NHS Security Management – Update #3

October 01, 2017
Jim ODwyer

Here is update #3 on NHS Security Management by Jim O'Dwyer, Senior Consultant at AEGIS Protective Services...

Note: To view the previous update: Click Here

Before 2003, security management work fell to various parts of the Department of Health and the NHS, or was not addressed at all.

In March 2003, The National Audit Office (NAO) published a report titled: A Safer Place to Work: Protecting NHS Hospital and Ambulance Staff from Violence and Aggression’.

The report identified a number of problems around the reporting of violent incidents, including that there were more than 20 definitions of ‘assault’ in use across the NHS. The inconsistency meant that little meaningful analysis of incident reports could take place nationally. Responses to incidents also varied across the NHS.

The NAO report recommended that clear and unambiguous reporting cultures and systems should be developed, in parallel with consistent and comprehensive mechanisms for pursuing prosecutions.

Then, between April and June 2003, the (newly created) NHS Security Management Service conducted a series of fact-finding visits to health bodies to see and experience what the problems were and to explore how they could be addressed and prioritised.

The problems identified included:

  • Inconsistent standards of security management work
  • Inconsistent standards of training for those in security-related roles
  • Lack of nationally consistent guidance
  • Lack of application of, or compliance with, guidance
  • Limited awareness of the consequences of poor security, in both human and financial terms
  • Inconsistent reporting and lack of coordination, at both national and local levels.

2003 - A new national security management strategy

In December 2003, the NHS Security Management Service announced a new national strategy aimed to make the NHS a safer place to work and published a guidance document titled: A Professional Approach to the Management of Security in the NHS.

The strategic priorities were:

  • Tackling physical and non-physical assaults on NHS staff
  • Ensuring the security of property and assets
  • Ensuring the security of drugs, prescription forms and hazardous materials
  • Ensuring the security of maternity and paediatric wards.

2012 - A revised national security management strategy

In 2012, NHS Protect updated its Security Management Strategy and published a guidance document titled: Tackling crime against the NHS - A strategic approach.

The updated strategy outlined how the objective of reducing crime against the NHS would be achieved:

 

 

The updated NHS Security Management Strategy document (page 3) also incorporated this unarguable statement:

“In order for it to be effective, work to tackle crime against the NHS really needs to be nationally led and co-ordinated.”

Yet, on 1st April 2017, NHS Protect’s security management functions were abruptly ‘decommissioned’.

Note: NHS Protect will continue to lead on tackling fraud, bribery and corruption within the health service in England, under a new title: NHS Counter Fraud Authority (NHSCFA). However, when the NHSCFA is established as an independent Special Health Authority (expected during 2017-18), NHS Protect will cease to exist.

 

The immediate effects of the decision to decommission NHS Protect’s security management functions include:

  • Dissolution of the national NHS Security Management Strategy
  • A premature end to the national campaign to tackle violence against NHS Staff
  • No plans to continue publishing annual physical assault statistics
  • Closure of the Legal Protection Unit established by NHS Protect to increase prosecutions against those who assault NHS Staff
  • An end to the publication of Regional and National Alerts (i.e. info on security risks and active offenders, as well as, vulnerable people that go ‘missing’ from NHS settings)
  • Termination of the availability to NHS Trusts of expert advice and support from NHS Protect’s Area Security Management Specialists
  • An end to the previous arrangements for Local Security Management Specialists to meet quarterly to network, stay abreast of emerging security risks and establish and refine ‘best practice’
  • Abandonment of NHS ownership of specialist Security Management training courses to the public sector
  • Transfer of responsibility for compliance and enforcement of Security Management Standards to Clinical Commissioning Groups

 

Predictable consequences:

One strongly predictable consequence of the decision to decommission NHS Protect’s security management functions will be that standards of security across the NHS will become more widely variable than they are already - a real post code lottery!

Other predictable outcomes include the full list of problems (referred to above), that were identified in 2003, by the NHS Security Management Service!

For ease of reference, here is the list:

  • Inconsistent standards of security management work
  • Inconsistent standards of training for those in security-related roles
  • Lack of nationally consistent guidance
  • Lack of application of, or compliance with, guidance
  • Limited awareness of the consequences of poor security, in both human and financial terms
  • Inconsistent reporting and lack of coordination, at both national and local levels.

