1、BSI Standards Publication PD CEN/TS 16850:2015 Societal and Citizen Security Guidance for managing security in healthcare facilitiesPD CEN/TS 16850:2015 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of CEN/TS 16850:2015. The UK participation in its preparation
2、 was entrusted to Technical Committee BCM/1/-/3, Supply Chain Continuity. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct
3、application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 89284 4 ICS 11.020; 13.310; 91.040.10 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standar
4、ds Policy and Strategy Committee on 30 September 2015. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dPD CEN/TS 16850:2015TECHNICAL SPECIFICATION SPCIFICATION TECHNIQUE TECHNISCHE SPEZIFIKATION CEN/TS 16850 September 2015 ICS 13.310; 91.040.10; 11.020 English Version Soci
5、etal and Citizen Security - Guidance for managing security in healthcare facilities Scurit socitale du citoyen - Lignes directrices pour grer la scurit dans les tablissements de sant Schutz und Sicherheit der Brger - Leitfaden fr das Sicherungsmanagement in Gesundheitseinrichtungen This Technical Sp
6、ecification (CEN/TS) was approved by CEN on 27 July 2015 for provisional application. The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their comments, particularly on the question whether the CEN/TS can be conve
7、rted into a European Standard. CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/
8、TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hun
9、gary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CEN
10、ELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2015 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TS 16850:2015 EPD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 2 Contents Page European foreword . 4 Introduction 5 1 Scope
11、6 2 Terms and definitions . 6 3 General guidance . 6 3.1 Approach 6 3.2 Context of the HCF security management 6 3.3 Compliance with national legislation 7 3.4 Risk management 7 3.5 Leadership . 8 3.5.1 General 8 3.5.2 Organization of roles, responsibilities and authority 8 3.6 Establishment of a se
12、curity management policy . 9 3.7 Security Management Plan (SMP) . 9 3.8 Interfacing with other management systems 10 4 Operational guidance . 10 4.1 Organization (General procedures) 10 4.1.1 Controlled areas . 10 4.1.2 Access control 10 4.1.3 Secure storage . 12 4.1.4 Facility restricted access (em
13、ergency lockdown) 12 4.1.5 Car park and vehicle control 13 4.2 People . 13 4.2.1 Staff 13 4.2.2 Visitors . 18 4.2.3 Patients 19 4.3 Facilities and technology (infrastructure and access system) 22 4.3.1 Design and construction 22 4.3.2 Physical security . 23 4.3.3 Fences and walls . 23 4.3.4 Closed c
14、ircuit TV (CCTV) 23 4.3.5 Identity cards . 24 4.3.6 Technologies and alarm systems . 24 4.3.7 Control rooms 25 4.3.8 Accommodation for patients with protective status or prisoners . 25 4.3.9 Security signage 25 4.3.10 Alternative entries . 26 4.3.11 Operating (surgery) rooms security . 26 4.3.12 Eme
15、rgency unit security 26 4.3.13 Burglar and intruder resistant areas 27 4.3.14 Personal attack alarms (Panic alarms) 28 4.3.15 Cash and other monetary processing systems 28 4.4 Security incident response . 30 4.4.1 General . 30 4.4.2 Criteria . 30 4.4.3 Minimizing possibility of recurrence 31 4.4.4 R
16、eports and statistics . 31 PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 3 4.4.5 Incident report 31 4.4.6 Interfacing with first responders and emergency management . 31 4.4.7 Targeted violence . 32 4.5 Plans for special cases . 33 4.5.1 Child abduction . 33 4.5.2 CBRN incident response . 33 4.5.3 Pris
17、oner patients 33 4.5.4 Offensive weapons and other dangerous equipment 33 4.5.5 Active shooter 34 4.5.6 Drug diversion and security of CBRNE substances . 35 4.5.7 Vehicle and aircraft security 36 4.5.8 Media . 36 5 Performance evaluation . 37 5.1 General . 37 5.2 Management review 37 6 Exercise and
18、testing . 37 Bibliography . 39 PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 4 European foreword This document (CEN/TS 16850:2015) has been prepared by Technical Committee CEN/TC 391 “Societal and Citizen Security”, the secretariat of which is held by NEN. Attention is drawn to the possibility that som
19、e of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to anno
20、unce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Ro
21、mania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 5 Introduction Security of healthcare facilities is very important for effective and high quality medical treatment. It is a very wide area and the primary objective of th
22、is Technical Specification (TS) is to provide all responsible persons, within healthcare facility, with guidelines on how to manage security. This is not a management system standard. This TS is giving an opportunity to be more specific in proposed security measures, which leads to better security o
23、f healthcare facility staff, patient and other people, who are visiting such a facility. There is also an important fact that this TS is not a closed project and we are expecting further development of this document. Management of security in healthcare facilities is a dynamic process and this TS pr
24、oposes guidelines, which help responsible persons have a choice from different techniques for how to improve security. It is important to emphasize that across the European Union there are several regulatory and legislative limitations for use of security techniques and technologies, so it is import
25、ant to take these limitations into account. Use of the guidelines may vary based on the health care system in each country of the European Union. PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 6 1 Scope This Technical Specification provides guidance for managing security in healthcare facilities. It cov
26、ers the protection of people, critical processes, assets and information against security threats. This Technical Specification applies to hospitals and places that provide healthcare services, such as - but not limited to - psychiatric clinics, homes for the elderly and institutions for the handica
27、pped. It also applies to self-employed practicing healthcare professionals. It does not apply to occupational health and safety and fire safety. This Technical Specification is not a management system standard. However it can be applied as part of a management system, such as with EN ISO 9001. 2 Ter
28、ms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 controlled area area which has specific controls to restrict access to authorized persons only 2.2 targeted violence situation where an individual, individuals or group are identified at risk of viol
