Skip to main content
Rural Health Information Hub

Emergency Preparedness and Response Efforts in Critical Access Hospitals

Duration: approximately minutes

Featured Speakers

Alana Knudson Alana Knudson, PhD, Senior Research Director of NORC's Walsh Center for Rural Health Analysis and Program Area, Director in NORC's Public Health Research Department
Gary Hall Gary Hall, Chief Operating Officer (COO) and Chief Information Officer (CIO) at Estes Park Health, Park Hospital District
Steve Barnett Steve Barnett, DHA, CRNA, FACHE, President and Chief Executive Officer (CEO) at McKenzie Health System

Second in a 3-part webinar series on rural emergency preparedness highlighting how Critical Access Hospitals (CAHs) have planned for, responded to, and recovered from disasters and share key points for CAHs responding to and recovering from disasters. Learn about the evacuation of Estes Park Health in Estes, Colorado as well as critical factors that played a role in the response and recovery efforts when a wildfire threatened its community. Also, hear how McKenzie Health System in Sandusky, Michigan responded to a cyberattack. The webinar will also share important considerations for CAHs and other rural hospitals when responding to disasters and emergencies, as featured in the Rural Emergency Preparedness and Response Toolkit. The toolkit and webinar were supported with funding from the Centers for Disease Control and Prevention (CDC).

Case studies featured in this webinar:

From This Webinar


Kristine Sande: I'm Kristine Sande, and I'm the program director for the Rural Health Information Hub. And I'd like to welcome you to today's webinar, Emergency Preparedness and Response Efforts in Critical Access Hospitals.

Today's webinar will feature content and case studies that were included in the Rural Emergency Preparedness and Response Toolkit, which is located on the RHIhub website. The toolkit was developed along with our partners at the NORC Walsh Center for Rural Health Analysis. And I'd especially like to thank the Centers for Disease Control and Prevention for the funding to develop this toolkit as well as for today's webinar.

Also, thanks to the Federal Office of Rural Health Policy for facilitating that funding. We have provided a PDF copy of the presentation on the RHIhub website, and that's accessible through the URL that's on your screen. And now, it is my pleasure to introduce our speakers for today's webinar.

Alana Knudson serves as a senior fellow in the Public Health Research Department at NORC at the University of Chicago and is the director of NORC's Walsh Center for Rural Health Analysis. She has over 25 years of experience leading health research studies, evaluating program effectiveness and translating findings into practice.

Gary Hall is the CIO at Estes Park Health and has been at EPH for 18 years. Gary has overseen many departments and processes over the years including facilities, ancillary clinical departments, and the various physical environments in the hospital's environment of care. Gary was the chair of the emergency preparedness committee for many years and has helped EPH navigate through floods, fires, evacuation, the pandemic, a cyber-attack, communication outages, and other incidents.

And our final speaker will be Steve Barnett. He currently serves as president and CEO of McKenzie Health System, a rural critical access hospital in Sandusky, Michigan. Steve is committed to designing a rural healthcare delivery system that delivers on quality, doesn't compromise access, and is efficient. And with that, I'll turn it over to you, Alana.

Alana Knudson: Great. Well, thank you so much for inviting us to speak today. And I'll go through these introductory slides quickly so that you can hear from our implementers in the field.

Just briefly, for those of you who may not be familiar with the NORC Walsh Center, we are now 27 years old, and we are part of NORC at the University of Chicago. Our team is primarily based in our office in Bethesda, Maryland, and we are an independent, nonpartisan nonprofit research organization. And we are committed to providing timely and actionable information for making decisions about health, public health, and especially rural health.

And as you heard from Kristine, we have partnered with RHIhub for the last almost 15 years on the development of toolkits and are grateful for their partnership. Through these years, we have created 25 different toolkits. Today, we are going to focus on what we have learned and what we have presented in our Emergency Preparedness Toolkit. You can see that has the new button on the website.

