Emergency Preparedness and Response Efforts in Critical Access Hospitals
Alana Knudson, PhD, Senior Research Director of NORC's Walsh Center for Rural Health Analysis and Program Area, Director in NORC's Public Health Research Department
Gary Hall, Chief Operating Officer (COO) and Chief Information Officer (CIO) at Estes Park Health, Park Hospital District
Steve Barnett, DHA, CRNA, FACHE, President and Chief Executive Officer (CEO) at McKenzie Health System
Second in a 3-part webinar series on rural emergency
preparedness highlighting how Critical Access Hospitals
(CAHs) have planned for, responded to, and recovered from
disasters and sharing key points for CAHs responding to and
recovering from disasters. Learn about the evacuation of
Estes Park Health in Estes, Colorado as well as critical
factors that played a role in the response and recovery
efforts when a wildfire threatened its community. Also,
hear how McKenzie Health System in Sandusky, Michigan
responded to a cyberattack. The webinar will also share
important considerations for CAHs and other rural
hospitals when responding to disasters and emergencies,
as featured in the
Rural Emergency Preparedness and Response Toolkit.
The toolkit and webinar were supported with funding from
the Centers for Disease Control and Prevention (CDC).
Kristine Sande: I'm Kristine Sande, and
I'm the program director for the Rural Health Information
Hub. And I'd like to welcome you to today's webinar,
Emergency Preparedness and Response Efforts in Critical
Today's webinar will feature content and case studies
that were included in the Rural Emergency Preparedness
and Response Toolkit, which is located on the RHIhub
website. The toolkit was developed along with our
partners at the NORC Walsh Center for Rural Health
Analysis. And I'd especially like to thank the Centers
for Disease Control and Prevention for the funding to
develop this toolkit as well as for today's webinar.
Also, thanks to the Federal Office of Rural Health Policy
for facilitating that funding. We have provided a PDF
copy of the presentation on the RHIhub website, and
that's accessible through the URL that's on your screen.
And now, it is my pleasure to introduce our speakers for
Alana Knudson serves as a senior fellow in the Public
Health Research Department at NORC at the University of
Chicago and is the director of NORC's Walsh Center for
Rural Health Analysis. She has over 25 years of
experience leading health research studies, evaluating
program effectiveness and translating findings into
Gary Hall is the CIO at Estes Park Health and has been at
EPH for 18 years. Gary has overseen many departments and
processes over the years including facilities, ancillary
clinical departments, and the various physical
environments in the hospital's environment of care. Gary
was the chair of the emergency preparedness committee for
many years and has helped EPH navigate through floods,
fires, evacuation, the pandemic, a cyber-attack,
communication outages, and other incidents.
And our final speaker will be Steve Barnett. He currently
serves as president and CEO of McKenzie Health System, a
rural critical access hospital in Sandusky, Michigan.
Steve is committed to designing a rural healthcare
delivery system that delivers on quality, doesn't
compromise access, and is efficient. And with that, I'll
turn it over to you, Alana.
Alana Knudson: Great. Well, thank you so
much for inviting us to speak today. And I'll go through
these introductory slides quickly so that you can hear
from our implementers in the field.
Just briefly, for those of you who may not be familiar
with the NORC Walsh Center, we are now 27 years old, and
we are part of NORC at the University of Chicago. Our
team is primarily based in our office in Bethesda,
Maryland, and we are an independent, nonpartisan
nonprofit research organization. And we are committed to
providing timely and actionable information for making
decisions about health, public health, and especially
And as you heard from Kristine, we have partnered with
RHIhub for the last almost 15 years on the development of
toolkits and are grateful for their partnership. Through
these years, we have created 25 different toolkits.
