Earl J.Motzer, Ph.D.

Retired Hospital CEORetired Adjunct Graduate School ProfessorVolunteer Federal Force Multiplier DHS, FBI, HHS, NSC & ODNI

Scott Cormier

Vice President,

Emergency Management, Environment of Care and Safety

Medxcel

Critical Infrastructure DefinedHealthcare and Public Health Sector Coordinating CouncilVulnerability and Risk AssessmentsWorkplace ViolenceHealthcare Active Shooter New CMS Conditions of Participation for Emergency ManagementTerrorist & Counterintelligence Attacks

Systems and assets, whether physical or virtual, so vital to the United States that their incapacitation or destruction …would have a debilitating impact on security, … economic security, … public health or safety, or any combination of those matters. §1016(e) of the USA Patriot Act of 2001 (42 U.S.C. §5195c(e))

• Voluntary Partnership-not tied to regulation or funding

• Critical Infrastructure Protection Advisory Council (CIPAC)

• FACA-exempted

• Protected Critical Infrastructure Information (PCII)

By providing a venue for public and private sector partners to collaborate, we:

Promote risk management activities;Share threat information;Socialize best practices; and Develop useful tools and policies;

to mitigate impacts of disasters and enhance resilience of the entire health care system to minimize disruptions in care for all Americans.

6

Security Resilience

7

• Implement recommendations of the Healthcare Industry Cybersecurity Task Force

• Support cyber-dependent critical infrastructure

• Support DHS Regional Assessment of NY County Healthcare Resilience Coalition supply chain challenges

• Work to coordinate federal activities• Pilot our comprehensive risk assessment tool

with Healthcare Coalitions and health systems• Finalize public version of tool by November

2017

• Engage Sector partners in Gotham Shield exercise

• Foster relationship with FEMA Nat’l Business Operations Center

Cybersecurity

Supply Chain

Risk Assessment Tool

Response

8

The HSIN-HPH web portal is designed specifically for those responsible for collecting, analyzing, and using information for the protection of our nation’s healthcare and public health infrastructure. HSIN-HPH was developed to give the government and private sector a tool that enables the timely exchange of information for preparing for and responding to disease outbreaks, natural disasters, terrorist attacks, and other all-hazards events. The content of the site includes:

Incident information – continuous updates during all-hazards events Alerts, warnings and notifications of credible threatsEffective practices and protective measures for sector organizationsPolicy analysis and research reportsAccess to other subject matter experts

https://www.empcenter.org/wp-content/uploads/2017/09/CF_Resilient_Hospitals_Handbook_edits-cm_Version3b2.pdf

https://www.fbi.gov/file-repository/active_shooter_planning_and_response_in_a_healthcare_setting.pdf/view

THAM

RIST-V

RIST-C

Dashboard Navigator

Multi-facility Viewer

Threat and Hazard Assessment Module (THAM) uses Internet-available, authoritative data sources to calculate likelihood of occurrence across event types

Aligned with Joint Commission & CMS Emergency Preparedness Rule standards & best practices

Includes:Comprehensive narrative methodology (event type descriptions + likelihood of occurrence calculation for each)Automated tool using self-populating data fields from authoritative national or sector level sources w/embedded user guide

13

14

Rapid Infrastructure Survey Tool

Assess Vulnerability & Consequence/Criticality components of risk using survey-based approach

Used in conjunction with THAM to link V&C-related info to individual threats/hazards

Baseline framework of tools derived from DHS Rapid Survey Tool, with additional info drawn from:

Joint Commission & CMS Emergency Preparedness StandardsNIST Cybersecurity FrameworkHPH Sector SME Inputs

15

16

17

18

19

Objective allocation of scarce resources

Valuation

MitigationRisk

Assessment

Valuation

t

Zig Zag

122454%36%

Running in a zig zag pattern did NOT reduce the percentage of hits. It did however, reduce the chance that the runner will get hit in the torso or head.

Crouch

102055%50%

# Trials# Shots Fired% Hits% Center Mass or head hits (out of total shots fired)

Straight Line122152%47%

The runners were moving so fast that in three of the test runs (25%), the shooters were unable to fire a second round

Regulatory Compliance• Three phase approach to compliance assurance• Compliant facilities means safe facilities

Emergency Management & Safety• Local, regional and national support teams• Business plan continuity

Facility Operations

Environment of Care• Baseline assessment, review of your data and a plan of

action.• Security, hazardous materials, fire safety, medical

equipment and utility systems

Practicing an integrated model to best serve large healthcare systems

STATISTICS

Number of Births >84kED Visits >3MOutpatient Visits >23MSurgical Visits – Outpatient >400kEquivalent Discharges >1.5M

2,500 Sites of Care:141 Hospitals

24 States and the District of Columbia

150k Associates

40k Affiliated Physicians

More than 22k Available Beds

Approximately 20% of Catholic Health Services in the U.S.

From 2002 to 2013, incidents of seriousworkplace violence were four times more common in healthcare than in private industry on average.

