Security Risk Assessment for Healthcare Facilities in WA: What’s Required and Why It Matters

Healthcare facilities in Western Australia operate under a security obligation that most other sectors don’t share: they must remain open and accessible at all hours, to anyone who needs care, while simultaneously protecting staff from violence, controlling access to drugs and controlled substances, managing vulnerable patients, and maintaining the kind of environment that supports clinical outcomes rather than undermining them.

That combination — open access, 24-hour operations, high-acuity patients, and a genuine aggression risk — creates a security challenge that a generic risk assessment will not adequately address.

This article explains what a security risk assessment for healthcare facilities in WA involves, which standards and obligations apply, and why the assessment needs to be independent, site-specific, and aligned with the right framework.

 

The Security Challenge That’s Unique to Healthcare

Most organisations can control who enters their facility and when. Healthcare facilities largely cannot. Emergency departments, hospital foyers, outpatient clinics, and community health centres are designed to be accessible — and that accessibility, while essential to the delivery of care, creates security exposure that requires deliberate, structured management.

The threat profile in healthcare environments is also distinct. Violence and aggression directed at staff is one of the most consistently reported occupational hazards in the health sector. Patients in distress, family members under pressure, people affected by substances or mental health crises — these are not edge-case risks. They are a routine feature of clinical environments, particularly in emergency departments, mental health units, and community-facing services.

Add to this the specific vulnerabilities that come with healthcare facilities — controlled drug storage, medical equipment, cash and personal valuables, sensitive patient information held in physical records rooms — and the security risk picture becomes genuinely complex.

A security risk assessment for a healthcare facility needs to address all of this. It needs to be structured around how the facility actually operates, not around a generic checklist that doesn’t account for clinical workflows, patient acuity, or the specific obligations that apply to WA health entities.

 

What AS 4485:2021 Requires

The primary Australian Standard for security in healthcare settings is AS 4485:2021 — Security for Healthcare Facilities. Published in 2021 as a substantial revision of the original 1997 standard, it is structured across two parts:

AS 4485.1:2021 — General Requirements sets out the policy, principles, and procedural requirements for protecting patients, workers, visitors, controlled substances, information, and property in healthcare facilities. It establishes the baseline that all healthcare facilities in Australia should be working toward.

AS 4485.2:2021 — Procedures Guide provides the supporting guidance and explanatory material to assist facilities in implementing the requirements of Part 1. It includes guidance on security risk assessments, record-keeping, and the development of effective security systems across different types of healthcare environments.

Taken together, AS 4485.1 and AS 4485.2 provide the benchmark against which healthcare security arrangements should be assessed and documented. A security risk assessment that doesn’t reference this standard is missing the most relevant framework for the sector.

Under AS 4485.2:2021, security risk assessment records are required to be retained for a period of seven years. This is not a minor administrative detail — it signals that the standard treats the risk assessment as a formal governance document, not an informal review. The format, methodology, and content of the assessment matter, because it may need to be produced and defended over a significant timeframe.

 

WA-Specific Obligations

Healthcare facilities in Western Australia operate within a layered set of obligations that shape how security risk must be managed and documented.

Health Services Act 2016 (WA) governs the operation of public health service providers in WA, including the major hospital networks and WA Country Health Service. Risk management — including security risk — is a mandatory governance responsibility under this framework. Health Service Providers are required to conduct risk assessment processes that identify, analyse, evaluate, and treat risks, and to demonstrate that risk management is being performed.

Work Health and Safety Act 2020 (WA) replaced the previous occupational safety and health legislation and brought WA into alignment with the national harmonised WHS framework. Under this Act, healthcare employers have a primary duty of care to ensure the health, safety, and welfare of workers — which expressly includes the risk of violence and aggression. The WA Health System’s own WHS framework specifically identifies violence from patients and visitors as a key risk category requiring assessment and control.

WA Health Risk Management Policy — applicable across WA Health Service Providers — requires that risk management practices be consistent with the relevant Australian Standard and that risks be documented and managed through formal processes. For security risks, this means the assessment needs to align with both the AS 4485 framework and ISO 31000:2018, which the WA health system references as its risk management methodology.

Private hospital and aged care operators in WA face their own regulatory environment, including obligations under the Aged Care Act and the standards enforced by the Aged Care Quality and Safety Commission. While the specific requirements vary, the expectation that security risk has been formally assessed and managed is increasingly embedded across both public and private healthcare settings.

 

What a Healthcare Security Risk Assessment Covers

A well-structured security risk assessment for a healthcare facility goes considerably beyond a physical walkthrough and a checklist. The scope typically includes the following.

Operational context and threat environment. Understanding how the facility operates — hours, patient population, staffing model, incident history, and the specific clinical areas that present elevated security risk. Emergency departments, mental health inpatient units, pharmacy and drug storage areas, and after-hours access points each carry different threat profiles that need to be assessed on their own terms.

Physical security controls. Assessment of access control arrangements across the facility — including entry and exit points, staff-only zones, pharmacy and drug store access, after-hours entry management, and the integration of electronic access control with operational workflows. CCTV coverage and quality, lighting across internal and external areas, duress alarm systems, and perimeter arrangements are all evaluated against the specific risks present at the site.