Today, we are going to focus on what we have learned and
what we have presented in our Emergency Preparedness
Toolkit. You can see that has the new button on the
Just to give you a little background on this Emergency
Preparedness Toolkit, as Kristine mentioned, this was
supported through funding through CDC and facilitated by
the Federal Office of Rural Health Policy. And these
toolkits are intended to support and strengthen our rural
programs and also to help us build an evidence base. So
many of the programs that are tagged as evidence-based
programs have been implemented in an urban environment.
And the programs that we highlight have been implemented
and demonstrated success in rural communities.
When we developed these toolkits, we go through a
process, and we did the same types of process or just
followed the same process for the emergency preparedness.
We conducted a literature review and looked at the
different resources available. We conducted numerous
expert interviews, in fact, with over 35 people who were
subject matter experts in Rural Emergency Preparedness
We also examined findings from case studies so that you
would see how different situations resulted in a response
and a recovery in 30 different rural and tribal
organizations. And lastly, we developed the toolkit, and
we also include resources as well as the information
pertaining to the case studies. And you'll hear
highlights from those case studies from Gary and Steve
As with all of our toolkits, our toolkit is developed in
a modular format, so it meets you where you are, wherever
rural community members are interested in getting
started. And today's discussion, I will focus on
primarily modules four, five, and six with our guest
speakers speaking to their case studies.
But I wanted to put a context to how it matters for
critical access hospitals. And as many of you know, part
of the conditions of participation include the
requirement to have a comprehensive emergency
This program needs to include an all-hazards approach,
which also includes emerging infectious diseases. The
plan needs to incorporate a communication plan, one that
addresses issues for not only contacting staff and
providers under emergency situations, but also how to be
able to relay important patient information in the
situation, for example, where there is an immediate
evacuation of, for example, the critical access hospital.
It also needs to include information pertaining to
policies and procedures and also demonstrate how training
and testing is going to be provided. These emergency
preparedness programs need to be reviewed and updated
every two years according to the conditions of
participation. And it also needs to include a component
about addressing patient populations, especially special
populations, for example, older adults and those at risk
and provide information about evacuation and also
services that can be provided, for example, when we have
lost power or access to potable water. So how are you
going to maintain a system when those infrastructure
pieces may go down?
There's also a component in these emergency preparedness
plans that has an outline of how the critical access
hospital will participate in cooperating and
collaborating with other first responders and other
emergency providers in communities.
One thing we've learned through our many discussions is
that we need to also take into consideration what does it
mean when we have volunteers, particularly volunteers
that may have a medical background. How do we account for
them and ensure that we are providing the highest level
of care in an emergency situation?
And so, these types of plans that also include the
cooperation and collaboration of volunteers and other
responders are really important and need to be
consistently updated. As I said, I'll focus on three
modules. And module four really provides some great
background information on types of public health
emergencies and disasters.
And again, these examples can help you as you continue to
revise and update your own emergency plans for your
critical access hospitals. In our infectious disease
outbreaks, for example, we have a resource called the
Hospital Personal Protective Equipment Planning Tool that
identifies what is the most appropriate PPE given the
situation that presents itself. We also have some
excellent examples about natural disasters and ag
impacts. We're going to hear today a couple of those
stories as well as what happens when your equipment and
There's a couple of examples of the chemical and
radiation emergencies and mass casualty incidents. And we
have, for example, a really interesting case study on a
train derailment that happened in Chester, Montana. And
again, lessons learned from that have been helpful in
further developing these pieces of the module four.
As I mentioned in your emergency preparedness plan, you
need to identify all-hazards responses. And again, there
are some really great examples and specific information
included for each of these that may be helpful as you
continue to revise and update your emergency preparedness
This is an important slide because what we are also
trying to better do as we go through the myriad of
responses that many of our rural communities and our
critical access hospitals face is to be able to capture
what happened during a post-emergency assessment and to
share those lessons learned.
And I had the opportunity of attending the American
Hospital Association's Rural and Small Hospital
Conference in San Antonio this past February. And one of
the presenters from Uvalde, Texas made the comment that
efficiency is the enemy of preparedness. He noted that,
oftentimes, we have real-time supplies at hand, and that
includes food. And so when you have a mass casualty
event, you may not have adequate supplies available.
