Prerequisite to the discussion of disaster planning and vulnerability assessment for health care delivery systems is a fundamental appreciation for the unique organizational nature of such systems:
"Health care systems are complex entities that are difficult to operate under normal circumstances. Catastrophes such as natural disasters or terrorist acts can have severe impacts on health care systems by overloading them with casualties. At the same time, these catastrophes can greatly reduce health care systems' capacity for dealing with this demand by damaging health care facilities or causing a loss of critical services such as electric power or telecommunications. The consequences of these major incidents are not straightforward and may be transmitted through health care systems in ways that cannot be anticipated" (Hirsch, 2004).Accordingly, this lesson examines key challenges in disaster planning, a basic vulnerability assessment model, and the concept of infrastructure system interdependencies from a health care delivery systems perspective.
By the end of this lesson, you should be able to:
Note: The purpose of the Lesson Road Map is to give you an idea of what will be expected of you for this lesson. You will be directed to specific tasks as you proceed through the lesson. Each activity in the To Do: section will be identified as individual (I), team (T), graded (G), ungraded (U), or pass/fail (P/F).
In this lesson you will complete the following activities:
In examining the unique organizational nature of health care delivery systems and their ecclectic economic model in the United States, three key challenges emerge with respect to disaster planning. Barbara and Macintyre (2002) laid out these challenges in their report entitled Medical and Health Incident Management (MaHIM) System: A Comprehensive Functional System Description for Mass Casualty Medical and Health Incident Management. Short excerpts from the report are provided below along with discussion of the nature of each of the three key challenges.
A systems approach to disaster planning implies discrete phases with clear inputs and outputs that build on each other through feedback loops that ensure iterative quality improvment. In other words, "Adequate mass casualty management and response require systems that achieve rapid, efficient expansion of capacity through local and regional coordination" (Barbera & Macintyre, 2002). The need to develop a comprehensive, systems approach to disaster planning represents a significant challenge for the health care delivery sector, a sector which operates as a loose network of separate entities that are themselves chronically burdened with daily operational stressors including hospital overcrowding, ambulance rerouting, nursing shortages, and many more.
Since 9-11, great attention has been given to disaster planning and vulnerability assessment reforms at the national level (e.g. creation of the Department of Homeland Security, high-profile staff changes at FEMA, development of the National Incident Management System, etc.). In contrast, while many local health care delivery systems have also devoted greater attention to disaster planning – for example revising their own Emergency Response Plans – very little of this effort has been in concert with other resources at the local or regional level.
"Medical care and public health resources are primarily locally managed assets, yet much of the current national focus has been at a higher level of government or is being directed from that level. Most troubling is that progress in local and regional planning for mass casualty care falls far short of that made in other areas of emergency management and disaster response in recent years.... Individual components and capabilities for medical and health response exist, but they are not comprehensively addressed in an overall system. This has led to inefficiencies and confusion, risking organizational failure in a truly mass casualty incident.... Systems engineering research in emergency response demonstrates that if organizational and technological systems do not match the local reality created by an actual event, complete systems failure may occur, causing needless societal impacts" (Barbera & Macintyre, 2002).
This lack of coordinated disaster planning at the local and regional level represents a second critical challenge for health care delivery systems. Although more resources have begun to flow into efforts at the state and local levels, there is a dearth of leadership and coordination in applying them most effectively.
Because of the ecclectic nature of the economic, organizational, and regulatory models of health care delivery systems in the United States, the result has been a loose network of public and private interests that must collaborate and coordinate their activities in the event of a disaster to provide the best possible response.
"The strategy to implement these objectives requires close coordination of many diverse and only loosely connected health and medical entities. Preparedness for all-hazard mass casualty response is a complex undertaking, in part because medical infrastructure resides predominantly in the private sector, in many disparate resources.... Full community preparedness must involve the coordination of health and medical assets across both jurisdictional and public-private boundaries" (Barbera & Macintyre, 2002).This need to coordinate the resources of public and private assets presents a third central challenge to effective disaster planning for health care delivery systems.
Disaster planning for health care delivery systems is a broad and emerging field replete with challenges. For the purposes of this course, we will focus on a critical infrastructure protection approach to addressing these challenges. Furthermore, as is the case in any emerging field, we will continually return to more established fields to inform our understanding. In doing so, we will start with the elements of the federal government's National Infrastructure Protection Program (NIPP) that are founded in the well established field of risk management.
As represented in Figure 1 below, the cornerstone of the NIPP is its risk management framework. This framework establishes the processes for combining consequence, vulnerability, and threat information to produce a comprehensive, systematic, and rational assessment of risk. The risk management framework promotes continuous improvement by focusing on efforts in six areas:
Furthermore, the NIPP notes that "The risk management framework is tailored and applied on an asset, system, network, or function basis, depending on the fundamental characteristics of the individual CI/KR [critical infrastructure/key resources] sectors. Sectors that are primarily dependent on fixed assets and physical facilities may use a bottom-up, asset-by-asset approach, while sectors (such as Telecommunications and Information Technology) with diverse and logical assets may use a top-down business or mission continuity approach" (Department of Homeland Security, 2006).
This distinction between sectors that are primarily dependent on fixed assets and physical facilities and those that are dependent on diverse and logical assets is one way to frame the approach to critical infrastructure protection. Overall the NIPP risk management framework will prove quite valuable as you explore critical infrastructure protection of health care delivery systems. However, since the health care delivery sector straddles both sides of that dichotomy — depending heavily on both physical facilities and logical assets — it is useful to consider other risk management schemas that may inform your analysis throughout the course.
