Societal and citizen security - Guidance for the security of hazardous materials (CBRNE) in healthcare facilities

This Technical Specification provides guidance for managing security of (high risk) chemical, biological, radioactive, nuclear or explosive materials, such as those covered by the EU CBRN action plan, that are used within healthcare facilities (HCF); it covers the lifecycle of such materials within a HCF’s span of control. In this Technical Specification these materials are referred to as ‘CBRNE materials’.
It covers the protection of (high risk) CBRNE materials used in healthcare facilities against security threats relating to their deliberate misuse. It covers the protection of people, assets and information related to CBRNE materials.
This Technical Specification also applies to circumstances where healthcare is provided at locations remote from the normal location of the HCF.
This Technical Specification also provides guidance to all stakeholders that are responsible for each step in a lifecycle of CBRNE materials within the HCF such as administrator staff, facility management staff, logistics and transport staff, medical staff, waste management staff, domestic staff and security staff as well as visitors and contractors working on the HCF premises.
This Technical Specification can be applied as part of generic management systems such as EN ISO 9001 [2], EN ISO 22301 [3], ISO 22320 [4] and possibly ISO 28001 [5].
It does not apply to occupational health and safety issues deriving from the proper and improper use of such materials.

Protection and security of citizens - Guidance for the security of hazardous materials (CBRNE) throughout their lifecycle in healthcare facilities

This Technical Specification provides guidance for managing the security of (high-risk) chemical, biological, radioactive or nuclear materials or explosives, such as those covered by the EU CBRN action plan, that are used in healthcare facilities (HCF); it covers the lifecycle of such materials over the period in which they are under the control of the healthcare facility. In this Technical Specification these materials are referred to as ‘CBRNE materials’.
It covers the protection of (high-risk) CBRNE materials used in healthcare facilities against security threats related to their deliberate misuse. It covers the protection of people, assets and information relating to CBRNE materials.
This Technical Specification also applies to circumstances in which healthcare is provided at locations remote from the usual location of the healthcare facility.
This Technical Specification provides guidance to all stakeholders who are responsible for each stage in a lifecycle of CBRNE materials within a healthcare facility, such as administrative staff, facility management staff, logistics and transport staff, medical staff, waste management staff, domestic staff and security staff, as well as visitors and contractors working on the premises of the healthcare facility.
This Technical Specification can be applied as part of generic management systems such as EN ISO 9001 [2], EN ISO 22301 [3], EN ISO 22320 [4] and possibly ISO 28001 [14].
It does not apply to occupational health and safety issues arising from the proper and improper use of such materials.

Societal security - Guidance document for healthcare facilities on the security of CBRNE substances throughout their life cycle

Societal security and citizen security - Guidance for managing security in relation to hazardous materials (CBRNE) in healthcare facilities

This Technical Specification provides guidance for managing security in relation to (extremely hazardous) chemical, biological, radioactive, nuclear or explosive materials (e.g. materials defined in the EU CBRN action plan) that are used in healthcare facilities (HCF). It covers the lifecycle of these materials within the scope of control of the healthcare facility. In this Technical Specification these materials are referred to as CBRNE materials.
The specification addresses protection against security threats related to the deliberate misuse of (extremely hazardous) CBRNE materials used in healthcare facilities. It covers the protection of people, assets and information related to CBRNE materials.
This technical report also applies to cases where healthcare is provided at locations remote from the healthcare facility.
This Technical Specification also provides guidance to all stakeholders who are responsible for each step in the lifecycle of CBRNE materials within the healthcare facility, such as administrative staff, facility management staff, logistics and transport staff, waste management staff, cleaning staff and security staff, as well as visitors and contractors working on the premises of the healthcare facility.
This Technical Specification can be used as part of generic management systems such as those defined in the standards EN ISO 9001 [2], EN ISO 22301 [3], ISO 22320 [4] and possibly ISO 28001 [5].
It does not apply to issues of occupational health and safety management arising from the proper and improper use of these materials.

