Does Martyn’s Law apply to retail parks?

Yes. Retail parks are publicly accessible premises. Even outdoor-only sites with open units are included, as they typically exceed the minimum capacity threshold of 100 people.

What is the main difference between Standard Duty and Enhanced Duty for retail premises?

Standard Duty requires training, Public Protection Procedures (PPPs), and clear instructions for staff. Enhanced Duty adds more formal requirements such as a detailed Terrorism Risk Assessment, an Emergency Security Plan, testing, auditing, and documentation.

How do shopping centres calculate their legal capacity under Martyn’s Law?

Capacity is based on the maximum number of individuals who can safely occupy the premises at one time. This includes the mall, food courts, common areas, and in some cases, major anchor stores.

Who is responsible for compliance in a shopping centre?

The centre’s operator, owner, or managing agent is typically the Responsible Person. They must coordinate with tenants, contractors, security teams and cleaning staff to ensure a unified approach.

What training do retail staff need under Martyn’s Law?

All staff must receive terrorism awareness training covering suspicious behaviour, evacuation routes, lockdown procedures, and how to respond during an incident.

What are Public Protection Procedures (PPPs)?

PPPs are clear, simple instructions for staff covering threat recognition, evacuation, lockdown routes, communication methods and response steps. These are mandatory under Standard Duty.

Do individual retail units inside a shopping centre need their own Martyn’s Law plans?

Tenants must align with centre-wide procedures. They do not need full, independent security plans under the Standard tier, but they must complete training, follow PPPs and be able to participate in evacuations and lockdowns.

Does Martyn’s Law require shopping centres to hire additional security?

Not necessarily. The law requires proportionate measures, which may include procedural improvements, enhanced staff training, or better communication systems. High-risk sites may choose to increase security presence, but it is not a mandatory requirement.

Do shopping centres need to run evacuation and lockdown drills?

Yes. Centres must conduct regular drills. Enhanced Duty sites must also test procedures, document outcomes, and make improvements based on findings.

What type of incidents does Martyn’s Law prepare retail staff for?

Staff are trained to respond to suspicious behaviour, suspect packages, hostile reconnaissance, vehicle-based threats, and marauding attacks.

Are outdoor retail parks treated differently from indoor shopping centres?

The principles are the same. Outdoor sites still require training, PPPs, and capacity calculations. Car parks and large open spaces must be included in risk assessments.

How should retail parks handle vehicle-based threats?

Procedures must include vehicle exclusion zones, suspicious vehicle reporting, monitoring of car parks, and clear communication channels for rapid staff alerts.

How often should Martyn’s Law documentation be reviewed?

At least once a year, or whenever there is a significant layout change, new tenant mix, major refurbishment, or updated guidance from the Home Office or ProtectUK.

What are the penalties for non-compliance with Martyn’s Law?

The Act includes civil penalties for non-compliance, especially for Enhanced Duty sites. Penalties may include fines, enforcement notices, and legal action following an incident.

Martyn’s Law for Hospitals: Full NHS & Healthcare Guide

Q: Does Martyn’s Law apply to shopping centres?

Yes. Almost all UK shopping centres fall under Martyn’s Law because they are publicly accessible locations with significant footfall. Centres with a capacity of 100–799 fall under Standard Duty, while those with 800+ must meet Enhanced Duty requirements.

Martyn’s Law for Hospitals & Healthcare Facilities

Home > Business > Martyn’s Law for Hospitals & Healthcare Facilities

Why Martyn’s Law Matters for Hospitals

Hospitals and healthcare facilities are among the most complex and sensitive environments in the UK. They operate 24 hours a day, house some of the nation’s most vulnerable people, and manage enormous footfall across entrances, corridors, waiting rooms, treatment areas, car parks and public spaces. These sites must balance clinical care, emergency access, visiting traffic and essential services, all while maintaining a safe, open and trusted environment for the public.

This combination of openness and vulnerability makes hospitals a key focus of Martyn’s Law (the Terrorism Protection of Premises Act 2025). Unlike many other premises types, healthcare facilities cannot simply close their doors or evacuate a building in response to a threat. Patients may be undergoing surgery, receiving critical care, or unable to move. This makes preparedness, rapid communication and flexible lockdown/evacuation planning critical.

Martyn’s Law aims to raise the safety baseline across all publicly accessible sites, but for hospitals, the stakes are even higher. A well-prepared healthcare facility can protect patients, staff and visitors, minimise disruption to clinical operations, and prevent chaos in the event of a real attack. For hospital trusts, the Act is not just a compliance exercise, it is a vital component of patient safety, business continuity, and organisational resilience.

This guide explains exactly how Martyn’s Law applies to hospitals and healthcare settings, what the legal duties require, how to prepare, and how to implement practical, proportionate plans that work in challenging clinical environments. Whether you operate a major hospital, community clinic or healthcare campus, this resource will help you build a compliant and robust safety strategy.

Does Martyn’s Law Apply to Shopping Centres & Retail Parks?

Yes, Martyn’s Law applies to almost every hospital and most healthcare facilities in the UK. Because these environments are publicly accessible and routinely exceed the key capacity thresholds, they fall squarely within the scope of the Terrorism Protection of Premises Act 2025.

The Act applies to any premises that:

Is publicly accessible,
Has a capacity of 200 or more, and
Operates as a place where the public can enter, gather, wait, receive services or move freely.

Hospitals, by design, meet these conditions. They have large entrances, busy waiting rooms, multiple public departments, and open access areas that support high volumes of footfall. Even smaller hospitals frequently exceed the 200–799 threshold, while medium and large general hospitals usually fall into the Enhanced Duty category (800+).

But Martyn’s Law does not stop at hospitals. Many other healthcare settings also qualify.

Healthcare Sites That Qualify Under Martyn’s Law

The Act is intentionally broad, covering a wide range of healthcare premises, including:

Hospitals

General hospitals
District hospitals
Teaching hospitals
Specialist centres (cancer, cardiac, orthopaedic, maternity, etc.)
Children’s hospitals
Acute care sites
A&E departments (individual entrances often exceed capacity thresholds alone)

Healthcare Campuses & Multi-building Sites

NHS Trust campuses
Multi-block hospitals with shared public areas
Health villages

Community Healthcare Facilities

Walk-in centres
Urgent care centres
Outpatient clinics
Diagnostic hubs
Minor injury units
Renal dialysis centres
Blood donation centres

Mental Health Units

Inpatient wards
Trust headquarters
Dual-access clinical buildings
Secure facilities (with public areas such as receptions)

Private Healthcare Providers

Private hospitals
Private surgical day units
Cosmetic clinics
Fertility clinics
Oncology centres

Primary Care, Case-by-Case Basis

Premises such as GP surgeries, dental practices and opticians may only qualify if:

Public capacity exceeds 200,
Or they form part of a larger integrated healthcare site.

Standalone GP surgeries generally sit below the threshold, but a large medical centre with multiple practices may qualify.

Capacity Thresholds: Which Duty Applies?

The core distinction under Martyn’s Law is between Standard Duty and Enhanced Duty. Here’s how they apply to healthcare environments:

Standard Duty (Capacity 200–799)

Likely applies to:

Small hospitals
Community clinics
Outpatient centres
Medium-sized private hospitals
Walk-in centres
Urgent treatment centres
Mental health units with public reception areas
Multi-practice medical centres

Requirements include:

Staff training
Procedures for responding to attacks
Basic security planning
Reporting suspicious activity
Evacuation/lockdown considerations

Enhanced Duty (Capacity 800+)

Almost all general hospitals fall into this tier.
Likely applies to:

Regional hospitals
Trust hospitals with A&E
Specialist centres
Children’s hospitals
Large private hospitals
Hospital campuses
Multi-building sites with shared public space

Enhanced Duty requires:

A Terrorism Risk Assessment (TRA)
A full Emergency Security Plan (ESP)
Testing & exercising requirements
Strong documentation
Evidence of governance
Post-exercise reviews
Coordination across departments and estates/security teams

Read our article: Martyn’s Law for Shopping Centres

Healthcare Facility Types vs Likely Martyn’s Law Tier

Healthcare Facility Types vs Likely Duty Tier (Preview, full HTML added later)

Healthcare Facility Type	Typical Capacity	Likely Martyn’s Law Duty Tier
District General Hospital (DGH)	1,000–5,000+ people on site	Enhanced Duty
Large City / Teaching Hospital	3,000–10,000+ people on site	Enhanced Duty
Community Hospital / Cottage Hospital	200–700 people on site	Standard Duty
Walk-In Centre / Urgent Treatment Centre (UTC)	100–500 people on site	Standard Duty
GP Practice / Medical Centre	20–200 people on site	Out of Scope (Too small)
Private Hospitals (e.g., BMI, Spire, Nuffield)	200–900 people on site	Standard Duty (Some may reach Enhanced)
Mental Health Hospitals / Secure Units	100–600 people on site	Standard Duty
Rehabilitation Centres / Specialist Clinics	50–300 people on site	Standard Duty
Dental Hospitals / Outpatient Complexes	200–700 people on site	Standard Duty

Areas Within Hospitals That Are Automatically in Scope

Even if a hospital tried to argue against capacity (they can’t), certain parts are unequivocally publicly accessible and meet the definitions:

Main entrances
A&E reception
Outpatient waiting areas
Maternity reception and waiting rooms
Cafes and retail spaces
Car parks
Hospital atriums
Main corridors linking public-facing wards

These alone often approach or exceed 200–400 people during routine operation.