Here’s why.

It is simply a fact that, whilst some NHS Trust Boards do recognise the importance of security and invest appropriately in anti-crime measures, many (the vast majority) still don’t and won’t unless they are directly compelled to do so by a ‘higher authority’ e.g. NHS Protect.

With NHS Protect gone, it’s more likely than not that, NHS Trust Boards will choose to apply ‘cost saving’ to security budgets over other expenditure and revert to the old approach to NHS security risk management - which was to hope nothing would happen and then react when it did (i.e. after losses, including injuries, had been incurred.)

Without a centralised reporting system for collating security incidents, it won’t be possible to accurately gauge the costs of failing to prevent them happening. Failing to identify the ‘total costs’ to the NHS of ‘security breaches’ will inevitably result in inadequate investment in preventative measures and, unless there is a centralised system for sharing and disseminating information on emerging trends and best practice, no improvement can happen. It’s a deadly cycle!

 

The ‘official’ justification for the decision

The official justification published for the decision to decommission NHS Protect’s security management functions was that, as a result of work already carried out by NHS Protect, boards of local NHS organisations should possess the knowledge and capacity required to deal with the crime threats they face and so NHS Protect should no longer continue to provide the security management services. It was also felt that if NHS Protect continued to provide these services, there would be a risk that NHS boards would not properly take ‘ownership’ of local anti-crime risks.

The real reason?

I believe that the real reason(s) for the decision to terminate NHS Protect’s security management functions appear in a report dated 26th November 2009 by PA Consulting Group Ltd., who were commissioned by the NHSBSA to conduct a thorough review of the Counter Fraud and Security Management Service to provide:

  • An understanding of the current situation and performance of CFSMS
  • A comprehensive list of options for improving this performance across the function
  • A recommended way forward, outlining how NHSBSA can shape and improve CFSMS

A (heavily redacted) copy of the report by PA Consulting Group Ltd is available thanks to Freedom of Information requests made in 2016 by Zoe Williams, a journalist who writes for the Guardian Newspaper.

To download a .pdf copy of the PA Consulting Group report: Click Here

NHSBSA Copyright 2016

Key statements in PA Consulting Group’s report:

Page 1: “CFSMS can deliver significant additional value in the short term through increased efficiency……supporting tools, such as management dashboards and Key Performance Indicators (KPIs)….do not currently exist….it is difficult to demonstrate value for money. The introduction of a comprehensive set of KPls and efficiency measures will bring greater rigour to operational management and enable a full understanding of CFSMS.”

Page 7: “CFSMS currently produce minimal management and reporting information. Limited collection of performance data and Key Performance Indicators.”

Page 11: 2.7 “Security Management Services - The poor relation."

Page 9: 2.2 “The importance of CFSMS is undervalued and seldom recognised across the Health sector.

Page13: 3.1.1 “We have examined comparator organisations to inform our recommendations……The size of these organisations differ to CFSMS but they all have a common approach in terms of how they tackle internal and external fraud. They employ clear financial management practices and always seek to demonstrate a return on investment.

Page 14:  3.1.3   “Applying design principles to shape the organisation……Design principles are used to provide a set of evaluation criteria to test alternate solutions for all elements of a new organisational design. They provide a method for identifying the key things that need to be changed in order to make a lasting difference to CFSMS.”

Page 14: “The ability to demonstrate return on investment.

Page 16: “CFSMS' future as an organisation is strongly linked to its ability to successfully communicate the actual and potential benefits of its work. If this does not change it is likely that a cycle of low strategic importance within the DH and NHS trusts will be perpetuated.

Page 17: “This operational strategy will define clearly the way in which CFSMS plans to organise itself to tackle its objectives, being specific about which activities it will focus on and which it will push to other parts of the NHS or stop doing.

Page 18: “Measurement of customer and stakeholder satisfaction levels is key to CFSMS future success as it is critical to the agreement of value for money.

Page 26: “The current resourcing model has evolved over the last ten years with little cost pressure.