Just to give you a little background on this Emergency Preparedness Toolkit, as Kristine mentioned, this was supported through funding through CDC and facilitated by the Federal Office of Rural Health Policy. And these toolkits are intended to support and strengthen our rural programs and also to help us build an evidence base. So many of the programs that are tagged as evidence-based programs have been implemented in an urban environment. And the programs that we highlight have been implemented and demonstrated success in rural communities.

When we developed these toolkits, we go through a process, and we did the same types of process or just followed the same process for the emergency preparedness. We conducted a literature review and looked at the different resources available. We conducted numerous expert interviews, in fact, with over 35 people who were subject matter experts in Rural Emergency Preparedness and Response.

We also examined findings from case studies so that you would see how different situations resulted in a response and a recovery in 30 different rural and tribal organizations. And lastly, we developed the toolkit, and we also include resources as well as the information pertaining to the case studies. And you'll hear highlights from those case studies from Gary and Steve today.

As with all of our toolkits, our toolkit is developed in a modular format, so it meets you where you are, wherever rural community members are interested in getting started. And today's discussion, I will focus on primarily modules four, five, and six with our guest speakers speaking to their case studies.

But I wanted to put a context to how it matters for critical access hospitals. And as many of you know, part of the conditions of participation include the requirement to have a comprehensive emergency preparedness program.

This program needs to include an all-hazards approach, which also includes emerging infectious diseases. The plan needs to incorporate a communication plan, one that addresses issues for not only contacting staff and providers under emergency situations, but also how to be able to relay important patient information in the situation, for example, where there is an immediate evacuation of, for example, the critical access hospital.

It also needs to include information pertaining to policies and procedures and also demonstrate how training and testing is going to be provided. These emergency preparedness programs need to be reviewed and updated every two years according to the conditions of participation. And it also needs to include a component about addressing patient populations, especially special populations, for example, older adults and those at risk and provide information about evacuation and also services that can be provided, for example, when we have lost power or access to potable water. So how are you going to maintain a system when those infrastructure pieces may go down?

There's also a component in these emergency preparedness plans that has an outline of how the critical access hospital will participate in cooperating and collaborating with other first responders and other emergency providers in communities.

One thing we've learned through our many discussions is that we need to also take into consideration what does it mean when we have volunteers, particularly volunteers that may have a medical background. How do we account for them and ensure that we are providing the highest level of care in an emergency situation?

And so, these types of plans that also include the cooperation and collaboration of volunteers and other responders are really important and need to be consistently updated. As I said, I'll focus on three modules. And module four really provides some great background information on types of public health emergencies and disasters.

And again, these examples can help you as you continue to revise and update your own emergency plans for your critical access hospitals. In our infectious disease outbreaks, for example, we have a resource called the Hospital Personal Protective Equipment Planning Tool that identifies what is the most appropriate PPE given the situation that presents itself. We also have some excellent examples about natural disasters and ag impacts. We're going to hear today a couple of those stories as well as what happens when your equipment and infrastructure fails.

There's a couple of examples of the chemical and radiation emergencies and mass casualty incidents. And we have, for example, a really interesting case study on a train derailment that happened in Chester, Montana. And again, lessons learned from that have been helpful in further developing these pieces of the module four.

As I mentioned in your emergency preparedness plan, you need to identify all-hazards responses. And again, there are some really great examples and specific information included for each of these that may be helpful as you continue to revise and update your emergency preparedness plan.

This is an important slide because what we are also trying to better do as we go through the myriad of responses that many of our rural communities and our critical access hospitals face is to be able to capture what happened during a post-emergency assessment and to share those lessons learned.

And I had the opportunity of attending the American Hospital Association's Rural and Small Hospital Conference in San Antonio this past February. And one of the presenters from Uvalde, Texas made the comment that efficiency is the enemy of preparedness. He noted that, oftentimes, we have real-time supplies at hand, and that includes food. And so when you have a mass casualty event, you may not have adequate supplies available.

