Business Resilience Experts

Crisis management in hospitals

Incidents in hospitals are not uncommon. Statistics show that every day there is a cyberattack, every week a fire, every month an external threat (e.g., supply shortages), and every year a police incident that can present challenges to hospitals.
The most recent example is the hacker attack on the University Hospital in Düsseldorf, North Rhine-Westphalia. The actual extortion letter was directed at the university in Düsseldorf; however, the hospital also suffered massive impact. Due to the encryption of patient data, normal operations were no longer possible. As a result, patients of the ambulance service were diverted. One person died in the process, resulting in a charge of involuntary manslaughter. Through contact between the police and the blackmailers, the danger to people was pointed out, whereupon a decryption code was issued. Nevertheless, repercussions are still present today and normal operations have not yet been fully restored.

This example shows that events such as IT failures, in particular, are not yet sufficiently taken into account in hospital crisis management. Instead, the focus lies on medical events, which is also due to the fact that medical personnel are primarily responsible for creating crisis management. However, IT is an area that is growing in size and complexity and is essential to the hospital’s ability to remain operational. Other medical facilities such as doctors’ offices are also dependent on IT, and a failure of these offices can also impact hospitals, as they then have to deal with an increased volume of patients.

Another scenario is an accident or attack involving CBRN hazards (chemical, biological, radioactive and nuclear hazards). Those responsible have been aware of such events since the recent terrorist attacks, but one can also occur within a hospital. CBRN substances are also used there and an accident can have severe consequences.

In order to keep hospitals operational after an event has occurred and to be able to handle all events, hospitals carry out crisis management, which is also called hospital alert and emergency planning (German: Krankenhausalarm- und Einsatzplanung, KAEP). This is planning that analyzes different events and plans preparedness as well as response to them. The goal is to manage resource and capacity constraints. As already described, the most frequent focus is on mass casualty incidents (German: Massenanfall von Verletzten, MANV). However, events such as a power outage, an evacuation (e.g., after a bomb has been discovered), and the IT emergency plan must also be included in this planning and combined into a holistic hospital alarm plan, because the events often intertwine. Another aspect of the KAEP is the cooperation between hospitals, which is useful and necessary in order to manage events and also to be able to carry out measures such as evacuations in a timely manner.

For hospitals that are considered Critical Infrastructure, stricter requirements for the KAEP are already in place, especially in the area of IT. However, it should also be noted that a hospital that does not exceed the threshold of 30,000 full inpatient treatments per year, but ensures medical care for a region, should be defined as Critical and must imperatively maintain its functionality.

Responsibility for the KAEP usually rests with the emergency department leadership. This makes sense for MANV, but not for IT events. Especially after September 11, the concepts for MANV have been revised and improved, but an IT failure is considered much more likely, so people from other departments must also be involved in the creation of the KAEP. The hospital must consider and analyze all risks by means of a business impact analysis and then set priorities in order to be prepared for infrastructure failures, e.g., of oxygen.

Legal requirements for the KAEP are only partially in place. Most federal states in Germany require such plans to be drawn up, but without specifying what they should contain. If hospitals are viewed as companies, the transferability of standards and guidelines from other areas can be assessed as possible. These include BSI Standard 100-4 and ISO/IEC 27001 for IT security, DIN EN ISO 22301 for the Business Continuity Management System and the Ordinance on the Designation of Critical Infrastructures under the BSI Act (BSI Critical Infrastructure Ordinance). In the context of critical infrastructures, it must also be considered which service providers supply the hospital with infrastructures, because not every service provider, e.g., electricity provider, also counts as critical infrastructure and must fulfill the corresponding requirements.

One way of integrating KAEP is through quality management, which is already used in hospitals. Implementation is possible either via the requirements of DIN EN ISO 9001 or via the Cooperation for Quality and Transparency in Healthcare (German: Kooperation für Qualität und Transparenz im Gesundheitswesen, KTQ).

However, drawing up plans alone is not enough to be prepared for events. In addition, training and exercises are necessary to learn and gain experience. It is also important to exercise different events and not just focus on the MANV. Furthermore, exercises should not take place in isolation, but should also involve the rescue service and other facilities.

For the KAEP, it does not matter who provides the impetus for its creation, but it is important that the management supports its creation. Professional support from outside is available as an aid. This can relieve the burden on employees.

In summary, the KAEP is a robust, modern, holistic, controllable, certifiable and financially secure hospital crisis management system. It must address all risks, address emergency preparedness, and provide action instructions for managing an event.

If you also want to set up and improve your hospital crisis management holistically and need help in doing so, please feel free to contact us!

An article by Anna Müller, published on 17 September 2020
Translated by Charlotte Ley