Page 39: “7.2.2  Design and implement a balanced scorecard ... a performance management tool for measuring the activities and overall effectiveness of CFSMS.”

 

Bottom line

It would appear that the CFSMS was subjected to a cost/performance exercise and that, whilst the Counter Fraud Service was just about able to justify its continuing existence in terms of revenue recovered and fraud prevented, the Security Management Service (the poor relation) wasn’t able to do so and when this was realised the SMS became an embarrassing ‘hot potatoe’ that the Department of Health Anti-Fraud Unit (which funded NHS Protect) wasn’t prepared to hold onto any longer.

Note: The decision to decommission NHS Protect’s security management functions was taken, notwithstanding that the report from PA Consulting Group recognised the need for a single, expert and intelligence-led organisation to provide oversight for anti-crime work across the NHS.

(Page 12)

2.8          There is a continuing requirement for centrally managed fraud and security guidance

The complexity and technical nature of the task requires a central directing and coordinating body focused on counter fraud and security management in the NHS.

The decision also conflicted with the statement in paragraph 2 on page 14 of NHS Protect’s Business Plan 2016-17, which states:

“There remains a need for a single, expert, intelligence-led organisation - NHS Protect - to provide centralised investigation capacity for complex crime matters and to have oversight of and monitor anti-crime work across the NHS.”

 

Has reform in the NHS been a factor?

The NHS is currently undergoing a significant reform and this may have been a factor in the decision to decommission NHS Protect’s security management functions.

The NHS and local councils have come together in 44 areas across England to develop proposals to improve healthcare. The proposals are known as Sustainability and Transformation Plans (STPs) and are an important part of delivering the NHS Forward View.  The idea being that, each area will eventually be operated as an Accountable Care Organisation (ACO). It’s a variant of a type of US system called a Health Maintenance Organisation in which all services are provided in a network of hospitals and clinics all run by the HMO company. There is little evidence that they work and there hasn’t been a pilot to prove their effectiveness. But, what they definitely will do is to limit health spending. Few people understand them, sceptics doubt they will work, and some even see them as a Trojan horse for the ultimate privatisation of the NHS, with powerful US HMO companies such as Kaiser Permanente and UnitedHealth likely to be bidding for the huge contracts to run these ACOs when they go out to international tender.

If that’s the plan, it would rather over complicate the contractual assignment of responsibilities in the tendering process, if the ACOs were going to be subjected to directives to implement security measures (that involve expense) issued by a separate (central) organisation which has overall responsibility for developing, improving and standardising security management across the NHS. In which case, even though it may not be in the interests of the NHS, it may just have suited the DH to simply abdicate responsibility for security management standards and just let the ACOs find their own way. Who knows?

Who actually made the decision to decommission NHS Protect’s security management functions and why?

NHS Protect’s Business Plan 2016-17 (page 14) states that the business plan had been “written in the context of the requirements of the government’s comprehensive spending review and the outcome of the Department of Health Anti-Fraud Unit’s review of NHS Protect’s functions. The review concluded that the primary responsibility for all local anti-crime work (both economic and non-economic) should remain with the boards of local NHS organisations.”

So, by implication then, it would seem that the decision to decommission NHS Protect’s security management functions was made by the Department of Health’s Anti-Fraud Unit (DH AFU), the DH unit that ‘sponsors’ NHS Protect.

Note: During 2014-15 the Department of Health (DH) created an Anti-Fraud Unit (DH AFU) with a remit to co-ordinate the approach to countering fraud across the entire health family, the purpose being to combat fraud within the DH and its Arm’s Length Bodies (ALBs). It also has a “horizon scanning” role to help the DH and its agency improve their response to “future cross government anti-fraud requirements” and an “investigative capacity” for “national, large or complex cases that it is not realistic to expect the NHS to take on”. The DH AFU also feeds information into a fraud error and debt team in the Cabinet Office. The creation of the DH AFU led to the review of NHS Protect’s functions and the decision to de-commission NHS Protect’s security management functions.