Definition: Violent acts, including physical assaults and threats of assault, directed toward persons at work or on duty.

Definition: Workplace bullying is repeated, unreasonable behavior directed towards a worker or group of workers, that creates a risk to health and safety.

Address concerns about threatening or potentially

threatening behavior that could result in violence.

Formal training

Patients and family members, visitors, staff, or

other persons brought to the attention of the team

What they do:

Healthcare facility administratorsCounselorsCurrent employeesMedical and behavioral health professionalsResidential lifePublic safetyLaw enforcement personnel

Who they are:

Type 1: No relationship to workplace

Type 2: Customers or clients

Type 3: Employment relationship (current or former)

Type 4: Relationship with employee

Establish Crisis

Management Team

1

Planning and Team Training

2

Violence Vulnerability Assessment

(DATA)

3

Policy, Procedures,

andProtocols

4

Professional Threat

Assessment

5Training and

Communication for Staff

6

Organizational Collaboration

7

Incident Response

(timely)

8

Evaluate Efficiency

9

Sustain Process

10

Objectifying and dehumanizing othersChallenging authorityRegularly becoming argumentativeAlienating customers or clientsOriginating and spreading lies about othersVerbal abuseSuicidal thoughtsAngry outbursts/ signs of frustration

Arguing frequently or intenselyBlatantly ignoring policies/proceduresSetting traps for othersStealing/vandalismSuicidal threats/intent to harm othersConveying unwanted sexual attention/violence by voice, email, letterHolding others responsible for others/feeling persecuted

Hands on violenceVery dangerous, clear intent to hurtRisk of psychological harmRequires law enforcement or mental health intervention

DiffusingIf employee, immediate manager or supervisorRecord incidentNotify chain of command

Call for Help

Active Shooter is not:Person with a gunHostage situationMurder or murder/suicide

Active Shooter: Actively engaged in killing or attempting to kill people in a populated area.

Mass Killing:Three or more killed.

7 incidents between 2000-2017

It’s not part of a bundle

s between 2000-2017

Learn the signs of a potentially volatile situation and ways to prevent an incident.

Learn the best steps for survival when faced with an active shooter situation.

Be prepared to work with law enforcement during the response.

What is a healthcare setting?Hospital (teaching, critical access)ClinicPhysician practiceMedical schoolFree standing MRIOncology clinicAmbulatory surgery centerLong term care

Vulnerable populationHazardous materialsOpennessVisitors“Duty to Act” and “Abandonment” concernsAbility to provide care

Updated guidance released February 2017Additional content includes

Warm zone operationsUpdated law enforcement tacticsIEDsUnified commandPSYStart triageQuick guideWorkplace violence

December 14, 201220 Children, six adults killedPerpetrator also killed mother and himselfShot through glass panel in door to enter16 killed hiding in bathroom6 killed hiding in classroom, 9 fled and survived15 survived hiding in class bathroom with window coveredOthers survived in barricaded closet

People tend to make a choice of run or hide, and stick with it.

During the process of running, you may need to hide and fight, but keep running.

Is running abandonment?Is there an ethical or moral obligation to stay?Can you require someone NOT to run?Helpless patients

Operating roomVentilatorsNon-ambulatory

Golden Rule:Less People in Hot Zone = Less Victims

Healthcare facilities can be largeMultiple buildingsMultiple floors/wingsEducational campus

Response depends on where it is occurringRun, hide, fight are un-numbered optionsSituations are fluid

Training will decrease deathsIndividual facilities will make a plan appropriate for themPre-planning how to “barricade” at the unit level will decrease deathsAs shooter moves, response will changeSelf preservation is a personal issuePeople do heroic things, but not by policy

PanicResearch shows warnings do not induce panicPeople need accurate information and clear instructions

Codes vs. Plain LanguageCommunication barriers (multi-lingual, hearing impaired, learning disabled)

https://healthinfotranslations.org

Share plan with respondersConsider pre-placed maps and access badgesExercisesEquipment cache locationIntegrating into the care/security teamsTransport or treat at the facility decisionsIntegrated command postWarm zone operationsCasualty collection pointsHemorrhage control

A survey conducted in 2008 showed only six hospitals had an active shooter policyA team was formed to develop a model active shooter and hostage policyPolicy was not mandatoryPlaced on SharePoint siteBy 2009

16 hospitals had adopted the policy4 held active shooter exercises

But we still had this:“Under no circumstances are staff, patients and visitors to flee from the area or leave the facility unless instructed to do so by law enforcement officers or to protect themselves from imminent physical dangers.”

Aurora Colorado Shooting: July 20, 2012

Sandy Hook Elementary School Shooting: December 14, 2012

Executive Team MeetingNeed for a standardized policyIncentivesVerification of implementationLeadership ResponsibilityCompany–wide; both clinical and non-clinical sites

90 Days to ImplementAdopt PolicyTraining for all StaffFacility Executive to Sign AttestationPolicy and Attestation posted to facility SharePoint page

It’s great to implement a plan, but tougher to maintain it.

