Document 6490090
Transcription
Document 6490090
OBJECTIVES We will discuss Natural and man-made disasters that have had public health consequences Need for future disaster planning Business continuity for health care WHAT KINDS OF DISASTERS? Man-Made Explosion Fire Weapon Violence Structure Collapse Transportation event HazMat event NBC Event Natural Hurricane Flood Earthquake Landslide/avalanche Tornado Wildfire Volcano Meteor WHAT DHS THINKS OUR THREATS ARE… 1. Improvised Nuclear Device 2. Aerosol Anthrax 3. Pandemic Influenza 4. Plague 5. Blister Agent 6. Toxic Industrial Chemical 7. Nerve Agent THREATS 8. Chlorine Tank Explosion 9. Major Earthquake 10. Major Hurricane 11. Radiological Dispersal Device 12. Improvised Explosive Device 13. Food Contamination 14. Foreign Animal Disease 15. Cyber Threat DISASTERS WITH PUBLIC HEALTH CONSEQUENCES Typhoon Haiyan Superstorm Sandy Haiti Earthquake Hurricane Katrina September 11 NEED FOR PLANNING Response planning has been fairly extensive in last 12 years RECOVERY planning has not We have (empirically) found that: THE FACILITY THAT DOES NOT HAVE A RECOVERY PLAN DOES NOT REOPEN. NEED FOR PLANNING It’s the right thing to do. It’s mandated by a number of agencies here in the US FEMA is the lead federal agency in this presidentially mandated initiative (Federal Preparedness Circular-65) Executive Branch agencies are mandated to have a Continuity of Operations Plan (COOP) WHAT WOULD A HOSPITAL DISCUSSION BE WITHOUT… Throwing HIPAA into the mix? 164.308(a)(7)(ii)(A) – Data Backup Plan 164.308(a)(7)(ii)(B) – Disaster Recovery Plan 164.308(a)(7)(ii)(C) – Emergency Mode Operations Plan 164.308(a)(7)(ii)(D) – Testing & Revision Procedure 164.308(a)(7)(ii)(E) – Applications and Data Criticality Assessment REGULATIONS PERTAINING TO DISASTER MANAGEMENT Laws and Standards pertaining to Disaster Management: OSHA – 29 CRF 1910.120 –(Source: Federal Register Vol. 54, No. 42, pp 9328-9330) NFPA Status – NFPA 99: 11-43 –(Source: National Fire Protection Association 99 Standard for Healthcare Facilities Chapter 11. JCAHO: Developed whole new survey titled EM Homeland Security Presidential Directives #s 5 and 8 of 2006 NEED FOR PLANNING Business Continuity Planning is good practice for Health Care It is incumbent on us that we remain open through disasters. Hospitals are a cornerstone of a community In today’s volatile economic environment, lack of continuity planning will finish a business if disaster strikes NEXT STEPS You came to this conference because you believe this is important. You probably already believe a Continuity of Operations Plan (or Business Continuity Plan) is necessary. You do not have to reinvent the wheel. FPC-65 and IS-546 for the Yanks http://www.health.qld.gov.au/chrisp/sterilising/csd-bcp-eg.pdf For the Canadians (I know it’s Australian, but I couldn’t find a Canadian BCP) Email me at [email protected] for other examples NEXT STEPS 1. Perform a Risk Assessment 2. Perform a Business Impact Analysis 3. Design Response & Recovery Strategies 4. Develop & Distribute Plan 5. Test & Maintain Plan RISK ASSESSMENT Start with your Hazards Vulnerability Analysis An HVA does not replace a Risk Assesment Consider Pharmacy/Medications Security of patients/staff Medical Supplies Interoperable Communications with Hospitals, Health Departments, and the State Family Support Planning for staff Continuity Insurance RISK ASSESSMENT Take the threats from the HVA one-by-one and consider: Speed of onset: sudden or gradual? Forewarning: yes or no? Preparedness of your critical vendors: prepared or unprepared? Preparedness of your own staff: prepared or unprepared? 17 RISK ASSESSMENT How would each threat affect your department in 3 ways: How likely is the event? How much impact would it have on your ability to operate? How long would it impact your operation? 18 BUSINESS IMPACT ANALYSIS What are your critical business functions? What are functions you perform to support other department’s critical business functions? Resources needed Impact on Safety/Operations Financial impact Customer/Reputation impact 19 BUSINESS IMPACT ANALYSIS Recovery Time Objective (RTO) How long can the organization survive without your critical business function? Current business day? Tomorrow? A week? What resources are needed to ensure the restoration of the function within the RTO? 21 BCP EXAMPLE BUSINESS IMPACT ANALYSIS Recovery Point Objective (RPO) For data-reliant processes, how current does the data need to be once systems are restored? Last night’s backup? Last transaction? If you have a manual backup, how long is it feasible to run the manual backup before restoration is impossible? 