However, it has been confirmed to me in a response from the Department of Health to a Freedom of Information Request (Reference FOI-1096092) that in fact the recommendation or decision to decommission NHS Protect’s Security Management functions was NOT made by the Department of Health Anti-Fraud Unit and that at the time the decision was made, responsibility for Security Management within DH resided with the former DH Assurance Directorate – which, as part of the 20-20 restructuring of the Department (of Health), no longer exists!

The response also confirmed the Department of Health does NOT hold the information I had requested, which was:

  1. The names of the individual(s) at the Department of Health Anti-Fraud Unit, who recommended or made the decision to decommission NHS Protect's Security Management functions w.e.f. 01/04/2017
  2. Details of the business case (i.e. rationale/reasoning) underpinning the decision to decommission NHS Protect's Security Management functions w.e.f. 01/04/2017.

Prior to that, I had sent a Freedom of Information Request to NHSBSA (on 1st August) asking for:

  1. Either the name and job role of the individual or alternatively, details of the members of the committee that made the decision to decommission NHS Protect's security management functions w.e.f. 1/4/2017
  2. Details of the rationale /reasoning underpinning the decision to decommission NHS Protect's security management functions wef 1/4/2017
  3. Details of the NHS body currently holding responsibility for ensuring and enforcing compliance with service condition 24 of the NHS National Contract (NHS Counter Fraud and Security Management) or alternatively confirmation that the decommissioning of NHS Protect's security management function went ahead without any body being responsible for ensuring and enforcing compliance with service condition 24 of the NHS National Contract.

The reply I received back from Helen Moore, Information Governance Officer, NHS Protect (on the 22nd August) stated:

In response to your request:

  1. NHS Protect was the subject of a review of its functions and services by the Department of Health, as a result of the review the recommendations of the review were implemented.
  2. See (1) above.
  3. The standards for security management work are imposed through the relevant clauses of the standard commissioning contract between commissioners and providers. It is the responsibility for commissioners to ensure that security management standards are met in accordance with the contract. NHS England is responsible for the standard commissioning contract, the clauses within it and the standards to which it refers.

"NHS Protect FOIA request, NHSBSA Copyright 2017"

I then wrote back to Helen Moore, (24/08/2017) saying I didn’t think the response I’d received adequately answered my request (for details of the rationale/reasoning underpinning the decision to decommission NHS Protect's security management functions wef 1/4/2017) and requesting further and better particulars, if not a copy of the document that must have been created to record the decision and the reasons for making it.

On Friday, 25 August 2017 I received an email from Helen Moore, Information Governance Officer, NHS Protect saying:

“Jim, Thank you for your reply.  As per my previous response to your freedom of information request. NHS Protect was the subject of a review of its security management functions by the Department of Health. I would recommend that you make a request for information to the Department of Health."

"NHS Protect FOIA request, NHSBSA Copyright 2017"

On 29th August I emailed Helen Moore asking for confirmation that NHSBSA/NHS Protect do not hold the information I had requested (i.e. details of the rationale /reasoning underpinning the decision to decommission NHS Protect's security management functions wef 1/4/2017). My reason for asking was that, I'd consider it very strange if NHS Protect did not get or keep a copy of the document(s).

On 21st September, Helen Moore emailed me confirming, following a search of their paper and electronic records, NHS Protect does not hold the information I’d requested.

"NHS Protect FOIA request, NHSBSA Copyright 2017"

 

Upshot:

It is still unclear exactly who made the decision to decommission NHS Protect’s security management functions and what reasoning if any underpinned their decision. What is clear from the written assurances I’ve received is that, neither the DH, or NHSBSA, or NHS Protect have retained a copy of any report or correspondence that would answer these questions and that is more than a little strange.

It is inconceivable isn’t it, that no record exists at NHSBSA or NHS Protect, or the Department of Health, of the rationale/reasoning underpinning the decommissioning NHS Protect's security management functions or who took the decision?

But, that’s the reply I’ve received from those organisations!

 

Deliberately buried?

The reference number (i.e. 2017.08.001) allocated to my FOI Request by NHSBSA doesn’t resemble the numbering system used on the NHSBSA web site’s FOI Disclosure Log.

It’s also curious that the URL quoted in the NHSBSA’s correspondence to me showing where details of my FOI Request and the response would be published on the FOI Disclosure Log page of the NHSBSA website turned out to be a dead link.