And so, to be able to better understand the impact and how response was supported during the emergency really helps in the documenting of how we responded, and it provides us some important evaluation lessons learned so that we can incorporate these and put those in our updated plans as well as share those lessons learned with others because we don't need to reinvent the wheel. We need to learn from one another.

This slide provides an important feedback loop that we can identify on the things that we have done well and areas where we want to improve. We can evaluate our response, integrate those findings, and then disseminate them.

And one piece that we have learned is the importance of considering mental health. And again, in the Uvalde, Texas presentation, there was a great deal of emphasis placed on that year anniversary following an incident or a major disaster in a community, and really thinking about the mental health of the responders and especially your critical access hospital staff.

As in all things rural, we need to know where our funding and resources are available. This particular module has specific information and you can see that you can click on and identify how local disasters qualify for public assistance.

I think one thing is really important is that rural communities always need to identify an individual. If a community doesn't have an emergency manager, for example, there needs to be a designated person who will coordinate this effort, and that needs to be aligned and coordinated with our critical access hospital because of the importance of getting support during a response and supporting the recovery phase.

So today, we're going to talk about two important case studies, and you're going to hear what happened, some of the successes, some of the barriers, and what we've learned. We're also going to get some advice. So stay tuned for Gary who is up next. And thank you very much.

Gary Hall: A lot of what Alana said really resonates as an officer at Estes Park Health, a small mountain hospital right outside Rocky Mountain National Park. We've had our share of fun over the years, but also, we, of course being CMS mandated to do an all-hazards risk assessment. In fact, we have to update our all-hazards assessment every year. Our accreditation bureau keeps us honest with that and make sure that we have taken care of that every year.

And when I look at the checklist of what we have on our all-hazards vulnerability assessment, risk assessment, we check a lot of boxes on that over the years. So we'll chat about that. But first, we'll go back and get through the slides and then talk lessons learned at the end. Let's harken back to 2020. Everybody remembers 2020. What a great year 2020 was. The pandemic started up early in the year, and all kinds of fun.

We didn't get to the vaccine point until the very end of the year or the turn into 2021. But we were having a lot of other challenges in Colorado. And I know we're not the only state that suffers from the wildfire issues. But ours have been very, very aggravated by many years of beetle kill, pine beetle kill in the forests. And I kept telling everybody it was going to go nuclear one of these years.

Well, finally went nuclear. Here's a picture of one of the exploding fires in the course of the summer and the fall. So we've had all kinds of stuff. 2013, we had floods that knocked out all the highways into and out of Estes Park. We had the National Guard up here. We have winter storms. We've had communication outages where the fiber gets cut and cuts off all internet and cell and long-distance activity.

Yeah, we had a cyber-attack. Everybody knows about the pandemic. But 2020 was the year when the fires began erupting. With that history of challenges though, that has helped keep us sharp in our emergency management planning. We do drills and exercises regularly, although there have been some years that we've had so many crises that we didn't have to, for CMS, put together any drills.

And ultimately, the planning that we had done in the practice were keys to our evacuation success. It was late in the summer or late, as far as summer in Estes Park goes, that this fire started northwest of the National Park and burned. Throughout the summer, we kept being worried about that and other fires that were cropping up. We put together an incident command. We had every department plan evacuation. At the time, we had a nursing home, which we have since shut down in 2021. We shut that down.

But we kept getting saved by favorable changes in the wind and some tremendous heroic firefighting as that fire, the Cameron Peak, became the largest in Colorado history. We even got to watch it burn past us on the north one night or a couple nights. Everybody stood out including the elk and deer out there on the high school field. You can see as it burned four or five miles to the north and passed us by. And the winds continued from a favorable westerly direction, favorable for us, not favorable for Fort Collins and other places down the hill.

