ASPR Healthcare and Public Health Risk Identification and Site Criticality (RISC)
Toolkit Webinar
January 29, 2019Access the recorded webinar here: https://register.gotowebinar.com/recording/7294835635295782403?assets=true
Access speaker bios here: https://files.asprtracie.hhs.gov/documents/aspr-risc-toolkit-webinar-speaker-bios.pdf
Access Q&A here: https://files.asprtracie.hhs.gov/documents/aspr-risc-toolkit-webinar-qa.pdf
2Saving Lives. Protecting Americans.
Shayne Brannman, MS, MADirector, ASPR’s Technical Resources, Assistance
Center, and Information Exchange (TRACIE)
3Saving Lives. Protecting Americans.
ASPR TRACIE: Three Domains•
••
Self-service collection of audience-tailoredmaterialsSubject-specific, SME-reviewed “Topic Collections”Unpublished and SME peer-reviewed materialshighlighting real-life tools and experiences
•
•
Personalized support and responses to requests forinformation and technical assistanceAccessible by toll-free number (1844-5-TRACIE),email ([email protected]), or web form(ASPRtracie.hhs.gov)
•
•
Area for password-protected discussion amongvetted users in near real-timeAbility to support chats and the peer-to-peerexchange of user-developed templates, plans, andother materials
4Saving Lives. Protecting Americans.
Brittney Seiler, MPAPublic Health Analyst, Division of Critical
Infrastructure Protection, HHS ASPR (Moderator)
5Saving Lives. Protecting Americans.
•••
Provide brief overview of the RISC ToolkitDescribe how users have implemented the RISC ToolkitShare success stories and lessons learned from using the RISC Toolkit
Webinar Objectives
ASPR’s Division of Critical Infrastructure Protection
Risk Identification and Site Criticality (RISC) Toolkit Overview
7Saving Lives. Protecting Americans.
Imagine If You Could…
Easily understand and visualize your facilities’ threat from:
34 External threats/hazards (e.g., active shooters, flood and more)
33 Internal threats/hazards (e.g., water or generator failure, supply shortage and more)
Quickly assess FACILITY-LEVEL: •••••
Emergency preparedness and resiliencePhysical securityCybersecurityCritical dependencies
Estimate the HUMAN, PROPERTY, and
BUSINESS impacts to a facility that may result from a specific threat or hazard
What would you do with the information? How would you better prepare for what may lay ahead?
8Saving Lives. Protecting Americans.
Risk Identification and Site Criticality (RISC) Toolkit
Objective, data driven all-hazards risk assessment that can be used to inform:•••
Emergency preparedness planningRisk Management activitiesResource investments
Consists of three modules allowing healthcare organizations to:
Identify site-specific threats and hazards
Assess site-specific vulnerabilities
Determine criticality & consequences
All modules use objective data
sources & industry standards
9Saving Lives. Protecting Americans.
RISC Toolkit Design
Designed by ASPR’s Division of Critical Infrastructure with input from private sector partners including:
Healthcare & Public Health Sector
Owners & Operators
Pilot Users Security & Risk Experts
Format
•••
••
Excel basedEasy to followMostly yes/no & multiple choicePrintable resultsLocally stored data
10Saving Lives. Protecting Americans.
RISC Toolkit Key Features and Benefits FEATURES
Identify critical infrastructure dependencies and interdependencies
Enable risk trend analysis
Receive a ranked list (from high to low) of threats, hazards, vulnerabilities, and consequences
Compare multiple facilities across systems, coalitions, and regions
BENEFITSInforms preparedness and response plans; exercises; and trainings
Provides objective, empirically-based data
Address cooperative agreement grant guidelines (though not required by the Hospital Preparedness Program)
Gauge the criticality of a facility to the proper functioning of the region/coalition/system as a whole
11Saving Lives. Protecting Americans.
