Introduction

Prerequisite to the discussion of disaster planning and vulnerability assessment for health care delivery systems is a fundamental appreciation for the unique organizational nature of such systems:

"Health care systems are complex entities that are difficult to operate under normal circumstances. Catastrophes such as natural disasters or terrorist acts can have severe impacts on health care systems by overloading them with casualties. At the same time, these catastrophes can greatly reduce health care systems' capacity for dealing with this demand by damaging health care facilities or causing a loss of critical services such as electric power or telecommunications. The consequences of these major incidents are not straightforward and may be transmitted through health care systems in ways that cannot be anticipated" (Hirsch, 2004).

Accordingly, this lesson examines key challenges in disaster planning, a basic vulnerability assessment model, and the concept of infrastructure system interdependencies from a health care delivery systems perspective.

Objectives

By the end of this lesson, you should be able to:

• Explain three key challenges for health care delivery systems with respect to disaster planning
• Define asset criticality and its role in enterprise-wide prioritization of assets
• Describe the three steps in a basic vulnerability assessment and use a template to perform one
• Describe four classes of infrastructure systems interdependencies and provide an example of each

Note: The purpose of the Lesson Road Map is to give you an idea of what will be expected of you for this lesson. You will be directed to specific tasks as you proceed through the lesson. Each activity in the To Do: section will be identified as individual (I), team (T), graded (G), ungraded (U), or pass/fail (P/F).

To Read

• Required
  • Hanfling, D., Schafer, K., Armstrong, C. (2004, April-June). "Making Healthcare Preparedness a Part of the Homeland Security Equation". Topics in Emergency Medicine, Vol.26, No. 2.
  • Rubin, J. (2004). "Recurring Pitfalls in Hospital Preparedness and Response." Journal Of Homeland Security. Retrieved May 16, 2006, from http://www.homelandsecurity.org/newjournal/articles/rubin.html
• Optional
  • (You may wish to review pp. 104-146 of this report for checklists of key infrastructure systems and considerations for interdependencies among systems.)
    US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure. Retrieved May 16, 2006, from http://www.esisac.com/publicdocs/assessment_methods/VA.pdf
  • Spradley, L., Abkowitz, M., Clarke, J. (2006) A Risk Assessment Methodology for Intentional Chemical & Biological Contamination of Distribution Systems. Journal of Homeland Security & Emergency Management, Vol. 3, No. 3

To Do

In this lesson you will complete the following activities:

1. Beaver Stadium Activity
2. Readings and Reflections on ERPs
3. Infrastructure Systems Interdependencies Worksheet
4. Vulnerability Assessment Grid Practice
5. Get to Know Bowling County
6. Optional Survey

Topics

• Health Care Delivery Systems: Disaster Planning Challenges
• Role of Critical Asset Identification in Risk Management
• Vulnerability Assessments
• Infrastructure Systems Interdependencies

In examining the unique organizational nature of health care delivery systems and their ecclectic economic model in the United States, three key challenges emerge with respect to disaster planning. Barbara and Macintyre (2002) laid out these challenges in their report entitled Medical and Health Incident Management (MaHIM) System: A Comprehensive Functional System Description for Mass Casualty Medical and Health Incident Management. Short excerpts from the report are provided below along with discussion of the nature of each of the three key challenges.

Need for a Systems Approach

A systems approach to disaster planning implies discrete phases with clear inputs and outputs that build on each other through feedback loops that ensure iterative quality improvment. In other words, "Adequate mass casualty management and response require systems that achieve rapid, efficient expansion of capacity through local and regional coordination" (Barbera & Macintyre, 2002). The need to develop a comprehensive, systems approach to disaster planning represents a significant challenge for the health care delivery sector, a sector which operates as a loose network of separate entities that are themselves chronically burdened with daily operational stressors including hospital overcrowding, ambulance rerouting, nursing shortages, and many more.

Emphasis on National Planning vs. Local and Regional Planning

Since 9-11, great attention has been given to disaster planning and vulnerability assessment reforms at the national level (e.g. creation of the Department of Homeland Security, high-profile staff changes at FEMA, development of the National Incident Management System, etc.). In contrast, while many local health care delivery systems have also devoted greater attention to disaster planning – for example revising their own Emergency Response Plans – very little of this effort has been in concert with other resources at the local or regional level.

