CMS has recently recommended the inclusion of CyberSecurity in Emergency Preparedness planning for post-acute and long-term care providers as part of the required “all hazards” approach. Although Emergency Preparedness and CyberSecurity may at first glance appear to be two separate disciplines, the core message CMS is emphasizing to healthcare providers is one of integrated risk management. This blog post will address how the two are connected.
The NIST CyberSecurity Framework and the National Incident Management System (NIMS) have been designed by government institutions as ways to manage the risk associated with CyberSecurity and Emergencies, respectively. These are part of the overall National Preparedness Goal and National Planning Exercises. The Emergency Preparedness Plan (EPP) regulation, which is a subset of the overall NIMS Framework, comprises 4 legs:
- Emergency Plan
- Policies and Procedures
- Communication Plan
- Training and Testing
Recovery is not included in the CMS rule, as noted in their FAQ, but it is not something that an organization should ignore. The ability to recover from any event that disrupts operations affects staff and the resident population, and potentially the outside community as well. The NIST Framework adheres to many of the same underlying concepts, methods, and approaches as NIMS and, therefore, the EPP rule. So why do providers need to be thinking about risk management? Many people are familiar with financial risk and reputational risk, but what about considering operational risk in a formal fashion? A properly developed risk management practice addresses the goals of the Emergency Preparedness planning rule, while providing additional value in several ways:
- Operational speedbumps and efficiency – Although EPP seems primarily focused on large-scale disasters or disruptive events, daily operations have numerous “speedbumps,” where a pre-planned response restores efficient operations quickly. What would happen in your nursing facility if your EMR was offline for 24 hours due to a technical issue? That technical issue may or may not be, as CMS has pointed out in the recently released S&C memo, the result of a cyberattack.
- Standardized procedures – In following a standardized approach to operations, business services are delivered consistently regardless of the employee involved. In the event of the catastrophic incident that your Emergency Plan addresses but hopes never occurs, some key members of your staff are unavailable to fulfill their duties. What would happen if your daily facility operations were interrupted for several hours by something as simple as a traffic accident? Would other staff truly be able to “pitch in” by reviewing your procedures and following them until other staff arrived? What would happen if your pharmacy provider cannot deliver needed medications?
- Continuous quality improvement – When instrumenting processes across an organization to measure risk, the measures collected provide an excellent foundational data set to address areas of weakness and prevent adverse events, both of which are important as facilities develop and implement their QAPI programs. Although nursing homes only need to provide a written copy of their program to surveyors once Phase 2 is effective November 28, 2017, the methodology for the program should incorporate data sets such as these.
Stay tuned for the next part of this series with a deeper dive into Emergency Preparedness planning and CyberSecurity for nursing homes and healthcare providers.