Three Self-Assessment ModulesModules can be completed independently & work can be saved/paused
at any point during the modules
Threat/Hazard Assessment Module
(THAM)
Rapid Infrastructure Survey Tool
Vulnerability (RIST-V)
Rapid Infrastructure Survey Tool Consequence
& Criticality (RIST-C)
Interact in the dashboard to automatically calculate risk
Entire assessment takes approx. 3-4 hours to complete
12Saving Lives. Protecting Americans.
RISC Toolkit Modules
THAM
Likelihood of a threat or hazard occurring
•••
Intentional ActsNatural HazardsUnintentional Manmade events
RIST-V
Vulnerability for disruption
••••
ResiliencePhysical SecurityDependenciesCyber Security
RIST-C
Hazard specific consequences & Criticality to the healthcare
system
••
ConsequenceCriticality
13Saving Lives. Protecting Americans.
Organizational Leadership
Information Security Officer Coalition Partners
Organizational Emergency Managers
Knowledge Insight into facility operations
Cybersecurity & IT
Coalition response plans & procedures
Emergency operations plan & regulatory
compliance
Module THAM, RIST-V, RIST-C RIST-V THAM, RIST-V, RIST-C THAM, RIST-V, RIST-C
Key ContributorsEasy-to-follow format requiring multiple contributors:
Organizational Leadership
Information Security Officer Coalition Partners
Organizational Emergency Managers
Knowledge Insight into facility operations
Cybersecurity & IT
Coalition response plans & procedures
Emergency operations plan & regulatory
compliance
Module THAM, RIST-V, RIST-C RIST-V THAM, RIST-V, RIST-C THAM, RIST-V, RIST-C
14Saving Lives. Protecting Americans.
RISC Toolkit Results The dashboard identifies top facility-based risks informed by user
responses
Next Steps•••
••
Incorporate results into planning considerationsDiscuss results with coalition partnersLearn more about risk mitigation in ASPR TRACIE topic collections & RISC Toolkit resourcesEngage with local law enforcementJoin the Healthcare & Public Health Sector
We want to hear from you! Email [email protected] to share feedback & how you use the tool
15Saving Lives. Protecting Americans.
Additional RISC Toolkit ResourcesType Description Resource
Introductory Resources
These high-level resources provide information on how to download the tool and other tips on getting started
1. Getting Started Guide: Easy to follow instructions on how to download andstart using the RISC Toolkit.
2. At-A-Glance/Factsheet: A brief overview of the tool and its functionalities.
3. Frequently Asked Questions: For additional information and assistance ongetting started with the tool, consult the Frequently Asked Questions document.
Technical Resources
A deeper level of information, these resources cover RISC Toolkit components, methodology, and calculations
1. Reference Guide: A brief introduction to the components of the RISC Toolkit,followed by detailed explanations of the calculations performed within each ofthe three RISC Toolkit modules.
2. THAM Narrative: A technical explanation of the methodology and sources usedfor the Threat/Hazard Assessment module.
Additional Reference Materials: phe.gov/cip/hphrisc
16Saving Lives. Protecting Americans.
Questions?Download & learn more at:
phe.gov/cip/hphrisc
For issues and troubleshooting, contact the Help Desk: [email protected]
RISC Toolkit Implementation and Lessons Learned
Scott Cormier, VP EM, EC, SafetyJeff Butler, Regional EM Officer-IL
Toby Hatton, Regional EM Officer-TXStacy Voliva, Regional EM Officer-IN
17
Large Health System PerspectiveClinical StatsNumber of BirthsED VisitsOutpatient VisitsSurgical Visits – OutpatientEquivalent Discharges
>84k>3.1M>23M>400k>1.6M
18
151Hospitals
2,600Sites of Care
21 States and the District of Columbia
More than 22kAvailable Beds
34k Affiliated Physicians
156k Associates
Largest sole provider of healthcare facilities services in the U.S., using an integrated model to best serve our customers.