Key Takeaway

Martyn’s Law applies to almost every hospital in the UK and many healthcare facilities.
Most general hospitals will fall under Enhanced Duty, meaning they require detailed risk assessments, emergency security plans and testing programs.

Healthcare organisations cannot assume they are exempt, nor can they rely solely on fire procedures or clinical emergency plans. This Act introduces new legal obligations that demand dedicated security thinking, cross-team cooperation and documented resilience strategies.

Unique Risks in Healthcare Environments

Hospitals and healthcare sites face security challenges that are significantly different from retail, hospitality, offices or public venues. These environments are inherently open, complex, emotionally charged and unpredictable, making them uniquely vulnerable to terrorism and hostile intent. Martyn’s Law recognises these risks and requires hospitals to put in place tailored, proportionate protections that reflect the realities of clinical care.

Below are the core risks that make healthcare facilities a priority environment for enhanced preparedness.

High Concentration of Vulnerable People

Unlike most premises covered by Martyn’s Law, hospitals house:

Patients who cannot walk or move
Individuals undergoing surgery or treatment
Elderly or disabled patients
Urgent and emergency cases
People reliant on life-supporting equipment
Staff who must prioritise clinical care over physical evacuation

This means a full building evacuation, which is possible in retail, hotels or offices, is not feasible in hospitals. Any security incident must consider mobility, dependency and the critical nature of ongoing treatment.

24/7 Public Access and Constant Footfall

Healthcare sites rarely stop operating. Hospitals experience:

Round-the-clock visitation
High volumes of A&E walk-ins
Shift changes involving hundreds of staff
Deliveries, contractors and ambulance arrivals
Continual public movement through corridors

The continuous flow of people makes controlled access challenging and increases vulnerability to:

Hostile reconnaissance
Tailgating/unauthorised entry
Opportunistic attacks
Vehicle-borne threats

Martyn’s Law requires hospitals to manage these risks through proportionate public protection procedures and improved awareness.

Large, Complex, Multi-Zone Layouts

Hospitals are often made up of:

Multiple buildings
Bridge-linked structures
Long public corridors
Mixed-use wards
Public cafés and shops
Car parks
Shared entrances

This makes identifying “publicly accessible” zones more complex and can complicate emergency responses.

Attackers typically target:

A&E entrances
Crowded waiting areas
Reception zones
Cafés and shops
Car parks and drop-off bays

Because these are naturally high-footfall and less controlled.

Hospitals Cannot Fully Evacuate During Most Threats

Hospitals must be prepared for:

Evacuation
Lockdown
Partial evacuation
Protect-in-place strategies

Many departments, such as ICU, maternity, theatres, dialysis, and neonatal units, cannot be moved without severe risk to life. This means hospitals require:

Pre-defined alternative routes
Ward-level lockdown capability
Department-specific action plans
Faster internal communications systems

This complexity is why Martyn’s Law obliges Enhanced Duty hospitals to develop detailed, department-specific Emergency Security Plans (ESPs).

Emotional and High-Stress Environments Increase Unpredictability

Hospitals experience unique pressures that can escalate security risk:

High-emotion situations (bereavement, trauma, emergencies)
Extended waiting times
Aggressive behaviour
Mental health incidents
Substance misuse
Domestic or gang-related spillover incidents

These can distract staff, overwhelm reception areas, and expose security gaps that an attacker could exploit.

Open and Trusted Public Image

Unlike a stadium or secure office, hospitals must remain:

Welcoming
Accessible
Approachable

This positioning, while essential, also makes them vulnerable to:

Unrestricted public access
Insider threats
Coaching by attackers during reconnaissance
Lack of suspicion around visitors

Staff awareness and public protection training become essential to counter this.

High Dependency on Emergency Access Routes

Hospitals rely heavily on:

Ambulance bays
Drop-off points
Blue-light access roads
Helipads
Supply roads

These are critical lifelines. They also create vulnerabilities:

Vehicle-as-a-weapon attacks
Blocking or ramming access routes
Attacks targeting ambulance queues
Dropped devices in high-traffic zones

Martyn’s Law encourages hospitals to assess and mitigate these vehicle-related risks.

High Staff Turnover & Temporary Staff Usage

Hospitals frequently employ:

Agency nurses
Locum doctors
Contractors
Temporary cleaning/catering staff
Visiting specialists

This creates challenges:

Consistent training
Shared situational awareness
Documentation of responsibilities
Ensuring all personnel understand public protection procedures

Regular onboarding and simple, accessible training tools are therefore essential.

Key Takeaway

Hospitals face a unique blend of clinical, operational and public-access risks. These environments require security solutions that:

Never compromise patient care
Allow for flexible evacuation or lockdown
Support continuous operations
Integrate with existing emergency and clinical procedures
Work across large, complex, multi-zone buildings

Martyn’s Law provides the framework, but hospitals must translate it into real, practical, and clinically safe actions.

Read our article: Martyn’s Law for Hotels

Requirement	Included Under Standard Duty?	Retail-Specific Notes
Basic Terrorism Protection Plan (TPP)	Required	Simple, practical plan covering evacuation, lockdown & communication.
Basic staff awareness training	Required	Must include retail workers, cleaners, security, and seasonal staff.
Evacuation & lockdown procedures	Required	Particularly important for open-fronted stores & food courts.
Terrorism Risk Assessment	Not Required	This is only for Enhanced Duty centres.
Mandatory security equipment	Not Required	No need for scanners, bollards, gates, etc. under Standard Duty.

Standard Duty Requirements for Healthcare Sites (200–799 Capacity)

Some healthcare facilities, such as community hospitals, urgent treatment centres, walk-in clinics, outpatient hubs and medium-sized private hospitals, fall into the Standard Duty level of Martyn’s Law. Although this is the lower tier of legal responsibility, the requirements remain critical for settings where vulnerable individuals, staff and visitors rely on rapid and coordinated responses to security threats.

Standard Duty is designed to provide a minimum level of preparedness that improves public safety without introducing operational disruption. For healthcare sites, it ensures that staff can recognise suspicious activity, follow clear procedures and respond confidently during an incident, all while continuing to prioritise patient care.

Below is a detailed explanation of what Standard Duty means in a hospital or healthcare environment.

What Standard Duty Requires in Healthcare Settings

Standard Duty has five core legal requirements, all of which apply to any healthcare facility with a public capacity of 200–799 people.

Basic Terrorism Awareness Training for Staff

Healthcare staff must understand:

What suspicious behaviour looks like
What suspicious items look like
How to report concerns quickly
How to respond during a threat
Simple lockdown or evacuation instructions
How their specific role fits into wider procedures

Training does not need to be intensive. It must be:

Simple
Consistent
Easily accessible
Suitable for clinical and non-clinical staff

Hospitals may need different versions for:
Nurses, receptionists, security teams, cleaners, porters, volunteers, contractors and administrative staff.

Clear Public Protection Procedures (PPPs)

Healthcare sites must have clearly documented procedures covering:

How to handle suspicious items
How to report suspicious behaviour
How to respond to a threat
How to communicate with staff, patients and visitors
Whether lockdown or evacuation is preferred in each public area

These procedures must be:

Written
Shared
Understandable
Relevant to how the building operates

In healthcare settings, PPPs must align with:

Fire procedures
Clinical emergency protocols
Major incident plans
Existing hospital security guidance

Evacuation and Lockdown Considerations

Standard Duty hospitals must have procedures that outline:

When to evacuate
When to lock down
When to use “protect in place” as an alternative
How to move people who cannot self-evacuate
Who makes decisions during an incident
How they will communicate instructions to staff

Because healthcare environments include wards, treatment rooms and dependency-related risks, these procedures need careful tailoring.

A Named Responsible Person

Every healthcare site must designate a Responsible Person for Martyn’s Law compliance.

This person must ensure:

Staff receive training
Procedures are created, updated and followed
Risks are monitored
Documentation is accessible
Communication pathways are clear

In healthcare, this typically sits with:

Head of Security
Head of Estates & Facilities
Operational Director
Risk & Governance Manager
Trust Board Representative

Reporting Concerns & Incident Communication

All sites covered by Standard Duty must demonstrate the ability to:

Receive and pass on security alerts
Quickly communicate across departments
Mobilise evacuation or lockdown orders
Report suspicious behaviour internally and externally
Coordinate with emergency services

Hospitals should align this requirement with:

Existing critical incident alert systems
Ward communication tools
PA or Tannoy systems
Internal radio channels
Secure messaging platforms

Clear pathways must be documented and rehearsed.