• Ambulatory Surgical Center • Hospital• Clinics, Rehabilitation and

Therapy • Immediate Care Facility –

Intellectual Disability• Community Mental Health Center • Long Term Care Facility• Comprehensive Outpatient

Rehab • Organ Procurement Organization• Critical Access Hospital

• Program for the All Inclusive Care for the Elderly

• End Stage Renal Disease • Psychiatric Residential Treatment

Facility• Home Health Agency • Religious Non-Medical

Healthcare Institution• Hospice• Rural Health Care-FQHC• Transplant Center

Risk Assessment and Planning Policies and Procedures

Communication Plan Training and Testing

Emergency Preparedness

Program

• Outpatient providers are not required to have policies and procedures for the provision of subsistence needs

• Home health agencies and hospices required to inform officials of patients in need of evacuation

• Long-term care and psychiatric residential treatment facilities must share information from the emergency plan with residents and family members or representatives

14

• Under the Policies and Procedures, Standard (b) there are requirements for subsistence needs and temperature controls.

• Additional requirements for hospitals, critical accesshospitals, and long-term care facilities are located within the Final Rule under Standard (e) for Emergency Power and Stand-by Systems.

During the period 1981 to 2013, 103 terrorist attacks on hospitals in 43 countries on every continent, killing 775 people and wounding 1,217.

55 of the attacks were deadly (19 resulted in the death of 10 or more people).

Availability of healthcareSuspension of healthcare programsDegradation of health infrastructureFlight of healthcare workersOutbreaks of illnesses and diseaseInability to treat existing conditions

Consumption and sharing of media glorifying violent extremist acts in attempting to mobilize others to violence.Loitering, standing, parking or unattended vehicles in the same area over multiple days with no reasonable explanation.Photography or videography focused on security features, including cameras, security personnel, gates and barriers.Unattended packages, bags and suitcases.

Unusual or prolonged interest in or attempts to gain sensitive information about security measures of personnel, gates and barriers; peak days and hours of operation, and access controls such as alarms or locks.

Individuals wearing bulky clothing or clothing inconsistent with the weather or season, or wearing official uniforms or being in authorized without official credentials.

Individuals presenting injuries consistent the use of explosives or explosive material without a reasonable explanation .

Harden the perimeter through the use of fencing, bollards and video.

Reduce the number of public entrances open 24/7 and staff them if possible. At some point it may be necessary to use metal detectors for humans and vehicles including ambulances.

Modify all job descriptions to include a security role, especially to emphasize “If you see something, say something timely”

Conduct mandatory training at least annually for all employees, contractors, students, licensed practitioners, volunteers, managers, CEO and Board of Directors.

Meet regularly with community leaders and responders to coordinate emergency planning (including reducing the crime scene footprint, assistance program, legal requirements, at least annual exercises, behavioral health issues, news media/press releases, use of plain language communication, facility tours on all three shifts, understanding improvised explosive and nuclear devices, unified command, facility clearing/evacuation/lockdown.

Law Enforcement, Fire, EMS, EM, Judicial, City/County Executives/Politicians, Coroner, Media, Clergy, Behavioral Health, Other Healthcare Facilities, Physician, Nurse, Public Health, CERT, MRC, SMEs, Engineers, Cyber

Education, Chamber of Commerce, Legal, Financial,Aging, Non-Profit, Real Estate, Transportation

Pre-planned and alternate areas for evacuation/assembly, infectious disease/radiation/chemical/nuclear/ biohazard exposure checklists, family assistance center, psychological first aid, media, command post, etc.

Operate a security badging system that accounts for all on campus.

Belong to one or more physical and cybersecurity intelligence organizations that monitor social media as well to provide timely action for appropriate action.

Be alert to major events occurring in the area to take appropriate action on a timely basis.

Intelligence activities concerned with identifying individuals engaged in espionage or sabotage or subversion or terrorism.

Espionage is the acquisition of information through clandestine means and as proscribed by the laws of the country against which it is committed. CI embraces all activities, human and technical, whether home or abroad, undertaken to identify, assess, neutralize and exploit foreign intelligence threats.

Data breaches involving personal information result in a broad to individuals and organizations, including identity theft, targeting of individuals with knowledge of sensitive information and internal business processes, and other activities that use personal information of U.S. citizens to undermine national security.

Do not provide personal, financial or sensitive information about yourself, your family or associates.

Beware of opening attachments or clicking on links.

Install and maintain up-to-date anti-virus and anti-malware software. Transmit electronic safely using encryption and known websites.

Share electronic files and photographs only with those you know as they contain embedded metadata.

Select highest level of privacy.

Regularly monitor your credit history.

Maintain positive control of electronic devices.

Report all suspicious work activity to your supervisor.

PhishingSpearphishingSocial Media DeceptionHuman TargetingUnsolicited Telephone and/or Text MessagesIdentity ImpersonationInsider Threat

Thank you for all you do in keeping our patients, staff, and visitors safe!

Earl Motzer: emotzer@aol.com

Scott Cormier: scott.cormier@medxcelfm.com