Document 6490090

Transcription

Document 6490090
OBJECTIVES
We will discuss
 Natural and man-made disasters that have had public health consequences
 Need for future disaster planning
 Business continuity for health care
WHAT KINDS OF DISASTERS?
Man-Made
Explosion
Fire
Weapon Violence
Structure Collapse
Transportation event
HazMat event
NBC Event
Natural
Hurricane
Flood
Earthquake
Landslide/avalanche
Tornado
Wildfire
Volcano
Meteor
WHAT DHS THINKS OUR THREATS
ARE…
1.
Improvised Nuclear Device
2.
Aerosol Anthrax
3.
Pandemic Influenza
4.
Plague
5.
Blister Agent
6.
Toxic Industrial Chemical
7.
Nerve Agent
THREATS
8.
Chlorine Tank Explosion
9.
Major Earthquake
10.
Major Hurricane
11.
Radiological Dispersal Device
12.
Improvised Explosive Device
13.
Food Contamination
14.
Foreign Animal Disease
15.
Cyber Threat
DISASTERS WITH PUBLIC HEALTH CONSEQUENCES
Typhoon Haiyan
Superstorm Sandy
Haiti Earthquake
Hurricane Katrina
September 11
NEED FOR PLANNING
Response planning has been fairly extensive in last 12 years
RECOVERY planning has not
We have (empirically) found that: THE FACILITY THAT DOES NOT HAVE A RECOVERY
PLAN DOES NOT REOPEN.
NEED FOR PLANNING
It’s the right thing to do.
It’s mandated by a number of agencies here in the US
 FEMA is the lead federal agency in this presidentially mandated initiative (Federal
Preparedness Circular-65)
 Executive Branch agencies are mandated to have a Continuity of Operations Plan
(COOP)
WHAT WOULD A HOSPITAL DISCUSSION BE
WITHOUT…
Throwing HIPAA into the mix?
 164.308(a)(7)(ii)(A) –
Data Backup Plan
 164.308(a)(7)(ii)(B) –
Disaster Recovery Plan
 164.308(a)(7)(ii)(C) –
Emergency Mode Operations Plan
 164.308(a)(7)(ii)(D) –
Testing & Revision Procedure
 164.308(a)(7)(ii)(E) –
Applications and Data Criticality Assessment
REGULATIONS PERTAINING TO
DISASTER MANAGEMENT
Laws and Standards pertaining to Disaster
Management:
OSHA – 29 CRF 1910.120 –(Source: Federal Register Vol. 54, No.
42, pp 9328-9330)
NFPA Status – NFPA 99: 11-43 –(Source: National Fire
Protection Association 99 Standard for Healthcare Facilities
Chapter 11.
JCAHO: Developed whole new survey titled EM
Homeland Security Presidential Directives
#s 5 and 8 of 2006
NEED FOR PLANNING
Business Continuity Planning is good practice for Health Care
It is incumbent on us that we remain open through disasters. Hospitals are a
cornerstone of a community
In today’s volatile economic environment, lack of continuity planning will finish a
business if disaster strikes
NEXT STEPS
You came to this conference because you believe this is important. You probably
already believe a Continuity of Operations Plan (or Business Continuity Plan) is
necessary.
You do not have to reinvent the wheel.
 FPC-65 and IS-546 for the Yanks
 http://www.health.qld.gov.au/chrisp/sterilising/csd-bcp-eg.pdf For the Canadians
(I know it’s Australian, but I couldn’t find a Canadian BCP)
 Email me at [email protected] for other examples
NEXT STEPS
1.
Perform a Risk Assessment
2.
Perform a Business Impact Analysis
3.
Design Response & Recovery Strategies
4.
Develop & Distribute Plan
5.
Test & Maintain Plan
RISK ASSESSMENT
Start with your Hazards Vulnerability Analysis
An HVA does not replace a Risk Assesment
Consider
 Pharmacy/Medications
 Security of patients/staff
 Medical Supplies
 Interoperable Communications with Hospitals, Health Departments, and the
State
 Family Support Planning for staff
 Continuity Insurance
RISK ASSESSMENT
Take the threats from the HVA
one-by-one and consider:
Speed of onset: sudden or gradual?
Forewarning: yes or no?
Preparedness of your critical vendors:
prepared or unprepared?
Preparedness of your own staff:
prepared or unprepared?
17
RISK ASSESSMENT
How would each threat affect your
department in 3 ways:
How likely is the event?
How much impact would it have on your
ability to operate?
How long would it impact your operation?