Emergency Management, EC & Safety
Direct Chain of Command Ensures:
Standardization
Optimization
Communication
19
Why use the RISC Toolkit (Toby)Data-driven
Standard definition of hazards/threats to match healthcare nomenclature
Evidence-based versus subjective opinion
Comprehensive tool Single or multiple facilities All facets of healthcare continuum
21
Gathering Information (Stacy)
Internal Partners:Risk Management Safety and SecurityFinance/InsuranceFacilities Management
External Partners:Local – Homeland Security, Police, Fire, EMS Regional/State- Coalitions, Dept. of Health National- FBI, NOAA, USGS, DOT, NRC
22
Lessons Learned/Tips and Tricks (Jeff)Download a local drive version of toolkit
For each individual site- if not using the Risk multi-viewer option
Provide key partners questions specific to their subject matter expertise ahead of time, to decrease input time.
Start tool modules (THAM, RIST C, RIST V) through the Dashboard File
23
Lessons Learned/Tips and TricksComprehensive process is made easier by reviewing all questions prior to tool input.
Each additional update of tool requires less time after initial information gathering
Expect discussion related to evidence based results versus subjective.
24
Questions
Thank you for all that you do to keep our patients and communities safe!
25
26Saving Lives. Protecting Americans.
Jennifer N. Johnson, MPAPreparedness Field Assignee: Tennessee Department of Health
U.S. Centers for Disease Control and PreventionCenter for Preparedness and ResponseDivision of State and Local Readiness
27Saving Lives. Protecting Americans.
Overview: Key TDH RISC Assessment Themes
Preparation Implementation Analysis Action
The findings and conclusions in this report are those of the authors and do not necessarily represent the official position of the Centers for Disease Control and Prevention.
28Saving Lives. Protecting Americans.
Preparation I
•
•
•
•
Participated in HPH RISC toolkitpilot with 11 public health sitesDesigned a data collection andassessment strategyDeveloped a centralized system forsupport and tracking progressTailoring: Regional vs. MetropolitanJurisdictions
29Saving Lives. Protecting Americans.
Preparation II••••
Completed all regional THAM modules in advanceDeveloped and distributed survey link to capture internal hazardsDeveloped toolkit guidance for public health regionsPrepped toolkits before regional distribution
30Saving Lives. Protecting Americans.
Implementation I
••
•
Toolkits were shared via REDCapTM
A resource repository was created inSharePoint▪▪▪
▪
Threat/hazard assessment modulesToolkit guidance documentsPDF versions of rapid infrastructureand criticality survey toolsThreat/hazard definitions
Technical assistance provided asneeded
31Saving Lives. Protecting Americans.
Implementation II•
•
13 Emergency ResponseCoordinators oversaw HPH RISCassessments of health offices ineach regionVaried methods of completingsurvey tools were used:▪▪▪
VirtualIn-personGroup Discussions
32Saving Lives. Protecting Americans.
Implementation III
Key stakeholders involved include:▪▪▪▪▪▪▪
Regional and County Health DirectorsEmergency Response CoordinatorsRegional Hospital CoordinatorsHealthcare CoalitionsState and Local Law EnforcementInformation Security OfficersState and Local Emergency Management
33Saving Lives. Protecting Americans.
Analysis I••••
Compiling assessment data for regional and statewide analysisDeveloping regional and metropolitan RISC profilesData visualization for reportingProcess evaluation
34Saving Lives. Protecting Americans.
Analysis II: Lessons Learned
Successes
•
•
•
•
107 RISCassessmentsMultiple levels ofrisk analysisCentralized datarepositoryTime saved onfuture assessments
Challenges
•••
Lengthy surveysFile sharingLimited socialvulnerability elements
35Saving Lives. Protecting Americans.
Action I •••
Data VisualizationGIS - Mapping RISC ResultsCreating RISC Dashboards
Sample Map of Criticality Ratings
36Saving Lives. Protecting Americans.
Action II••
▪▪▪▪
•▪▪
Incorporate social vulnerability dataInformation-sharing
Regional Healthcare CoalitionsState and local emergency managementCommunity partnersFederal partners
Develop recommendations:Public health risk mitigation strategiesPlanning, training, and exercises
40Saving Lives. Protecting Americans.