General Information

Status: Published
Publication Date: 22-Apr-2018
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 12-Apr-2018
Due Date: 17-Jun-2018
Completion Date: 23-Apr-2018
Technical specification
SIST-TS CEN/TS 17159:2018
English language
37 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-June-2018
Družbena varnost in varnost državljanov - Napotki za upravljanje varnosti v zvezi z nevarnimi snovmi (CBRNE) v zdravstvenih ustanovah
Societal and citizen security - Guidance for the security of hazardous materials (CBRNE) in healthcare facilities
Schutz und Sicherheit der Bürger - Leitfaden für die Sicherheit von Gefahrstoffen (CBRNE) entlang ihres Lebenszyklus in Gesundheitseinrichtungen
Sécurité sociétale - Document d'orientation pour les établissements de soins de santé relatif à la sécurité des substances NRBCE tout au long de leur cycle de vie
This Slovenian standard is identical to: CEN/TS 17159:2018
ICS:
11.020.99 Other standards related to health care in general
13.300 Protection against dangerous goods
13.310 Protection against crime
2003-01. Slovenski inštitut za standardizacijo. Reproduction of this standard in whole or in part is not permitted.

CEN/TS 17159
TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2018
ICS 13.300; 13.310; 11.020.99
English Version
Societal and citizen security - Guidance for the security of hazardous materials (CBRNE) in healthcare facilities
Sécurité sociétale - Document d'orientation pour les établissements de soins de santé relatif à la sécurité des substances NRBCE tout au long de leur cycle de vie
Schutz und Sicherheit der Bürger - Leitfaden für die Sicherheit von Gefahrstoffen (CBRNE) entlang ihres Lebenszyklus in Gesundheitseinrichtungen
This Technical Specification (CEN/TS) was approved by CEN on 10 December 2017 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TS 17159:2018 E

Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General guidance
4.1 Context of CBRNE risks in HCF and other facilities within HCF responsibility
4.1.1 General
4.1.2 High-risk chemical materials/agents
4.1.3 High-risk biological material
4.1.4 High-risk radioactive sources and nuclear materials
4.1.5 Explosives
4.1.6 The relationship between security and safety
4.2 CBRNE security management approach
4.3 CBRNE security threat and risk assessment
4.3.1 General
4.3.2 CBRNE security threat and security risk assessment
4.3.3 Graded Approach
4.3.4 CBRNE security risk assessment
4.3.5 Business impact analysis
4.4 CBRNE security management policy
4.5 CBRNE security design
4.5.1 General
4.5.2 Design and construction
4.6 CBRNE security management plan
4.7 CBRNE information security management
5 General procedures
5.1 Management, roles, and responsibilities
5.2 Competencies
5.3 Training
5.4 Documentation
6 Operational guidance
6.1 Inventory analysis and classification
6.2 Securing the supply chain
6.2.1 General
6.2.2 Transportation
6.2.3 Suppliers
6.3 Securing controlled areas
6.3.1 Designation of security controlled areas
6.3.2 Access control
6.4 People
6.4.1 General
6.4.2 Staff
6.4.3 Visitors
6.4.4 Patients
6.5 Communication and awareness
6.6 CBRNE security incident response
6.6.1 CBRNE security incident response plan
6.6.2 Notification of the authorities
6.6.3 Incident reporting
7 Evaluation of the CBRNE security management system
Annex A (informative) Guidance for the implementation and operation phase of generic management systems in HCF
Bibliography

European foreword
This document (CEN/TS 17159:2018) has been prepared by Technical Committee CEN/TC 391
“Societal and citizen security”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. CEN shall not be held responsible for identifying any or all such patent
rights.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of
the following countries are bound to announce this Technical Specification: Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic
of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia,
Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Introduction
Protecting citizens, institutions, infrastructures and assets is one of the four key pillars of the
EU’s Counter-Terrorism Strategy. One of its aims is to detect and mitigate risks related to the
acquirement and misuse of hazardous chemical, biological, radioactive or nuclear (CBRN)
materials, such as those referred to in the EU CBRN action plan [1]. There are indications that
terrorists would be interested in using some of these CBRN materials for executing attacks.
Securing them and preventing unauthorized access to them is therefore key to preventing their
misuse. In the action plan, EU member states have planned to enhance the security of CBRN
materials.
One of the industries that uses these hazardous materials in their regular processes is the Health
Care Industry. Possible risk scenarios for this industry could include the theft of CBRN material
from hospitals to perform (complicated) malevolent attacks such as the contamination of major
water supply systems, but also the production (and detonation) of an improvised explosive
device (IED) containing chemical and/or radiological material in public areas that would cause
panic and fear across Europe. Securing these materials in healthcare facilities (HCF) is therefore
important.