23 IMPACT SCENARIOS Loss or denial of physical space Your work area has been destroyed and/or become inaccessible Access to space, but loss of technology Your area is intact, but without data/power/water/etc. Both 25 IMPACT CATEGORIES Financial The cost to recover all functions + loss of revenue Example: BP oil spill cost billions to clean + lost billions in product Operational The ability to physically execute a critical business function 26 IMPACT CATEGORIES Legal/Regulatory The ability to be fined, sued, or shut down Customer The ability to retain customer base when operating in Emergency Mode Reputation The ability to retain customer base when the story gets out 27 DEVELOPING THE BCP Shoot for simple – your staff must be able to read, understand, and implement the plan under stressful conditions. A good plan doubles as a progress-monitoring tool for your recovery team. Plans should be organized so they are easy to follow from response to recovery. Write in plain language using only the amount of technical jargon needed. 28 DEVELOPING YOUR BCP There are Nine (9) Essential elements for creating a viable COOP/Business Continuity Plan, which include: 1. Essential Functions 2. Delegations of Authority 3. Alternative Facilities 4. Interoperable Communications 5. Vital Records and Databases 6. Human Capital Management 7. Test, Training and Exercises 8. Devolution 9. Reconstitution INTRODUCTION TO BCP Straight-forward list of justifications (Purpose) and planning assumptions. Most BCPs are written for a worst-case scenario that involves multiple impact types. 30 SCENARIOS Response procedures for specific scenario types Different from Downtime Procedures How would this specific scenario impact your business area? vs. How would you continue to perform your critical function? Should be high-level, but still thought-through 31 LOSS OF WORK AREA Evacuation plan? What technology, utilities, equipment, size, etc. are needed to function? Identify an alternate work area ahead of time Can your critical functions be performed by staff from their homes? If so, are they set up to do so? 32 RESPONSE TEAM Detail Response Team members, leaders, and contact information Should have primary and alternate leaders Always include a scribe role in your Response Team to document actions! Identify critical vendors if they should be considered part of Response Team (i.e., data-recovery contractors) 33 DISASTER ACTIVATION & NOTIFICATION What triggers your BCP? How will staff be notified? What is your staff’s expected response? Does everyone report at once, or is there a first response team and a relief team? Does anyone report in the middle of the night? Downtime kits: Where are they? What’s in them? 34 RESPONSE ACTIONS (DOWNTIME PROCEDURES) Where the “rubber meets the road” of the plan Highly specific depending on department and function Should be written in a way that can be understood and managed by supervisor (consider checklists) Should include vendor information, if not identified in Response Team 35 1. ESSENTIAL FUNCTIONS A central component of developing your COOP is to determine and prioritize the essential functions at your agency. Essential functions are the agency’s business functions that must continue with no or minimal disruption. Essential functions are based on the agency’s customers and needs. It is important to remember that a broad brush approach should not be used when determining essential functions at your health center. The continuity of essential functions will be driven by the availability of: Training personnel, Vital records/databases, Supplies and Equipment/Systems SUGGESTIONS WHEN DETERMINING ESSENTIAL FUNCTIONS For health centers some suggestions in prioritizing essential functions are to examine the functions that enable an organization to: Provide vital services Maintain the safety of the general public and staff within your health center Sustain your agency financially during a crisis and beyond. 2. DELEGATION OF AUTHORITY Delegation of Authority is used for a specific purposes during an EP event for Business Continuity Planning. Delegations should be predetermined and documented in writing. The document should specify any limitations on the delegated authority and should be as specific as possible. Delegation of Authority specifies who is authorized to make decision are act on behalf of: The Department or Agency Head Other Key Individuals 2. DELEGATION OF AUTHORITY-ORDER OF SUCCESSION Orders of succession are provisions for the assumption of senior agency’ leadership positions during an emergency when the incumbents are unable or unavailable to execute their duties. Succession is the order of who is in charge where in delegation of authority is the responsible from one person to another. Director Assistant Director Associate Director 3. ALTERNATIVE FACILITIES During an EP event, if necessary, an alternative facility may need to be established. The alternative facility should be pre-determined. All health centers should examine