OVERVIEW OF EMERGENCY MANAGEMENT SYSTEMS

The public health community is charged with organizing the preparedness and response of the health and medical services in the United States. After years of decay, public health is evolving in its leadership role for domestic disaster organizational response. For healthcare executives to engage in domestic preparedness, it is essential to develop solid relationships with local and regional public health officials, local and area emergency management agencies (EMAs), and local responder organizations.

Before establishing the Department of Homeland Security (DHS), the approach to disaster management for terrorist events was divided into two discrete functions: crisis management and consequence management. Crisis management is a security/law enforcement function focused on identifying the perpetrators of an event, collecting and protecting evidence and the chain of custody, and ensuring justice for those involved. At the federal level, crisis management currently falls under the jurisdiction of the Federal Bureau of Investigation. Consequence management refers to addressing the consequences of a disaster and is currently under the jurisdiction of the Federal Emergency Management Agency (FEMA). Under DHS, federal guidelines will merge the elements of crisis and consequence management into a unified command structure.

 CDC Grant Programs to Improve Public Health Preparedness and Response for Bioterrorism

Planning and readiness assessment establishes strategic leadership, direction, assessment, and coordination of activities (including the Strategic National Stockpile response) to ensure statewide readiness; interagency collaboration; and local and regional preparedness (both intrastate and interstate) for bioterrorism, other outbreaks of infectious disease, and other public health threats and emergencies.

Surveillance and epidemiology capacity focuses on enabling state and local health departments to enhance, design, and/or develop systems for rapid detection of unusual outbreaks of illness that may be the result of bioterrorism, other outbreaks of infectious disease, and other public health threats and emergencies.

Laboratory capacity—biologic agents develops the capability and capacity at all state and major city/county public health laboratories to conduct rapid and accurate diagnostic and reference testing for select biologic agents likely to be used in a terrorist attack.

Health Alert Network (HAN) enables state and local public health agencies to link public health and private partners around the clock through Internet capability. The program provides for rapid dissemination of public health advisories and ensures secure electronic data exchange.

Communication of health risks and dissemination of health information ensures timely information dissemination to citizens during a bioterrorist attack, other outbreak of infectious disease, or other public health threat or emergency.

Education and training assesses the training needs of key public health professionals, infectious-disease specialists, emergency department personnel, and other healthcare providers related to preparedness for and response to bioterrorism, other outbreaks of infectious disease, and other public health threats and emergencies.

Source: Centers for Disease Control and Prevention (CDC). 2003. “Continuation Guidance for Cooperative Agreement on Public Health Preparedness and Response for Bioterrorism—Budget Year Four.” [Online article; retrieved 8/03.] http://www.bt.cdc.gov/planning/continuationguidance/pdf/guidance_intro.pdf.

The Department of Homeland Security, with embedded elements of DHHS, provides a federal structure and system for coordination and oversight of resources that are essential for assisting areas affected by disaster. FEMA’s ten geographical regions work closely with state and local EMAs, ensuring consistency of services to all areas and citizens.

At the state level, EMAs assume a multitude of different organizational structures. The emergency management community consists of professional emergency managers, emergency operations center personnel, 911 telecommunicators, and first responders—that is, fire departments, emergency medical services, medical transport, and law enforcement. When activated for disasters, the EMA expands to coordinate all primary agencies with designated roles in response to a declared disaster. These may vary in number and are dependent on the size and extent of the disaster. However, once a governor has declared a state of emergency, the EMA becomes the coordinating hub for activation of the local and/or state emergency operations plan. Mirroring the Federal Response Plan, representatives from each of the emergency support functions coordinate services from the EMA.

Emergency management uses an “all hazards” framework based on the premise that most incidents will draw on similar resources and will apply a similar structure in managing the response to an incident, as opposed to identifying a different structural response for different types of emergencies. In developing an all-hazards plan, unique aspects of incidents are addressed in annexes to existing plans rather than in a separate plan produced for each event.

Understanding and Implementing Standards and Guidelines for Emergency Management

Several regulations, guidelines, and standards have improved the management of emergencies and disasters in the United States over the last two decades. Such publications have been developed and released by organizations and government agencies such as ASTM International (formerly the American Society for Testing and Materials), the Occupational Safety and Health Administration (OSHA), the Environmental Protection Agency (EPA), the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), the Department of Veterans Affairs (VA), and the National Fire Protection Association (NFPA).

The principles within these standards and guidelines regarding

• mass-casualty incidents,

• hazardous materials,

• decontamination, and

• emergency management program development.

