Building Resilience for Critical InfrastructureA Focus on the Healthcare Sector

BCP Asia Henry Ee, FBCI, CBCPenquiry@BCPASIA.com

IGNITE STAGE

04 JULY 2018

Henry Ee FBCI, CBCPFounder / Managing Director

Certified◦ BCM Professional: FBCI (BCI)◦ BCM Professional: CBCP (DRII)◦ Certified Management Consultant (PMC)◦ ACTA certified Trainer by WDA◦ Certified ISO 22301 Lead Auditor (BCI/ICOR/ANSI)◦ ISO22301 Lead Implementer, PECB

◦ ESCAPE & UNISDR Private Sector Advisory Group Member

◦ 20 years of experience in Business Continuity, IT-Disaster Recovery & Crisis Management. He is appointed President of BCI Asia Chapter and a Board Member of RIMAS (Singapore)

◦ Undertaken over 300 BCM Projects across APAC and has guided and trained over 5000 professionals

◦ Was previously Regional BCM Manager for ABN AMRO, Chase Manhattan Bank & JP Morgan

Critical Infrastructure Sectors

INFORMATION &

COMMUNICATIONS

TECHNOLOGY

FINANCE MANUFACTURING HEALTHCARE FOOD

ENERGY & UTILITIES WATER TRANSPORTATION GOVERNMENT LEGAL & SAFETY

Physical and virtual systems or aggregation of assets that provide essential functions and services that support societal, economic and environmental systems

We rely on them to work without fail!

A Focus on Healthcare Sector

When it comes to healthcare Critical Infrastructure (CI),

downtime simply is not an option

• Healthcare sector is perhaps the most fragile sector and is the most dependent on all the othersectors

• Life & safety of patients are top priorities!

• The nation depends on the continuity of its healthcare CI & systems, especially during disasters andemergencies

• If CI that the healthcare sectors rely on stops working, that could disrupt their ability to provideessential services to the public

Current Issues in Healthcare SectorHEALTHCARE

2017 2018

Top 3 Threats 1. Data breach (42%)

2. Cyber attack (39%)

3. Unplanned telecom & IT outages

(34%)

1. Cyber attack (62%)

2. Unplanned telecom & IT outages

(54%)

3. Data breach (38%)

Top 3

Disruptions

1. Unplanned IT and telecom outages

(65%)

2. Adverse weather (56%)

3. Interruption to utility supply (53%)

1. Unplanned IT and telecom outages

(70%)

2. Cyber attack (51%)

3. Interruption to utility supply (49%)

No of respondents: 657

No of countries: 76

No of respondents: 726

No of countries: 79

Based on annual survey conducted by Business Continuity Institute Horizon Scan 2017 & 2018

to organisations worldwide

Building Resilience to Healthcare Critical Infrastructures

Factors of Consideration

1A. Risks & Vulnerabilities AssessmentConduct comprehensive risk assessment so that healthcare providers may better

understand and catalog present and future risks:

Climate Risks Assessmentse.g. flood, hurricane, earthquake

Network & Cybersecurity Assessmentse.g. malwares, patients record theft, viruses

Physical Security Assessments e.g. theft

Pandemic Assessmentse.g. H5N1, H1N1, H7N9

Man-made Disaster

Risks Assessments e.g. fire, gas leak, terrorism

1B. Risks & Vulnerabilities Assessment3 main aspects of hospital vulnerabilities to be taken into account:

STRUCTURAL

• Structural design to combat hazard forces

• Quality of building materials, construction & maintenance

• Building configuration

NON-STRUCTURAL

• Architectural components such as windows, roof, ceilings, walls

• Installations – air ventilation, electrical & piping systems

• Water disposal• Emergency power supply• Equipment & furnishings• Electronic communication systems

ORGANIZATIONAL

• Evacuation considerations –shelter, accessibility

• Just-in-time delivery & replenishment of critical supplies

2. Building Design & Regulatory FrameworksUnderstand the building design & regulatory framework under which existing health care buildings were

constructed

• Building Design - A multi-hazard risk reduction approacho Help identify potentially conflicting effects of certain mitigation measures and help to

avoid aggravating the vulnerability of many hospital building components and systems

• Regulatory Frameworko Compliance to building code design baselines; address minimum requirements for building

resistance to major hazards based on historical experienceo Buildings’ compliance to regulations

3. Infrastructure Protection & Resilience

POWER SUPPLY

WATER SUPPLY

COMMUNICATIONS

MEDICAL

INFORMATION

DIGITAL

INFRASTRUCTURE

3. Infrastructure Protection & ResiliencePOWER SUPPLY

Determine the current anticipated length of time you can operate without grid power or refueling• Are all critical facilities equally equipped to operate without grid power for extended outages?• Given the location of the building and weather risks, is your refueling supply chain resilient to extreme weather disruptions?