This document provides guidance for the design and implementation of a security management
approach and system to deal with security threats involving hazardous CBRNE materials.
Security management of hazardous materials also has a strong relationship with occupational
health and safety (OH&S) management. This standard does not aim to provide guidance for
safety management (i.e. occupational health and safety issues deriving from the improper use of
CBRNE material) as these are already managed via different standards and guidelines. This
relationship is discussed in 4.1.6.
NOTE It is important to emphasize that across the European Union there are several regulatory and
legislative limitations for use of security techniques and technologies, so it is important to take these
limitations into account. Use of the guidelines can vary based on the health care system in each country of
the European Union.
1 Scope
This Technical Specification provides guidance for managing security of (high risk) chemical,
biological, radioactive, nuclear or explosive materials, such as those covered by the EU CBRN
action plan, that are used within healthcare facilities (HCF); it covers the lifecycle of such
materials within a HCF’s span of control. In this Technical Specification these materials are
referred to as ‘CBRNE materials’.
It covers the protection of (high risk) CBRNE materials used in healthcare facilities against
security threats relating to their deliberate misuse. It covers the protection of people, assets and
information related to CBRNE materials.
This Technical Specification also applies to circumstances where healthcare is provided at
locations remote from the normal location of the HCF.
This Technical Specification also provides guidance to all stakeholders that are responsible for
each step in a lifecycle of CBRNE materials within the HCF such as administrator staff,
facility management staff, logistics and transport staff, medical staff, waste management staff,
domestic staff and security staff as well as visitors and contractors working on the HCF
premises.
This Technical Specification can be applied as part of generic management systems such as
EN ISO 9001 [2], EN ISO 22301 [3], ISO 22320 [4] and possibly ISO 28001 [14].
It does not apply to occupational health and safety issues deriving from the proper and improper
use of such materials.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
CBRNE material
chemical, biological, radioactive, nuclear or explosive material that could harm society or
individuals through their deliberate release, dissemination, or misuse and for which high levels
of security are warranted
[SOURCE: EU CBRN Action Plan [1], adapted]
3.2
CBRNE security management
set of interrelated or interacting elements (system) for managing the security of CBRNE
materials in organisations in order to prevent their deliberate misuse
3.3
design basis threat
DBT
description of the attributes and characteristics of potential insider and/or external adversaries
who might attempt unauthorized removal of CBRNE materials or sabotage against which
a physical protection system is designed and evaluated
[SOURCE: IAEA Development and Use of the Design Basis Threat [15], amended]
3.4
explosive
reactive compound that contains energy, which when released quickly from the compound, can
produce an explosion that is usually accompanied by the production of light, heat, sound, and
pressure
3.5
explosive precursor
chemical substance which can be made into an explosive with relative ease e.g. by mixing or
blending with other materials, or by simple chemical processing
[SOURCE: Guidance on the EU Marketing and Use of Explosives Precursors Regulations, [8] ]
3.6
healthcare facility
HCF
facility and its organisation, personnel, management and processes which provides health care
such as hospitals, psychiatric clinics and nursing homes including pharmacies, storage and
laboratories within the healthcare facility’s control
Note 1 to entry: HCF refers to singular and plural. HCF’s refers to the possessive subject.
3.7
improvised nuclear device
IND
improvised device that is designed to cause nuclear material contained within it to produce
a nuclear explosion
3.8
life cycle
set of consecutive and interlinked stages of a product system, from raw material acquisition or
generation from natural resources, to use and final disposal
[SOURCE: EN ISO 14040:2006, 3.2 [9]]
3.9
life cycle inventory analysis
phase of life cycle assessment involving the compilation and quantification of inputs and outputs
for a product throughout its life cycle
[SOURCE: EN ISO 14040:2006, 3.3 [9]]
3.10
nuclear material
Uranium 235, Uranium 233 and Plutonium 239
Note 1 to entry: Detailed information can be found in IAEA NSS 13, Section 4, Table 1 [10].