Multiple- and Mass-Casualty Incident Standards

ASTM standard F-1288, Standard Guide for Planning for and Responding to a Multiple Casualty Incident, covers planning, needs assessment, training, interagency coordination, mutual aid, and other important issues as they relate to multiple-casualty incidents. It identifies key terms and activities and explains how the incident management process is organized at the scene (ASTM 1990).

In addition to that standard, George Washington University recently developed a peer-reviewed model for mass-casualty response that integrates the functional requirements of medical, public health, and emergency management agencies in the Medical and Health Incident Management System (MaHIM) (available online at http://www.gwu.edu/~icdrm/). The model was based on the definition of a mass-casualty incident involving 5,000 casualties, 10 percent of which would be considered significant (Barbera and Macintyre 2002). Casualty refers to any human accessing health or medical services, including mental health services and fatality care, as a result of a hazard impact. The MaHIM model clarifies the types of activities that may become necessary at the community-health-system level and how they would be organized in a mass-casualty incident.

It is a useful tool for jurisdictional and regional system development, education, and planning. The Department of Health and Human Services (U.S. DHHS 2002) and the Department of Homeland Security (U.S. DHS 2003) promote this type of management-system framework and are considering applying MaHIM to support current public health and hospital bioterrorism preparedness (CDC 2003). MaHIM is entirely consistent with broader efforts to create a national incident-management system (The White House 2003).

Hazardous-Materials Legislation

A sentinel event occurred in 1985 in Bhopal, India, in which thousands were killed and injured as a result of the release of a toxic gas from a nearby industrial facility. Congress responded to the concerns of such a disaster occurring in the United States by enacting the Superfund Amendments and Reauthorization Act (SARA) of 1986, amending the Comprehensive Environmental Response, Compensation and Liability Act of 1980.

SARA Title III

The basic purpose of SARA Title III, also known as the Emergency Planning and Community Right-to-Know Act, was to promote emergency planning to respond to chemical releases and to ensure that information regarding chemicals in the community is available to the public and emergency response agencies. These goals are accomplished by

• establishing state emergency response commissions and local emergency planning committees (LEPCs) with responsibility to develop emergency plans to be followed in the event of a chemical release and

• implementing a series of notification and reporting requirements to state and local emergency planning activities with respect to type and quantities of specific chemicals.

Environmental Protection Agency

As part of SARA Title III, the EPA will not enforce HAZWOPER for environmental consequences stemming from necessary and appropriate actions such as decontamination during the phase of an emergency response where an imminent threat to human health and life is present. However, once this phase passes, every attempt should be made to contain the runoff and dispose of it properly (Makris 1999).

Beyond industrial or transportation accidents involving hazardous materials, recent events have directed major emphasis on preparedness for occurrences involving weapons of mass destruction. Because of this threat, hospitals and health departments have become much more involved in communitywide emergency preparedness efforts.

One question that has been hotly debated is how SARA Title III, or more specifically HAZWOPER, applies to healthcare facility preparedness for these types of hazardous materials. OSHAs position until lately had been that if the contaminating substance was unknown, staff performing decontamination at a hospital who were not in the immediate area of the release were required to wear Level B personal protective equipment (PPE), including a mask supplied by an external air source.

Many experts disputed the necessity of this elevated measure of pro tection, contending that Level C PPE using a full face mask with powered or nonpowered canister filtration systems was adequate for hospital decontamination (Macintyre et al. 2000). In September 2002, OSHA took the position that as long as the choice of PPE was based on a risk assessment conducted by the employer, the agency would not require any particular level of PPE and respiratory protection (Fairfax 2002).

Decontamination

Healthcare facilities that do not prepare for the potential arrival of contaminated patients face a dilemma. Refusing to assess and, if necessary, stabilize a contaminated patient is a violation of the Emergency Medical Treatment and Active Labor Act (U.S. GAO 2001). Employees who have not been adequately trained or equipped to deal with the situation can refuse to participate, leaving the facility only one choice: to dial 911 and request support from the local public safety system. These same resources, however, may already be fully involved at the site of the release.

Department of Vetemns Affairs

The VA developed a mass-casualty decontamination program that is based on a site-specific hazards vulnerability and capability analysis of the facility and surrounding community. Permanent or semipermanent showering facilities (in smoking shelters, along an external wall, etc.) are seen as advantageous over temporary tent-type facilities because of the speed of setup and lower expense (VA 2002a). Macintyre et al. (2000) believe that the following aspects are key to an effective decontamination protocol:

1. Event recognition

2. Activation

3. Primary triage

4. Patient registry

5. Collection of clothing and personal property

6. Decontamination

7. Secondary triage

8. Treatment and post-incident activities (e.g., media and family relations, medical surveillance, critique, etc.)

Healthcare-facility-decontamination training programs should follow NFPA standard 473, Standard for Competencies for EMS Personnel Responding to Hazardous Materials Incidents (Beatty 2003). NFPA 473 (this standard may be reviewed at http://www.nfpa.org/PDF/473.pdf?STC=nfpa) identifies the levels of competence required of emergency medical services personnel who respond to hazardous-materials incidents (NFPA 2002a). It specifically covers requirements for basic (Level I) and advanced (Level II) life-support personnel in the prehospital setting. This standard also provides information on training, recommended support resources, medical treatment considerations, patient decontamination, and hazardous-materials characteristics and references.