We had all kind of plans that we did through our incident command. We had a planned offsite emergency staging area. We had agreements ready to move the nursing home residence and our inpatients if we needed to. Considerations were, what to take. Will we have a hospital if and when we returned? Will the network stay up?

And that was a really critical aspect of it. Who could work remotely? Well, one of the wonderful things about COVID, if there's anything wonderful about it, is that telehealth and telecommuting and videoconferencing had really exploded in 2020. And so, it was a great tool for us.

We also wondered how are we going to communicate with our community if we do have to actually evacuate? What we really didn't consider thoroughly was the incredible time compression that ended up happening when the real problem hit.

So it was on October 14th that a second fire started and, and immediately within a couple days, grew to 100,000 acres and eventually outsized even the Cameron Peak fire. Nobody believed that it could get over the rocky continental divide. And on October 22nd, it did that, and it was spotted just a few miles from Estes on our side of the divide.

The mandatory evacuation order was given to the town around noon on October 22nd. Denver sent a whole bunch of fire trucks up to spray down the hospital and trees and everything around the important buildings. The nursing home and the inpatients became our immediate and primary focus.

This is what it looked like at about two o'clock in the afternoon as the fire was approaching rapidly from the west. The entire town was evacuated with high emergent urgency. EPH was completely shut down by 4:00 PM that afternoon.

The nursing home was the most challenging, but we had practiced and planned for that well. The fire continued to approach. We started losing a lot of staff members who were leaving to evacuate their own homes and get their own families out. And we had quite a traffic jam on the exit roads out of Estes Park. This is what it looked like, kind of like after a rock concert, right?

One of the last things that I did, I grabbed a stack of laptops and a whole bunch of other related equipment; printers and other components, and we shoveled them into cars and vans and headed down the hill. I stayed at a friend's house for the next several days and set up not only communication operation, but some immediate help to the place where we'd moved our nursing home residents and other kind of support that we were doing.

That was one of the big challenges. We knew our folks were going to be calling for prescription refills or medical advice or other kind of things, and we had to create some alternative paths for the population of Estes to be able to, even while they were scattered across the front range and across several states, to be able to contact their physician, their providers, and other resources.

One of the wonderful things that occurred is the fire never hit our hospital. The electricity stayed up. My network stayed up. My various key clinical equipment stayed up through the several days. And in fact, we also got some real help from the federal government when they fast tracked some alternative broadband options into Estes Park that we'd been trying to get for years. And they opened very quickly when this occurred.
It was about four days later that a major winter snowstorm moved in. Fortunately, the firefighters had managed to stave off the fire. It never got closer than oh, about a half mile from the edge of town. It almost made it, but not quite. They did a whole lot of clear cutting up there.

If you take a tour of Rocky Mountain National Park, you can see some of the devastation on our side and particularly on the Grand Lake side as that 200,000 plus acre fire burned. We were able to move back into the hospital on October 28th, six days later. We had to do a state CMS survey in order to reopen.

As you might imagine, there was an awful lot of ash and debris all over the place, but we were able to begin opening services by October 30th, eight days after the full town and hospital evacuation.

So, some of the key lessons, the pandemic I already mentioned, really had already started moving us toward so much more telehealth, telecommuting, video conferencing. It was really terrific that we had had that jumpstart because a lot of people could continue working. Some of the billers could keep working. Human resources could keep working. IT kept working throughout.

But one of the biggest things we realized after the fact was we needed to spend time considering the highly improbable because it is possible. We just did not imagine that when the time to evacuate came that we'd be asked to evacuate in 90 minutes and evacuate our nursing home hospital and the entire town, and somehow get out of the way. But the way the winds were coming and the fire was sweeping, it really became that.

Evacuation planning, we know, has to be kept up to date. So we now have a regular plan out of our emergency management team to review those and have each department director review their evacuation plans and test it against the committee on an annual basis. You also have to be prepared for your staff that are trying to support the last services that you're doing. They begin to think of their family and their own process of evacuation. And that happened very rapidly as the afternoon occurred.