(https://apps .nhsbsa.nhs.uk!FOI /foiReguestDetail.do?bo   id=2017.08.001)

I searched the NHSBSA website, FOI Disclosure Log page on 28/09/2017. The most recent record on show was Request Reference: 7159 Date: 21 Sep 2017. That is the same date as the last correspondence I received from the NHSBSA. I suppose it could be that there’s just been a delay in publishing my FOI Request, or for some reason it may not be considered ‘complete’ yet?

But, the point is that no public record of my FOI Request seems to be available on the FOI Disclosure Log page of the NHSBSA website. Could it have been ‘buried’ to stifle interest?

Note: Interestingly, but probably just another co-incidence too, is that the links to the responses to Zoe Williams’ FOI requests on the NHSBSA web site’s FOI Disclosure Log are also dead?

This is worrying too

In his reply to my FOI Request (Reference FOI-1096092), Edward Franklyn, Freedom of Information Officer at the Department of Health said: "NHS Protect has never had an operational role for security management work.

So, what was the purpose of saying that?

Was it perhaps, to (attempt to) obscure the fact that NHS Protect actually did provide some very significant operational and support roles (referred to above) that are going to be very badly missed by NHS Trusts up and down the country?

Mr Franklyn followed that ‘shocker’ with this: “Employers in the NHS are responsible for assessing risks to staff and addressing those risks. The role of NHS Protect was to develop national guidance to assist NHS organisations locally in their security management work. Comprehensive and detailed guidance is now available to NHS employers to assist them in assessing and managing the risks accordingly and involving the police where appropriate. Additionally, there is a mature network of trained local security management specialists in place across the country. The standards for security management work are imposed through the relevant clauses of the standard commissioning contract between commissioners and providers. It is commissioners’ responsibility to ensure that security management standards are met in accordance with the contract. NHS England is responsible for the standard commissioning contract and the clauses within it. Trusts appoint trained and accredited security management specialists who have responsibility for taking forward security management work locally within their health bodies. The work is overseen by members of the executive boards who are responsible for providing strategic management and support for all security management work within their organisations. These individuals have responsibility for ensuring their trusts have a security management strategy in place that is supported by policies, procedures and physical security measures. Due to these measures now being firmly in place, widespread and well established, the requirement for NHS Protect to assist further was no longer required.”

Mr Franklyn can tell me all this, but he can’t tell me who made the decision? Really?

 

Also of concern

On 26th April 2017, Labour Party MP, Justin Madders posed the following question in writing to the Secretary of State for Health in Parliament about NHS Protect:

Question 71144 “Who will assume responsibility for the counter-terrorism security preparedness functions undertaken by NHS Protect following its change of role?”

Here’s what Conservative Party MP, Mr Philip Dunne replied on behalf of the Secretary of State for Health:

“NHS Protect has never had responsibility for counter terrorism work in the National Health Service. This rests with the Emergency Preparedness, Resilience and Response branch within NHS England.

Why would Mr Dunne have said that if it wasn't true and, if it was true, why would NHS Protect have stated (at Page 3) in their Security Management Strategy document “Tackling crime against the NHS - A strategic approach”, published on 24th May 2012:

There are many types of crime that could affect the NHS, and in response to these NHS Protect has responsibility for this, including the following areas:

  • violence
  • counter terrorism security preparedness

????

There’s definitely something fishy here!

 

Intervention by the Secretary of State is urgently required

The gravity of the impact of the decision to decommission NHS Protect’s security management functions demands a detailed explanation from the Department of Health of the reasoning underpinning the decision.

I hope that ‘stakeholders’ like the RCN, BMA, UNISON, UNITE, KINGS FUND, NAO that have the necessary ‘influence’ will take positive action to hold the Department of Health to account and I believe that personal intervention is urgently required by Jeremy Hunt, the Secretary of State for Health, who is ultimately accountable for the NHS.


Jim O’Dwyer
Senior Consultant
AEGIS Protective Services
T: 01202 773736

P.S. If you are involved in security in the NHS, it would be great to see you at the NAHS annual conference on 9th November 2017, in Birmingham. More Info