3.11
occupational Health & Safety
OH&S
conditions and factors that affect, or could affect, the health and safety of employees or other
workers (including temporary workers and contractor personnel), visitors, or any other person
in the workplace
[SOURCE: OHSAS 18001:2007 [11] ]
3.12
radioactive material
material designated in national law, regulation or by a regulatory body as being subject to
regulatory control because of its radioactivity, or, in the absence of such a designation by a State,
any material for which protection is required by the current version of the International Basic
Safety Standards
[SOURCE: IAEA NSS Risk Informed Approach for Nuclear Security Measures, No 24-G, [12],
modified]
3.13
radioactivity
phenomenon whereby atoms undergo spontaneous random disintegration, usually accompanied
by the emission of radiation
[SOURCE: IAEA Safety Glossary [13]]
3.14
radiological dispersal device
RDD
device designed to disperse, usually with explosives, radioactive material in an uncontrolled
way, without the need of nuclear explosion
3.15
risk
expression of the combination of the consequences of an event (including changes in
circumstances) and the associated likelihood of occurrence
[SOURCE: ISO 31000 [21], modified]
3.16
security
resistance to intentional acts designed to cause harm or damage to or by the supply chain
Note 1 to entry: Harm includes psychological and societal harm.
[SOURCE: ISO 28001:2007, 3.20, [14]]
3.17
security risk
expression of the combination of the consequences of a threat once enacted and the associated
vulnerability to that threat at a specific location
3.18
security threat
situation where an adversary has the capability and the intent to violate security of CBRNE
materials
3.19
security threat scenario
means by which a potential security incident might occur
[SOURCE: ISO 28001:2007, 3.26 [14]]
3.20
security controlled area
area which has specific controls to restrict access to authorized persons only
[SOURCE: CEN/TS 16850:2015, 2.1 [8]]
3.21
security management
systematic and coordinated activities and practices through which an organization optimally
manages its security risks, and the associated potential threats and impacts therefrom
[SOURCE: ISO 28000:2007, 3.3 [5]]
3.22
security management policy
overall intentions and direction of an organization, related to the security of and the framework
for the control of security-related processes and activities that are derived from and are
consistent with the organization’s policy and regulatory requirements
[SOURCE: ISO 28000:2007, 3.5 [5]]
3.23
vulnerability
weakness within the security arrangements which could, at some point, be exploited by a threat
3.24
visitor
person authorized to visit restricted areas who is not a visitor for patients during visiting hours
or person authorized to visit restricted areas who is not part of the HCF’s organization
4 General guidance
4.1 Context of CBRNE risks in HCF and other facilities within HCF responsibility
4.1.1 General
To understand the context of security risks in healthcare facilities, associated with CBRNE
materials, a brief overview is presented below. Recommendations regarding approaches to
security are then presented in subsequent paragraphs.
The major threat from CBRNE materials is that they could be deliberately used for executing
criminal and/or terrorist acts. These materials can, for instance, be placed in locations where
people would be directly harmed by them or they could be deliberately distributed into the
environment through dispersal devices or other means.
4.1.2 High-risk chemical materials/agents
These are chemicals with the potential to be used to cause death, temporary incapacitation or
permanent harm to humans or animals. This includes all such chemicals, regardless of their
origin or of their method of production, and regardless of whether they are produced in
facilities, in munitions or elsewhere [16].
The wide range of chemicals and materials used in healthcare treatment and associated research
implies that HCF are potential sources of high risk chemical materials / agents or their
pre-cursors.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.3 High-risk biological material
When speaking of security of biological material the focus lies on pathogens, or parts of them,
and toxin-producing organisms [17]. These can be plant, animal, microorganism and human
derived.
Toxins are also classified as biological agents. These are naturally occurring poisonous chemicals
produced by biological organisms, including plants, animals and microorganisms (although
some may be artificially synthesized).
Some of these materials are extremely important for research and development in the domains
of medicine, biology and agriculture, but on the other hand can be used as biological weapons.
This means that many of them can therefore be used for two purposes. The term used by the
international community for these types of materials is ‘dual use’ [18].
Clearly, HCF and their processes are potential sources of high risk biological materials / agents.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.4 High-risk radioactive sources and nuclear materials
Radioactive materials give rise to two types of radiological hazard. Firstly, the hazard of external
exposure to the radiation they emit and secondly, internal exposure if radioactive material
enters the body.
Nuclear materials are a special class of radioactive materials which have the potential to be used
to construct devices that also generate large amounts of energy as well as highly penetrating
radiation, through the process of nuclear fission. HCF are extremely unlikely to be sources of
nuclear materials but they may be the source of other radioactive materials that could be used to
aid the construction of an IND or used in a RDD.
HCF should consult their national authority to define what is high/medium/low risk material.