"Medical care and public health resources are primarily locally managed assets, yet much of the current national focus has been at a higher level of government or is being directed from that level. Most troubling is that progress in local and regional planning for mass casualty care falls far short of that made in other areas of emergency management and disaster response in recent years.... Individual components and capabilities for medical and health response exist, but they are not comprehensively addressed in an overall system. This has led to inefficiencies and confusion, risking organizational failure in a truly mass casualty incident.... Systems engineering research in emergency response demonstrates that if organizational and technological systems do not match the local reality created by an actual event, complete systems failure may occur, causing needless societal impacts" (Barbera & Macintyre, 2002).

This lack of coordinated disaster planning at the local and regional level represents a second critical challenge for health care delivery systems. Although more resources have begun to flow into efforts at the state and local levels, there is a dearth of leadership and coordination in applying them most effectively.

Necessity for Public/Private Collaboration

Because of the ecclectic nature of the economic, organizational, and regulatory models of health care delivery systems in the United States, the result has been a loose network of public and private interests that must collaborate and coordinate their activities in the event of a disaster to provide the best possible response.

"The strategy to implement these objectives requires close coordination of many diverse and only loosely connected health and medical entities. Preparedness for all-hazard mass casualty response is a complex undertaking, in part because medical infrastructure resides predominantly in the private sector, in many disparate resources.... Full community preparedness must involve the coordination of health and medical assets across both jurisdictional and public-private boundaries" (Barbera & Macintyre, 2002).

This need to coordinate the resources of public and private assets presents a third central challenge to effective disaster planning for health care delivery systems.

Disaster planning for health care delivery systems is a broad and emerging field replete with challenges. For the purposes of this course, we will focus on a critical infrastructure protection approach to addressing these challenges. Furthermore, as is the case in any emerging field, we will continually return to more established fields to inform our understanding. In doing so, we will start with the elements of the federal government's National Infrastructure Protection Program (NIPP) that are founded in the well established field of risk management.

As represented in Figure 1 below, the cornerstone of the NIPP is its risk management framework. This framework establishes the processes for combining consequence, vulnerability, and threat information to produce a comprehensive, systematic, and rational assessment of risk. The risk management framework promotes continuous improvement by focusing on efforts in six areas:

1. Set security goals
2. Identify assets, systems, networks, and functions
3. Assess risk based on consequences, vulnerabilities, and threats
4. Establish priorities based on risk assessments
5. Implement protective programs
6. Measure effectiveness

Figure 1: NIPP Risk Management Framework

(Department of Homeland Security, 2006)

Furthermore, the NIPP notes that "The risk management framework is tailored and applied on an asset, system, network, or function basis, depending on the fundamental characteristics of the individual CI/KR [critical infrastructure/key resources] sectors. Sectors that are primarily dependent on fixed assets and physical facilities may use a bottom-up, asset-by-asset approach, while sectors (such as Telecommunications and Information Technology) with diverse and logical assets may use a top-down business or mission continuity approach" (Department of Homeland Security, 2006).

This distinction between sectors that are primarily dependent on fixed assets and physical facilities and those that are dependent on diverse and logical assets is one way to frame the approach to critical infrastructure protection. Overall the NIPP risk management framework will prove quite valuable as you explore critical infrastructure protection of health care delivery systems. However, since the health care delivery sector straddles both sides of that dichotomy — depending heavily on both physical facilities and logical assets — it is useful to consider other risk management schemas that may inform your analysis throughout the course.

The U.S. Department of Energy (2002) provided a perspective on risk management as a process that emphasizes an enterprise-wide approach to critical asset identification:

"It is important to use an approach that evaluates all the important corporate assets against a common (across the enterprise) set of criteria. The result is a uniform enterprise-wide prioritization, rather than a business unit by business unit prioritization. This uniformity avoids the disparity in ranking that frequently develops when each business unit conducts its own prioritization. It also provides uniform treatment to common assets such as communications and information technology (IT) networks services."

"Identifying asset criticality is a vital element of assessing and managing risk. A typical security based risk management process is depicted [in Figure 1 below]."

Figure 1: Example Risk Management Process

(U.S. Department of Energy, 2002)

"Identification of asset criticality serves several functions:

• It enables more careful consideration of factors that affect risk, including threats, vulnerabilities, and consequences of loss or compromise of the asset.
• It enables more focused and thorough consideration of risk mitigation options.
• It enables leaders to develop robust methods for managing consequences of asset loss (restoration).
• It provides a means to increase awareness of a broad range of employees to protect truly critical assets and to differentiate in policies and procedures the heightened protection they require."

The U.S. Department of Energy (2002) provided a standard three-step model for conducting vulnerability assessments. The model includes steps for pre-assessment, assessment, and post-assessment. (See Figure 2.) While the model was designed to support vulnerability assessments for electric power infrastructure, it is easily transferable to other infrastructure systems, including those that support health care delivery systems, and should serve as your point of reference throughout this course.