18
BUSINESS IMPACT ANALYSIS
What are your critical business functions?
What are functions you perform to support other department’s critical
business functions?
Resources needed
Impact on Safety/Operations
Financial impact
Customer/Reputation impact
19
BUSINESS IMPACT ANALYSIS
Recovery Time Objective (RTO)
How long can the organization survive
without your critical business function?
Current business day?
Tomorrow?
A week?
What resources are needed to ensure the
restoration of the function within the RTO?
21
BCP EXAMPLE
BUSINESS IMPACT ANALYSIS
Recovery Point Objective (RPO)
For data-reliant processes, how current does
the data need to be once systems are
restored?
Last night’s backup?
Last transaction?
If you have a manual backup, how long is it
feasible to run the manual backup before
restoration is impossible?
23
IMPACT SCENARIOS
Loss or denial of physical space
Your work area has been destroyed and/or
become inaccessible
Access to space, but loss of
technology
Your area is intact, but without
data/power/water/etc.
Both
25
IMPACT CATEGORIES
Financial
The cost to recover all functions
+ loss of revenue
Example: BP oil spill cost billions to clean +
lost billions in product
Operational
The ability to physically execute a critical
business function
26
IMPACT CATEGORIES
Legal/Regulatory
The ability to be fined, sued, or shut down
Customer
The ability to retain customer base when
operating in Emergency Mode
Reputation
The ability to retain customer base when the
story gets out
27
DEVELOPING THE BCP
Shoot for simple – your staff must be able to read, understand, and
implement the plan under stressful conditions.
A good plan doubles as a progress-monitoring tool for your recovery team.
Plans should be organized so they are easy to follow from response to
recovery.
Write in plain language using only the amount of technical jargon needed.
28
DEVELOPING YOUR BCP
There are Nine (9) Essential elements for creating a viable COOP/Business
Continuity Plan, which include:
1. Essential Functions
2. Delegations of Authority
3. Alternative Facilities
4. Interoperable Communications
5. Vital Records and Databases
6. Human Capital Management
7. Test, Training and Exercises
8. Devolution
9. Reconstitution
INTRODUCTION TO BCP
Straight-forward list of justifications
(Purpose) and planning
assumptions.
Most BCPs are written for a
worst-case scenario that involves
multiple impact types.
30
SCENARIOS
Response procedures for specific
scenario types
Different from Downtime Procedures
How would this specific scenario impact your
business area? vs. How would you continue
to perform your critical function?
Should be high-level, but still
thought-through
31
LOSS OF WORK AREA
Evacuation plan?
What technology, utilities, equipment,
size, etc. are needed to function?
Identify an alternate work area ahead of
time
Can your critical functions be
performed by staff from their homes?
If so, are they set up to do so?
32
RESPONSE TEAM
Detail Response Team members,
leaders, and contact information
Should have primary and alternate leaders
Always include a scribe role in your
Response Team to document actions!
Identify critical vendors if they should
be considered part of Response
Team (i.e., data-recovery
contractors)
33
DISASTER ACTIVATION & NOTIFICATION
What triggers your BCP?
How will staff be notified?
What is your staff’s expected response?
Does everyone report at once, or is there a first
response team and a relief team?
Does anyone report in the middle of the night?
Downtime kits: Where are they?
What’s in them?
34
RESPONSE ACTIONS
(DOWNTIME PROCEDURES)
Where the “rubber meets the road” of the plan
Highly specific depending on department and function
Should be written in a way that can be understood and managed by
supervisor (consider checklists)
Should include vendor information, if not identified in Response Team
35
1. ESSENTIAL FUNCTIONS
A central component of developing your COOP is to determine
and prioritize the essential functions at your agency.
Essential functions are the agency’s business functions that
must continue with no or minimal disruption.
Essential functions are based on the agency’s customers and
needs. It is important to remember that a broad brush
approach should not be used when determining essential
functions at your health center.
The continuity of essential functions will be driven by the
availability of: Training personnel, Vital records/databases,
Supplies and Equipment/Systems
SUGGESTIONS WHEN DETERMINING
ESSENTIAL FUNCTIONS
For health centers some suggestions in
prioritizing essential functions are to
examine the functions that enable an
organization to:
 Provide vital services
 Maintain the safety of the general public and staff
within your health center
 Sustain your agency financially during a crisis and
beyond.
2. DELEGATION OF AUTHORITY
Delegation of Authority is used for a specific purposes during an EP event
for Business Continuity Planning. Delegations should be predetermined and documented in writing. The document should specify
any limitations on the delegated authority and should be as specific as
possible.