We also realized that cybersecurity needs don't change even during this type of a disaster. We had to keep high attention to that, especially since we did have people scattered all over the place trying to communicate with each other. And so, we had to still stay attuned to what kind of devices they were using and making sure that nobody was getting into our network unprotected.

And so, options for communication and continued work are just super important in an incident like this when you have to leave the building where all of your tools reside. Well, living in the virtual world that I live in, it's even more virtual than it used to be. So we keep all of our options open. Better to over-prepare and not have to use, some of the tools that you put together. It's like our over-preparation of having an emergency staging area right to the east of town became a complete moot point during the actual disaster because that also would've gotten run over.

One of the advantages of being such a small hospital and not having 25 or 30,000 employees'; we only have about 250 full-time employees, communication was very quick. It took very little time to get the word through to everyone. And everyone leaped into action and helped the cause.

We have concerns about the coming years because there are many other parts of the Colorado forest, even the ones close to us that could explode into the same kind of situation. COVID, fortunately, has gotten to an endemic stage, and that's a good thing. But I think we can anticipate more pandemics in the future.

We also realized that we hadn't given much planning to the reinstitution of services. And so that's now part of our emergency management planning to make sure that our evacuation plans also include all of the steps necessary to resume work when you come back.

Now, if we had had a long-term closure, how could we serve our community and patients? We gave some thought to that, but well, we know we didn't have to do that at the time. I hope we never have to do that. This little critical access hospitals, well, we're probably one of the most important of all the critical access hospitals because of the mountain roads between us and all of the other front range hospitals. We know during the flood 10 years ago, you couldn't get to the other hospitals.

So, it's been a wonderful thing for us. We have liaisons, memos of understanding for various resources. We have FEMA, IC training for new management coming in. We try to keep a goodly number of folks because you never know who's going to be on site when the disaster strikes. And so, we have a certain minimal level of required IC training and practice that we force with all of our management. That's about it for me. So I rest my case. And I think, at this point, I pass it over to Steve Barnett.

Steve Barnett: Thank you, Gary. What a fascinating story. And fortunately, we didn't have to deal with the fear of having fire approaching the organization with our presentation that I'm going to talk about.

Cyber-attacks are something that I think most have entertained that can happen at any given time. Healthcare, it seems, is getting increasing attention. And the individuals that attempt to get in, it appears, are targeting our patient health information and see some value on that.

It seems that to varying degrees, the focus on getting into hospital systems and holding us hostage doesn't really matter what size you are. I'm not sure how big of a factor that plays from those who are trying to access your system, but it certainly can be very disruptive for a small critical access hospital.

So, what happened? It started in March of 2022, and it happened to be a Saturday. Of course, everything seems to happen on weekends. But what really resulted in notification that we are under attack clearly began at least 24 hours before on Friday and maybe late Thursday night.

So, the process or the breach, if you will, occurred at least a day, maybe even a day and a half before we became aware that our system was going down. Normally, people reacted to systems going down like we typically react anyway because it does happen where our electronic medical record is not performing at the level that it's supposed to, or some other system we have in place is not working, or maybe even how we're connected to the internet is challenging us.

So, to be clear that we were under attack didn't occur to us for at least a day or so. Once we determined that that was what was occurring, the IT folks at our place, which is not a large staff, we only have four or five people. And as you can imagine, the skillset in a small critical access hospital in rural America probably does not rise to the level of an urban IT department.

So, trying to unravel how is this really an attack, are we really being held hostage, and how much of the system do we not have access to? The good fortune that we practice or have drills regarding systems going down probably served us well in this case.

What we learned on that call, and it was about eight o'clock at night on Saturday in March, was that we were being held ransom, and that the individuals that had penetrated our system were holding us hostage for well into the seven-figure ransom range for our patient health information.

