1、BSI Standards PublicationPD CEN/TS 16850:2015Societal and Citizen Security Guidance for managingsecurity in healthcare facilitiesPD CEN/TS 16850:2015 PUBLISHED DOCUMENTNational forewordThis Published Document is the UK implementation of CEN/TS16850:2015.The UK participation in its preparation was en
2、trusted to TechnicalCommittee BCM/1/-/3, Supply Chain Continuity.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication.
3、The British Standards Institution 2015.Published by BSI Standards Limited 2015ISBN 978 0 580 89284 4ICS 11.020; 13.310; 91.040.10Compliance with a British Standard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strate
4、gy Committee on 30 September 2015.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dPD CEN/TS 16850:2015TECHNICAL SPECIFICATION SPCIFICATION TECHNIQUE TECHNISCHE SPEZIFIKATION CEN/TS 16850 September 2015 ICS 13.310; 91.040.10; 11.020 English Version Societal and Citizen Secur
5、ity - Guidance for managing security in healthcare facilities Scurit socitale du citoyen - Lignes directrices pour grer la scurit dans les tablissements de sant Schutz und Sicherheit der Brger - Leitfaden fr das Sicherungsmanagement in GesundheitseinrichtungenThis Technical Specification (CEN/TS) wa
6、s approved by CEN on 27 July 2015 for provisional application. The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European St
7、andard. CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final dec
8、ision about the possible conversion of the CEN/TS into an EN is reached. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland,
9、 Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre:
10、 Avenue Marnix 17, B-1000 Brussels 2015 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TS 16850:2015 EPD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 2 Contents Page European foreword . 4 Introduction 5 1 Scope 6 2 Terms and definition
11、s . 6 3 General guidance . 6 3.1 Approach 6 3.2 Context of the HCF security management 6 3.3 Compliance with national legislation 7 3.4 Risk management 7 3.5 Leadership . 8 3.5.1 General 8 3.5.2 Organization of roles, responsibilities and authority 8 3.6 Establishment of a security management policy
12、 . 9 3.7 Security Management Plan (SMP) . 9 3.8 Interfacing with other management systems 10 4 Operational guidance . 10 4.1 Organization (General procedures) 10 4.1.1 Controlled areas . 10 4.1.2 Access control 10 4.1.3 Secure storage . 12 4.1.4 Facility restricted access (emergency lockdown) 12 4.1
13、.5 Car park and vehicle control 13 4.2 People . 13 4.2.1 Staff 13 4.2.2 Visitors . 18 4.2.3 Patients 19 4.3 Facilities and technology (infrastructure and access system) 22 4.3.1 Design and construction 22 4.3.2 Physical security . 23 4.3.3 Fences and walls . 23 4.3.4 Closed circuit TV (CCTV) 23 4.3.
14、5 Identity cards . 24 4.3.6 Technologies and alarm systems . 24 4.3.7 Control rooms 25 4.3.8 Accommodation for patients with protective status or prisoners . 25 4.3.9 Security signage 25 4.3.10 Alternative entries . 26 4.3.11 Operating (surgery) rooms security . 26 4.3.12 Emergency unit security 26
15、4.3.13 Burglar and intruder resistant areas 27 4.3.14 Personal attack alarms (Panic alarms) 28 4.3.15 Cash and other monetary processing systems 28 4.4 Security incident response . 30 4.4.1 General . 30 4.4.2 Criteria . 30 4.4.3 Minimizing possibility of recurrence 31 4.4.4 Reports and statistics .
16、31 PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 3 4.4.5 Incident report 31 4.4.6 Interfacing with first responders and emergency management . 31 4.4.7 Targeted violence . 32 4.5 Plans for special cases . 33 4.5.1 Child abduction . 33 4.5.2 CBRN incident response . 33 4.5.3 Prisoner patients 33 4.5.4 Of
17、fensive weapons and other dangerous equipment 33 4.5.5 Active shooter 34 4.5.6 Drug diversion and security of CBRNE substances . 35 4.5.7 Vehicle and aircraft security 36 4.5.8 Media . 36 5 Performance evaluation . 37 5.1 General . 37 5.2 Management review 37 6 Exercise and testing . 37 Bibliography
18、 . 39 PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 4 European foreword This document (CEN/TS 16850:2015) has been prepared by Technical Committee CEN/TC 391 “Societal and Citizen Security”, the secretariat of which is held by NEN. Attention is drawn to the possibility that some of the elements of this
19、document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to announce this Technical Specif
20、ication: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
21、 Spain, Sweden, Switzerland, Turkey and the United Kingdom. PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 5 Introduction Security of healthcare facilities is very important for effective and high quality medical treatment. It is a very wide area and the primary objective of this Technical Specification
22、(TS) is to provide all responsible persons, within healthcare facility, with guidelines on how to manage security. This is not a management system standard. This TS is giving an opportunity to be more specific in proposed security measures, which leads to better security of healthcare facility staff
23、, patient and other people, who are visiting such a facility. There is also an important fact that this TS is not a closed project and we are expecting further development of this document. Management of security in healthcare facilities is a dynamic process and this TS proposes guidelines, which he
24、lp responsible persons have a choice from different techniques for how to improve security. It is important to emphasize that across the European Union there are several regulatory and legislative limitations for use of security techniques and technologies, so it is important to take these limitatio
25、ns into account. Use of the guidelines may vary based on the health care system in each country of the European Union. PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 6 1 Scope This Technical Specification provides guidance for managing security in healthcare facilities. It covers the protection of people
26、, critical processes, assets and information against security threats. This Technical Specification applies to hospitals and places that provide healthcare services, such as - but not limited to - psychiatric clinics, homes for the elderly and institutions for the handicapped. It also applies to sel
27、f-employed practicing healthcare professionals. It does not apply to occupational health and safety and fire safety. This Technical Specification is not a management system standard. However it can be applied as part of a management system, such as with EN ISO 9001. 2 Terms and definitions For the p