Emergency Management Standards

Joint Commission on Accreditation of Healthcare Organizations

In January 2001, JCAHO updated its emergency preparedness standards (standards EC.1.4, EC.2.4, and EC.2.9.1^[1.] found in the Environment of Care, or EC, section), adopting the four phases of comprehensive emergency management: mitigation, preparedness, response, and recovery. Other key additions to the emergency management standards were requirements for a hazards vulnerability analysis (HVA), the requirement that healthcare organizations implement an incident command system (ICS) consistent with that used by their community, and the acceptance of tabletop exercises for one of two required annual drills. Specific requirements for drills include the following:

• A facility designated as business occupancy must execute one drill annually.

• Hospitals, long-term-care organizations, ambulatory care facilities, and behavioral health facilities not classified as business occupancy must conduct drills twice a year at least four months, but not more than eight months, apart.

• Facilities offering emergency services or designated as disaster receiving stations must base one exercise on an external disaster, and it must include volunteer/simulated patients who must be triaged, put on stretchers or in wheelchairs, and transported through the system as if they were actual patients.

• An organization must participate in a community drill that is relevant to its priority emergencies and that will assess communications, coordination, and the effectiveness of the organization’s and the community’s command structures.

The events of terrorism that took place in the United States in fall 2001 brought several more changes to the overall 2002 standards, including clarification on the process and products of the HVA (in particular, that procedures should be developed for each priority hazard identified), a requirement for cooperative planning with other healthcare facilities in the geographic area, and procedures for emergency credentialing. In 2003, components of the hospital emergency management standards were extended to long-term care, ambulatory care, behavioral health care, and home health care settings (Environment of Care News 2002). For 2004, the EC standards have been renumbered and reformatted but have not undergone any substantive changes in requirements.

National Fire Protection Association

NFPA emergency management Standard 99, entitled “Healthcare Facilities,” contains very similar requirements to JCAHO (NFPA 2002b). One big difference between the standards is the additional material in the annexes of the NFPA standard: explanatory material, references, and additional planning considerations (NFPA 2002a).

NFPA Standard 1600, Emergency Management and Business Continuity Programs, has gained international recognition and consensus among the public and private sectors. This standard articulates the generic elements of these programs and serves as the basis for an emergency management program evaluation and accreditation system by state, local, and tribal governments (NEMA 2001). Thus, NFPA 1600 represents a standard for communitywide emergency management programs (NFPA 2002c).

Incident and Problem Management

Incident and problem management processes are intended to handle problems that are raised through the service desk as well as responses to major incidents and problems, restoration of IT services, and resolution of the root cause of any issue. Other subprocesses involved include incident and problem escalation as well as root cause analysis.

Incident Management

The objective of incident management is to restore operations as soon as possible, whereas the objective of problem management is to minimize the adverse impact of incidents and problems on the organization caused by errors within the IT infrastructure and prevent reoccurrence of incidents related to these errors. The Information Technology Infrastructure Library (ITIL) definition of an incident is “an incident is any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service.” The aim of incident management is to restore service to the customer as quickly as possible, often through a workaround, rather than through the determination of a permanent resolution.

Problem Management

Problem management is a process that is used to report, log, correct, track, and resolve problems within the hardware, software, network, telecommunications, and computing environment of an organization. Problems can be anything from a customer being unable to print a report to a line connecting the computer to the controller going down (dropping). Problem management provides the framework to open, transfer, escalate, close, and report problems. It establishes procedures and standards for handling customer problems. The ITIL definition of a problem is “a problem is a condition often identified as a result of multiple incidents that exhibit common symptoms.” Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant. Problem management differs from incident management in that its main goal is the detection of the underlying causes of an incident and their subsequent resolution and prevention.

Roles and Responsibility

Clearly defined roles and responsibilities are critical in problem management to make sure problems are reported, routed to individuals with the ability to resolve the problem, and resolution or workaround communicated to the end user.

• Gatekeeper. This role coordinates the consolidated reporting, tracking of service interruptions, problem notification and escalations, and problem coordination and facilitation.