Of course, that strikes terror in the hearts of any leadership team at a small hospital because we've been told how responsible we are for protecting and maintaining all of that information. So we were certainly on alert and trying to figure out just what was going on.

What IT described, and this is probably the easiest way and maybe the least malignant way that a breach can occur, is this was a smash and grab. So you've seen on the news from time to time where a bunch of people come in, they grab whatever they can, and then they run. And that's really what they did here. They got through our firewall. And then, they shut down whatever they could. They implemented the virus, and that virus started creeping through the system making things worse for us.

So, what our initial response was the question, are we going to pay or are we not going to pay a ransom fee? Based on the fee feedback that we had from our IT director and what he was able to determine as he went out into the dark web, is that it looks like this is an offshore breach, and it does not look like we would be assured if we did pay a ransom, that we would get the key back and be able to unlock our system.

And so, we made the painful decision to not pay the ransom and try to string these guys along for a little bit as we looked more deeply into our own system to figure out exactly what went wrong and how much recovery we might have ahead of us.

We immediately went back to paper. And that's something that I would always advise any hospital to be prepared to do, and most are likely always prepared to go to paper just because many of the software systems that we use have not achieved a level of reliability that would allow us to just eliminate the paper process.

We also began cleaning the servers. And this may have been one of the lessons learned, is we probably should not have been as eager to get those servers cleaned up until we engaged the other people that we would find out from our insurance carrier we would need to engage specifically legal firm that specializes in managing cyber-attacks and is aware of those other companies, in particular, companies that can do forensics and even companies that specialize in negotiating with what they're fondly referred to as threat actors. This tends to push off them from unleashing or opening up your files on the dark web for other people to access too early.

So, we brought our backup system up as quickly as we could. And the reason why I say maybe too quickly is because there's information there that the forensic staff, once they were on board, may have been able to glean that they no longer had access to because we had cleaned some of it already and started rebuilding the information.

So planning, what we've clearly discovered is that keeping our firewalls up to date is important. And like many of us in rural America, we're on tight budgets. IT seems to be consuming a great deal of that budget as it becomes a larger and larger part of just about everything we do in healthcare. And so, you don't want to skimp on those pieces of software that help mitigate threat actors from penetrating the system.

We began enhancing or actually redoing again the education for everyone that's on staff. In our system, we have emails that are set up for everyone, much like I'm sure most hospitals have. Well, that is inside the system, inside the firewall. So that is something that a threat actor can use, and we think that's what they did to penetrate in the first place. They use that using phishing techniques to get people to hit buttons that unlock the system and allow them to penetrate and start shutting things down.

Having an offsite disaster recovery system is clearly key to getting back online quickly. And what we needed to determine is just how many hours were we not going to be able to pull the information for as we began to rebuild our information system and those servers? And it turned out it was about 48 hours' worth of information that we needed to access in the future from the paper charting that we had quickly engaged in.

So, keeping that paper charting and making sure that billing and all the other areas that need to be able to rebuild those charts or make sure a chart even exists in the future, keeps that paperwork intact so that we can get it on board.

So, we also discovered that there is a system in place with our existing EMR through, I think, a notes page is what it turned out to be, that may have been unidentified by the threat actors and was actually safe. So for some providers, we learned that we had some ability to continue to do some work that we were not aware of.

So, revisiting your electronic medical record system and trying to take a deeper dive into some of the capabilities that exist within that system might be useful as well. And then, as I said earlier, be sensitive to communicating with forensics before removing any evidence of an attack as you're trying to rebuild your servers.

The period between when we were attacked, when we identified it, and when we got forensics on board was probably 7 to 10 days which, give or take, a couple of days, we probably would've benefited from being able to move a lot quicker than that.

So, what I can tell you is that as you would imagine, the word gets out pretty quickly in the community. And so trying to mitigate those local inquiries and making sure that there's not incorrect information being put out on the radio or in the local newspapers or just through the grapevine becomes a matter of a crafting and making sure that the messages that are going out are clear, they're brief, they're precise. And you really need to work with the local community to try and get some cooperation.