What Standard Duty Does Not Require

Healthcare sites under Standard Duty do not need:

A full terrorism risk assessment
A full emergency security plan
Recorded testing or exercising
Formal governance structures
Complex documentation
Annual audits

However, many hospitals choose to implement some Enhanced Duty practices voluntarily because they significantly improve resilience.

4Why Standard Duty Still Matters to Healthcare Facilities

Although Standard Duty is comparatively light touch, it plays a major role in the healthcare sector by providing:

A consistent baseline of staff awareness

This is especially important in hospitals with:

High turnover
Agency staff
Temporary contractors
High visitor numbers

Clear procedures that reduce panic

Healthcare sites become chaotic very quickly during emergencies.
PPPs help calm staff and improve response efficiency.

A legally defined framework for public protection

This strengthens accountability and ensures security is no longer an afterthought.

Better coordination with emergency services

Clear procedures make responses faster and more effective.

Reduced liability for NHS Trusts and private operators

Proper compliance significantly reduces organisational risk.

Key Takeaway

Standard Duty healthcare facilities must focus on:

Raising staff awareness
Creating simple public protection procedures
Ensuring staff know how to report concerns
Establishing clear evacuation/lockdown actions
Assigning a Responsible Person

Although Standard Duty is less demanding than Enhanced Duty, it forms the essential security baseline that all healthcare environments need, regardless of size or complexity.

Strengthen Your Hospital’s Security Today

Your Hospital’s Preparedness Starts Here

,p>Hospitals face some of the UK’s most complex security challenges. Our specialist team helps Trusts and healthcare operators build compliant, clinically safe emergency plans — including TRA development, ESP creation, staff training, and full implementation support.

Enhanced Duty Requirements for Hospitals (Most Will Fall Here)

Most UK hospitals, especially general hospitals, Trust-operated sites, major treatment centres, maternity hospitals and teaching hospitals, will fall under the Enhanced Duty level of Martyn’s Law. This is due to their large capacity, extensive public areas and high daily footfall, often exceeding thousands of people across entrances, corridors, wards, waiting rooms and outpatient zones.

Enhanced Duty applies to any publicly accessible premises with a capacity of 800 or more, meaning that most hospitals are legally required to meet significantly higher standards of security preparedness, planning and documentation than smaller healthcare facilities.

Enhanced Duty is designed to ensure that large, complex environments have:

A documented understanding of their risks
A structured emergency security plan
Trained and capable staff
Clear communication pathways
The ability to respond rapidly and proportionately
Evidence of testing and exercising

For hospitals, this is not optional, it is mandatory, enforceable and essential for operational resilience.

Below is a full breakdown of what Enhanced Duty requires in a healthcare context.

The Three Core Components of Enhanced Duty

Enhanced Duty introduces three major legal obligations for hospitals:

A full Terrorism Risk Assessment (TRA)
A detailed Emergency Security Plan (ESP)
Testing and exercising to prove the plans are effective

Each obligation must be properly documented, reviewed and managed by designated personnel.

Terrorism Risk Assessment (TRA) for Hospitals

A TRA is a structured, documented assessment that identifies:

Vulnerabilities
Likely attack methods
High-risk areas
Operational weaknesses
Visitor/footfall patterns
Existing mitigations
Gaps requiring action

For hospitals, this assessment must be far more detailed than in other sectors because:

Evacuation is not always possible
Many patients cannot move
Clinical care continues during crises
Access routes must stay open for emergency services
There are multiple public-facing entrances
Staff work across hundreds of different rooms and wards

A hospital TRA typically includes:

Key Risk Areas Identified

A&E entrances
Reception and atriums
Public waiting areas
Cafés, restaurants and retail spaces
Multi-storey car parks
Ambulance bays
Drop-off zones
Outpatient departments
Lift lobbies and main corridors
Public toilets and staircase access points
Pedestrian walkways between buildings

Common Threat Types

Vehicle-as-a-weapon attacks
Marauding terrorist attacks
IEDs (Improvised Explosive Devices)
Hostile reconnaissance
Insider threats
Threats to emergency access routes
Abandoned bags/devices
Lone-actor attacks

The TRA forms the foundation for the Emergency Security Plan, making it a critical legal requirement.

The Emergency Security Plan (ESP)

The ESP is the central document that explains how the hospital will respond to different types of terrorist incidents. For Enhanced Duty premises, the ESP is mandatory and must be proportionate to the complexity of the hospital.

A hospital-level ESP typically includes:

Roles and Responsibilities

Including:

Chief Executive or Trust Board
Head of Security
Head of Estates & Facilities
Senior Clinical Leaders
Ward Managers
Control room teams
Reception staff
Security officers

Communication Pathways

Hospitals must document:

How alerts will be issued
How to communicate silently if needed
How to notify wards
How to contact emergency services
Who escalates decisions
How to coordinate across buildings

This includes:

PA/Tannoy systems
Radios
Secure messaging platforms
Bleeps/pagers
Emergency phones
Secure digital alerts

Lockdown Procedures

Hospitals need multi-layered lockdown options, such as:

Site-wide lockdown
Building lockdown
Ward lockdown
Theatre/ICU lockdown
Reception shield protocols
Protect-in-place for non-mobile patients

Lockdown in a hospital is highly complex and must not jeopardise patient safety. Plans must reflect clinical realities.

Evacuation Procedures

Evacuation is still required for certain threats, but must be:

Partial
Phased
Clinically appropriate
Based on mobility and dependency levels
Risk-assessed by ward

Plans must identify:

Primary and secondary routes
Clinical priorities
Staff required for assisted evacuation
Mobility equipment
Safe zones

Coordination with External Agencies

Hospitals must define how they will work with:

Police
Counter-terrorism teams
Fire and rescue
Emergency planners
Mutual aid partners
Adjacent facilities

Medical and Clinical Continuity

The ESP must consider:

Ongoing surgeries
Critical care and ICU
Neonatal and maternity units
Oncology treatments
Mental health wards
Haemodialysis sessions
Fracture clinics
Emergency operations

Not all clinical activity can stop; the ESP must reflect this.

Public Information and Visitor Communication

Hospitals must document:

How to direct visitors
How to share real-time instructions
How to manage panic
What messaging is used
Which areas can act as temporary safe zones

Testing, Exercising & Continuous Improvement

Enhanced Duty sites must prove their procedures work by conducting:

Tabletop exercises
Internal lockdown tests
Partial evacuation drills
Department-by-department testing
Out-of-hours simulations
Multi-agency exercises with police

These tests must be:

Planned
Documented
Evaluated

And the ESP must be updated after each significant drill or incident.

Hospitals must also store an audit trail demonstrating compliance.

Required Documentation for Enhanced Duty Hospitals

Hospitals must maintain:

TRA reports
ESP documentation
Training logs
Exercise records
Decision logs
Communication protocols
Governance structures
Site maps and access plans
Risk summaries
Review records

This documentation is mandatory and must be produced upon request by the regulator.

Key Takeaway

Enhanced Duty places significant legal responsibility on hospitals. But it also gives them a structured framework for managing complex risks, protecting vulnerable people and ensuring continuity of care during major emergencies.

Most hospitals will fall under Enhanced Duty, meaning they must:

Carry out a detailed Terrorism Risk Assessment
Create a tailored Emergency Security Plan
Test and exercise their plan regularly
Maintain evidence of compliance

This section positions Leisure Guard as a specialist capable of supporting NHS Trusts and private hospitals through this entire process.

Evacuation & Lockdown in a Healthcare Setting

Evacuation and lockdown procedures are at the heart of Martyn’s Law, but hospitals face unique and often conflicting challenges that make them fundamentally different from other premises. In retail, hospitality or offices, a full evacuation is almost always the preferred response. In a hospital, however, hundreds of patients cannot be moved safely or quickly, and clinical care cannot simply stop.

This makes evacuation, lockdown and protect-in-place strategies far more complex in healthcare environments. Hospitals must be ready to combine all three response types depending on the threat, the location, the clinical environment and the mobility of patients.

Why Evacuation Is More Complex in Hospitals

Many hospital departments simply cannot evacuate without putting lives at risk. These include:

Intensive Care Units (ICU)
Coronary and cardiac units
Operating theatres
Neonatal units (NICU/SCBU)
Dialysis wards
Oncology infusion suites
High-dependency units
Trauma bays

Even in departments that can evacuate, the process is slower and requires more staff coordination than in other sectors.

Key challenges include:

Patients on ventilators
Patients with mobility impairments
Patients undergoing surgery
Medication and equipment dependencies
Vulnerable groups (children, elderly, distressed)
Logistical challenges with escorts and equipment

This complexity requires carefully designed evacuation procedures, backed by rehearsed staff actions.

