Spotting and Shutting Security Gaps in Healthcare Visitor Management
Nurses in two major New York City hospital systems were on strike this year due to concerns about staffing levels, workplace safety, and health insurance. While a tentative agreement was announced on 9 February that could end the dispute, it’s no surprise that workplace violence is a top concern for healthcare professionals.
In 2020, 76 percent of all U.S. victims who experienced trauma due to workplace violence worked in the healthcare and social assistance industry, according to the U.S. Centers for Disease Control and Prevention.
Similarly, the U.S. Bureau of Labor Statistics reported that healthcare workers experienced the highest incidence rates for workplace violence in 2021 and 2022, according to the latest data. “There were 41,960 total nonfatal cases of workplace violence requiring days away from work, job restriction, or transfer in the health care and social assistance industry over this time, accounting for 72.8 percent of all cases in private industry over the two-year period,” the bureau reported.
Nurses and other medical or support staff are increasingly dealing with this issue, according to Claire Zangerle, CEO of the American Organization for Nursing Leadership.
“We’ve seen a significant uptick in workplace violence in healthcare settings since the pandemic,” Zangerle says. “…In the healthcare setting, caregivers and nurses are taking care of people at their most vulnerable time.”
The patients are not the only people healthcare staff have to care for. Nurses and other workers also have to manage people accompanying or visiting patients, often in tense, emotional situations.
For hospitals, this kind of stress is exacerbated by an increase in occupancy rates, which have spiked since 2020. A recent report published in 2025 found that hospital emergency department visits have increased by 40 percent in the United States. Without mitigating factors, an influx of patients and a lack of space result in longer wait times and more aggravation.
“So, wait times are longer and when you’re not feeling well and your wait time is longer, that’s a bad formula for any human to deal with. The reaction comes out in a negative way, which is sometimes being uncivil, being mean, being combative, and violence happens on a continuum,” Zangerle says.
In addition to managing patients in crisis, healthcare staff also juggle the responsibility to control access to sensitive spaces such as neonatal units, intensive care units, and pharmaceutical storage.
“Hospitals are different because they must stay open, accessible, and compassionate while still protecting vulnerable people and sensitive spaces,” says Lisa Terry, CPP, senior consultant for Vizient. “Unlike many other industries that can tightly restrict entry without major mission impact, healthcare must accommodate 24/7 public access, emergency arrivals, families under stress, and a wide mix of patients and visitors.”
The range of risks to patient safety, facility operations, and overall security in healthcare settings includes unauthorized entry, at-risk patients leaving without being properly discharged (commonly referred to as elopement), infant or child abduction or custody-related incidents, contraband being brought into the facility, workplace violence, privacy breaches, and infection or spread of contagion when screening and isolation controls are bypassed, Terry says. But while the nature of these risks might vary, they all rely on gaining access into a facility, making effective visitor management a crucial element of healthcare security.
Determining Access
“Consistent visitor management is one of the most practical ways to prevent harm and preserve safe, reliable care,” Terry says. “Strong access control and visitor practices reduce the likelihood of violence, abduction, elopement, and privacy breaches.” Those practices can help minimize conflicts, crowding, and interruptions in high-acuity areas like the emergency department, behavioral health, intensive care, and labor and delivery, while supporting regulatory expectations for a safe care environment, she adds.
However, given that each facility is different and will provide different services—whether it’s a teaching and research hospital or a smaller, dedicated private practice—the level of access control should be tailored to the specific risks, patient vulnerability, and operational impact of that area. It also needs to be compliant with relevant life-safety requirements.
“In practice, that means applying lighter controls in truly public spaces,” Terry says, referring to spaces like lobbies and waiting rooms. Those lighter controls allow patients and visitors to enter and have access to necessary medical services and information. That’s not to say healthcare facilities should skimp on security there, but they can focus on deterring and influencing behavior, such as maintaining clear visibility and a staff presence, or similar crime prevention through environmental design (CPTED) measures.
Meanwhile, in semirestricted spaces, there’s the expectation of more deliberate controls, such as a check-in desk and protocol. Access is limited to authorized staff and patients. Examples include hallways leading to operating rooms, scrub sinks, and certain recovery areas.
The most stringent controls—like role-based badge access, escort rules, alarmed doors, and anti-tailgating measures—are reserved for restricted and high-risk areas, such as sterile operating rooms, pharmaceutical or narcotics storage, units with vulnerable patients (like ICUs and neonatal units), or high-privacy areas. These are areas that not only demand security in case of a bad actor but also to prevent contagions and infections.