29、ence, usually from another specific individual such as in cases involving domestic violence Note 1 to entry: Often, the perpetrator and target are known to each other prior to an incident. 3 General guidance 3.1 Approach Security management for a healthcare facility (HCF) should: be consistent with
30、other policies; be documented, implemented and maintained; be visibly endorsed by top management; provide a framework which enables the specification of security management objectives and targets; be consistent with the organizations risk management; be communicated to all employees, patients and ot
31、her stakeholders; and respect the rights of patients and visitors. 3.2 Context of the HCF security management The HCF should determine internal and external issues that are relevant to its purpose and that affect its ability to achieve the intended level of security within the HCF. The context shoul
32、d be taken into account when establishing, implementing, maintaining and continually improving the HCF security management (system). PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 7 The HCF should identify and document: the HCFs activities, functions, services, products, partnerships, supply chains, res
33、ources, relationships with interested parties, and their relationship with security management; and links between the HCF security management system design and the HCFs other policies, including its other management strategies and implemented management systems. 3.3 Compliance with national legislat
34、ion The HCF should establish and maintain procedure(s) to: identify legal, regulatory, and other requirements to which the HCF subscribes related to the HCF security management; determine legal restrictions on certain security procedures based on jurisdiction; and determine how these requirements ap
35、ply to its HCF security management. The HCF should document this information and keep it up to date. The HCF should ensure that applicable legal, regulatory and other requirements to which the organization subscribes are considered in developing, implementing and maintaining its HCF security managem
36、ent. NOTE 1 These procedures are in most cases an integral part of management system standards, such as quality management systems, e.g. EN ISO 9001:2008. In this case, the organization should ensure that specific requirements for security-related issues, such as requirements for technologies etc. a
37、re included. NOTE 2 The mission of HCF personnel is to provide healthcare and not law enforcement. 3.4 Risk management Security management is risk management, therefore the security management system should be aligned with other risk management systems within the HCF. The HCF should establish, imple
38、ment and maintain a formal and documented risk assessment process for security risk identification, analysis and evaluation, in order to: identify operational security risks caused by intentional, unintentional and human threats that have a potential for direct or indirect consequences on the HCFs o
39、bjectives, tangible and intangible assets, and interested parties (threat, vulnerability, and criticality analysis); systematically analyse risk likelihood and consequence, and set risk criteria; and systematically evaluate and prioritize security risk controls and measures and their related costs.
40、The HCF should: document and keep this information up to date and secure; periodically review whether the risk assessment methods are effective for security risk management; re-evaluate risks within the context of changes within the HCF, or made to the HCFs operating environment, procedures, functio
41、ns, services, partnerships, and supply chains; evaluate the direct and indirect benefits and costs of options to manage risk and enhance reliability and security; PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 8 evaluate the actual effectiveness of security risk management measure options; ensure that t
42、he prioritized risks and impacts are taken into account in establishing, implementing and operating its HCF security management; and evaluate the effectiveness of security risk controls and measures. NOTE For methods of risk assessment and risk analysis see IEC 31010. The HCF should establish, imple
43、ment and maintain a formal and documented communication and consultation process, consistent with operational security, with all stakeholders in the risk assessment process to ensure that: security risks are adequately identified and communicated; interests of other internal and external interested
44、parties are understood; dependencies and linkages with subcontractors, third parties providing outsourcing and those within the supply chain are understood; the risk assessment process interfaces well with other management disciplines; and risk assessment is being conducted within the appropriate in
45、ternal and external context and parameters relevant to the HCF and its interested parties. The risk assessment should identify activities, operations and processes that need to be managed. Outputs should include a prioritized risk register identifying measures to mitigate risk and justification for
46、risk acceptance. 3.5 Leadership 3.5.1 General Top management should demonstrate leadership and commitment with respect to the HCF security management by: making security management one of the responsibilities of one of the members of top management; appointing a responsible person for the healthcare
47、 security management with leadership and technical competence (see 3.5.2); supporting relevant management roles to demonstrate their leadership as it applies to their areas of responsibility (see 3.6); ensuring that the resources needed for the HCF security management are available (see 3.6); suppor
48、ting the planning of security measures (see 3.7); and directing and supporting persons to contribute to the effectiveness of the HCF security management (see 4.2.1.6 and 4.2.1.8). 3.5.2 Organization of roles, responsibilities and authority Top management should ensure that the responsibilities and a
49、uthorities for relevant roles are assigned and communicated within the organization. Top management should ensure that: PD CEN/TS 16850:2015 CEN/TS 16850:2015 (E) 9 an administrative person, designated by leadership, is charged with primary responsibility for the security function, e.g. a security manager; and provision is made for the professional development of the Security manager. NOTE Membership in at least one professional security organization and participation in security educational progr