Lockdown: The More Common Response in Hospitals

In many terrorist threat scenarios, lockdown is safer and more practical than evacuation. Hospitals must be able to:

Restrict access quickly
Secure public-facing areas
Protect high-risk zones (A&E, maternity, reception)
Move staff and patients away from exposed areas
Avoid bottlenecks where crowds gather
Isolate wards and theatres
Maintain continuity of care

Hospitals may need multi-layered lockdown actions, such as:

Site-wide lockdown: preventing entry and exit
Building lockdown: isolating a specific building
Department lockdown: securing A&E, paediatrics, maternity, etc.
Ward-level lockdown: preventing movement in/out of clinical rooms
Protect-in-place: safest option for non-mobile patients

This flexibility must be built into the Emergency Security Plan.

Protect-in-Place for Non-Mobile Patients

For many patients, moving them could worsen their condition or be physically impossible. Protect-in-place allows staff to:

Close ward doors
Draw blinds and curtains
Reduce visibility
Move patients away from windows and entrances
Shut down adjacent corridors
Stand down non-essential activity

Protect-in-place is often the correct response for:

ICU and HDU patients
Post-operative patients
Complex cardiac cases
Neonatal patients
Individuals attached to life-supporting equipment

Hospitals must document when protect-in-place should be used instead of evacuation or lockdown.

Ward-Level Decision Making

Wards are clinically autonomous spaces with their own staff, procedures and patient groups. In an emergency:

Not every ward will do the same thing
Some may need to evacuate
Some may need to lockdown
Some may protect-in-place

This decentralisation must be accounted for in the ESP, and staff must know exactly what action applies to their area.

Ward managers need:

Department-specific instructions
Clear communication pathways
Ability to escalate decisions
A mapped understanding of escape routes

The Role of A&E in Evacuation and Lockdown

A&E is the most vulnerable zone in any hospital:

High footfall
Open access
Emotional and unpredictable environment
Queueing and congestion
Limited ability to control visitors

A&E may require its own tailored plans, such as:

Immediate A&E lockdown
Redirecting ambulances
Securing triage areas
Closing public entrances
Internal relocation of patients

Because A&E is a known high-risk target, it must be a major part of the site’s Emergency Security Plan.

Public Areas Create Additional Challenges

Entrances, lobbies, corridors, cafés and waiting rooms accumulate people quickly and offer multiple access points for attackers. During an incident, hospitals must:

Prevent bottlenecks
Avoid crowd panic
Sweep public areas
Secure staff-only routes
Direct crowds safely

This requires staff training and clear visitor communication protocols.

Stairwells, Lifts and Corridors Must Be Planned

Hospitals must pre-assess:

Primary evacuation routes
Secondary (fallback) routes
Lift restrictions during incidents
Stairs as high-traffic or high-risk areas
Corridor choke points
Areas where patients may require escort teams

Without this planning, evacuation can become chaotic.

Evacuation vs Lockdown: Hospital Comparison Table

Hospital Area	Evacuate?	Lockdown?	Protect-in-Place?	Notes
Accident & Emergency (A&E)	Sometimes	Frequently	Rarely	High-risk public zone. Often locked down while patients are moved deeper into the department.
Outpatient Departments	Yes (where safe)	Sometimes	Sometimes	Generally suitable for evacuation, but may move to lockdown or protect-in-place depending on threat location.
General Wards	Sometimes	Yes	Yes	Decision guided by patient mobility and threat proximity. Often a mix of ward lockdown and protect-in-place.
Operating Theatres	Rarely	Yes	Yes	Evacuation is usually unsafe mid-surgery. Theatres typically move into lockdown and protect-in-place.
ICU / HDU	No	Yes	Yes	Highly dependent patients. Lockdown and protect-in-place are the primary responses in most scenarios.
Maternity / Neonatal Units	Sometimes	Yes	Yes	Case-by-case basis. Vulnerable mothers and babies often require protect-in-place with strong lockdown controls.
Public Cafés / Shops	Yes	Sometimes	Rarely	Generally evacuated unless the threat is too close. May be locked down temporarily while areas are secured.
Main Entrances / Lobbies	Yes	Yes	No	High footfall areas. Often evacuated quickly and then locked down to prevent further entry.
Car Parks & External Areas	Yes	No	No	Usually lower density but vulnerable to vehicle-based threats. Evacuation and perimeter control are typical responses.

Key Takeaway

Hospitals cannot rely on a single emergency strategy. Terrorist threats may require:

Evacuation of some departments
Lockdown of others
Protect-in-place for critical care areas
Coordination between clinical and security teams
Clear communication across the entire site

This level of complexity is exactly why Enhanced Duty applies to most hospitals, and why the Emergency Security Plan must be detailed, rehearsed and understood by everyone.

Communication Systems for Hospitals

Clear, reliable and rapid communication is the backbone of an effective response under Martyn’s Law. In hospitals, communication must work across multiple buildings, hundreds of departments, complex layouts, and a 24/7 workforce. It must also support clinical care, maintain patient safety and reach the right staff instantly, even during high-stress, chaotic incidents.

Because hospitals often cannot fully evacuate during an attack, communication systems become even more critical. They determine whether departments lock down, evacuate or protect-in-place, and how quickly these actions occur.

Hospitals must therefore build communication strategies that are multi-layered, resilient, clinically safe and capable of operating under pressure.

Why Communication Is More Complex in Hospitals

Hospitals have:

Diverse staff roles (clinical, admin, estates, security, porters, contractors)
Large visitor footfall
Thousands of patients with different care needs
Multiple public entrances
Separate and sometimes disconnected buildings
A mixture of old and modern infrastructure
Varied communication technologies
Multiple shift patterns and rotations
Out-of-hours staffing challenges

This complexity means no single communication method is sufficient. Hospitals must rely on multiple simultaneous systems.

Core Communication Channels Required Under Martyn’s Law

Public Address (PA) / Tannoy Systems

Hospitals need the ability to:

Broadcast site-wide or building-specific messages
Deliver clear emergency instructions
Activate lockdown or evacuation notices
Direct visitors away from danger
Override background music or announcements

PA systems must be:

Audible over hospital noise
Clear in corridors and waiting areas
Available during power disruptions

Two-Way Radios (Security, Porters, Clinicians, Estates)

Radios allow instant communication between:

Security officers
Porters
Clinical teams (especially A&E and wards)
Estates & Facilities
Fire response teams
Incident control rooms

Hospitals may need separate channels for:

Security
Emergency response
Clinical teams
Estates
Coordination teams

Radios must be tested frequently and reach all buildings.

Silent Alert Systems for Sensitive Areas

Certain zones, such as paediatrics, maternity, ICU and theatres, cannot use loud alarms. Silent or discreet alerts may include:

Secure messaging apps
Alert beacons
Staff-only screens
Coded phrases
Pagers/bleepers

These systems reduce panic and maintain clinical safety.

Internal Phone Systems & Emergency Extensions

Hospitals often use:

Dedicated emergency hotlines
Direct lines to security
Internal extensions for ward escalation
Theatre-to-security communication

These must be listed in the Emergency Security Plan and well publicised.

Staff Messaging Platforms

Hospitals are increasingly using:

Secure mobile apps
Digital pagers
Instant messaging tools
Emergency broadcast notifications

These allow fast alerts to:

Ward managers
Department leads
Senior clinical staff
Out-of-hours on-call teams

Visitor Communication Systems

Hospitals must plan how they will inform visitors during incidents:

Digital screens
Announcements
Printed signage
Marshals directing movement
Controlled communication at reception
Public messaging for car parks

Visitor communication is essential to avoid panic and prevent bottlenecks.

Role-Specific Communication Needs

Clinical Staff

Need quick instructions that don’t disrupt patient care, including silent alerts for sensitive departments such as:

ICU
NICU
Theatres
Maternity
Oncology

Security Teams

Need:

Constant radio contact
Real-time threat information
Ability to initiate lockdown
Visibility of CCTV feeds
Clear escalation routes

Estates & Facilities

Must coordinate:

Door locking systems
Access controls
Alarms
Barrier systems
Power overrides

Reception, Admin & Volunteers

Need to:

Direct patients and families
Stop entry to closed areas
Redirect people safely
Communicate changes quickly

Integration with Technical Systems

Hospitals may integrate communication with:

Building Management Systems (BMS)
Fire alarm control panels
Access control locking
CCTV
Panic alarm points
Mass-notification systems
Automatic door mechanisms

This enables coordinated, automated responses such as:

Automatic lockdown of certain doors
Immediate alerts to security
Simultaneous notifications to clinical staff
Visual cues on ward screens

Testing and Resilience Requirements

Under Enhanced Duty, hospitals must test communication pathways during drills.

This includes:

PA announcements
Radio coverage
Silent alerts
Incident control room communication
Out-of-hours communication tests
Activation of lockdown notifications
Backup communication pathways

Hospitals must also have fallback methods for:

Power outages
Network failures
Radio dead spots
Unreachable staff

Key Takeaway

Hospitals require layered, resilient, multi-channel communication systems capable of reaching staff and the public quickly during a terrorist incident. Martyn’s Law requires these systems to be clearly documented, consistently tested and fully integrated with the hospital’s Emergency Security Plan.

