In autumn 2021, we started organising an event for senior security, estates and operations folks who look after our hospitals and healthcare sites here in the North. We wanted to create an opportunity for them to meet, to chat, and to discuss one of the most important changes on the horizon – the Protect Duty consultation, legislation set to impact our public spaces. Little did we know that before the event would even take place, there would be an explosion outside one of our NHS Trusts in Liverpool. Suddenly security in hospitals was not just on the minds of the folks in the room, it was making international headlines. Perhaps now more than ever before, this discussion was critical. With that in mind, we want to share some of the highlights from our time together.
I’ll set the scene. It’s a beautiful winter’s day at the Nostell Estate in Wakefield. There is a lot of food on the table. Chris Lakin, co-founder of Oracle Vision and our host today, jokes that the doors are locked and we’re not leaving until it’s all eaten.
Luckily, there’s plenty to get our appetite going. Today we’re discussing Protect Duty – a government consultation on what will be required of anyone responsible for public spaces. It might be a few hundred pages long, but it’s a good read! Here at Oracle Vision, we like getting nerdy about this sort of thing. We look after lots of large organisations with multiple sites that receive well over the 100+ people covered under the new legislation. So what does it mean for people like us?
Fundamentally, from our point of view, it feels as though this legislation is going to bring about the accountability in security that we already see in fire. Processes will need to be more robust, and fines will be in place for those who don’t comply. We wanted to ask those in the room how this might change their processes.
Chris Lakin: Do you think we should see your security plans?
Mahesh Mistry – Bradford Royal Infirmary: I think you should be involved. The main people creating it should be the team who are on site, but if you could be involved as we’re creating it, we could probably save money. You’re more in touch with the tech side and the solutions available.
Chris: What about your risk assessments, how often are you doing those?
Johan Celliers – South West Yorkshire Hospitals NHS Trust: We have a rolling programme of risk assessments. Some are on an annual basis. Some are every three or four years. If it’s for a patient environment, it will be every year. That risk assessment process starts the whole drive around applying for capital money to put these schemes into place.
Chris: And when you’re looking at these processes, are they technically driven, or are they people first?
Johan: Our trust is a very unique place. Our plans are already very person-focused, with lots of stakeholder involvement, right from the staff on the wards, to create them. We liaise with lots of people – it all comes from the bottom up. Of course, you’re always going to get something that comes up that needs an immediate technical response, but those should be rare.
Ian Kilroy – Calderdale & Huddersfield NHS Trust: We have a legal context to bear in mind here, when we’re putting together our plans. We should absolutely be people-centred, but there are frameworks from above within which we have to operate. Firstly, the Civil Contingency Act 2004 for our emergency plans and business continuity. Then the Health & Safety at Work Act 1974, which is there to protect staff from violence and aggression. Finally, the Counter Terrorism Act which is important here as we look at how to move forward. This legislation all links together – security, crime, terrorism. And of course, we all have NHS England and the Violence Reduction Prevention Standard which demands of us, as a trust, to explain how we are reducing the risk on our sites. Just like NHS Protect, the Protect Duty may come up in different forms, but none are really going to go away.
Chris: As a contractor, we need to be advising on this, especially when we’re working with customers who aren’t as switched on as you guys. How are we going to approach this? How are we going to respond to these new (and existing) requirements, while at the same time getting that culture change which is going to make it all work?
Ian: Bigger thinking is the way to move forward. It’s all about balance, and asking ‘what do we NEED’? We don’t wait for the sh*t to hit the fan, then people from above give us the money to fix it. It’s about joint partnerships between estates and facilities, with departments in the hospital, who, of course, have their own priorities.
A risk assessment is not the solution, but it lets us look at the process. We need to create a strategy. Not for one year, or three years – this should be a constant live document. What needs to work in tandem with that is our internal security culture. We need to get the message over to the people on the ground.
Johan: You’re absolutely right. For me, the appetite from the top down is really important. What we’re talking about here – the Protect Duty – is in our processes potentially becoming statutory. For instance, we’re having intense talks about health and safety training, but it still doesn’t feature in our inductions. This is what you’re up against. Until that appetite becomes reality at the top, it will be difficult to bring this into play.
Mahesh: It all depends on the organisation’s priorities. Here in hospitals, it’s all about keeping people safe, and we build an environment to support that. I used to work for West Yorkshire Police, where it’s all about security. Before that, I worked in consultancy and for our retail clients, it was all about turnover and sales. Before that, I worked with a chemical works – I’m only 22! My point is that you have to tailor the strategy for the industry you’re in.
Chris: How can we make it simple enough to tackle this? That’s the biggest thing. It’s about the whole team understanding how we ALL play a part. This consultation will push that. It’s a process thing, and a people thing, not just technology.
To be best placed to help you, we need this context and information. What information do you guys get?
Johan: It’s difficult. Historically we were lucky, we had dedicated support from NHS Protect, Counter Terrorism, Police etc. and information from them was freely available to us. Nowadays it’s not. Now is the time to look at things differently. At the moment, for me, it’s all about getting the reassurance that we’re in line with what they’re expecting.
Ian: NHS Protect may be gone, but we also have a Yorkshire and Humberside Security Management group, to connect us. It’s about intelligence gathering. Secondly, we also have links to West Yorkshire Police. This isn’t about a PC on shift in the hospital, it’s more about engagement with senior figures in our region. Lastly, we also have that connection with Counter Terrorism, and the National Counter Terrorism Security Office (NaCTSO). That all takes time. To make that connection.
Chris: We’re doing all this to get some solutions. It’s about being responsible for that space you’re managing and responding to external input. But the question is, if you’re expected to respond to that, at what speed? If there’s going to be an attack, how fast can you respond, and how fast do you need your contractor to move?
Ian: After the Liverpool attack, we met with Counter Terrorism to assess our situation. We wanted to get a message out that wasn’t a knee-jerk reaction. We wanted to make it clear that this didn’t pose a threat to us as a hospital. Our CEO did a talk explaining, ‘this has happened, please be calm, please be curious, please challenge anything unusual’. Secondly, we immediately re-introduced our e-learning on Counter Terrorism. We wanted to try and keep the balance.
Chris: You’re right, it’s really about training. You need people on the ground to be considering what’s normal and how to report anything that doesn’t seem right. The systems can only be as good as the people on the ground.
How quickly would your staff know if there’s an incident? How quickly would you respond?
Ian: That’s why it’s important to test your system. That’s how we assess our resilience, doing simulation-based exercises, looking at scenarios like loss of power. It’s just about finding vulnerabilities. When you exercise your system you can escalate your results to the right people.
Chris: And how do you put the message out there, if there is a vulnerability, or an issue? I like pictures – a traffic light system works for me!
Ian: We have a good system in place of getting round and talking to people, then reporting back to estates group. We want to be compliant in terms of meeting our targets for annual review.
Chris: Sites like yours are massive, so we break them down and zone them. We layer it and categorise it from the outside in, like an onion. Do you approach it in a similar way?
Ian: I agree – we call it Defensive Depth, which is a military term. You look at the Triple DRs: detect, deter, delay, respond. You see if it’s easy to get through a door at a certain time. You make it more difficult to stop someone doing it. Then if an alarm does go off, what happens next? Is there a team on site?
I have 17 risk assessments on our security portfolio. I have high, medium and low. Clearly you need a different approach for reception areas compared to where we have the pharmacy, or our gases storage. It’s about taking a balanced look at ‘what have we got’? That might be a process, a job or technology.