Contact Us
RISC Tool: www.phe.gov/Preparedness/planning/RISCRISC Tool Questions: [email protected]
ASPR’s Technical Resources, Assistance Center, & Information Exchange:
asprtracie.hhs.gov 1-844-5-TRACIE [email protected]
Med}·{Cel
~ M,, , 11> ....... --•· •,. » •~"'•A• ....... ,~ ....... . . ... ___ ~ , , ,. ~ __ , , ... , A la•• t ,1,, • ~••-
_._:,,.-•_.., --, - •M..,,_"• •'-'"• ,,,.,. .. ,., .. ,._nu•
The 11-1 l RISC Tool-::
n-,w.,..,._,.,1><,., • ., , (• IIC 1.11 <•""'• ,,.a-• :•.,.11 u:.i._~ :, "ii'~'"~ •-~• ''"'"'""'"'"'" U:,r:,,m,:>,c-<:.-1>r .. :n>1:,a-o~~ ... Nll<:WbH\.,w: .:1<= , ... , .. _ , . , .......... d~ ............. .., •• ,,f.,f<'!<.Tt.- •- • - n••••--•
tt•n< ,..,.«, .. .,.,.. ......... ,.. • ...,,,.,,-•~uMT,_, __ ,.,,., •• ,n,•,..,,..,. ,..,n:b t <Je :t, ,..o,n ~:::k,,._.<INl<;lr·":"'"°'"""t-- , 1:_,,,.....,:t, :1>-..~: r-:,.M..,.,.1.-.li•Nst<<lt;<o·J,,....,__,,.,,. .,.lfi~a,.,.,,~.,1,,:, ,.-._,1!':T>o.<1 - · - · ·· .... , ••••• · - - · - • • • , .... 1 , , .,_ ,. __ • • •• , .. . ..... . ...... _ _ , .
,,,.,t-<.,.,. :p,i:I < u t -1,o k t oo."' : ~n""''" ...-::,: : ,,n.
Tncl I SP<ftm
RIST'; 1.1.1 RIST'; 1.1.2
HISI> 1.1.~
P.IS1'1 1.1.d
R
Key Partners Questions H
R
IST'; 1.1.5
RIST'i 1.1.6 ISI ·• 1.1./
RIST..- 7.1 .1
IST'; 2.1.2
RIS1', 2 1,2.l
HI.SI ·• 2.1.2.2
RIST', 2.1.2.3
RIST'; 2.1.2.-1
RIST'; 2.1.2.5
RIST',1 2.1.2.&
RIST', 2.l.2.7 P.ISl'; 7.1 .7.R.
RIST'; 2.1.3
RIS1'; 2.1.4
~1~1. 1,1,:,
P.ISl'; ?.1 .n
Rcc,immondc,d Cort<Ult.Jnt,;
SPdinnNamP Prim.1ry SPn:>rvfary TP<tiary
General Safefy Offi~ r REMO General Safefy Officer REMO
C;;cru .JI Suf~ly Uffll,._., H~MU r,~rw=,r;il So!Pt,, (Jltl(:Fr Rrll.1CJ
General Laboratory Dire-:tor Safety oncer REMO
General Satefy Otticer REMO
e:i1:!11fd1:tl ~1::t rt:!'ty u rr1U::1 Hl MU
~11"inf":;r; r.nntim1r• C:hif'f Fi1.iflf.~'l I Offir.rr f.hif"f Opt"t"Atim r.; C.hirf F'll,'N'".utivf' OffiN'r
Busiless Continui:-,• ChiefFilar,cial Officer Chief Operati ons Chief Elcecutive Offic~·
Busft=ss COntlnur::-,, ChlefFilar,~ial Cfflcer ChlefOnHat l ons Chief Executive Offlc~·
IJU3� 1t:!~.:, U mllr1UL'1' <.;I llt:!( 1-1 l l::lli.C 1::1 I L(fo.l:::1 l:'111::!r U~ 1:1l1ur1~ t:1111:::!!r l:..xeof..!ULIVt:!' Offil-t:! '
Bu5~55 Continui:-• ChicfFilanc ·a1 Officer Chic f 0ocrat i on5 Chief UCC:utivc Offic-cr