Figure 2: Vulnerabilty Assessment Model

(U.S. Department of Energy, 2002)

Pre-Assessment

"The pre-assessment phase involves defining the scope of the assessment, establishing appropriate information protection procedures, and identifying and ranking critical assets. Each of these activities is critical in ensuring the success of the assessment" (U.S. Department of Energy, 2002).

Assessment

The assessment methodology consists of ten sub-steps as detailed below:

1. Network architecture
2. Threat environment
3. Penetration testing
4. Physical security
5. Physical asset analysis
6. Operations security
7. Policies and procedures
8. Impact analysis
9. Infrastructure interdependencies
10. Risk characterization

Post-Assessment

"The post-assessment phase involves prioritizing assessment recommendations, developing an action plan, capturing lessons learned and best practices, and conducting training. The risk characterization element results provide the basis for the post-assessment by providing prioritized lists of recommendations that are ranked by key criteria" (U.S. Department of Energy, 2002).

In considering health care delivery systems, it is certainly important to subject them to analysis, breaking them down into component systems and analyzing each system's vulnerabilities discretely. However, perhaps even more important is the need to subject the multitude of systems that support health care delivery to a thorough process of synthesis, viewing the discrete systems as parts of a larger whole that provides a comprehensive infrastructure environment to support the many operational aspects of health care delivery.

From this perspective of synthesis, it is the examination of the interdependencies among systems that provides the framework for assessing vulnerabilities. Rinaldi, Peerenboom, & Kelly (2001) have laid out a model of interdependencies that will be used as the basis for analysis and synthesis of critical infrastructures for health care delivery systems throughout the rest of this course. Excerpts of text describing their model appear below.

Types of Interdependencies

"Interdependencies vary widely, and each has its own characteristics and effects on infrastructure agents. In the sections that follow, we define and examine in detail four principal classes of interdependencies: physical, cyber, geographic, and logical. Although each has distinct characteristics, these classes of interdependencies are not mutually exclusive."

Physical Interdependency

"Two infrastructures are physically interdependent if the state of each is dependent on the material output(s) of the other. As its name implies, a physical interdependency arises from a physical linkage between the inputs and outputs of two agents: a commodity produced or modified by one infrastructure (an output) is required by another infrastructure for it to operate (an input). For example, a rail network and a coal-fired electrical generation plant are physically interdependent, given that each supplies commodities that the other requires to function properly.... In this manner, perturbations in one infrastructure can ripple over to other infrastructures. Consequently, the risk of failure or deviation from normal operating conditions in one infrastructure can be a function of risk in a second infrastructure if the two are interdependent."

Cyber Interdependency

"An infrastructure has a cyber interdependency if its state depends on information transmitted through the information infrastructure. Cyber interdependencies are relatively new and a result of the pervasive computerization and automation of infrastructures over the last several decades. To a large degree, the reliable operation of modern infrastructures depends on computerized control systems, from SCADA [Supervisory Control And Data Acquisition] systems that control electric power grids to computerized systems that manage the flow of railcars and goods in the rail industry. In these cases, the infrastructures require information transmitted and delivered by the information infrastructure. Consequently, the states of these infrastructures depend on outputs of the information infrastructure. Cyber interdependencies connect infrastructures to one another via electronic, informational links; the outputs of the information infrastructure are inputs to the other infrastructure, and the “commodity” passed between the infrastructures is information."

Geographic Interdependency

"Infrastructures are geographically interdependent if a local environmental event can create state changes in all of them. A geographic interdependency occurs when elements of multiple infrastructures are in close spatial proximity. Given this proximity, events such as an explosion or fire could create correlated disturbances or changes in these geographically interdependent infrastructures. Such correlated changes are not due to physical or cyber connections between infrastructures; rather, they arise from the influence the event exerts on all the infrastructures simultaneously. An electrical line and a fiber-optic communications cable slung under a bridge connect (geographically) elements of the electric power, telecommunications, and transportation infrastructures. The interdependency in these cases is simply due to proximity; the state of one infrastructure does not influence the state of another. Traffic across the bridge does not influence the transmission of messages through the optical fiber or the flow of electricity. Because of the close spatial proximity, however, physical damage to the bridge could create correlated perturbations in the electric power, communications, and transportation infrastructures. Note that more than two infrastructures can be geographically interdependent based on their physical proximity...."

