I was recently in a hospital and the security director and I had a chat about potential threats, active shooter scenarios and how to make the overall perimeter of the hospital harder to penetrate and easier to monitor.
He and I walked everywhere, with me taking notes and pictures of everything. In some cases, I pointed directly to potential routes of entry and problematic spots (see attached pics). I walked the director through how I would penetrate the hospital covertly or overtly, what I would use and who I would potentially target for social engineering. We also brainstormed about the different attackers the hospital would see, and how each affected the security.
Finally, we focused on the active shooter scenario. They do have trained staff, but as I was describing how I would do it in a mini-tabletop exercise, they realized the holes in their plans and policies, and more importantly, they realized the weakest points in their perimeter.
This simple tabletop, coupled with the walking of the building and specific pinpointing of areas of concern, provided the hospital security staff with a better way to understand the threats, prepare better security countermeasures and put in place better security controls.
This whole assessment took 4 hours. The staff cooperated completely.
Note: Be aware that the issues found have been closed. The hospital implemented every single suggestion to improve security.