if they had to have bare bones operations and could not utilize their primary site location could they create an alternative site location in the community. Moreover, how long would it take to be operational at that alternative site location. Any staff that requires relocation to the alternative facility are part of the Emergency Relocation Group (ERG). Alternate facility sites may include: Other health centers Community Locations (e.g. library) Telecommuting for your staff 4. INTEROPERABLE COMMUNICATIONS Interoperable Communications are communications that provide the capacity to perform essential functions, in conjunction with other agencies, until normal operations can be resumed. In order to have effective interoperable communications an agency must be able to communicate: Externally with the organization’s customers and business partners Internally with the organization’s leadership and co-workers The KEY to interoperable communications is Connectivity 4. INTEROPERABLE COMMUNICATIONS-2 Interoperable communications must also be: Redundant Available within 12 hours of activation, or less, depending on the mission and requirements of the organization. Sustainable for up to 30 days 5. VITAL RECORDS AND DATABASES In Business Continuity Planning or COOP, there are 2 main types of records: 1. Emergency Operating Records-which includes plans, directives, delegations of authority, or staffing assignments and orders of succession in order to implement your Business Continuity Plan. 2. Legal and Financial Records-which includes, medical records, personnel records, payroll records, insurance records and contractor records (e.g. agreements). Copies of medical records as well as offsite computer file storage is strongly recommending. 6. HUMAN CAPITAL MANAGEMENT During COOP activation, health centers will have to perform their essential functions with reduced staffing. Human capital, then, is critical to ensuring the flexibilities required of ERG personnel. Agencies should ensure that all ERG personnel are adequately trained and cross-trained to enable the performance of all essential functions. All employees, ERG and non ERG need to be kept informed during the course of an emergency Family Emergency Planning is important for any emergency but is strongly to be encouraged for a COOP event FAMILY EMERGENCY PLANNING A COOP situation will affect you and your team’s families: There will be a period of uncertainty about what is happening, how bad the situation is, and what you should do to protect yourself and your loved ones. You may feel unsure of your job security, particularly if the threat is severe You may also be concerned for your financial well being. It is imperative that your agency develop a family emergency plan. At a minimum the plan should include: Contact and communication information An immediate emergency checklist that includes medical, financial and legal information and other important documents. Supplies, including medication, for at least 72 hours 7. TEST, TRAINING AND EXERCISES Test, Training and Exercises include measures to ensure that agencies COOP program is able to support the continued execution of its essential functions throughout an EP event. Health Centers perform TTE to ensure that: All equipment and systems work as required Employees are able to deploy to the alternative facility within the required time frame. The alternate facility includes everything that is needed for the ERG to perform essential functions. 8. DEVOLUTION Devolution is the capability to transfer and delegate authority to other members of the team in order to carry out essential functions when primary team members are incapable of performing necessary functions. Remember that this is generally for a specified time period and limited authority that has been delegated. Think of it is brining in the reserve players! 9. RECONSTITUTION/RECOVERY Reconstitution is the process by which agency personnel resume normal operations from the original or replacement primary operating facility. Agencies must identify and outline a plan to return to normal operations. This plan should have time lines, resources needed (including $$$) and be as specific as possible. It is encouraged that health centers appoint a Reconstitution Manager to oversee the reconstitution process. TEST AND MAINTAIN THE PLAN No plan is of any value in a file cabinet Sun Tzu said this in 500 BC: Bloody training leads to bloodless battles You need to evaluate the effectiveness of the plan in frequent exercises Then rewrite the plan to address what you have to fix or might be out of date
Similar documents
Information Security Management: Business Continuity Planning Presentation by Stanislav Nurilov
More information
Business Continuity and Disaster Recovery Planning: The Essentials for Any Business
More information