Busiless Gontinur.,• Chief Filar,c,il Officer Chief Operati ons Chief Executive Cffic~·
Busiless Continur:-,• Chief Filar,cial Officer Chief Ooerati ons Chief Elcecutive Cffice·
Bus~ss Conllnut:-,, Chlet Filanclal Cttlcer Chi et Operati ons Chlet Elcecutlve Ottlc-e·
Bu~ilc~J Continur.,· ChicfFilor,:ol aficcr Chief Op-,,.oti ono Chicl E>l<:<:utivc Offic<: · R111.,SlP,;;,;; r.nntim1r111 C:hiPf firum.-:lRI Offir.Fr f.hiPf OpPOtti ~ ,;; C:h~ F~1rtivP r:ffir.P'
Busiless Continur.,• Chief Filar,cial Officer Chief Ooerati ons Chief Elcecutive Office·
Bus~ss COntlnut:-,• Chlet Filar,:ial Cttl cer Ch let Operat i ons Chief Elcecutlve Citic~ ·
~u:.,1..::.-:., i..:u11tJr1u1.\' 1;111dt-11an,· al Uff1cc1 l'111c f c_ip 1."t iJL1t.111:i th..:f 1:.>o:.,:uL1vc urr,,..,, R11c;D:u;<; f"nntin11r: C:hiPffin~n..-:irll Ctfia=r fhiPf OnPFrlltinnc; C.hiPf F'lcP<':1rtivP C:ffir,1=v
Gathering Information Who are your partners in preparedness?
Internal Partners: Risk Management, Safety and Security, Finance/Insurance and Facilities Management
External Partners: Local – Homeland Security, Police, Fire, EMS Regional/State-Coalitions, Dept. of Health, National- FBI, NOAA, USGS, DOT, NRC
Lessons Learned/ Tips and Tricks
Download a local drive version of the toolkit for each individual site - if not using the Risk Multi-viewer option.
Provide key partners questions specific to their subject matter expertise ahead of time, to decrease input time.
Tllreatltiamrd
• - V~n«• blltV ConHQu•r"• Tx V Riak
Cyber 4 0
a TrlUnc)cF.,;t()fm{Lighllling) 30 +-
tnimfll Gh(fflteai t-N.th\ l bl)OSl:a"O, H1Jf"rway ?1
,o U3·'11:11)11KJ W.rt<l 2;,o ,, tt;zi,I 22
12 l~Cllmg 20
13 VIOlootCRnc 20 +-,. '""" '8 ,~ blunt1I Ch1:m1wl t-J\lM,\I t.apu:;uc, Raihruy 'r ,. :-W,,l-,r,,111¥100(811)11;1-.olt:!) 1.7
17 Fmll flOO(I l.3 ,. Touooo ' ' " ll'IIO'YMbon I 001 l 0
i!O tlllb.,:Jnt,;~ OS ,, At1fl_JHI ff1f111:ii111A I-fa1Ar11tr. 0.8 ,, Spo~Wealhcr 0.7
l3 0 Iougn1 00
l� Sl'ICM'Fhl.'Rn(u'<I o.e 2~ t:1lupnuHui:I OS ,. w.r , .. a 0.5
27 ""™'"''"""" 0.-1
28 EJ;tuml Che1111c;;!il t-1'lMl\1 Ell)O"..uo, P pd1110 0·1
l'l le,'lt~rla 04 Maln r nhr.11ty
Start tool modules (THAM, RIST C, RIST V) through the Dashboard File
1. ALWAYS start from the Dashboard. 2. Select which tool you wish to complete. Once finished with each module, you will be prompted to save the file.
