Making a CHC EM Program Work — Tools, Tips & Strategies
Amelia Muccio
Director of Emergency Management
NJPCA
Objectives
• Tools, Tips and Strategies for Everyday
Preparedness
• Accreditation Standards
• Planning, Training, Exercising Needs
• Health Information Technology and Future
of Center’s IT
• Instilling a Culture of Preparedness
CHCs & Emergency Preparedness
• NATIONALLY
• 50 States and US
Territories
• 1,250 Centers
• 20 million patients
served annually
• NEW JERSEY
• 20 Centers with 100
sites
• 425,000 patients
served annually
• Provide services to at risk
populations
• Triage, screen and treat
lower acuity patients
“walking wounded”
• Provide surge capacity
during emergency
• Provide mass vaccination
• Serve as Point of
Dispensing
• Decompress healthcare
system
• Serve as Alternate Care
Site
Accreditation
• FQHC accreditation standards for
emergency preparedness:
– Bureau of Primary Health Care Policy
Information Notice 2007-15 (PIN)
– Joint Commission (JC)
– Accreditation Association for Ambulatory Care
(AAAHC)
– National Committee for Quality Assurance
(NCQA)
– National Incident Management System (NIMS)
Personal Preparedness
• Do you have a family communications
plan?
• Do you have a go bag?
• Do you have a pet go bag?
• Have you made arrangements for childcare
if you are needed at work?
• What about your other family members
including elderly and pets?
HVA
• Identifies potential emergencies and the direct/indirect
effects these emergencies may have on CHC’s operation
and demand for services
• The risks identified should be prioritized based on
likelihood of occurrence and severity
Risk Management
• Identifying and assessing risk, reducing it
to an acceptable level and implementing
mechanisms to maintain that level
• Risk reduction (countermeasures, HVA)
• Risk transference (insurance)
• Risk acceptance (may happen)
• Risk rejection (do nothing)
What Threatens Information?
• Misuse
• Disasters
• Data interception
• Computer theft
• Identity/Password theft
• Malicious software
• Data theft/corruption
• Vandalism
• Human error
Planning Elements
• Continuity of Operations
• Command and Control
• Staffing
• Surge Patients
• Medical and Non-Medical Supplies
• Pharmaceuticals
• Security
• Evacuation
• Decontamination
• Isolation
• Power Supply
• Transportation
• Water/Sanitation
• Communications
• Medical Records
Security and Access
Plans
• EOPs-how org will respond to emergencies
– Basic plan
– Functional annexes
– Incident-Specific appendices
• Procedures-SOPs
• Preparedness plans-training needs
• Corrective action/mitigation plans-activities
required to implement lessons learned
• Recovery plans-long term actions needed
Policies and Procedures
• Establish security culture
• Establish best security practices
• Define goals and structure of security
program
• Educate personnel
• Maintain compliance with any regulations
• Ex: email policy, Internet usage, physical
security
Business Continuity Plans
• A comprehensive written plan to maintain
or resume business operations in the event
of a disruption
• Continue critical business operations
• Jeopardize normal operations
• Most critical operations
• May require alternate sites (hot, warm,
cold)
• What do we need to KEEP going?
Disaster Recovery Plan
• A comprehensive written plan to return
business operations to the pre-disruption
state following a disruption
• Restore IT functions (prep and restore)
• Jeopardize the normal operations
• Includes all operations
• RETURN TO NORMAL BUSINESS
OPERATIONS
• WHAT DO WE NEED TO DO IN CASE
OF A DISASTER?
Plan Testing, Training and Exercising
• Testing is critical to ensure a viable
contingency capability
• Conduct plan exercises
• Tabletops are useful tools!
Exercises—Building Block Approach
• Seminar (Discussion)
• Workshop (Discussion)
• Tabletop Exercise (TTX) (Discussion)
• Games (Discussion)
• Drills (Operations)
• Functional Exercises (FXE) (Operations)
• Full Scale Exercises (FSE) (Operations)
Exercise Planning Team Structure
Electronic Health Records
• Vulnerabilities discovered, reported to
eHealth vendor and then patched
• Patches take A LOT of time to fix
• 2,211 days (vendor) vs. 284 days
(Microsoft)
• No one eHealth vendor in charge
EHR Vulnerabilities
• Unauthorized users can compromise
integrity and confidentiality
• Unauthorized access to computer networks
• Password protection (hacks and policies)
• Subversive software (malware)
• Disaster
Personal Information Security Countermeasures
• Password policies
• Backup
• Spoofing
countermeasures
• Malware detection
and prevention
• 93% of companies that
lost their data center for
10 days or more due to a
disaster filed for
bankruptcy within one
year of the disaster
• 50% of businesses that
found themselves without
data management for this
same period filed for
bankruptcy immediately
Security and Assurance Program
• Protective measures include:
• Firewalls and virus protection systems
• Password procedures
• Information encryption software
• Computer access control systems
• Computer security staff background checks (at initial hire and periodically)
• Computer security staff training & 24/7 on-call technical support
• Computer system recovery and restoration plans
• Intrusion detection systems
• Redundant & backup systems, & offsite backup data storage
Additional Resources
• Planning/Trainings/Exercises
• HAZMAT, MCI, workplace violence,
severe weather, fit-testing, novel influenza,
hostile patient, active shooter, foodborne
outbreak, hostage situation, bomb scare,
communications, ICS/NIMS, PINS, cyber
security, power outages, COOP, business
continuity, personal preparedness…