4.1.5 Explosives
Explosives are not routinely used in HCF, but in the context of this Technical Specification the
term Explosives should also be taken to refer to explosive pre-cursor chemicals such as those
listed in Annex I or Annex II of [19] (as amended from time to time) on the marketing and use of
explosives precursors, in a concentration higher than the corresponding limit value set out
therein.
Therefore, such materials are included in the term of high-risk materials/agents for the rest of
this document.
4.1.6 The relationship between security and safety
It is important to note that safety management and security management serve some common
objectives – the protection of workers, the public and the environment – and that they typically
reflect a common philosophy [6]. To put it simply, in the context of CBRNE materials, the main
difference is that safety is about protecting people from hazardous materials and security is
about protecting hazardous materials from people. Safety incidents are always unintentional
(errors). Safety incidents are errors caused by humans, natural disasters or by the failure of
structures (inferior material). Safety incidents are reported widely and shared with peers, to
learn and to avoid new incidents. Security incidents are always committed deliberately and
unlawfully or wilfully.
Security management of hazardous materials therefore has a strong relationship with
occupational health and safety (OH&S) management of these materials. Many features of
equipment design or operation serve to enhance both safety and security simultaneously; they
also act to prevent deliberate misuse by intruders.
EXAMPLE Secure storage of hazardous (CBRNE) materials to prevent accidents may also help to
restrict unauthorised access.
In addition, actions undertaken to advance or modify one purpose could adversely affect the
other. This means that decisions regarding OH&S or security require an integrated management
approach and that safety and security issues should be evaluated on mutually supporting and
reinforcing terms.
4.2 CBRNE security management approach
A CBRNE security management approach should be part of an organisation’s overall security
management approach with primary focus on the protection of CBRNE materials and security of
information relating to them. Therefore, a CBRNE security management approach for HCF
should (also see CEN/TS 16850:2015, 3.1 [20]):
— be consistent with the organization’s overall risk and business continuity management
approach;
— be consistent with other security and safety management systems, policies and approaches;
— provide a framework which enables the specification of CBRNE security management
objectives and targets (see Figure 2);
— train staff accordingly on security and security awareness (see 6.5);
— provide operational guidance (standard operating procedures) for the execution of CBRNE
security management tasks/targets;
— be visibly endorsed by top management;
— be documented, implemented, monitored and maintained;
— be communicated to all staff, patients, visitors and other stakeholders present in controlled
areas;
— respect the rights of stakeholders;
— align with the OH&S management approach for hazardous material; and
— be coordinated with OH&S activities to ensure that they do not compromise each other’s
goals.
4.3 CBRNE security threat and risk assessment
4.3.1 General
For establishing the range and type of security issues that will be addressed in their CBRNE
security management system, HCF should undertake security threat assessments as set out in
4.3.2. The threats that are identified by the threat assessment should each be graded according
to the potential consequences that could arise if the threats were realized. This graded approach,
as set out in 4.3.3, should be used to achieve a balance between managing such material
securely and not unduly limiting the conduct of HCF activities. HCF should assess the
acceptability of their arrangements for dealing with the identified threats and their potential
consequences using a risk management approach as set out in 4.3.4.
4.3.2 CBRNE security threat and security risk assessment
To establish the range and type of security issues that will be addressed in their CBRNE security
management system, and the arrangements that are necessary to address them, HCF should first
undertake appropriate security threat assessments.
As security threats can occur during the entire lifecycle of CBRNE materials within a HCF (or
even outside of a HCF), HCF should perform a Life Cycle Threat Assessment (LCTA) which covers
all stages of material use, storage, transport and handling over which they can exert influence
(see Figure 1).
Figure 1 — Example for a LCTA of a product system
The LCTA should give priority to the following business processes within the HCF:
— procurement (acquisition) of CBRNE materials;
— delivery / receipt / logistics of CBRNE materials;
— storage of CBRNE materials (warehousing);
— transport (in house / external) of CBRNE materials;
— use of CBRNE materials (in production processes);
— waste management of CBRNE materials;
— unintentional loss of CBRNE materials and subsequent misuse.
In addition, attention shall be paid to
— the management of the entire supply chain (6.2), and
— the management of information on CBRNE materials (4.7).