Need Help Creating Your Emergency Security Plan?

strong>Get a Fully Compliant ESP Tailored to Your Site

A generic emergency plan won’t meet Martyn’s Law requirements — your hospital needs a tailored, risk-based approach designed around patient mobility, zoning, clinical operations and public footfall. We create clear, actionable ESPs that integrate seamlessly with existing NHS frameworks.

Staff Training Requirements for Healthcare Facilities

Hospitals are among the most complex staffing environments in the UK. They operate 24 hours a day, have thousands of employees, and depend heavily on temporary, agency and multi-disciplinary staff. This makes Martyn’s Law training requirements both critical and challenging.

Under both Standard and Enhanced Duty, hospitals must ensure that staff receive appropriate terrorism awareness training. Enhanced Duty hospitals (which includes almost all large hospitals) must go further by integrating training into governance structures, clinical operations, and multi-department coordination.

Training must be simple, proportionate and tailored to clinical realities, but it must be effective enough to change behaviour, improve awareness and save lives in an emergency.

Why Training in Hospitals Is More Complex

Hospitals have:

Thousands of staff across multiple disciplines
Constant shift rotations
A high volume of agency and temporary workers
24/7 operations
Volunteers and third-party contractors
Public and private spaces
Highly varied risk zones

This makes consistent training delivery challenging. Staff may work in:

Wards
A&E
Outpatient areas
Labs
Imaging departments
Theatres
Administration
Catering
Security
Estates
Mental health units

Each group needs a tailored level of understanding.

Core Training Requirements (All Hospital Staff)

Regardless of role, all staff must be trained in:

Identifying suspicious behaviour

Including:

Loitering
Unusual interest in layouts, entrances, CCTV
Attempts to avoid security
Inappropriate clothing
Repeated visits without reason

Identifying suspicious items

Such as:

Unattended bags
Items left in unusual locations
Bags placed deliberately near crowded areas

How to report concerns

Hospitals must specify:

Who to call
Which number to use
Whether to alert security first or clinical leads
When to escalate to counter-terrorism teams

What to do during an incident

Staff must understand:

Whether to lockdown, evacuate or protect-in-place
How to communicate silently when needed
How to support patient safety
How to avoid moving towards danger

Their specific responsibilities

Every role has a different function in an incident.

Training Requirements for Clinical Staff

Clinical teams must receive training that aligns with patient care duties.

Training includes:

Protecting patients during lockdown
Moving mobile patients away from risk
Safe evacuation procedures
Preparing wards for protect-in-place
Communicating calmly with the public
Managing panic in vulnerable groups
Ensuring medication and equipment safety

Clinical staff often take leadership roles during incidents, so training must be role-specific and scenario-based.

Training Requirements for Security Staff

Security officers require:

Advanced suspicious behaviour recognition
Counter-terrorism awareness (CTAW)
Radio communication protocols
Response sequencing (lockdown → sweep → secure)
Identifying hostile reconnaissance
External patrol awareness
A&E-specific safeguarding
Corridor control techniques
Managing evacuation routes
Managing vehicle threats

Security staff should also participate in multi-agency exercises.

Training for Reception, Admin, Volunteers & Front-Facing Teams

These are often the first to encounter suspicious behaviour.

Training must include:

De-escalation skills
Visitor direction and crowd management
Reporting routes
How to close entrances quickly
Preventing tailgating
Safety protocols for abandoned items
Understanding lockdown procedures

Front-facing staff often manage public panic, so communication training is essential.

Training for Estates & Facilities Teams

They must understand how to:

Secure doors and access points
Support lockdown procedures
Assist with evacuation route controls
Communicate with the command centre
Provide technical support
Override systems where needed
Coordinate with emergency services

Estates staff often play a crucial role during drills and real incidents.

Training for Porters & Support Services

Porters may need to:

Move vulnerable patients
Assist with evacuations
Provide equipment during incidents
Support clinical teams in theatres or wards
Respond rapidly under instruction

Their training must be practical and scenario based.

Agency, Locum & Temporary Staff Training

Hospitals must ensure that all temporary staff receive basic training, including:

Identification of suspicious behaviour
How to report concerns
What to do during an incident
Understanding local procedures

This is often overlooked and is a major compliance risk.

Solutions may include:

Short induction videos
Quick reference leaflets
QR-coded training guides
Mandatory sign-off before first shift

How Often Training Must Be Updated

Under Enhanced Duty, training should be refreshed:

Annually (recommended)
After major plan updates
After testing and exercising
During onboarding for new staff

Hospitals may also update training after:

Security incidents
Premises changes
New access systems
Internal or external audits

Key Takeaway

Hospitals require a multi-tiered, role-specific training programme that equips staff with the confidence and capability to respond during terrorist incidents, without compromising patient care. Martyn’s Law requires that:

Training is proportionate
Staff understand their responsibilities
Communication pathways are embedded
Incident response is consistent across all departments
Temporary and clinical staff are not overlooked

The goal is not fear, it is preparedness, calm action, and patient safety.

Terrorism Risk Assessment (TRA) for Hospitals (Full Guide)

For Enhanced Duty hospitals, the Terrorism Risk Assessment (TRA) is one of the most important legal requirements under Martyn’s Law. It forms the foundation of the Emergency Security Plan (ESP), influences training, informs communication strategies, and shapes evacuation/lockdown decision-making.

A hospital TRA must be far more detailed than risk assessments conducted in retail, hospitality or offices because hospitals have:

Multiple high-risk zones
Varied levels of patient dependency
Critical care units that cannot evacuate
24/7 staffing
Heavy public footfall
Emergency vehicle traffic
Significant visitor movement
Unique clinical constraints

This section provides a full explanation of how hospitals must conduct TRAs, what they must include, and how they should be used to build safer, more resilient healthcare facilities.

What a Hospital TRA Must Achieve

A compliant TRA must:

Identify vulnerabilities

Including physical, operational and procedural weaknesses.

Identify likely attack methods

Using threat intelligence and realistic scenarios.

Assess the impact on clinical care

For each type of attack.

Identify risk levels for each hospital zone

Not all areas face the same level of threat.

Provide clear recommendations

That link directly to the Emergency Security Plan.

Support proportionate decision-making

Not every risk requires heavy investment, but all must be addressed.

The TRA must be written, auditable and proportionate to the size of the hospital.

TRA Inputs Unique to Healthcare

Hospitals require specialist TRA inputs not seen in other sectors:

Patient Mobility & Clinical Dependency

Patients who cannot move
Life-support equipment
Ongoing surgery
Dialysis and chemotherapy
Maternity and neonatal care

Public Footfall Patterns

A&E peak times
Visiting hours
Outpatient clinics
Cafeteria rush periods
Shift changes

Operational Layout

Link corridors
Atriums
Multi-storey car parks
Bridged walkways
Entrances and exits
Public-facing routes vs clinical routes

Critical Infrastructure

Power supply
Oxygen and gas storage
Medical equipment rooms
Pharmacy stores
Laboratories
IT and server rooms

These must be included in the risk calculation.

Hospital Zones Most at Risk

A TRA must identify which areas of the hospital are most vulnerable to different types of attack. This typically includes:

Highest-Risk Areas

A&E entrance and triage
Main hospital reception
Large atriums and lobbies
Public cafés and retail units
Bus stops, taxi ranks and pick-up zones
Car parks adjacent to entrances
Visitor escalators
Main corridors connecting public-facing areas

These are attractive to attackers due to:

High density crowds
Soft access
Low visibility of staff
Minimal control at entry points

Moderate-Risk Areas

Lift lobbies
Waiting rooms
Outpatient departments
Canteens
Staff changing areas
Pharmacy counters (public-facing)

Lower-Risk Areas (But Still Included in TRA)

Administrative offices
Plant rooms
Clinical labs (access restricted)
Secure treatment areas

These are less attractive to external attackers but may face insider threats.

Common Threat Types Hospitals Must Assess

A hospital TRA must cover realistic threat scenarios, typically including:

Marauding Terrorist Attack (MTA)

An attacker with a weapon moving through public areas.

Vehicle-as-a-Weapon (VAW) Attack

Targeting:

A&E bays
Drop-off zones
Entrances
External walkways

Improvised Explosive Devices (IED)

Including:

Abandoned bags
Vehicle-borne devices
Concealed items

Hostile Reconnaissance

Attackers studying:

Entrances
CCTV blind spots
Staff patterns
Ambulance routes

Insider Threats

Staff, contractors or volunteers with malicious intent.

Chemical, Biological, Radiological or Nuclear (CBRN) Risks

Rare but must be considered due to hospital vulnerability.

Attempting to Cause Disruption

E.g., blocking ambulance access or activating fear.

