Hospitals can build all the moats and booby traps around their campuses that they like. But none of it matters if those security measures aren't tested and strengthened in the years that follow.

That's one of the lessons that three-hospital Atlantic Health System in New Jersey has learned in recent years. It has developed a rigorous safety program called Red Cell, using undercover agents to test for weaknesses in hospital security. The effort has helped to strengthen Atlantic's protocols, while also earning industry accolades.

"What companies are usually pretty good at is protecting the infrastructure of a facility as far as keeping the bad guys from getting in," says Alan Robinson, director of protection, security services and emergency management. "But they completely neglect looking at lapses of security internally that may not be intentional, but have the same effect."

Atlantic first started scrutinizing its security procedures after 9/11, adding card readers, security cameras and other tools to "harden the target." But Robinson says they realized that those measures weren't protecting against "unthinking" employees who might prop open doors to smoke cigarettes, or accidentally let in a dangerous person claiming to be the pizza guy.

The health system fashioned its approach after similar efforts used to protect U.S. embassies, rolling out Red Cell in 2009. It started, Robinson says, by developing a list of security-sensitive areas that needed extra attention because of vulnerable patients or hazardous materials.

Atlantic brought in former law enforcement officers and security experts, unknown to staff, and had them make random visits to test security. The intention wasn't to embarrass or punish employees, but rather to consult with managers on how to get better. And if undercover agents failed to get in, Robinson made sure to praise staff for following the rules.

Results have been promising, with a noticeable decline in the number of infiltrations over the past few years — from 22 percent in the first year to 5 percent last year. Last month, Atlantic was honored by security and risk magazine CSO for the program. The Joint Commission also cited Red Cell last year as an example of security best practices. "Violence and security in health care are critical safety issues for everyone involved," says Barbara Braun, a project director for the commission's department of health services research. And other hospitals can learn from Atlantic's ability to quantify its performance, she adds.

"Secret shopper" programs, similar to that of Red Cell, are somewhat common in the industry, and absolutely a necessary safeguard, says Lisa Pryse, president of the International Association for Healthcare Security and Safety. But she cautions hospitals to tread lightly to avoid alienating employees.

"It's something that has to be accomplished with kid gloves or with a tender touch so that you're not moving into a mode of mistrust with your staff," Pryse says. "But absolutely, you've got to test it; you've got to be out there and be proactive in some manner."

Robinson believes that Red Cell is easy to try elsewhere. He recommends hospitals seek out retired police officers or other law enforcement professionals. Hospitals should get ahead of possible breaches now and stay proactive about security planning, rather than waiting for the next incident.

"We've always taken the perspective, 'Let's not have an incident tell us what we should have done better,' " he says. "One of my pet peeves is the expression 'beefed up security.' I hate that term, and you always read it after an incident. That shows that somebody didn't do the planning."