HCF should make and maintain a list of the threats identified by the LCTA. HCF should also
design (see 4.5.1), implement, maintain and evaluate their security plans and arrangements by
reference to the list. HCF should note that several organizations with different areas of expertise
will need to work together to ensure that the list of threats is appropriate. HCF should ensure
that their list of threats takes cognisance of (or is aligned with) national security plans and,
where available and authorized, national design basis threat (DBT) assessments. In the event
that a HCF is not authorized to access the DBT, HCF should assess the possibilities of having their
security plan and threat assessment reviewed by the appropriate authorities.
NOTE Some of these national DBTs may have been produced specifically for the protection of nuclear
material but they will be a useful starting point for the development of HCF specific threat assessments.
HCF should agree with their appropriate national authority which threats they are expected to
address within their own security systems and those which the state itself will address.
HCF should develop from their threat assessments a set of scenarios which they should use in
the training of staff. These scenarios should be regularly reviewed to ensure that they remain
current and appropriate and that they continue to present realistic and novel challenges to the
security systems and staff.
4.3.3 Graded Approach
CBRNE security measures should be based on an assessment of the consequences of malicious
use of those materials, so that resources are not wasted on unnecessary security. Recognizing
the societal benefits of using some hazardous materials, especially within HCF, the HCF should
strive to achieve a balance between managing such material securely and not unduly limiting the
conduct of such beneficial activities.
When assessing these consequences HCF should consider the characteristics of the material that
is being protected, how attractive the material might be to an adversary, how it could be
maliciously utilized, and how harmful the consequences of the malicious misuse could be (see
also 6.1).
HCF should also consider other factors, such as potential liabilities, economic costs and impact
on their reputation (see also 6.1).
HCF should use these characteristics and factors to grade threats into differing consequence
categories.
4.3.4 CBRNE security risk assessment
HCF should follow a structured security risk assessment approach, to reduce the risks from the
threats identified in their LCTA to an acceptable level.
HCF should recognize that it may be difficult to quantify the likelihood of particular threats
actually occurring and that it is hence difficult to quantify risk in the traditional way with
any accuracy. For security risk assessments, risk can be defined as the evaluation of the
combination of vulnerability (of the HCF) to that threat and the grade (see 4.3.3) of the threat.
CBRNE security risk management is related to traditional risk management and the general
principles of risk management – such as from ISO 31000 [21] and/or CEN/TS 16850:2015, 3.4
[20] – could be used to inform security risk assessments. You may also consider guidance from
other industries such as PAS 96:2014 [22] and the British Retail Consortium’s Global Standard
for Food Safety [23].
HCF should decide what level of security risk is acceptable and what level of effort is justified to
protect hazardous materials, associated facilities and associated activities against the threat so
as to reduce the risk to an acceptable level, given the availability of resources, the benefit of the
protected materials to Society and other priorities.
4.3.5 Business impact analysis
The organization shall establish, implement, and maintain a formal and documented evaluation
process for determining continuity and recovery priorities, objectives and targets after a CBRNE
incident. This process shall include assessment of the impacts of disruption to activities that
support HCF. The business impact analysis shall include the following:
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum
acceptable level, taking into consideration the time within which the impacts of not
resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers,
outsource partners and other relevant interested parties.
NOTE Based upon: EN ISO 22301:2014 “Societal security – Business continuity management systems
– Requirements” [3]
4.4 CBRNE security management policy
A CBRNE security management policy should be part of a HCF’s overall security management
policy and it should clearly state the organization's objectives for, and commitment to, secure
management of hazardous materials, and it should clearly address at least the following:
— the need for the organization to base its approach to security of CBRNE materials on a Life
Cycle Threat Assessment;
— the organization's rationale for managing the security of its CBRNE materials both in
existing and planned new facilities;
— the HCF’s objectives relating to the security of these materials;
— the alignment of the organization's objectives and policies with those of the CBRNE security
management policy;
— the accountabilities and responsibilities for managing CBRNE security;
— the way in which conflicting interests are dealt with;
— the commitment to make the necessary resources available to assist those accountable and
responsible for managing security;
— the way in which the performance of the CBRNE security management system will be
measured and reported; and
— the commitment to review and improve the security management policy and framework
periodically and/or in response to an event or change in circumstances.
The security management policy should be communicated appropriately, see 6.5.
Figure 2 illustrates how the clauses of Clause 4 of this Technical Specification align with those of
CEN/TS 16850:2015 [20].
Figure 2 — Illustration of the context of the guidance given in this Technical Specification and in CEN/TS 16850:2015
4.5 CBRNE security design
4.5.1 General
HCF should develop the design of their security technologies and the allocation of their security
control systems based on the CBRN threat and risk assessment.