Aggression and violence risk. This is one of the most operationally significant elements for most healthcare facilities. The physical environment either supports or undermines the management of aggression. Reception desk configuration, waiting area sightlines, duress system placement, the presence or absence of physical barriers between staff and the public — all of these design factors affect how early a staff member can detect an escalating situation and how effectively they can respond. A good assessment identifies where the built environment is creating unnecessary risk and where proportionate changes would improve staff safety.

Controlled substances and high-value asset security. Pharmacy areas, medication rooms, and dispensary arrangements require specific assessment against the access control, monitoring, and procedural standards relevant to controlled substance management. This is not a cyber security question — it is a physical security and procedural one, and it is a consistent area of vulnerability in both hospital and aged care settings.

After-hours vulnerability. Healthcare facilities often operate with reduced staffing overnight. The security arrangements that work during business hours may not be adequate after midnight. A healthcare security risk assessment should specifically examine after-hours access, monitoring, response capability, and the adequacy of duress arrangements during lower-staffing periods.

Mental health environment considerations. Mental health inpatient units, community mental health centres, and emergency department psychiatric areas have specific environmental security requirements. Ligature risks, seclusion room arrangements, patient observation, and staff safety in confined clinical spaces all require assessment through a security lens as well as a clinical one.

Risk rating and prioritisation. All findings are rated using a likelihood-consequence matrix aligned with ISO 31000:2018, producing a risk register that gives the facility a clear, prioritised view of where to direct resources. Not every gap can be addressed immediately — a good assessment tells you which ones matter most.

Report suitable for governance. Healthcare facilities in WA operate under significant governance obligations. The risk assessment report needs to be suitable for presentation to facility management, health service board or audit committees, and regulators. It needs to reference the relevant standards, document the methodology clearly, and produce recommendations that are specific, achievable, and supported by evidence.

 

Why Independent Assessment Matters in Healthcare

Healthcare facilities frequently rely on security service providers — guards, monitoring companies, and system installers — for advice on their security arrangements. This is understandable: these providers are embedded in the facility’s operations and have direct knowledge of what’s happening on the ground.

The problem is that providers who deliver a service or supply a product have an inherent interest in the outcome of any assessment. A security guarding company assessing whether additional patrols are needed is not in a position to give genuinely impartial advice. A CCTV supplier assessing whether the existing system is adequate has a commercial interest in the answer.

An independent security consultant has no stake in the outcome. The role is to assess what the risk actually is, evaluate whether existing controls are adequate, and recommend what is proportionate — which sometimes means recommending fewer controls than a provider might suggest, or redirecting budget toward procedural improvements rather than technology.

For healthcare facilities operating under the governance requirements of WA health system policy, independent assessment also provides a stronger evidentiary position. An assessment conducted by an independent, credentialed consultant — aligned with AS 4485:2021 and ISO 31000:2018 — carries more weight in a governance or regulatory context than an assessment conducted by the facility’s security provider.

 

Types of Healthcare Facilities in WA That Commission Security Risk Assessments

Security risk assessments in the WA healthcare sector are commissioned across a wide range of facility types and contexts.

Public hospitals and health campuses — from major metropolitan sites like Royal Perth and Fiona Stanley through to regional hospitals managed by WACHS — require assessments that address both the complexity of large, multi-building sites and the specific threat profiles of emergency, mental health, and after-hours environments.

Private hospitals and day surgeries face their own obligations and, increasingly, insurer expectations that security risk has been formally assessed. The AS 4485 standard applies regardless of ownership model.

Aged care facilities across Perth and regional WA are under increasing scrutiny following the Royal Commission into Aged Care Quality and Safety. Security risk — including the management of aggressive behaviour, after-hours vulnerability, and access control for residents with dementia — is now a recognised element of facility governance.

Community health centres, mental health community services, and Aboriginal health services operate in environments where staff are often working with patients presenting complex needs, sometimes in locations with limited physical security infrastructure and limited after-hours support.

General practices, medical centres, and allied health practices are less commonly assessed formally, but face real security risks — particularly around drug storage, cash handling, and the management of distressed or aggressive patients.

 

Engaging Smartsec for Healthcare Facility Security Risk Assessments in WA

Smartsec Security Solutions is an independent physical security consultancy based in Perth, delivering security risk assessments across healthcare, local government, education, and commercial environments throughout Western Australia.

Our healthcare security risk assessments are aligned with AS 4485.1:2021 and AS 4485.2:2021, and apply ISO 31000:2018 as the risk management methodology. We are vendor-neutral — we do not supply or install security systems or provide security personnel — which means every recommendation is based on what the facility actually needs, not on what someone wants to sell.

We understand the WA health system context: the obligations under the Health Services Act 2016, the WHS Act 2020, and the risk management policy frameworks that govern WA Health Service Providers and contracted health entities. Our reports are structured to meet the governance and documentation standards that healthcare facilities operate under.

Assessments are available for single facilities or as part of a portfolio review across multiple sites. If your facility is preparing for a regulatory review, responding to an incident, planning a capital works project, or simply wants a current, independent view of its security risk position, Smartsec can help.

Contact Smartsec Security Solutions to arrange a scoping conversation. There is no obligation — just a direct conversation about your facility and what an independent assessment would involve.