And so, to be able to better understand the impact and
how response was supported during the emergency really
helps in the documenting of how we responded, and it
provides us some important evaluation lessons learned so
that we can incorporate these and put those in our
updated plans as well as share those lessons learned with
others because we don't need to reinvent the wheel. We
need to learn from one another.
This slide provides an important feedback loop that we
can identify on the things that we have done well and
areas where we want to improve. We can evaluate our
response, integrate those findings, and then disseminate
And one piece that we have learned is the importance of
considering mental health. And again, in the Uvalde,
Texas presentation, there was a great deal of emphasis
placed on that year anniversary following an incident or
a major disaster in a community, and really thinking
about the mental health of the responders and especially
your critical access hospital staff.
As in all things rural, we need to know where our funding
and resources are available. This particular module has
specific information and you can see that you can click
on and identify how local disasters qualify for public
I think one thing is really important is that rural
communities always need to identify an individual. If a
community doesn't have an emergency manager, for example,
there needs to be a designated person who will coordinate
this effort, and that needs to be aligned and coordinated
with our critical access hospital because of the
importance of getting support during a response and
supporting the recovery phase.
So today, we're going to talk about two important case
studies, and you're going to hear what happened, some of
the successes, some of the barriers, and what we've
learned. We're also going to get some advice. So stay
tuned for Gary who is up next. And thank you very much.
Gary Hall: A lot of what Alana said
really resonates as an officer at Estes Park Health, a
small mountain hospital right outside Rocky Mountain
National Park. We've had our share of fun over the years,
but also, we, of course being CMS mandated to do an
all-hazards risk assessment. In fact, we have to update
our all-hazards assessment every year. Our accreditation
bureau keeps us honest with that and makes sure that we
have taken care of that every year.
And when I look at the checklist of what we have on our
all-hazards vulnerability assessment, risk assessment, we
check a lot of boxes on that over the years. So we'll
chat about that. But first, we'll go back and get through
the slides and then talk lessons learned at the end.
Let's harken back to 2020. Everybody remembers 2020. What
a great year 2020 was. The pandemic started up early in
the year, and all kinds of fun.
We didn't get to the vaccine point until the very end of
the year or the turn into 2021. But we were having a lot
of other challenges in Colorado. And I know we're not the
only state that suffers from the wildfire issues. But
ours have been very, very aggravated by many years of
beetle kill, pine beetle kill in the forests. And I kept
telling everybody it was going to go nuclear one of these
Well, finally went nuclear. Here's a picture of one of
the exploding fires in the course of the summer and the
fall. So we've had all kinds of stuff. 2013, we had
floods that knocked out all the highways into and out of
Estes Park. We had the National Guard up here. We have
winter storms. We've had communication outages where the
fiber gets cut and cuts off all internet and cell and
Yeah, we had a cyber-attack. Everybody knows about the
pandemic. But 2020 was the year when the fires began
erupting. With that history of challenges though, that
has helped keep us sharp in our emergency management
planning. We do drills and exercises regularly, although
there have been some years that we've had so many crises
that we didn't have to, for CMS, put together any drills.
And ultimately, the planning that we had done in the
practice were keys to our evacuation success. It was late
in the summer or late, as far as summer in Estes Park
goes, that this fire started northwest of the National
Park and burned. Throughout the summer, we kept being
worried about that and other fires that were cropping up.
We put together an incident command. We had every
department plan evacuation. At the time, we had a nursing
home, which we have since shut down in 2021. We shut that
But we kept getting saved by favorable changes in the
wind and some tremendous heroic firefighting as that
fire, the Cameron Peak, became the largest in Colorado
history. We even got to watch it burn past us on the
north one night or a couple nights. Everybody stood out
including the elk and deer out there on the high school
field. You can see as it burned four or five miles to the
north and passed us by. And the winds continued from a
favorable westerly direction, favorable for us, not
favorable for Fort Collins and other places down the
We had all kinds of plans that we did through our incident
command. We had a planned offsite emergency staging area.