I think once we spoke with media locally, they were sensitive too and I think even sympathetic to what we were trying to accomplish and working with us to make sure that the messaging to the population at large was dripped out at a pace that was appropriate and that we could stand behind based on what we'd already learned.

What we also found, and that's where the legal folks who specialize in these things were very handy at helping us begin to assemble patient notification lists, which coupled with forensics was something that you have to go through your entire system and figure out how many people have been exposed potentially and what kind of information was exposed? How important is that to those who might want to try and take advantage of it?

We know that Social Security numbers are part of that unfortunately. And I think that was probably more important to threat actors than the actual patient health information itself. We did offer credit monitoring, which we were advised to do for at least a year. And, of course, we would extend that from time to time if we had someone who was particularly concerned or allowed in the community and they may have asked for that to be extended.

We have also learned, and actually working with the forensics folks, were able to identify some additional monitoring software that reduces some of the attempts. And it really keeps a close eye on how many people are trying to get into our system on a daily frequency or even by the minute for that matter.

And I almost feel as if I don't need to say this, but I'll say it anyway, because it's worth repeating. And that is if you're operating in an electronic environment as most of us are, it's not if you'll suffer from a cyber-attack, it is when you become a victim. So organizations should make sure they're educating, communicating, and preparing for disaster recovery.

Threat actors will get into your system eventually. That's just the way it is, and it scares me. I probably get a dozen, sometimes even two dozen, attempts through email on almost every day of the week where they're trying to get me to push the wrong button. So you really have to pay attention to where did this email come from? And they're becoming increasingly sophisticated with making it look like something that you should be comfortable going ahead and opening. So with that, I will move it to, I guess, questions and answers.

Kristine Sande: So, Steve, the first question for you is related to going back to paper records. The question is wouldn't you be able to do a weekly or biweekly backup to a secure hard drive with patient data instead of going to paper? What do you think about that?

Steve Barnett: Well, I think the answer is certainly we could. What we didn't have in place is a secure hard drive to go to and flip to. And we would've needed to use that EMR software to some extent in order to be able to continue to operate as if we were in that same environment. So I just don't know if... Well, it certainly wasn't something that we considered. Paper seemed to be the easiest and something that we do practice from time to time, but I don't disagree at all. But I leave that to the IT people to really tell me how would we make that a reality and would it be a better one?

Kristine Sande: All right. Thank you. So going back to Gary, you talked about the evacuation and the staff having to worry about their own personal affairs and their families. So in that situation, how do you ensure that you do have enough staffing? How do you work through that process?

Gary Hall: I think that you move very quickly, and that really was the key to our success. Everybody hopped on board and really helped with the inpatient and nursing home evacuation very, very quickly. And it really is a matter of time in that case because there was such a high sense of urgency to get out of the building and out of your house and out of town. But I think it's just the nature of healthcare workers. There was more than enough arms and heads to keep things going. I think it's just that level of commitment.

Kristine Sande: All right. Also for you, Gary, so did you have any healthcare professionals from outside of your community that offered to help with your response during this time?

Gary Hall: Every time that we've had some type of disaster, we've had the volunteerism. We've had nurses offer to help, providers of other types, and physicians, of course. And so, as you know and as Alana mentioned during some of the FEMA training and everything, that's one of the key components you have to have in your plan, is how are you going to handle, identify, categorize, assign volunteers?

We did not, for this event, use any outside assistance or volunteers. However, there are certainly events that we've had where we did take advantage of some of the rampant and eager volunteerism. But the number one thing, of course, is to make sure they're truly qualified for what they want to come do and to properly identify them so that they can go where they need to go.

Kristine Sande: All right. And then a question for both of you. Do you have any advice for communicating effectively and efficiently during a disaster?