Hospital Risk Matrix (Example)

Hospital Zone	Likelihood	Impact	Overall Risk Level	Notes
A&E Entrance / Triage	High	High	Severe	High footfall, emotional environment, multiple entry points and vehicle access.
Main Hospital Reception / Atrium	High	High	Severe	Busy public access zone, attractive for hostile reconnaissance and crowded attacks.
Public Cafés / Retail Units	Medium	High	High	Dense crowds at peak times, limited supervision, mixed public and staff.
Outpatient Waiting Areas	Medium	Medium	Medium	Crowded at clinic changeover times. Vulnerable to suspicious items or disruptive behaviour.
Main Public Corridors	Medium	Medium	Medium	Key movement routes. Risk of crowding, bottlenecks and movement towards danger if not controlled.
Car Parks / Drop-Off Zones	Low	High	Medium	Exposure to vehicle-as-a-weapon and parked IED threats near key entrances and ambulance routes.
General Wards	Low	High	Medium	Restricted access, but vulnerable patients and staff if attackers breach public zones.
Operating Theatres	Low	High	Medium	High impact if compromised. Strong control and zoning reduce likelihood.
Administrative Offices	Low	Low	Low	Lower footfall and controlled access. More exposed to insider or targeted threats than public attacks.

This matrix becomes the backbone for the hospital’s Emergency Security Plan.

Recommendations Generated by the TRA

The TRA must include proportionate, reasonable, hospital-appropriate recommendations, such as:

Physical Improvements

Improved CCTV coverage
Reinforced access control
Anti-ram bollards
Remote-locking doors
Improved lighting
Visitor routing redesign

Procedural Improvements

Stronger visitor screening
Better out-of-hours protocols
Increased patrols
A&E-specific procedures

Training Requirements

Enhanced hostile reconnaissance training
Role-specific drills
Reception and volunteer training
Agency staff onboarding enhancements

Communication Upgrades

Better PA clarity
More radios
Silent alert systems in sensitive areas
Updated emergency contact structures

Drill Recommendations

Ward-specific lockdown rehearsals
A&E response drills
Full-site simulation every 12 months

How Often the TRA Must Be Reviewed

The TRA should be updated:

Annually (recommended)
After any major building or layout change
After any incident or near-miss
After police or CT guidance updates
After major exercises identifying new risks

Hospitals evolve constantly, their TRA must evolve too.

Key Takeaway

The Terrorism Risk Assessment is the foundation of Martyn’s Law compliance for hospitals. It identifies vulnerabilities, prioritises risks and shapes the Emergency Security Plan.

“Tick-box” TRAs are not acceptable for hospitals. They must be:

Detailed
Evidence-based
Tailored
Updated
Thoroughly integrated

A strong TRA can dramatically improve a hospital’s resilience and potentially save lives.

Testing, Exercising & Multi-Team Drills

Testing, Exercising & Multi-Team Drills

Under Enhanced Duty, hospitals must prove that their Emergency Security Plan (ESP) works in real-world conditions. This means testing and exercising procedures regularly, documenting the results, reviewing performance and updating the plan accordingly.

Unlike fire drills, which are familiar and routine, terrorism-related drills require hospitals to simulate complex, multi-department, high-pressure scenarios where different parts of the organisation must act quickly and cohesively. Because hospitals cannot always evacuate, these drills must consider lockdown, protect-in-place and partial-evacuation simultaneously.

Testing and exercising are not optional, they are required by law and are essential for ensuring patient safety, operational resilience and compliance.

Why Drills Are Essential in Hospitals

Hospitals face unique challenges that make response testing vital:

Staff rotate constantly
Clinical duties may override evacuation capability
Multiple buildings require coordinated communication
Visitors may panic or fail to follow instructions
Wards must make independent decisions
ICU, theatres and neonatal cannot halt treatment
Security teams must react instantly
A&E is an unpredictable, high-risk environment

Effective drills reveal:

Weak communication channels
Delays or failures in decision-making
Departments unclear on responsibilities
Lockdown doors that do not function properly
Routes that become overcrowded
Staff who cannot execute their role under pressure

Types of Tests Required Under Enhanced Duty

Enhanced Duty hospitals must conduct regular, well-documented tests. These include:

Tabletop Exercises (Non-Disruptive)

These are scenario-based discussions, usually held in meeting rooms.
Participants “walk through” an incident using:

Maps
Timelines
Radio logs
Communication plans
Department-specific action cards

These exercises identify procedural weaknesses without operational disruption.

Live Lockdown Drills

Hospitals must simulate a lockdown, including:

Securing entrances
Locking ward doors
Restricting movement
Turning away visitors
Directing staff via PA or silent alerts
Communicating with clinical leads

Because full lockdown may disrupt clinical care, drills may be partial or run out-of-hours.

Partial Evacuation Drills

For departments where evacuation is possible (e.g., clinics, public areas), hospitals must test:

Evacuation routes
Staff roles
Visitor movement
Timing and congestion
Safe zone selection

Clinical departments should participate when appropriate and safe.

Protect-in-Place Simulations

Critical-care areas must test:

Closing blinds/doors
Moving patients away from windows
Silent communication
Clinical safety checks
Internally securing the ward

These drills ensure staff know exactly how to protect immobile patients.

Multi-Agency Exercises

Hospitals must be prepared to collaborate with:

Police
Fire and Rescue
Counter Terrorism teams
Local authorities
Mutual aid partners
Ambulance services

Full-scale exercises may involve actors, simulations and real-time decision-making, invaluable for Enhanced Duty compliance.

Communication System Testing

Testing must include:

PA/Tannoy announcements
Radios across buildings
Digital alert systems
Out-of-hours escalation
Backup communication pathways

Failures must be logged and resolved.

Frequency of Testing & Exercising

Enhanced Duty hospitals should test and exercise:

At minimum:

Tabletop exercises: annually
Lockdown tests: annually
Partial evacuations: annually (where clinically safe)
Full or multi-agency drills: every 1–3 years
Communication system tests: quarterly

After major changes:

New building openings
Ward relocations
Updated security procedures
Major incident reviews
TRA updates

Hospitals evolve constantly; testing must evolve with them.

Documentation Requirements

Hospitals must maintain detailed records of:

Exercise type
Date/time
Departments involved
Scenario details
Actions taken
What worked well
Identified weaknesses
Required improvements
Names and roles of participants
Update logs for ESP changes

This documentation must be available to inspectors and aligns directly with legal compliance.

What Drills Typically Reveal in Hospitals

Common issues uncovered during hospital drills include:

Communication delays
Conflicting instructions between departments
Staff unaware of lockdown procedures
Difficulty securing entrances
Lack of backup radios
Wards making inconsistent decisions
Visitor confusion
Choke points in corridors
Doors that do not lock properly
Reception overwhelmed during incidents
Slow response in A&E
Clinical teams unsure how to balance care with security

Testing is the only reliable method for identifying these problems before a real incident occurs.

How Hospitals Improve After Drills

Hospitals often refine:

Procedures

Faster escalation routes
Improved signage
Updated action cards
Clearer ward instructions

Physical Infrastructure

Door locks
CCTV coverage
Bollards
Access control improvements
Better lighting

Training Programs

Role-specific refreshers
Volunteer training
Agency/locum onboarding

Communication Tools

Improved PA clarity
Radio upgrades
Staff messaging solutions

Governance

New working groups
Revised ESP sections
Regular review cycles

Key Takeaway

Testing and exercising are not just legal obligations; they are critical safety investments. For hospitals, drills expose weaknesses, save lives, and ensure that Martyn’s Law procedures work under pressure.

Enhanced Duty requires:

Realistic testing
Multi-team coordination
Regular documentation
Annual exercise cycles
Continuous improvement

Hospitals cannot rely on theory. They must rehearse their response.

Complete Your Hospital’s Terrorism Risk Assessment

TRA Experts for Complex Healthcare Environments

Our security specialists conduct full terrorism risk assessments covering every publicly accessible area, clinical interface, vehicle access point and operational vulnerability. We provide practical recommendations hospitals can implement immediately — without disrupting patient care.

Hospital Readiness Scorecard (10-Point Self-Assessment)

Hospital Readiness Scorecard (10-Point Self-Assessment)

Hospitals are among the most complex premises covered by Martyn’s Law. With multiple buildings, thousands of visitors, high-risk public zones and clinically vulnerable patients, compliance requires far more than a simple checklist. The following 10-point Hospital Readiness Scorecard allows NHS Trusts and private healthcare providers to quickly benchmark their preparedness against the key legal requirements of the Act.

Each of the following questions requires a simple Yes or No.
A single “No” indicates an area that requires attention before full compliance can be achieved.

The 10-Point Hospital Readiness Scorecard

Do you know your hospital’s official Martyn’s Law duty tier?

(Almost all hospitals will be Enhanced Duty.)

Yes / No

Have you designated a Responsible Person for Martyn’s Law governance?

This must be a specific named individual, not a team.

Yes / No

Do you have a written Terrorism Risk Assessment (TRA) tailored to your hospital?

General safety documents cannot be used, it must be terrorism specific.