The plan for use and design of security technologies should be a documented process.
Security design should focus on, for example:
— technologies (like mechanical barriers, detection devices, CCTV, security lighting, warning
signs, etc.);
— guards;
— operational measures.
The security design should be divided into:
— perimeter protection;
— building and facility protection;
— space, area or room protection;
— object protection.
HCF should ensure that security design is planned with respect to
— the legal and normative requirements;
— privacy of patients, visitors and staff;
— information security of all information related to security technologies and controls;
— identified risks and threats (see 4.3); and
— non-security HCF healthcare procedures and processes.
The following aspects should be considered during the planning and implementation of security
technologies:
— ease of operation;
— clear indication of status in all protected sectors;
— protection against tampering;
— high resistance to nuisance and false alarms; and
— periodic testing.
Maintenance procedures should be such that they ensure that the system is reliable and
continually operational.
4.5.2 Design and construction
Security technologies and controls for new buildings or reconstruction projects, within which
CBRNE materials are intended to be used or stored, should be considered as early as possible,
preferably during the concept or design stage.
The HCF should complete preliminary security threat and security risk assessments during the
design and construction phases of new facilities.
HCF shall ensure that all suppliers, systems and components of security technologies meet all
applicable and related (legal) requirements and standards.
NOTE The location and proximity of some departments such as emergency units can warrant special
consideration in the access/exit requirements. Placement of windows, doors, furniture and fittings can
influence the level of security within a healthcare facility. In addition, Environmental Design (e.g. Crime
Prevention Through Environmental Design – CPTED) can influence physical security and the security of
CBRNE assets.
The HCF should consider the layered implementation of security controls (in-depth security)
for the areas in which CBRNE materials are stored and processed, so that these areas are given the
appropriate protection (see also 6.3.1).
The HCF should ensure that the security design stage includes, but is not limited to
— floor loading capacity for security equipment and containers;
— space for secure storage;
— space for security personnel;
— special features for staff protection;
— needs for security technologies and alarm systems including mechanical security systems;
— location and design of transportation routes; and
— specific needs of specialized departments of HCF such as emergency units, surgery rooms
etc. for quick access.
The HCF should identify the preferred locations for storage and use of CBRNE materials, as well
as perimeter protection, security technology and structural requirements.
The HCF should carefully evaluate the alternative design proposals and determine things such as
— cost-effectiveness;
— user-friendliness;
— effect on the general administration of the facility; and
— threat and risk analysis outputs.
For guidance on physical security, security technology design and controls, intrusion and holdup
alarm systems, access control and alarm systems etc., see CEN/TS 16850:2015 [20].
4.6 CBRNE security management plan
Organizations should develop a CBRNE security management plan or CBRNE security
management section as part of the overall security management plan, based on the Life cycle
security risk and threat assessment. This should be consistent with the overall OH&S
management approach and the HCF’s safety management approach for CBRNE materials.
The security management plan should include, but not be limited to
— the overall goal of the CBRNE security approach;
— a description of the security organization and responsibilities (e.g. an organization chart
depicting responsibilities and reporting levels concerning the security of CBRNE materials);
— prevention, detection, deterrence, dissuasion and recovery measures designed to provide
a secure environment;
— the identification of security sensitive areas;
— an overview of all CBRNE security measures/activities;
— a training and exercise program for the security staff and all other staff dealing with CBRNE
materials;
— a description of all planned liaison activities with local emergency services and other HCF as
appropriate; and
— a documentation system in place (i.e. records and reports).
HCF should consult with the relevant national authority on the contents and structure of their
CBRNE Security management plans.
The CBRNE security management plan should be evaluated periodically and modified as
required. Periodic reviews should be documented.
4.7 CBRNE information security management
It is not only necessary to secure CBRNE materials but also to secure information about them.
This will prevent them from being located by unauthorised individuals and it will prevent
exploitation of this information for illicit purposes.
HCF should ensure that information that they hold in relation to CBRNE materials is held
securely. This information shall include but is not limited to:
— the exact type and amount of these materials;
— supply chain information about receiving, transport and removal;
— details of staff who have access to these materials;
— supplier information;
— security measures.
This information should
— be secured so that it is only available when an authorized person needs it;
— have a high level of integrity so that this information is
...