For example, children’s hospitals are likely to have the strictest visitor management systems, with visitors being photographed before they are allowed entry, or perhaps each visitor has to be cleared against a sex offender database, says Ashley Ditta, CPP, director of public safety and parking for Newton‒Wellesley Hospital.
Consistent visitor management is one of the most practical ways to prevent harm and preserve safe, reliable care.
Within larger facilities, tiers of security have more stringent measures for maternity, pediatrics, and psych wards. But even the hospitals that are less strict about visitor management have lockdown procedures and areas, thanks to the COVID-19 pandemic.
“Before COVID, we were expected to be open all the time. It was a very patient-centric and visitor-centric culture,” Ditta says. But the need to minimize the risk of infection during the pandemic forced healthcare facilities to rethink elements of access—such as restricting the number of entrances and screening requirements. “We realized we could do it and we could still function.”
To deal with the demands of COVID—providing medical treatment during a pandemic while also keeping staff safe—Newton‒Wellesley Hospital enforced a full visitor management system, checking in everyone and ensuring each person had an approved reason for entry, such as bloodwork, an appointment, an emergency, or visiting a patient.
Even after COVID protocols were scaled back for other public-facing sites like retail stores, Newton‒Wellesley reevaluated its access protocols and retained some measures, such as keeping unnecessary entrances closed and upgrading visitor management systems.
Identifying Security Gaps
In her capacity as a consultant, Terry often provides healthcare facilities with a risk assessment, typically spotting security gaps by “combining what people report, what the policies state, and what the building, grounds, and data reveal,” she says. “Once that information is assembled, you then validate findings through observation.”
This observation commonly involves walking the campus or facilities like a visitor would, including during evening and weekend hours, as well as mapping paths between public and restricted areas, observing peak periods to spot instances of tailgating or door propping, interviewing staff, and relying on video surveillance. Observations should be compared to written policies.
For example, Ditta realized that while the hospital was inundated with signage, people could still get confused and lost.
“Signage is my arch-nemesis,” Ditta says, because although a sign might be posted, there’s no guarantee that someone will read it. While signs should still be posted, security should enlist leaders and staff to share relevant information from signs with other staff and visitors, especially if security measures change. “What ends up happening is if you change something from a visitor management perspective but you don’t tell the staff, the staff are telling the visitors and the patients something completely different than what’s actually current,” Ditta says.
To further mitigate missed messages, Newton‒Wellesley also uses its electronic medical records portal to send patients information about any visitor management procedures.
Another way to spot security issues is through strengthening reporting systems and security accountability, according to Mary Gates, CEO of GMR Consulting Group. This effort can help quickly identify patterns that indicate a security gap and then reduce the likelihood of repeating offending incidents. “It starts with the people who live in the setting on a daily basis,” Gates says.
From the C-Suite to the Trenches
As with many industries, security in healthcare facilities is an organizational and cultural issue. Without support from nonsecurity staff, even the best-intentioned measures can fail.
Nonsecurity staff need to understand that access control and visitor processes, while they may interrupt the ease of allowing access to patients or care, can ultimately reduce disruptions, protect patients and staff, and support employees and their goals, Ditta explains. Once staff understand this, they are usually more willing to participate and support these procedures or measures.
But that understanding largely depends on security committing to reporting, communicating, and building trust—which are all interconnected. For example, when someone reports a security issue, the follow-up is crucial. “If someone reports something and nothing ever happens, they’re going to stop reporting,” Ditta says.
Hospitals are different because they must stay open, accessible, and compassionate while still protecting vulnerable people and sensitive spaces.
Communication between departments and security helps build and maintain trust, and assists security in recruiting nonsecurity staff to work as security amplifiers.
“I think it’s really explaining the why to a lot of things, why it’s important to them,” Ditta says. “That is a very nuanced thing. With the maternity units, the psych units, the pediatric units, I think it’s very easy because you’re doing it for the protection of that psych patient, that baby, and mom and baby.”
But it can be trickier to easily communicate why a door shouldn’t be left propped open in instances such as someone taking a cigarette break or waiting for a food delivery to arrive. “People almost always pick their convenience over security, and having them understand that inverse relationship is really important,” she says.
Regular, structured touchpoints and shared expectations improve communication between security and clinical leaders, instead of relying on ad hoc calls during crises, according to Terry.
One way that security leaders and team members can improve communication is by understanding various facets of the business, according to Gates.
“They have to be in the trenches with the clinicians, with the nurses, with the doctors,” she says. Security professionals and leaders have to ask staff which elements of security work and which don’t, as well as why. Given staff’s various demands and responsibilities, there are several methods that can open up that communication, such as reporting channels, surveys, open-door policies, lunch-and-learn sessions, or town halls.