Review locations of utility infrastructure relative to extreme weather hazards• Are your generators, fuel pumps, fuel tanks located above flood elevations?• Are emergency generators located above design flood elevations?• How often is your emergency generator system tested to assure reliable startup and sustained operation?

Having back-up power sources available to supply electricity to critical areas• Do you have redundancy (N+1) for all emergency generators?• Does your emergency generator fuel capacity allow for the projected hours of operation?• Do you have external connections for portable emergency generators?

Invest in on-site power generation through combined heat and power technologies to improve resilience

3. Infrastructure Protection & ResilienceWATER SUPPLYEnsure sufficient plans for water resources in the event of a water related emergency• Are there two independent water sources to the facility?• Is the water source potable without treatment?

Having protocols to secure back-up supplies of water in the event of a water related emergency• How much on-site emergency water storage do you have (in gallons)?• What duration of operation can this storage provide (hours)?• If your water supply is disrupted, do you know how long you can shelter in place before you need to evacuate?• How often is your emergency generator system tested to assure reliable startup and sustained operation?

Determine water usage under normal operating conditions• Have you audited and benchmarked your water usage (gallon/day)?• Do you monitor cost savings of water use reduction strategies?• Has your healthcare facilities adopted water conservation strategies:

o Low flow toiletso Water efficient landscaping practiceso Food service equipment

3. Infrastructure Protection & ResilienceCOMMUNICATIONS

Having multiple communication systems in the event of extreme weather emergencies• Landline telephone systems, Mobile phone systems, Radio systems

Take a Multi-tiered Approach to Information Sharing• Establish detailed & regularly updated contact lists with multiple methods of contacting each one of your staff members.• Prior to an incident, educate and familiarize staff with social media channels they may use on personal devices should facility

communication systems fail

Plan Ahead & Empower Your Staff• Work with your entire staff to devise detailed emergency response and business continuity plans. These plans should

include detailed roles and responsibilities and a list of essential positions that must be filled in the event of an emergency.• Emergency response training

Know Your Local Partners• Establish links with your local emergency managers, responders, and public health officials in emergency planning and drills.• Collaborate with community partners to participate in exercise scenarios to allow for a synchronized approach.• Identify and test communication redundancies.

3. Infrastructure Protection & ResilienceMEDICAL INFORMATION

Medical Information Systems (MIS) to remain available in order to continue to deliver patient care. Doesyour facility or system have the following systems in place?• Electronic Medical Records• Paper Record Storage in safe rooms (and above flood level)• Off-site data centres

Having MIS that will operate in the event of extreme weather emergencies• Are Medical Information Systems (MIS) on emergency power?• Is there a backup telecommunications system if the telephone infrastructure fails?

Inventory record storage systems and locations and assess their safety• Are medical records safe from flooding?• Are building infrastructure record documents safe from flooding?• Are all building infrastructure records digitized?

3. Infrastructure Protection & ResilienceDIGITAL INFRASTRUCTURE

Protect computer hardware & technological equipment• Secure all computer equipment and servers in a locked storage area with specific individual access permissions• Develop and implement a detailed plan of how to address potential cybersecurity vulnerabilities with medical

devices

Protect local networks & other computer software• Conduct a computer network assessment to obtain the information you need to develop a cybersecurity plan to

reduce cyber attacks & address breaches• Backup data regularly and develop a plan to access information quickly in case of a natural or manmade disaster

Encourage safe computer & cyber practices from all staff• Employees should also be aware of how to report and respond to suspicious cyber events• Require frequent password resets for all systems• Establish policies prohibiting the transmittal of protected health information using unencrypted public networks (i.e.

free Wi-Fi hotspots)

Thank you for your attention!

www.unisdr.org/amcdrr2018Henry Ee, FBCI, CBCP

enquiry@bcpasia.com

Visit us at: bcpasia.com

Download the Slide : bit.ly/2KgFlYy