Gary Hall: Do it early and often. Stay ahead of it. Stay in front of it, because you're still going to have some other reactive kinds of things. And even when we did evacuate and set up shop down the hill, we were trying to get the word out before a question would come in from one of our patients or staff members or whatever. So we communicate early and often. And honestly, be very honest.

Kristine Sande: Right. Thank you. Steve?

Steve Barnett: I think the more you practice anything, the better you get at it. And the more you communicate, to Gary's point and be doing that as effectively and honestly as you can. I don't want to give people false hope. And I have to say that when you have something like this happen and that PHI is at risk along with other information that people value, you just feel terrible that it happened, and you've exposed a population who trusted you to maintain that level of security.

So, I think everyone takes it personally, and I don't know if we could have provided a level of education that would've been taken as seriously prior to the attack as it probably is being taken after the attack.

So then, there's the work that goes into recovering from this, and the length of time, and the expense. It's not inexpensive by any means, and I can't tell you what that number was. But it was several hundred thousand dollars. And then, you can expect that the next time you have your contract or insurance come up, that cybersecurity is probably going to be a little bit more expensive than it was the last time.

So, educate, communicate, take those folks in the community who have heard about what's going on, and make sure you get them on the phone and try and deescalate their concerns, and make sure that they understand that you're doing everything you possibly can both internally as well as externally.

Kristine Sande: Right. So Steve, do you feel like the incident affected trust in your organization? And then, what do you do to address and rebuild that?

Steve Barnett: I think to some extent, to Gary's point, the more we're communicating both internally and externally and the more we understand about what has happened as we go along, and the more people begin to wrap their heads around the fact that, yeah, this is a reality of today, I think people have viewed it or viewed us as being responsible and managing it well and not trying to hide anything.

And that's probably the most important piece, is to continue to work with your local press and social media to make sure the people understand you're really managing this to the best of your ability. There are going to be a couple people that'll never come here again. But anything would've probably tripped them up in that regard anyway.

Kristine Sande: Sure. Sure. Thank you. Question for Gary. Did you need to engage backup power at any point during the wildfire evacuation?

Gary Hall: We did not. There was never electrical loss, and it was obviously a terrific testament to the firefighters to be able to do that. When I say that, everyone evacuated, well, some of our EMS personnel stayed in town and supported the firefighters, and they would make regular rounds through the building to make sure things were holding together.

But no. We have had to use our emergency generators of which we have three several times for other incidents, but not for that incident. I will take, as long as I'm talking, I want to mention one thing in regard to Steve's, for better or worse, we also got attacked in June of 2019 cyber-attack. And it was our cloud backups that ultimately saved us that those did not get infected.

And so, our very regular and constant cloud backups of our key application databases were ultimately our method for rebuilding. So I highly encourage you to make sure that you have cloud alternatives in addition to whatever physical backups you're doing.

Kristine Sande: Thank you. And maybe one last question for both of you. What has been the most surprising aspect of preparedness and response as you've worked through these emergencies and disasters that you've experienced?

Steve Barnett: I think it's the calm. I was probably more excited about this in a negative way than most of the staff at the organization. I think they're accustomed, as many people are in rural America, when things are broke, you fix them, and you don't worry about it too much. You just keep moving forward and make sure you're collecting the most important information, and make sure you continue to serve the patient population.

So, I think that the team of staff that we have delivering care did a wonderful job of just continuing to deliver care, recognizing the systems down, not complaining or finger pointing, just moving on until we were able to figure out how to get them back on and into an electronic environment.

Gary Hall: He got it right. My EMS director and I often say, "Well, the people we want on our emergency management team are the ones whose pulse rates go down in a disaster." And while obviously that's not physically true, you want that clarity of thinking that what's the next step? Work the problem. How do we get through this particular issue? It reminds me of the Apollo 13 movie. What do we have that works? And proceed from there.

Kristine Sande: Thank you so much to everyone who joined our webinar, and thanks to our speakers for the great information that they shared. The slides that we use today are available at