We had agreements ready to move the nursing home
residents and our inpatients if we needed to.
Considerations were, what to take. Will we have a
hospital if and when we returned? Will the network stay
And that was a really critical aspect of it. Who could
work remotely? Well, one of the wonderful things about
COVID, if there's anything wonderful about it, is that
telehealth and telecommuting and videoconferencing had
really exploded in 2020. And so, it was a great tool for
We also wondered how are we going to communicate with our
community if we do have to actually evacuate? What we
really didn't consider thoroughly was the incredible time
compression that ended up happening when the real problem
So it was on October 14th that a second fire started and
immediately within a couple days, grew to 100,000
acres and eventually outsized even the Cameron Peak fire.
Nobody believed that it could get over the rocky
continental divide. And on October 22nd, it did that, and
it was spotted just a few miles from Estes on our side of
The mandatory evacuation order was given to the town
around noon on October 22nd. Denver sent a whole bunch of
fire trucks up to spray down the hospital and trees and
everything around the important buildings. The nursing
home and the inpatients became our immediate and primary
This is what it looked like at about two o'clock in the
afternoon as the fire was approaching rapidly from the
west. The entire town was evacuated with high emergent
urgency. EPH was completely shut down by 4:00 PM that
The nursing home was the most challenging, but we had
practiced and planned for that well. The fire continued
to approach. We started losing a lot of staff members who
were leaving to evacuate their own homes and get their
own families out. And we had quite a traffic jam on the
exit roads out of Estes Park. This is what it looked
like, kind of like after a rock concert, right?
One of the last things that I did, I grabbed a stack of
laptops and a whole bunch of other related equipment,
printers and other components, and we shoveled them into
cars and vans and headed down the hill. I stayed at a
friend's house for the next several days and set up not
only communication operation, but some immediate help to
the place where we'd moved our nursing home residents and
other kind of support that we were doing.
That was one of the big challenges. We knew our folks
were going to be calling for prescription refills or
medical advice or other kind of things, and we had to
create some alternative paths for the population of Estes
to be able to, even while they were scattered across the
front range and across several states, to be able to
contact their physician, their providers, and other
One of the wonderful things that occurred is the fire
never hit our hospital. The electricity stayed up. My
network stayed up. My various key clinical equipment
stayed up through the several days. And in fact, we also
got some real help from the federal government when they
fast tracked some alternative broadband options into
Estes Park that we'd been trying to get for years. And
they opened very quickly when this occurred.
It was about four days later that a major winter
snowstorm moved in. Fortunately, the firefighters had
managed to stave off the fire. It never got closer than
oh, about a half mile from the edge of town. It almost
made it, but not quite. They did a whole lot of clear
cutting up there.
If you take a tour of Rocky Mountain National Park, you
can see some of the devastation on our side and
particularly on the Grand Lake side as that 200,000 plus
acre fire burned. We were able to move back into the
hospital on October 28th, six days later. We had to do a
state CMS survey in order to reopen.
As you might imagine, there was an awful lot of ash and
debris all over the place, but we were able to begin
opening services by October 30th, eight days after the
full town and hospital evacuation.
So, some of the key lessons, the pandemic I already
mentioned, really had already started moving us toward so
much more telehealth, telecommuting, video conferencing.
It was really terrific that we had had that jumpstart
because a lot of people could continue working. Some of
the billers could keep working. Human resources could
keep working. IT kept working throughout.
But one of the biggest things we realized after the fact
was we needed to spend time considering the highly
improbable because it is possible. We just did not
imagine that when the time to evacuate came that we'd be
asked to evacuate in 90 minutes and evacuate our nursing
home hospital and the entire town, and somehow get out of
the way. But the way the winds were coming and the fire
was sweeping, it really became that.