“A lot of the clients that we’ve worked with in the past have those town hall sessions or lunch-and-learn events so they can really talk about the threats that they’re facing,” Gates says. “…If you’re not communicating, that’s where the biggest fault lies. If you’re going in heavy-handed and you’re not talking about what you’re doing, why you’re doing it, and what the impacts are going to be, that’s where the disconnect occurs.”
At Newton‒Wellesley, the security team hosts a daily safety huddle where each department, including someone from senior leadership, is represented and has the chance to bring up safety issues—such as visitors bypassing a check-in station or a scheduled procedure for a prisoner or other patient who could pose a risk to staff. The meeting also gives security a chance to directly respond to issues, building trust with other departments and confidence in their team.
The presence of senior leadership is reflective of a larger need: executive support for security. “A true culture of safety begins with support from the C-suite,” Terry says. “It is important that nonsecurity staff see security measures as somewhat simple, clinically aligned, and visibly backed by leadership.”
A Nurse’s Perspective
When it comes to visitor management, nurses have specific concerns and must rely on their abilities and training to help address related issues, according to Zangerle.
Communication. “You can never communicate enough with a family member about what’s happening,” Zangerle says. Family members waiting for information—such as when a patient will be admitted or about the status of a patient—are often frustrated, so communicating the reason for the wait is the best way to try to de-escalate a tense situation, she adds.
“The family member feels helpless because their family is here and doesn’t feel well. They’ve brought that person in to mitigate that situation and they don’t know what to do. So, you have to give them something to hold onto,” Zangerle says.
Developing an effective communication strategy and de-escalating a tense or volatile situation depends on active listening—identifying and planning how to react to the person, whether that person is frustrated, unreasonable, or exhibiting another agitated state. Staff has to identify the source of a person’s agitation in order to manage that person’s expectations, according to Zangerle.
Filtering visitors. Medical staff must also deal with ensuring that only appropriate and approved persons are able to visit a patient. In some instances, the patient doesn’t want certain people coming to see him or her, or someone tries to take advantage of the situation and access a patient he or she would not normally interact with, Zangerle says. Examples can include a parent with limited or no custody, someone with a restraining order filed against him or her, or rival gang members.
Effective visitor management on behalf of a patient depends on the patient and whether he or she can or will inform hospital staff about issues with other people. If the patient is unable to provide the information, staff will try to determine the patient’s next of kin or emergency contact, who can provide that information instead.
“Hospitals always err on the side of caution,” Zangerle says. “…It’s almost like they’re detectives trying to get to the right people so that they have a spokesperson for [the patient] and that decision can be made” about who may visit.
Security nearby. When caregivers encounter someone who they believe poses a threat to other people, there must be a way to alert security. There are several solutions, such as panic buttons at registration or check-in desks, wearable devices, and video and audio surveillance.
But these devices are dependent on having security personnel close enough to respond to an alert. “That’s why it’s so important to have the presence of security personnel, essentially treating each environment as a neighborhood within a city, and they’re walking the beat so that their presence is known,” Zangerle says.
Seeing security personnel in areas and familiar with spaces increases confidence among medical personnel about support from security, according to Zangerle, who saw this play out in a previous organization where she worked as a chief nurse executive. In that space, when security staff were assigned to specific areas—like “cops walked the beat,” according to Zangerle—nursing staff and security personnel became familiar with each other and developed positive relationships. Security staff also learned more about the healthcare business, including about the types of patients that would frequently be treated by certain units and even which patients to expect at certain times of day or on different holidays. “That level of comfort cannot be over-emphasized,” Zangerle says.
Seeing security on the floor or throughout a facility is also “the best de-escalation technique you can have,” Zangerle notes. Whether it’s someone who arrived with the intention of attacking the facility (such as a dissatisfied patient, or someone hoping to steal controlled substances or medical equipment), or a patient or visitor who is frustrated to the point of violence, seeing security personnel often forces a bad actor to rethink his or her actions.
More training, please. While nurses and other caregivers may hope that security is nearby, security staff cannot be everywhere all at once. This means that nurses also need training to respond to various situations such as lockdowns, active shooters, and de-escalation.
While Zangerle doesn’t expect nurses to resist this training and run drills, support is needed from executive administration and leadership, since additional training takes time away from caregiving duties. She recommends making security training part of a nurse’s annual competency requirements.
“The world is changing constantly and there are so many access points to get into the hospital,” Zangerle says. “You have to be prepared for positioning on quick exits and those types of things. It’s important for nursing, for all personnel to come together and have that collaboration.”
Sara Mosqueda is associate editor for Security Management. Connect with her on LinkedIn or email her at [email protected].
