Health and Safety manager or the litigation manager).

In addition, support might be forthcoming from another health body’s local security management specialist. Otherwise, an independent security consultant could be contracted to provide a local security management specialist function.

Security’s remit is far wider

Although the SMS structure was generally welcomed by those involved in healthcare security – in particular relating to the fact that every healthcare body must have security management representation – there was concern that it was similar to that of the CFS, which is basically an organisation designed for investigation. It seemed to ignore the fact that while fraud is essentially based on a few sections of the Theft Act, security management has a far, far wider remit.

The basic problem is that the SMS was established principally on the basis of investigating violence and aggression, and not developing security management. The strategy is driven from the very centre of the CFSMS – a civil service organisation – seemingly on the principle that: “The CFS has been successful, and therefore we know best.”

Initial development of the SMS lacked credibility, largely because the visions, talents and experiences of existing healthcare security managers were not fully exploited. The outcome was that, as opposed to the SMS slotting straight into the existing security management structure (admittedly loosely formed), a dogmatic approach was adopted based on the success of the CFS strategy. An organisation of investigators rather than security management specialists then emerged. This is not the expectation of NHS Trusts, all of whom want security managers.

Local security management specialists are expected to conform to an annual work plan agreed by the health body SMD and which is auditable by the SMS. While a good idea, its timetable for submission is not always tied into Personal Development Review agreements. Local security management specialists needing to balance loyalty to their employer against the demands of the SMS frequently find themselves in invidious positions.

As things stand, SMS staff lacking corporate security management experience are the ones developing security policies. Visits to the ‘front line’ are rare at best.

The production of a security manual was welcomed. However, it is only issued after the local security management specialist has passed the foundation course. Nominated and future local security management specialists cannot make reference to the manual until they have passed the course.

Nominated local security management specialists are not permitted to attend SMS seminars and, consequently, lose out when it comes to gaining valuable knowledge and benefiting from networking. It is fortunate that the NAHS fills the gap, although it’s a great shame the SMS does not promote the Association’s role as a depository of ‘front line’ policies and procedures.

Danger of being outflanked

There’s no doubt that the development of the SMS is – and will be – immensely beneficial to health bodies, and deserves to be fully supported. However, the senior echelons of the CFSMS must acknowledge that the NHS is experiencing significant medium-term political, organisational and financial upheaval. The establishment of the SMS, while generally welcome, needs to be shoe-horned into the NHS in a sensitive manner.

The patient assault information system will unearth the true extent of intentional violence and aggression, although the depth of losses and damage needs to be carefully quantified and costed before any high-tech (and needlessly expensive) solutions are identified and promulgated as the saviour for all ills.

Healthcare security updates through the periodical ‘Secure’ and security alerts and guidance are useful, but if they are not distributed to nominated local security management specialists this isn’t helpful. Formal relationships with the Health and Safety Executive, the Healthcare Commission, ACPO, the Prison Service and the Magistrates Association will be beneficial, although the SMS has to exercise caution. It must not be outflanked as it is the discipline of security management that will be most affected.

Political dogma and credibility

As a ‘toddler’ on the security block, the SMS should not assume that it knows best. Political dogma can affect credibility, although it’s accepted that the SMS must respond to its political masters. Without detracting from the work undertaken so far, it’s time to move on from the understandable agenda of dealing with violence and aggression towards training for – and developing – the wider security management issues affecting the NHS.