Yes / No

Have you completed a full Emergency Security Plan (ESP)?

Covering lockdown, evacuation, protect-in-place, communication and governance.

Yes / No

Are all staff trained in identifying and reporting suspicious behaviour?

Including reception teams, porters, cleaners, volunteers and clinical staff.

Yes / No

Do you have clear procedures for lockdown, evacuation and protect-in-place?

Mapped out and relevant to wards, theatres, A&E, outpatient areas and public zones.

Yes / No

Is your hospital able to lock down specific buildings or wards quickly?

Including silent lockdown for theatres, ICU, maternity and neonatal.

Yes / No

Have you tested your procedures through drills or tabletop exercises?

Enhanced Duty requires testing and exercising of the ESP.

Yes / No

Do you have documented communication routes for emergencies?

Including PA/tannoy, radios, silent alerts, and backup systems.

Yes / No

Is all your evidence documented and ready to present during inspection?

Drill logs, training records, updated ESPs, TRA reviews and decision logs.

Yes / No

Scoring Guide

Score (Yes Answers)	Rating	What It Means
9–10 Yes answers	Strong Compliance	You are well-positioned for Martyn’s Law but still need regular reviews, testing and documentation to maintain resilience.
6–8 Yes answers	Moderate Compliance	You have made good progress but still have several gaps to close before you can be considered robustly prepared.
3–5 Yes answers	Needs Improvement	Significant work is required. Key elements of Martyn’s Law compliance, such as planning, training or testing, may be missing.
0–2 Yes answers	High Risk / Non-Compliant	Immediate action is required. The hospital is highly vulnerable and at risk of serious operational and regulatory consequences once the Act is in force.

How Hospitals Should Use This Scorecard

Hospitals can use this scorecard to:

Benchmark each building or site
Identify governance or documentation gaps
Prioritise areas needing urgent improvement
Guide budget planning for protective security
Prepare for internal or external audits
Inform Board-level reporting

It can be used by:

Hospital Trust leadership
Heads of Estates & Facilities
Heads of Security
Operational Directors
Clinical Governance teams
Risk & Compliance departments
Incident Command teams

Key Takeaway

The Readiness Scorecard helps hospitals understand how close they are to compliance, but it is only the first step. Large healthcare environments must adopt a structured, documented approach to:

Risk assessment
Emergency planning
Staff training
Testing and exercising
Communication upgrades
Governance and review cycles

A single “No” in this scorecard can indicate a critical vulnerability. Closing these gaps early ensures smoother compliance, stronger resilience and greater patient safety when the Act comes into force.

Implementation Plan for Hospitals & Trusts

Because hospitals are large, complex, high-risk environments, Martyn’s Law compliance cannot be achieved through a single policy document or training session. It requires a structured, staged implementation plan involving multiple teams, clinical leads, senior leadership and estates/security departments. This section outlines a complete 10-step implementation framework designed specifically for healthcare environments.

This plan ensures hospitals move from “understanding the law” to meeting, proving and sustaining compliance, regardless of the site’s size, complexity or public footfall.

Step 1, Confirm Your Duty Tier

For most hospitals, this is straightforward:

Capacity 800+ = Enhanced Duty
Multi-building hospitals must consider combined capacity.
Maternity units, A&E and outpatient spaces all count toward capacity.

This step should be formally recorded and approved at Trust level.

Step 2, Appoint a Responsible Person and Governance Structure

Hospitals must identify:

The Responsible Person

A senior individual accountable for:

Compliance
Risk assessments
Training
Testing
Documentation
Policy updates
Reporting

Supporting Governance Group

This may include:

Head of Security
Head of Estates & Facilities
Chief Operating Officer
Head of Clinical Governance
A&E Leadership
IT/Communications
Fire safety teams

This group meets regularly to progress compliance and review actions.

Step 3, Map Your Hospital and Identify Publicly Accessible Areas

Hospitals should create a full premises map showing:

Entrances
Exits
Public corridors
Waiting areas
Cafés and shops
Car parks and drop-off zones
Link corridors
Ambulance routes
Multi-storey blocks
Wards near public-facing areas

This map is essential for the TRA and Emergency Security Plan.

Step 4, Conduct a Full Terrorism Risk Assessment (TRA)

The TRA must:

Identify high-risk zones (e.g., A&E)
Assess vulnerabilities in layout, staffing, and access
Evaluate threats (VAW, IED, MTA, hostile reconnaissance)
Consider patient mobility and clinical realities
Rate each department’s risk level
Provide recommendations for improvement

This is the foundation of the hospital’s entire Martyn’s Law strategy.

Step 5, Develop a Hospital-Specific Emergency Security Plan (ESP)

The ESP must integrate with:

Fire procedures
Major incident plans
Clinical emergency pathways

It must include:

Lockdown protocols
Evacuation and partial-evacuation routes
Protect-in-place procedures
Governance and decision-making
Communication systems
Department-specific instructions
A&E specialist procedures
Out-of-hours plans

The ESP must be written, shareable and regularly updated.

Step 6, Upgrade Communication Systems Where Required

Hospitals must ensure:

PA/tannoy messages reach all public areas
Radios work across all buildings
Ward-level alerts are available
Silent alerts can be used in clinical areas
Backup systems are in place

Communication failures are one of the most common weaknesses identified during drills.

Step 7, Deliver Role-Specific Staff Training

Training must be tailored to:

Clinical staff
Reception and volunteers
Porters
Security teams
Estates
Admin and operational staff
Temporary/agency workers

Training should include:

Suspicious behaviour recognition
Suspicious item handling
Lockdown/evacuation procedures
Ward-level responsibilities
Communication protocols
How to support patient safety

Training must be refreshed regularly.

Step 8, Test, Exercise & Evaluate

Hospitals must conduct:

Tabletop exercises
Lockdown tests
Partial evacuation drills
Protect-in-place simulations
Multi-agency drills

After each exercise, hospitals must produce:

A written evaluation
Identified weaknesses
Actions required
Updates to the ESP

Testing proves compliance and strengthens real-world preparedness.

Step 9, Document Evidence & Maintain an Audit Trail

Hospitals must keep:

TRA reports
ESP versions (with update logs)
Records of staff training
Exercise logs
Communication system tests
Meeting minutes for governance groups
Incident and near-miss reports

All documentation should be accessible during inspection.

Step 10, Review Annually and After Any Significant Change

Hospitals evolve constantly.

Reviews must occur:

Annually
After building changes
After major incidents
After new security technology deployment
After clinical layout changes
After new police or CT guidance
After feedback from drills

This ensures the hospital remains compliant and resilient long-term.

Key Takeaway

Martyn’s Law implementation requires hospitals to:

Understand their risks
Improve their procedures
Strengthen communication
Train the workforce
Document their evidence
Rehearse their plans
Review and update regularly

A structured implementation plan turns legal requirements into practical, life-saving action, ensuring that hospitals protect their patients, staff and visitors with confidence and clarity.

Realistic Hospital Scenarios & Correct Responses

Hospitals face some of the most challenging environments for terrorism response because evacuation is often impossible, visitor numbers are unpredictable, and clinical care cannot simply stop. Martyn’s Law requires hospitals to think through realistic, proportionate responses based on real-world threats.

Below are six high-risk scenarios, each followed by the appropriate hospital-specific actions aligned with Martyn’s Law principles.

Scenario 1, Suspicious Bag in a Busy Waiting Area

Situation:
A backpack is found left under a chair in a main outpatient waiting room during peak hours. No owner is identified after multiple announcements.

Correct Response:

Do not touch, move or x-ray the bag.
Clear people from the immediate area.
Move patients and visitors away using calm, controlled messaging.
Notify security and the Responsible Person immediately.
Begin a partial evacuation of that zone while avoiding corridor congestion.
Use alternative waiting areas if possible.
Review CCTV for last known owner.
Contact police following local protocols.
Document the incident and update procedures if needed.

Key Martyn’s Law Principles:
Suspicious item awareness, controlled evacuation, proportionality, communication, documentation.

Scenario 2, Armed Individual Approaches A&E Entrance

Situation:
A member of the public reports seeing a male carrying a large, concealed object (possibly a weapon) moving quickly toward A&E.

Correct Response:

Initiate immediate A&E lockdown.
Activate local lockdown doors and restrict access to triage and ambulance bays.
Alert all clinical staff via radios, PA system or silent alerts.
Move mobile patients deeper into the department.
Direct ambulances to a secondary access route if available.
Notify police immediately.
Security should not attempt to intervene unless trained and able to do so safely.
Nearby departments prepare to support protect-in-place strategies.
Reassure staff and patients with clear instructions.

Key Martyn’s Law Principles:
Rapid lockdown, communication, protecting vulnerable patients, supporting emergency services.

Scenario 3, Vehicle Rams the Front Entrance

Situation:
A small car accelerates into the main entrance glass doors during visiting hours, injuring several people.