The U.S. Department of Energy (2002) provided a perspective on risk management as a process that emphasizes an enterprise-wide approach to critical asset identification:
"It is important to use an approach that evaluates all the important corporate assets against a common (across the enterprise) set of criteria. The result is a uniform enterprise-wide prioritization, rather than a business unit by business unit prioritization. This uniformity avoids the disparity in ranking that frequently develops when each business unit conducts its own prioritization. It also provides uniform treatment to common assets such as communications and information technology (IT) networks services."
"Identifying asset criticality is a vital element of assessing and managing risk. A typical security based risk management process is depicted [in Figure 1 below]."
"Identification of asset criticality serves several functions:
The U.S. Department of Energy (2002) provided a standard three-step model for conducting vulnerability assessments. The model includes steps for pre-assessment, assessment, and post-assessment. (See Figure 2.) While the model was designed to support vulnerability assessments for electric power infrastructure, it is easily transferable to other infrastructure systems, including those that support health care delivery systems, and should serve as your point of reference throughout this course.
"The pre-assessment phase involves defining the scope of the assessment, establishing appropriate information protection procedures, and identifying and ranking critical assets. Each of these activities is critical in ensuring the success of the assessment" (U.S. Department of Energy, 2002).
The assessment methodology consists of ten sub-steps as detailed below:
"The post-assessment phase involves prioritizing assessment recommendations, developing an action plan, capturing lessons learned and best practices, and conducting training. The risk characterization element results provide the basis for the post-assessment by providing prioritized lists of recommendations that are ranked by key criteria" (U.S. Department of Energy, 2002).
In considering health care delivery systems, it is certainly important to subject them to analysis, breaking them down into component systems and analyzing each system's vulnerabilities discretely. However, perhaps even more important is the need to subject the multitude of systems that support health care delivery to a thorough process of synthesis, viewing the discrete systems as parts of a larger whole that provides a comprehensive infrastructure environment to support the many operational aspects of health care delivery.
From this perspective of synthesis, it is the examination of the interdependencies among systems that provides the framework for assessing vulnerabilities. Rinaldi, Peerenboom, & Kelly (2001) have laid out a model of interdependencies that will be used as the basis for analysis and synthesis of critical infrastructures for health care delivery systems throughout the rest of this course. Excerpts of text describing their model appear below.
As you work through this week's required readings, focus on the following questions:
Based on your reflections, post to the class Lesson Readings discussion as follows:
In this activity, you will complete a worksheet in which you provide real world examples of the four classes of interdependencies identified in this lesson.
In this activity, your team will apply the Vulnerability Assessment Grid to a familiar local entity to gain practice in the process. For the purpose of this activity, your team should select *one* of the following entities and complete a vulnerability assessment using the grid:
(Note that you will have to self organize to decide how you want to approach this activity. You do have access to a team discussion area for collaboration). Each team should submit its completed document to the Vulnerability Assessment: Practice drop box.
An example of how to complete a vulnerability assessment grid can be found in Appendix A: Critical Assets Methodology (pp. 21-24), US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure. Retrieved May 16, 2006, from http://cipbook.infracritical.com/book3/chapter7/ch7ref9.pdf. This construction of this grid specifically addresses corporate assets.
Throughout this course, you will be exploring hypothetical Bowling County with an eye toward critical infrastructure protection for its health care delivery systems. For the purpose of this activity, you should peruse the Bowling County web site to get a quick, high level picture of the region.
Please complete the optional survey at the end of this week to provide feedback on your experience with the course so far. The survey is anonymous, so please be honest!
Barbera, J., & Macintyre, A. (2002). Mass Casualty Medical and Health Incident Management. Washington, DC: The George Washington University. Retrieved May 16, 2006, from http://www.gwu.edu/~icdrm/publications/MaHIM%20V2%20final%20report%20sec%202.pdf
Hirsch, G. (2004). \"Modeling the Consequences of Major Incidents for Health Care Systems.\" Retrieved March 17, 2006, from http://www.systemdynamics.org/conf2004/SDS_2004/PAPERS/121HIRSC.pdf
Rinaldi, S.M., Peerenboom, J.P., & Kelly, T.K. (2001, December). \"Identifying, understanding, and analyzing critical Infrastructure interdependencies.\" Control Systems Magazine, IEEE, Vol. 21, No. 6. Retrieved March 17, 2006, from http://ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=20901&arnumber=969131&count=11&index=1"
Rosen, J., Grigg, E., McKnight, M., Koop, C., Lillibridge, S., Kindberg, B., et al. (2004) \"Transforming Medicine for Biodefense and Healthcare Delivery.\" IEEE Engineering in Medicine and Biology Magazine, Vol. 23, No. 1. Retrieved May 15, 2006, from http://ieeexplore.ieee.org/iel5/51/28843/01297179.pdf?isnumber=&arnumber=1297179
U.S. Department of Homeland Security (DHS). (2006). National Infrastructure Protection Plan. Retrieved July 3, 2006, from http://www.dhs.gov/interweb/assetlibrary/NIPP_Plan.pdf
US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure. Retrieved May 16, 2006, from http://www.esisac.com/publicdocs/assessment_methods/VA.pdf