3. Then go back to the Dashboard to complete the next module.
0 .AIS. An$wers IO R1sJc Questions 201 e 6/13/20HI 8:25 AM File folder
.... O.lta 11/212018 11:2i A... File- folder
.,.. Ma11Uals 6/13/20 I 8 8:25 AM F,h_. folde,
l ?,epQ1b 6/13/2018 8:25 AM Fill' folde,
fJ_ HPH_R,i~D~shboard 1/4/2019 7.39 AM Microsoft Excel t-11-. 16'1 KB
8.:- HPH_R!ISTC 9/25,/2018 8:36 I\M Mw:rosoft Excel M 493 K8
l'J .: HPH_R,ISTV 8/1/20181:07 l)M Microsoft Excel M ~.780 KB
l'J .: HPH_THAM 8/1/2018 10:S1 AM Microsoft Excel M __ 5.012 KB
9.!' R,,k Multi.V'iewu 10/31/2017 9:43 A... Microwfl Excel M- U39KB
o o
o o
o o o o
o o o o
Lessons Learned/Tips and Tricks Comprehensive process is made easier by reviewing all questions prior to tool input.
5 Cybersecurity Management Profile
5.1 Identify
5.1.2 Asset Management
5.1.1.1 How frequently are physical IT devices and systems and back ups within the organization inventoried?
At least semiannually (twice per year) Annually (once per year) Biannually or longer (every two years or more) Inventory of physical IT Devices, systems, and backups is not conducted
5.1.1.2 How frequently are IT software platforms and applications and back-ups within the organization inventoried?
At least semiannually (twice per year) Annually (once per year) Biannually or longer (every two years or more) Inventory of physical IT Devices, systems, and backups is not conducted
5.1.1.3 Are IT resources (e.g., hardware, devices, and software) prioritized based on their classification, critically, and business value?
Yes No
5.1.1.4 Has a compliance audit been conducted of all identified primary and back-up critical IT assets?
Yes No
- Sector Criticali ' Facility Date
Ascension Texas Ministrv
1/4/2019 10:49
Sector Critic11lity R11ting
Sectol' ( •nficali · Katin°s
R3tlng
l
category
LOW
M oderat e
ve,y High
�h ~--,_
/. /Y I I I
'
. ~--
De<alptlon L:>ss cf function atthe fa(llftf would have m m1rral 1mpacr on the Healthcare and Publl::: l-lt!Mth S~ctor er r~glonal l~v~I HPH S~ctor tuncHons and ;~rvl~;.. Th~
ocrvi:co provided bythc facil ity could be readi ly an d quickly rcplacc:J by other
L::>ss. c-f rum.· .. uon at the facil itf would have a snu ll impact on the Heal t i-care and
l-'u lJl1:: ll~dlth ~~l'lUI l:•I rll!glut l l:i l lt:!Vt:!I IHJII ~ !:'L'lU I fUf1l'ltUrl'.) dllLi :,..!:!I '.'IL"=!,. 'S ~l'lll L't:!~
m11·t bFt dPIAyPd or pi:rtiPrt~ m,;y nPPd to trPIVPI farthPr thi.n tJ-:.u =1I to rP~PivP
L:)SS ct function at the taclllt!f \'rould have a substantial Impact o r t he Healthcare
.)nd 1-'ubl1c Health ~ctor or r~g,onal leve l HPH s~ctor f unct1ons: .lnc ~r11ce-s:.
Certe1 n critical or ~pe;1alty f1,. nct1on) may be un~ve1 lable or delayeC :or multiple
L~s.s cf function at the fE1c1lit1 would have a cr1t1eal impact on the Healthcare and Publl: Heatth Sector or reglonnl level HPti Se-ctor tuncttons and ;@ri: lcei;.
I rc-.Jtmcnt c.J .=Jcrtv IY'.J be~ m f1c.)ntlv rcdu=cd .Jn d ~~rv,cc::; m J be ccb· c d for
It Gets Easier Each additional update of tool requires less time after initial information gathering.
Data-Driven, Evidence Based Expect discussion related to evidence based results versus subjective opinion.