Logical Interdependency

"Two infrastructures are logically interdependent if the state of each depends on the state of the other via a mechanism that is not a physical, cyber, or geographic connection. Logical interdependencies may be more closely likened to a control schema that links an agent in one infrastructure to an agent in another infrastructure without any direct physical, cyber, or geographic connection.... [An] example is that summer vacationers may flock to the highways when gasoline prices are low, resulting in increased traffic congestion. In this case, the logical interdependency between the petroleum and transportation infrastructures is due to human decisions and actions and is not the result of a physical process."

© 2006 IEEE. "This material is posted here with permission of the IEEE. Permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs-permissions@ieee.org. By choosing to view this document, you agree to all provisions of the copyright laws protecting it."

Beaver Stadium Activity

• We will be doing a live meeting on Elluminate Live to lay out expectations in order to provide helpful tips for activities in the course.

Readings and Reflections on ERPs

As you work through this week's required readings, focus on the following questions:

• What critical infrastructure systems for health care delivery are addressed in the readings?
• Are these systems addressed at all in the Bowling County EMS or Hospital ERPs? (See these ERPs in your team's Team Files area (Communicate > Team Files)
  • If so, in what way are they addressed?
  • If not, how/where might they be incorporated into the ERPs?

Based on your reflections, post to the class Lesson Readings discussion as follows:

1. By 11:59 p.m. EST on Wednesday, post a 3-5 sentence summary of your responses to each question.
2. By 11:59 p.m. EST on Friday, post a 3-5 sentence response to at least two other students' responses.

Infrastructure Systems Interdependencies Worksheet

In this activity, you will complete a worksheet in which you provide real world examples of the four classes of interdependencies identified in this lesson.

Vulnerability Assessment Grid Practice

In this activity, your team will apply the Vulnerability Assessment Grid to a familiar local entity to gain practice in the process. For the purpose of this activity, your team should select *one* of the following entities and complete a vulnerability assessment using the grid:

• Elementary school
• Shopping center
• Public library

(Note that you will have to self organize to decide how you want to approach this activity. You do have access to a team discussion area for collaboration). Each team should submit its completed document to the Vulnerability Assessment: Practice drop box. 

An example of how to complete a vulnerability assessment grid can be found in Appendix A: Critical Assets Methodology (pp. 21-24), US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure. Retrieved May 16, 2006, from http://cipbook.infracritical.com/book3/chapter7/ch7ref9.pdf. This construction of this grid specifically addresses corporate assets.

Get to Know Bowling County

Throughout this course, you will be exploring hypothetical Bowling County with an eye toward critical infrastructure protection for its health care delivery systems. For the purpose of this activity, you should peruse the Bowling County web site to get a quick, high level picture of the region.

Optional Survey

Please complete the optional survey at the end of this week to provide feedback on your experience with the course so far. The survey is anonymous, so please be honest!

Works Cited

Barbera, J., & Macintyre, A. (2002). Mass Casualty Medical and Health Incident Management. Washington, DC: The George Washington University. Retrieved May 16, 2006, from http://www.gwu.edu/~icdrm/publications/MaHIM%20V2%20final%20report%20sec%202.pdf

Hirsch, G. (2004). \"Modeling the Consequences of Major Incidents for Health Care Systems.\" Retrieved March 17, 2006, from http://www.systemdynamics.org/conf2004/SDS_2004/PAPERS/121HIRSC.pdf

Rinaldi, S.M., Peerenboom, J.P., & Kelly, T.K. (2001, December). \"Identifying, understanding, and analyzing critical Infrastructure interdependencies.\" Control Systems Magazine, IEEE, Vol. 21, No. 6. Retrieved March 17, 2006, from http://ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=20901&arnumber=969131&count=11&index=1"

Rosen, J., Grigg, E., McKnight, M., Koop, C., Lillibridge, S., Kindberg, B., et al. (2004) \"Transforming Medicine for Biodefense and Healthcare Delivery.\" IEEE Engineering in Medicine and Biology Magazine, Vol. 23, No. 1. Retrieved May 15, 2006, from http://ieeexplore.ieee.org/iel5/51/28843/01297179.pdf?isnumber=&arnumber=1297179

U.S. Department of Homeland Security (DHS). (2006). National Infrastructure Protection Plan. Retrieved July 3, 2006, from http://www.dhs.gov/interweb/assetlibrary/NIPP_Plan.pdf

US Department of Energy. (2002). Vulnerability Assessment Methodology, Electric Power Infrastructure. Retrieved May 16, 2006, from http://www.esisac.com/publicdocs/assessment_methods/VA.pdf