• Reporter. This role is responsible for documenting service interruptions, trending analysis, problem resolution, root cause analysis, and proactive problem avoidance.

• Change management. This role is responsible for documenting and facilitating a structured change management process, including tracking, scheduling change meetings, and reporting problems caused as a result of change.

• Site coordinator. This role is responsible for problem coordination at key service locations, quickly reporting problems, analysis, escalating high-impact problems, resolution, and communicating with the site.

• Crisis coordinator. This role is responsible for coordinating the identification and resolution of high-impact problems.

Procedures

Effective problem management procedures are vital to the long-term control over the performance of an IT organization. At most installations, these procedures have been developed piecemeal, as the need for recognizing and resolving specific problems in the organization has arisen. In the early stages of growth, this approach works well, but as the organization grows, this piecemeal approach limits its ability to identify and solve problems effectively.

Problem management procedures should include audit trails for problems and their solutions, timely resolution, prioritization, escalation procedures, incident reports, accessibility to configura-tion, information coordination with change management, and a definition of any dependencies on outside services.

The problem management procedures should ensure that all unexpected events (errors, problems, etc.) are recorded, analyzed, and resolved in a timely manner. Incident reports should be established in the case of significant problems.

Escalation procedures ensure that problems are resolved in the most timely and efficient way possible. Escalation procedures include prioritizing problems based on the impact severity as well as the activation of a business continuity plan when necessary.

Problems should be traceable from the incident to the source cause (e.g., new software release and emergency change). The problem management process should be closely associated with change management.

Problem Severity

In today’s complex environment combined with a high volume of transactions, it is inevitable that problems will occur. The cost of resolving problems must be weighed against the benefit. Thus, a system is needed to identify the severity of problems to ensure the problems with the greatest impact are resolved first. Impact definitions will depend on the organization, but, in general, the following areas are to be considered:

• Number of users impacted (as a percentage of total users)

• Critical nature of the application (e.g., online banking)

• Regulatory/compliance issues

• Length of outage

• Dependency on system (no workaround)

Problem Escalation

The service desk will not be able to resolve all problems. Some problems will need to be escalated due to the severity or complexity of the issue. A problem escalation process is needed to ensure high-impact issues are routed to the appropriate groups for resolution and communicated to impacted groups.

Root Cause Analysis

For critical and major problems, a full problem review should be undertaken to ensure that the root cause has been understood and appropriate mitigating actions taken. The results of such a review should be communicated to key organization contacts.

Service Improvement Programs

Processes should be implemented to identify those areas of the organization that are most impacted by IT problems (beyond those affected by specific severity issues that are resolved in isolation). Specific service improvement programs should be investigated and jointly developed, with priorities agreed among the IT, relationship manager, and key organization contacts.

Tools

Problem management is a service delivery process that focuses on proactive outage prevention and standardized diagnostic and postrecovery processes. An efficient problem management process flow includes infrastructure and application reporting, communication, tracking, root cause analysis, proactive trending analysis, with an ultimate goal of problem avoidance. To accomplish this requires a common set of tools integrated with asset management, change management, and the service desk.

Problem Reporting

A problem reporting process identifies and collects problems for both the technical and application system environments. It monitors the resolution of these problems, in terms of initial- and long-term response, and reports on the impact the problem has had on the user community. During the process

• A problem is identified and reported by a user

• The report is recorded in a problem database

• Technical personnel are consulted if a problem requires immediate attention, in which case an emergency resolution may be applied

• The problem is assigned to the technical group that is responsible for its long-term resolution

• The cause of the problem is determined, and its full impact is evaluated

• The problem is resolved, and documentation is restored in the problem database

Although individual problems are managed based on severity, daily summary reports are needed for IT organizations to identify issues that impact operational availability. Problems should be collected and combined into a single daily report and reviewed by a team of representatives from all areas of IT (e.g., operations, security). During a daily service meeting, problems are reviewed for root cause, permanent resolution, customer impact, and proactive outage prevention. Follow-up action responses are assigned to the manager who supports the platform or application.

Daily problem reporting can be aggregated and summarized on a weekly or monthly basis for management reporting. Reporting should include the number of incidents, problems, resolution, and trends for key systems and applications.

Availability reporting is based on outages and incidents reported in the daily report. Such reports include information such as the outage or incident’s length, duration, and impact to users. The availability report is used for measuring performance against agreed SLAs. This information can be used to communicate service availability and incidents to both business and IT senior management.

Because it is basically reactive—wait for a problem to develop and then fix it—the IT organization creates a perception of poor performance in its user community. At some point in its growth, it is best to develop procedures that allow anticipation of problems. Having a reliable problem management system will allow the organization to anticipate, report, track, and solve problems in a timely and effective manner.