28、urposes of this document, the following terms and definitions apply. 2.1 controlled area area which has specific controls to restrict access to authorized persons only 2.2 targeted violence situation where an individual, individuals or group are identified at risk of violence, usually from another s
29、pecific individual such as in cases involving domestic violence Note 1 to entry: Often, the perpetrator and target are known to each other prior to an incident. 3 General guidance 3.1 Approach Security management for a healthcare facility (HCF) should: be consistent with other policies; be documente
30、d, implemented and maintained; be visibly endorsed by top management; provide a framework which enables the specification of security management objectives and targets; be consistent with the organizations risk management; be communicated to all employees, patients and other stakeholders; and respec
31、t the rights of patients and visitors. 3.2 Context of the HCF security management The HCF should determine internal and external issues that are relevant to its purpose and that affect its ability to achieve the intended level of security within the HCF. The context should be taken into account when
32、 establishing, implementing, maintaining and continually improving the HCF security management (system). PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 7 The HCF should identify and document: the HCFs activities, functions, services, products, partnerships, supply chains, resources, relationships with in
33、terested parties, and their relationship with security management; and links between the HCF security management system design and the HCFs other policies, including its other management strategies and implemented management systems. 3.3 Compliance with national legislation The HCF should establish
34、and maintain procedure(s) to: identify legal, regulatory, and other requirements to which the HCF subscribes related to the HCF security management; determine legal restrictions on certain security procedures based on jurisdiction; and determine how these requirements apply to its HCF security manag
35、ement. The HCF should document this information and keep it up to date. The HCF should ensure that applicable legal, regulatory and other requirements to which the organization subscribes are considered in developing, implementing and maintaining its HCF security management. NOTE 1 These procedures
36、are in most cases an integral part of management system standards, such as quality management systems, e.g. EN ISO 9001:2008. In this case, the organization should ensure that specific requirements for security-related issues, such as requirements for technologies etc. are included. NOTE 2 The missi
37、on of HCF personnel is to provide healthcare and not law enforcement. 3.4 Risk management Security management is risk management, therefore the security management system should be aligned with other risk management systems within the HCF. The HCF should establish, implement and maintain a formal an
38、d documented risk assessment process for security risk identification, analysis and evaluation, in order to: identify operational security risks caused by intentional, unintentional and human threats that have a potential for direct or indirect consequences on the HCFs objectives, tangible and intan
39、gible assets, and interested parties (threat, vulnerability, and criticality analysis); systematically analyse risk likelihood and consequence, and set risk criteria; and systematically evaluate and prioritize security risk controls and measures and their related costs. The HCF should: document and
40、keep this information up to date and secure; periodically review whether the risk assessment methods are effective for security risk management; re-evaluate risks within the context of changes within the HCF, or made to the HCFs operating environment, procedures, functions, services, partnerships, a
41、nd supply chains; evaluate the direct and indirect benefits and costs of options to manage risk and enhance reliability and security; PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 8 evaluate the actual effectiveness of security risk management measure options; ensure that the prioritized risks and impac
42、ts are taken into account in establishing, implementing and operating its HCF security management; and evaluate the effectiveness of security risk controls and measures. NOTE For methods of risk assessment and risk analysis see IEC 31010. The HCF should establish, implement and maintain a formal and
43、 documented communication and consultation process, consistent with operational security, with all stakeholders in the risk assessment process to ensure that: security risks are adequately identified and communicated; interests of other internal and external interested parties are understood; depend
44、encies and linkages with subcontractors, third parties providing outsourcing and those within the supply chain are understood; the risk assessment process interfaces well with other management disciplines; and risk assessment is being conducted within the appropriate internal and external context an
45、d parameters relevant to the HCF and its interested parties. The risk assessment should identify activities, operations and processes that need to be managed. Outputs should include a prioritized risk register identifying measures to mitigate risk and justification for risk acceptance. 3.5 Leadershi
46、p 3.5.1 General Top management should demonstrate leadership and commitment with respect to the HCF security management by: making security management one of the responsibilities of one of the members of top management; appointing a responsible person for the healthcare security management with lead
47、ership and technical competence (see 3.5.2); supporting relevant management roles to demonstrate their leadership as it applies to their areas of responsibility (see 3.6); ensuring that the resources needed for the HCF security management are available (see 3.6); supporting the planning of security
48、measures (see 3.7); and directing and supporting persons to contribute to the effectiveness of the HCF security management (see 4.2.1.6 and 4.2.1.8). 3.5.2 Organization of roles, responsibilities and authority Top management should ensure that the responsibilities and authorities for relevant roles
49、are assigned and communicated within the organization. Top management should ensure that: PD CEN/TS 16850:2015CEN/TS 16850:2015 (E) 9 an administrative person, designated by leadership, is charged with primary responsibility for the security function, e.g. a security manager; and provision is made for the professional development of the Security manager. NOTE Membership in at least one professional security organization and participation in security educational programs is strongly encouraged. The s
