Here is update #2 on NHS Security Management by Jim O’Dwyer, Senior Consultant at AEGIS Protective Services…

Note: To view the 1st Update: Click Here

Background: In April 2003, the NHS Security Management Service (NHSSMS) was established, with a remit encompassing policy and operation responsibility for NHS security, including the protection of people, property and assets. In November 2003, the Secretary of State issued new national guidelines on NHS Security Management and in particular tackling violence against NHS staff, all aimed to deliver an environment that is safe and secure for staff and ensure the highest standards of clinical care are made available to patients. NHS Trusts have also been provided with access to a NHS Security Manual (via their Local Security Management Specialists). In April 2011, the NHS Security Management Service (NHSSMS) and the NHS Counter Fraud Service (NHSCFS) were together re-named NHS Protect, part of the NHS Business Services Authority (NHSBSA). On 1st April 2017, NHS Protect’s security management functions were rather abruptly terminated/ decommissioned without any formal consultation with stakeholders, including NHS Trusts, LSMS’ or traditional ‘partners’ such as the Royal College of Nursing (RCN), the British Medical Association (BMA) or UNISON.

Debilitating effects on NHS Security

The decision to decommission NHS Protect’s security management functions effectively terminated the National NHS Security Management Strategy, meaning there is no longer any national oversight/direction of NHS security management.

It also, with immediate effect, ended the National Campaign to Tackle Violence against NHS Staff and also terminated the collation and future publication of national statistics on assaults.

It doesn’t stop there, the decision also ended the regional and national alerts service that NHS Security managers have relied on to receive and share information about active thieves and fraudsters targeting the NHS, as well as, for circulating information on vulnerable patients who’ve gone missing.

For NHS Security managers, the decision has also meant the sudden end of accessibility to the specialist advice, guidance and support previously available from NHS Protect’s Area Security Management Specialists (ASMSs) and NHS Protect’s Local Support and Development Services.

On top of that, the specialist Legal Protection Unit (LPU) set up to increase the prosecution rate of individuals who assault staff and professionals working in the NHS has also been shut down. Yes, NHS Security Managers can still refer to the Memorandum of Understanding (MOU) that exists between NHS Protect and the Crown Prosecution Service (CPS), which sets out the protocols for proceeding with investigations and prosecutions, but they can no longer just make a phone call to the LPU and get expert advice or obtain financial assistance to support a prosecution.

The decision to decommission NHS Protect’s security management functions has also meant the end of NHS ownership and control of the Accredited Security Management Specialist (ASMS) training course previously provided to Local Security Management Specialists. Instead, NHS Protect has passed its training material along with rights to deliver the training to the private sector. A new Security Professional Accreditation Board (SPAB) has been established to oversee the transition of delivery of the ASMS course to external training companies (e.g. Amber Conflict Training). However, the training is not yet accessible.

Last week, Amber Conflict Training posted this on LinkedIn:

Shouldn’t be much longer till we announce the dates for the Local Security Management Courses – Foundation Level. Sadly still no responses from the PAB board to any of our emails, we can only assume there is no issue, given all our team are already accredited with Portsmouth University and have been delivering the courses since they began with NHS Protect (Counter Fraud & Security Management Services) and those in the sector who can kindly vouch for our abilities. We appreciate the inaction is causing some concern for those that need the Qualification, but we have a plan to assist as many of you as we can in a relatively short period of time, as those on our list have been very patient and we will do our utmost to right the situation. For those who are waiting for Continued Professional Development, as soon as we break the back of our own waiting list we will be looking at dates regionally across the UK to run some sessions, in the style of the old NHS Protect Quarterly Meets, with guest speakers in key areas and the like. We will pick up the fight and campaign for a better future for Healthcare Security.”

The continuing lack of availability of the ASMS course and CPD training is a significant problem because NHS Security Management Standard 1.2 ‘Strategic Governance‘ (page 17) requires healthcare organisations to:

  • Employ or contract one or more security specialists trained and approved by NHS Protect and accredited by the Professional Accreditation Board.
  • Ensure that the nominated security specialist(s) attend all necessary training courses and undertake Continuous Professional Development (no CPD scheme or schedule is specified).

Note: If you have a query about ASMS training courses, contact Karen Nixon at the University of Portsmouth (telephone: +44 (0)23 9284 5219, email:

Another destructive consequence of the decision to decommission NHS Protect’s security management functions is that NHS Protect are no longer arranging Regional or National Forums. This immediately presents a problem for healthcare provider organisations because NHS Security Management Standard 1.2 ‘Strategic Governance‘ (page 17) specifically requires them to:

  • Ensure the security specialist(s) are involved in NHS Protect security management activities, including attendance at Regional Forums.

It is absolutely essential that communication, information sharing and networking between Local Security Management Specialists is facilitated and enhanced. It’s fundamental to the early recognition of emerging problems and identification and dissemination of best practice. If it doesn’t happen, any prospect of improving NHS Security will be dead in the water.

