Physical security risk management for healthcare
Your clinical staff absorb more workplace violence than any other workforce in the country, and your facilities have to stay open to the public anyway. Holtium brings every hospital, clinic, and campus into one place, puts a dollar figure on the risk at each site, and helps your team decide what to fix first.
If your operation is pharma, biotech, or medtech, labs and plants rather than hospitals and clinics, see Holtium for Life sciences.
The stakes
of the nonfatal workplace violence injuries in US private industry happen to healthcare and social assistance workers, who are injured by violence at about five times the all-industry rate.
US Bureau of Labor Statistics, 2021 to 2022 data.
is what workplace and community violence cost US hospitals in 2023, counting treatment for victims, security staffing, and prevention programs.
American Hospital Association, The Burden of Violence to U.S. Hospitals, 2025.
are assaulted every hour on average in US hospitals, most often in psychiatric units, emergency departments, and pediatric units.
Press Ganey analysis of NDNQI data.
The most violent workplace in America also has to keep its doors open
A hospital cannot lock its doors. Patients, families, and visitors move through around the clock, the emergency department takes whoever arrives, and your staff work inches from people in crisis. The openness that care requires is the exposure your security program has to manage.
Most healthcare security teams manage it with incident counts, site assessments in separate documents, and a rating scale that calls everything medium. When leadership asks after the next headline incident whether your people and patients are protected, and what it would cost to do better, there is no evidence behind the answer. That is the gap this page is about.
Business risk through a physical security lens
Healthcare and social assistance workers absorb about 73 percent of the nonfatal workplace violence injuries in US private industry, about five times the all-industry rate (Bureau of Labor Statistics).
The American Hospital Association puts the cost to hospitals at $18.27 billion in 2023, across treatment, security staffing, and prevention. Each incident carries a safety response cost, and the pattern behind the incidents shows up as lost days, turnover, and legal exposure long after the report is filed.
Violence in healthcare is not evenly spread: on average two nurses are assaulted every hour in US hospitals, most often in psychiatric units, emergency departments, and pediatric units (Press Ganey).
These settings cannot be hardened the way an office lobby can, so the decisions are about duress alarms, screening, design, staffing, and response, and since 2022 the Joint Commission's workplace violence prevention standards have made those decisions an accreditation subject rather than an internal preference.
DEA diversion control makes the secure storage and handling of controlled substances a physical security requirement with registration exposure attached, at every pharmacy, medication room, and loading dock that touches them.
A diversion event is a replacement cost on paper, but the real losses are fines and judgments, the investigation time behind them, and the reputation cost when diverted product reaches patients or the press.
Infant security, patient elopement, and violence between patients are low-frequency risks with severe consequences, and after an event the question from courts, regulators, and families is always the same: what did you know, and what did you do about it.
The regulatory floor keeps rising, with CMS requiring a documented all-hazards risk assessment as a condition of Medicare participation, OSHA citing hospitals for workplace violence under the General Duty Clause, and states like California requiring written violence prevention plans for healthcare and beyond. Duty of care you cannot evidence compounds into legal exposure, in amounts that dwarf the controls that would have documented it.
A hospital has to stay welcoming while controlling access, so every visitor policy, entrance closure, and screening decision is a trade-off between care and exposure.
Most systems make those trade-offs site by site, on judgment, which means nobody can say what the open entrance is actually costing until an incident prices it. Treating access decisions as risk decisions, with a dollar figure attached, is how the trade-off becomes defensible.
The platform your security team runs the program on, tuned to how healthcare operates
Holtium brings your risks, controls, locations, and spending into one place, helps your team decide what to do next, and measures it all in dollars so leadership can act on it. A Holtium team works alongside yours, so you get the analysis without building it.
Your risk register covers the risks this industry actually carries: violence against clinical staff, incidents in emergency departments and behavioral health units, drug diversion, patient and infant safety, and access across an open campus. Build it in the platform, or bring in the one you already have.
Control mapping connects every control you already run, security officers, duress alarms, cameras, visitor management, weapons screening, and infant security systems, to the risks it reduces and the sites it covers, so you can see that the main campus is well protected while three outpatient clinics are carrying more exposure than anyone had written down.
The roadmap turns decisions into tasks with owners, budgets, and tracking, and the What-If simulator shows the effect of a decision before you commit a dollar to it, such as weapons screening at the emergency department versus visitor management upgrades across your clinics, so prioritization across the system is an evidenced decision rather than an instinct.
A dollar figure your CFO will question, built to survive the questioning
We start with your baseline, the risk each site would face with nothing but doors, walls, and locks, then subtract what your current controls already prevent. What remains is your exposure today, broken into the losses behind it, such as the response and lost time an assault costs, the legal exposure when duty of care cannot be evidenced, and the license exposure a diversion event carries.
It is built on recognized standards and loss data, the same quantitative discipline used in cyber, operational risk, and engineering. It begins as a range rather than a false-precise figure and sharpens as we verify your controls, and every figure traces back to what drove it.
Each quarter, leadership gets an executive risk report that reads like finance: where exposure stands across the system, what moved it, and what comes next.
Inherent, losses avoided, and residual risk exposure, split into loss types. Healthcare sample data.
Your incident reports and site assessments are the input, not wasted work
You share what you already track, in any format: incident data, partner provider assessments, guard post orders, insurance schedules. We map it to your risks and sites for you, and most teams are up and running within weeks. Your job is to review and confirm, not to do the heavy lifting.
Questions healthcare security teams ask
How do you put a dollar figure on workplace violence risk?
We model each risk at each site using recognized standards and loss data, the same quantitative discipline used in cyber, operational risk, and engineering, and we start from the incident history you already track. The figure starts as a range, sharpens as your controls are verified, and always traces back to what drove it, so your team can defend it in front of a CFO or a board.
Is this a hospital security risk assessment?
It produces one, and then keeps it alive. We ingest the assessments you already have, map the findings to risks, controls, and sites, and maintain a quantified risk picture per site that updates as controls change, instead of a point-in-time report that ages in a drawer. The assessment covers access control and visitor management, cameras and duress alarms, emergency department and behavioral health measures, pharmacy and medication room security, parking structures, and the policies, training, and emergency preparedness behind them. Each finding maps to a risk and a dollar exposure, so the output is a prioritized plan rather than a static report.
Does this help with the Joint Commission workplace violence prevention standards?
Holtium is not a compliance tool, but it keeps the record those standards ask about in one place: which risks you identified, which controls exist at which sites, what is on the roadmap, and which risks leadership formally accepted and why. Teams use that record to answer surveyors with documentation instead of recollection.
How long until we see a risk picture across all our sites?
Most teams are up and running within weeks. You share what you already track, we structure and map it, and the first quantified picture covers your full system rather than one pilot site.
See what your exposure is worth across every hospital, clinic, and campus
You stay in charge of the program. We do the analysis, so you get the evidence without building it.