Correct Response:

Initiate an immediate partial evacuation of the damaged area.
Direct staff to begin major incident protocols.
Lock down secondary entrances to prevent follow-on attacks.
Divert footfall away from debris and risk zones.
Keep A&E open for casualty flow unless directed otherwise.
Deploy estates staff to isolate electrics and secure structural risks.
Activate the hospital’s ESP and inform command teams.
Prepare for media, police and counter-terrorism engagement.
Log all decisions with timestamps.

Key Martyn’s Law Principles:
Impact assessment, multi-zone response, partnership with emergency services, documentation.

Scenario 4, Marauding Attack in Public Cafeteria

Situation:
An attacker enters a busy hospital cafeteria and begins threatening or harming people.

Correct Response:

Trigger site-wide or building lockdown depending on layout.
Secure wards, theatres, NICU, ICU and paediatrics immediately.
Begin protect-in-place for immobile patients.
Staff near the incident should evacuate if safe to do so.
Use PA/silent alerts to prevent movement towards danger.
Direct security to coordinate with police, not engage.
Close public access doors.
Establish safe zones away from attack trajectory.
Prepare A&E for casualties.

Key Martyn’s Law Principles:
Run–Hide–Tell integration, lockdown layering, communication, casualty flow management.

Scenario 5, Suspicious Person Conducting Hostile Reconnaissance

Situation:
A man is noticed taking repeated photographs of CCTV cameras, entrances and ambulance routes over several days.

Correct Response:

Log and escalate the behaviour immediately.
Security gathers CCTV evidence.
Staff are briefed discreetly to stay alert.
No public alarm is raised unless necessary.
Police and CT officers are contacted for intelligence review.
Adjust patrol routes and increase visibility in targeted areas.
Reassess entrance security and access control.
Add notes to the TRA for updated risk likelihood.

Key Martyn’s Law Principles:
Suspicious behaviour reporting, early intervention, updating the TRA, multi-agency coordination.

Scenario 6, Lockdown Triggered During Major Surgery

Situation:
A site-wide lockdown alert is issued while surgical teams are mid-operation in multiple theatres.

Correct Response:

Theatre staff continue the procedure; evacuation is not possible.
Protect-in-place protocols activate:
- Doors lock
- Communications switch to silent channels
- Non-essential staff moved away from entrances
- Runners positioned for support
Clinical leads coordinate with security for real-time updates.
Estates ensure all connecting corridors are secured.
After immediate threat confirmation, theatres remain in protect-in-place until all-clear.

Key Martyn’s Law Principles:
Clinical integration, protect-in-place, safety over movement, silent communication pathways.

Key Takeaway

Hospitals require scenario-specific, clinically safe, and proportionate responses. Martyn’s Law recognises that:

Evacuation is not always possible
Lockdown may need to be layered
Protect-in-place is critical for many departments
Communication must reach everyone instantly
Clinical care continues during most incidents

These scenarios must be built into the Emergency Security Plan, trained, rehearsed and documented to ensure legal compliance and operational readiness.

Preparing Hospitals for a Safer, Stronger Future

Martyn’s Law represents one of the most significant changes to UK security legislation in decades, and for hospitals and healthcare facilities, its impact is both profound and necessary. Hospitals sit at the heart of every community. They are places of safety, vulnerability, and continuous public access, making them uniquely exposed during security threats.

The legislation does not aim to burden healthcare operators with unrealistic expectations. Instead, it provides a clear, structured framework that helps hospitals strengthen their security posture in ways that are practical, proportionate, and clinically safe.

Throughout this guide, several themes have become clear:

Hospitals Need More Than Generic Security Plans

Healthcare environments cannot simply adopt traditional evacuation-only strategies. The presence of neonatal units, operating theatres, ICUs, dementia wards, oncology suites, and fragile patients means bespoke, proportionate planning is not just recommended, it is essential.
Martyn’s Law provides a legal foundation to formalise that planning.

Lockdown & Protect-in-Place Are Just as Critical as Evacuation

Hospitals cannot always move people away from danger. Many patients cannot walk, cannot be disconnected from life-support equipment, and cannot be relocated quickly.
This makes layered lockdown, zoning, safe rooms and internal refuge areas indispensable features of a compliant Emergency Security Plan.

Training Is the Real Determinant of Safety

A beautifully written plan is useless if staff do not understand it.
Security officers, porters, reception staff, clinical teams, estates engineers, domestic teams, and volunteers all need:

clear instructions
simple decision-making frameworks
regular drills
everyday situational awareness

Martyn’s Law requires this, but more importantly, lives depend on it.

Terrorism Threats Continue to Evolve

Hospitals must prepare for:

suspicious items
marauding attacks
vehicle-borne threats
insider risks
hostile reconnaissance
chemical or disruptive attacks
cyber-physical overlap (e.g., a cyberattack during a physical breach)

The law compels hospitals to update TRAs, adapt ESPs, and treat security as a living, evolving discipline rather than a one-off project.

Compliance Protects More Than Your Organisation, It Protects Your People

Implementing Martyn’s Law ensures hospitals can:

safeguard staff
protect patients
maintain continuity of care
reduce panic
support emergency services more effectively
minimise operational disruption

Ultimately, Martyn’s Law is not about punishment or bureaucracy.
It is about creating safer spaces where people can trust the environment around them, even during the most critical moments of their lives.

Final Message

Hospitals cannot eliminate risk, but with the right planning, training, and protective measures, they can dramatically reduce the impact of a security incident.

By embracing Martyn’s Law proactively, hospitals take a powerful step toward a future where vulnerabilities are reduced, preparedness is increased, and the ability to save lives extends beyond clinical care and into the realm of comprehensive security resilience.

FAQs for Martyn’s Law for Hospitals & Healthcare Facilities

What is Martyn’s Law and why does it apply to hospitals?

Martyn’s Law is the Terrorism Protection of Premises Act, requiring publicly accessible locations to assess terrorism risks and prepare emergency response plans. Hospitals have large public footfall and multiple access points, making them especially vulnerable. The Act ensures hospitals plan effectively for lockdowns, evacuations, and protect-in-place scenarios.

Do all hospitals fall under Martyn’s Law?

Yes. Almost every NHS hospital, private hospital, and major healthcare facility qualifies because they exceed the minimum capacity threshold and allow unrestricted public access.

Are hospitals considered Standard or Enhanced Duty under Martyn’s Law?

Most hospitals fall under Enhanced Duty, as capacity typically exceeds 800 people. Smaller community hospitals, clinics and rehabilitation centres may fall under Standard Duty.

What is considered a “publicly accessible area” in a hospital?

Entrances, A&E, waiting rooms, corridors, lifts, cafés, chapels, outpatient departments, shops, and car parks all qualify as publicly accessible areas (PAAs).

What plans do hospitals need to create to comply with Martyn’s Law?

Hospitals must create a detailed Terrorism Risk Assessment (TRA) and a robust Emergency Security Plan (ESP) covering lockdown, evacuation, zonal control, communication, and protect-in-place measures.

What does a Terrorism Risk Assessment for a hospital include?

A hospital TRA assesses vulnerabilities in entrances, public areas, clinical zones, communication systems, vehicle access, choke points, and crowding. It also evaluates risks from suspicious items, hostile reconnaissance, and marauding attacks.

What is an Emergency Security Plan (ESP) in a hospital?

An ESP is a written document outlining how the hospital will respond to different types of terrorist threats. It includes lockdown procedures, evacuation routes, safe areas, communication protocols, roles, responsibilities, and incident escalation paths.

How does Martyn’s Law affect hospital staff training?

Training becomes mandatory. Staff must understand recognising threats, responding to suspicious items, supporting lockdown/evacuation, and following internal protective measures. Frontline clinical staff, porters, security teams, and receptionists all require training.

How often must hospitals test their emergency security plans?

Hospitals must carry out regular exercises, including table-top drills, communication tests, and partial/full scenario-based exercises. Records of each test must be documented.

Does Martyn’s Law affect A&E departments differently?

Yes. A&E is one of the highest-risk zones due to unpredictable behaviour, high footfall, and emotional volatility. Lockdown procedures, zoning, and rapid decision-making models are essential.

How do lockdowns work in hospitals?

Hospitals may use layered or zonal lockdowns. Public entrances may close, internal corridors may be sealed, and wards may restrict movement. Lockdowns must be secure but clinically safe for staff and patients.

What about evacuation? Many hospital patients cannot be moved.

Correct — many patients cannot be safely evacuated. For these areas, protect-in-place strategies are used. Evacuation is prioritised for mobile patients and public spaces.

How should hospitals manage visitors under Martyn’s Law?

Hospitals must improve situational awareness, monitor access points, train reception and security teams, and ensure staff know how to respond to suspicious behaviour. Clear communication during lockdowns and evacuations is essential.

How can hospitals prepare for compliance now?

Hospitals should map their PAAs, complete a TRA, draft the ESP, identify governance structures, train staff, test procedures, and begin documenting all actions. Early preparation will make statutory compliance far easier when the Act comes into force.