On that note, I am pleased to report that the National Association for Healthcare Security (NAHS) has, in the meantime, been actively arranging networking meetings for their members across various areas and Security Managers at a number of Trusts have also clustered together to maintain contact and mutual support. I’m hearing that some have even welcomed the autonomy they’ve now been granted to get on and do the job their way without all the ‘rigmarole’ of complying with NHS Protect’s demands.

Prior to April 2017, inspections and assessments of NHS security standards were conducted by NHS Protect’s Quality and Compliance team. However, the decommissioning of NHS Protect’s Security Management functions included the disbandment of this unit. The decommissioning apparently went ahead without any NHS body being specifically assigned responsibility for ensuring and enforcing compliance by healthcare providers with Service Condition 24 of the NHS National Contact. Yes, OK, Clinical Commissioning Groups (CCGs) are responsible for the planning and commissioning of health care services for their local area and have a responsibility to ensure that security management standards are met in accordance with the contract, but have they got the necessary experience and expertise to accomplish that? If not, are they going to have to buy in that expertise externally from private companies – and are they going to?

At present, it appears that currently, no-one independent (i.e. external to an NHS Trust) and possessing the necessary competence to conduct security assessments  is responsible for inspecting and reviewing security management arrangements at NHS Trusts, or for requiring healthcare providers to implement any reasonable modifications/improvements that may be found necessary (i.e. as provided for by Service Condition 24.4).

So, without any external oversight, how likely is it that NHS security standards will improve?

Or, is it more likely that NHS security standards will not improve and instead will decline?

One thing is certain, it’ll widen variance in standards of NHS Security across the NHS.

What are NHS Protect’s responsibilities now?

Exactly what NHS Protect’s functions and responsibilities are right now is a little unclear.

The NHSBSA website homepage for NHS Protect states: “NHS Protect is the national body leading on work to protect NHS staff and resources from crime“.

The About NHS Protect page States: “NHS Protect leads on work to protect NHS staff and resources from crime. We deal with a wide range of issues, including violence against NHS staff, theft of NHS property and economic crime (i.e. fraud, bribery and corruption) affecting NHS resources.”

NHS Protect’s 2016/17 Business Plan at the chapter on ‘Context’, at Page 14 states:

“There remains a need for a single expert intelligence-led organisation – NHS Protect – to provide centralised investigation capacity for complex crime matters and to have oversight of and monitor anti-crime work across the NHS. This will include the definition of anti-crime standards and assessment of performance through the provision of comparative data together with a drive to improve the  anti-crime work that is undertaken.”

NHS Protect’s 2016/17 Business Plan, Page 9 states:

“There are many types of crime that could affect the NHS, including the following:

  • violence against NHS staff and patients
  • criminal damage and theft of NHS property, assets and resources
  • economic crime (fraud, bribery or corruption)

NHS Protect seeks to prevent crime within the NHS by targeting and coordinating work effectively, building in anti-crime measures at all stages of national and local policy development, and reflecting wider government initiatives.”

Personally, I think NHS Protect should avoid confusing matters by overstating it’s responsibilities and instead of using terms like ‘anti-crime’ and ‘prevent crime’, should constrain itself to saying simply and more accurately that it ‘leads with fraud, bribery and corruption in the NHS’ – and the quicker NHS Protect does this, the better!

Who recommended the decommissioning of NHS Protect’s security management functions?

The review that resulted in NHS Protect’s security management functions being terminated was undertaken by the Department of Health Anti-Fraud Unit.

Note: The DH Anti Fraud Unit (DH AFU) is the Department of Health’s sponsor for NHS Protect.

What was the basis for decommissioning the NHS security management functions?

So far, it has not been possible to ascertain exactly how comprehensive or in depth the review was which resulted in NHS Protect’s security management functions being terminated.

NHS Protect’s 2016/17 Business Plan only provides scant details. The chapter on ‘Context’, at Page 13 states:

“It was identified that the support work undertaken currently by NHS Protect, such as anti-crime specialist training and local support services, had been successful. The review concluded that NHS Protect should no longer provide these services as boards of local NHS organisations should now have the knowledge and capacity required to deal with the crime threats they face. If these services continued, there is a risk that NHS boards would not properly take ownership of local anti-crime risks. As a result NHS Protect’s service delivery model will now change from direct operational support to standard setting, bench marking and assurance which will enable local corrective action.”

Reading between the lines

The decision to amputate NHS Protect’s security management functions was provoked by a need to make financial savings. But, was the subject of the ‘consideration’ the NHS as a whole or the Department of Health?