Delegation of Authority specifies who is authorized to make decision are
act on behalf of:
 The Department or Agency Head
 Other Key Individuals
2. DELEGATION OF AUTHORITY-ORDER
OF SUCCESSION
Orders of succession are provisions for the assumption of senior
agency’ leadership positions during an emergency when the
incumbents are unable or unavailable to execute their duties.
Succession is the order of who is in charge where in delegation
of authority is the responsible from one person to another.
Director
Assistant
Director
Associate
Director
3. ALTERNATIVE FACILITIES
During an EP event, if necessary, an alternative facility may need to be
established. The alternative facility should be pre-determined. All
health centers should examine if they had to have bare bones
operations and could not utilize their primary site location could
they create an alternative site location in the community. Moreover,
how long would it take to be operational at that alternative site
location. Any staff that requires relocation to the alternative facility
are part of the Emergency Relocation Group (ERG).
Alternate facility sites may include:
 Other health centers
 Community Locations (e.g. library)
 Telecommuting for your staff
4. INTEROPERABLE COMMUNICATIONS
Interoperable Communications are communications that provide the
capacity to perform essential functions, in conjunction with other
agencies, until normal operations can be resumed.
In order to have effective interoperable communications an agency must be
able to communicate:
 Externally with the organization’s customers and business partners
 Internally with the organization’s leadership and co-workers
 The KEY to interoperable communications is
Connectivity
4. INTEROPERABLE COMMUNICATIONS-2
Interoperable communications must also
be:
Redundant
Available within 12 hours of activation, or
less, depending on the mission and
requirements of the organization.
Sustainable for up to 30 days
5. VITAL RECORDS AND DATABASES
In Business Continuity Planning or COOP, there are 2 main types of
records:
1. Emergency Operating Records-which includes plans, directives,
delegations of authority, or staffing assignments and orders of
succession in order to implement your Business Continuity Plan.
2. Legal and Financial Records-which includes, medical records,
personnel records, payroll records, insurance records and contractor
records (e.g. agreements).
Copies of medical records as well as offsite computer file storage is strongly
recommending.
6. HUMAN CAPITAL MANAGEMENT
During COOP activation, health centers will have to perform their essential
functions with reduced staffing. Human capital, then, is critical to
ensuring the flexibilities required of ERG personnel. Agencies should
ensure that all ERG personnel are adequately trained and cross-trained
to enable the performance of all essential functions.
All employees, ERG and non ERG need to be kept informed during the
course of an emergency
Family Emergency Planning is important for any emergency but is strongly
to be encouraged for a COOP event
FAMILY EMERGENCY PLANNING
A COOP situation will affect you and your team’s families:
 There will be a period of uncertainty about what is happening, how bad the
situation is, and what you should do to protect yourself and your loved
ones.
 You may feel unsure of your job security, particularly if the threat is severe
 You may also be concerned for your financial well being.
It is imperative that your agency develop a family emergency
plan. At a minimum the plan should include:
 Contact and communication information
 An immediate emergency checklist that includes medical, financial and
legal information and other important documents.
 Supplies, including medication, for at least 72 hours
7. TEST, TRAINING AND EXERCISES
Test, Training and Exercises include measures to ensure that agencies
COOP program is able to support the continued execution of its
essential functions throughout an EP event.
Health Centers perform TTE to ensure that:
 All equipment and systems work as required
 Employees are able to deploy to the alternative facility within the required time
frame.
 The alternate facility includes everything that is needed for the ERG to perform
essential functions.
8. DEVOLUTION
Devolution is the capability to transfer and
delegate authority to other members of the team
in order to carry out essential functions when
primary team members are incapable of
performing necessary functions. Remember
that this is generally for a specified time period
and limited authority that has been delegated.
Think of it is brining in the reserve players!
9. RECONSTITUTION/RECOVERY
Reconstitution is the process by which agency personnel resume normal
operations from the original or replacement primary operating facility.
Agencies must identify and outline a plan to return to normal operations.
This plan should have time lines, resources needed (including $$$) and
be as specific as possible.
It is encouraged that health centers appoint a Reconstitution Manager to
oversee the reconstitution process.
TEST AND MAINTAIN THE PLAN
No plan is of any value in a file cabinet
Sun Tzu said this in 500 BC: Bloody training leads to bloodless battles
You need to evaluate the effectiveness of the plan in frequent exercises
Then rewrite the plan to address what you have to fix or might be out of date