I say this because, if you were to ask any qualified Security Manager in the country how NHS Security should be best managed, the answer, I am sure would resoundingly be ‘a national strategy, directed from the centre’. However, such a centralised, national NHS strategy would conflict with the Department of Health’s current approach, which is effectively to devolve responsibility (and accountability) for decision making in the NHS just as far away from the ‘centre’ as it can, if possible right down to the people on the ‘coal face’; and managing its ‘NHS affairs’ simply by issuing more and more Guidance to NHS Trusts, without any consideration of enforcement in the event of non-compliance. Whilst this ‘strategy’ may help keep ‘the department’ and those who operate it protected against criticism (e.g. from the National Audit Office or the Public Accounts Committee), it is not in the best interests of the NHS as a whole. Just think about how the ‘economies of scale’ that would go with a national NHS security management department could cut the costs of staff training and slash the cost of purchasing security equipment (e.g. c.c.t.v. systems, alarm systems, lone worker devices; radios; body worn video cameras; stab vests; uniforms; etc).

A national NHS Security Strategy would also help to reduce the post-code-lottery variances in security standards, policy and operational decision making across the NHS.

Concerns about the future safety of NHS Staff have already been voiced

Back in February, the Royal College of Nursing (RCN) publicly expressed concern about media reports that NHS Protect’s security and violence management functions were going to cease to exist after 31 March 2017.

The RCN said: “This will be a retrograde step and undermine all the progress that has been made to date to take forward the recommendations of the report by the Comptroller and Auditor General, A Safer Place to Work. At a time when morale among nursing staff is low, removing the role and function of NHS Protect would send out a very negative message about the value of NHS staff and potentially impede NHS England’s objective to improve the health and well-being of the workforce.

Note: There are currently 193 attacks on NHS staff a day in England and official figures show that the number of physical assaults on staff has been rising year on year over the past decade.

Questions have been asked in the House

On 26th April 2017, some questions about NHS Protect were posed in writing to the Secretary of State for Health in Parliament by Labour Party MPs Holly Lynch and Justin Madders.

A brief summary appears below. (You can read the full text here.)

Holly Lynch, MP, asked two questions. The first, (70999), asked if the Secretary of State for Health would commission a National Alert system on security-related issues and individuals who may post a significant present or potential threat to NHS staff, NHS service providers and NHS property assets. Her second question (70071) asked which organisations will have responsibility for ensuring that NHS providers comply with security standards following the decommissioning of NHS Protect’s security management functions.

Here is what Conservative Party MP, Mr Philip Dunne replied on behalf of the Secretary of State for Health. (Note: the responses have been edited to eliminate ‘chaff’ :))

  • Comprehensive and detailed guidance is available to NHS employers to assist them in assessing and managing the risks accordingly and involving the police where appropriate. A separate NHS national alert system is therefore unnecessary.
  • The standards for security management work are imposed through the relevant clauses of the standard commissioning contract between commissioners and providers. It is commissioners’ responsibility to ensure that security management standards are met in accordance with the contract.

Justin Madders, MP, asked five questions. The first  [71106] asked the Secretary of State for Health, who will be responsible for setting out minimum security requirements and standards after the abolition of NHS Protect. The second question (71144) asked who will assume responsibility for the counter-terrorism security preparedness functions undertaken by NHS Protect following its change of role. The third (71145) asked whose role it is to keep central records of assaults on NHS staff, following the change of role of NHS Protect.  The fourth question [71146] asked if Secretary of State for Health will publish the risk assessment undertaken by his Department before the decision was taken to change the remit of NHS Protect and the fifth and final question [71147] asked the Secretary of State for Health what assessment he had made of the potential effect of the change of role of NHS Protect on the safety of staff; and if he will make a statement.

Here is what Conservative Party MP, Mr Philip Dunne replied on behalf of the Secretary of State for Health. (Note: the responses have been edited to eliminate ‘chaff’ :))

  1. The standards for security management work are imposed through the relevant clauses of the standard commissioning contract between commissioners and providers. It is the responsibility for commissioners to ensure that security management standards are met in accordance with the contract. NHS England is responsible for the standard commissioning contract, the clauses within it and the standards to which it refers.
  2. NHS Protect has never had responsibility for counter terrorism work in the National Health Service. This rests with the Emergency Preparedness, Resilience and Response branch within NHS England.
  3. The figures previously published by NHS Protect were a collation of the numbers of reported assaults provided by individual health bodies. Employers in the NHS are responsible for assessing the circumstances of these reported assaults and addressing the risks identified and this work will continue at a local level where it is best delivered.
  4. The role of NHS Protect was to develop national guidance to assist NHS organisations locally in their security management work. Comprehensive and detailed guidance is now available to NHS employers who are responsible for assessing risks to staff and addressing those risks. It was not, therefore, necessary for a separate risk assessment to be undertaken as this change should have no effect on the safety of NHS staff.
  5. The answer to Justin Madders’ final question appears either to have been incorporated in the answer provided to question 4 above, or else was not answered directly/completely.

Further parliamentary questions are in the pipeline. More on this soon.

The question that needs to be asked first is this:


Jim O’Dwyer
Senior Consultant
AEGIS Protective Services
T: 01202 773736