Evacuation planning, we know, has to be kept up to date.
So we now have a regular plan out of our emergency
management team to review those and have each department
director review their evacuation plans and test it
against the committee on an annual basis. You also have
to be prepared for your staff that are trying to support
the last services that you're doing. They begin to think
of their family and their own process of evacuation. And
that happened very rapidly as the afternoon occurred.
We also realized that cybersecurity needs don't change
even during this type of a disaster. We had to keep high
attention to that, especially since we did have people
scattered all over the place trying to communicate with
each other. And so, we had to still stay attuned to what
kind of devices they were using and making sure that
nobody was getting into our network unprotected.
And so, options for communication and continued work are
just super important in an incident like this when you
have to leave the building where all of your tools
reside. Well, living in the virtual world that I live in,
it's even more virtual than it used to be. So we keep all
of our options open. Better to over-prepare and not have
to use some of the tools that you put together. It's
like our over-preparation of having an emergency staging
area right to the east of town became a complete moot
point during the actual disaster because that also
would've gotten run over.
One of the advantages of being such a small hospital and
not having 25 or 30,000 employees; we only have about
250 full-time employees, communication was very quick. It
took very little time to get the word through to
everyone. And everyone leaped into action and helped the
We have concerns about the coming years because there are
many other parts of the Colorado forest, even the ones
close to us that could explode into the same kind of
situation. COVID, fortunately, has gotten to an endemic
stage, and that's a good thing. But I think we can
anticipate more pandemics in the future.
We also realized that we hadn't given much planning to
the reinstitution of services. And so that's now part of
our emergency management planning to make sure that our
evacuation plans also include all of the steps necessary
to resume work when you come back.
Now, if we had had a long-term closure, how could we
serve our community and patients? We gave some thought to
that, but well, we know we didn't have to do that at the
time. I hope we never have to do that. This little
critical access hospitals, well, we're probably one of
the most important of all the critical access hospitals
because of the mountain roads between us and all of the
other front range hospitals. We know during the flood 10
years ago, you couldn't get to the other hospitals.
So, it's been a wonderful thing for us. We have liaisons,
memos of understanding for various resources. We have
FEMA, IC training for new management coming in. We try to
keep a goodly number of folks because you never know
who's going to be on site when the disaster strikes. And
so, we have a certain minimal level of required IC
training and practice that we force with all of our
management. That's about it for me. So I rest my case.
And I think, at this point, I pass it over to Steve
Steve Barnett: Thank you, Gary. What a
fascinating story. And fortunately, we didn't have to
deal with the fear of having fire approaching the
organization with our presentation that I'm going to talk
Cyber-attacks are something that I think most have
entertained that can happen at any given time.
Healthcare, it seems, is getting increasing attention.
And the individuals that attempt to get in, it appears,
are targeting our patient health information and see some
value on that.
It seems that to varying degrees, the focus on getting
into hospital systems and holding us hostage doesn't
really matter what size you are. I'm not sure how big of
a factor that plays from those who are trying to access
your system, but it certainly can be very disruptive for
a small critical access hospital.
So, what happened? It started in March of 2022, and it
happened to be a Saturday. Of course, everything seems to
happen on weekends. But what really resulted in
notification that we are under attack clearly began at
least 24 hours before on Friday and maybe late Thursday
So, the process or the breach, if you will, occurred at
least a day, maybe even a day and a half before we became
aware that our system was going down. Normally, people
reacted to systems going down like we typically react
anyway because it does happen where our electronic
medical record is not performing at the level that it's
supposed to, or some other system we have in place is not
working, or maybe even how we're connected to the
internet is challenging us.
So, to be clear that we were under attack didn't occur to
us for at least a day or so. Once we determined that that
was what was occurring, the IT folks at our place, which
is not a large staff, we only have four or five people.
And as you can imagine, the skillset in a small critical
access hospital in rural America probably does not rise
to the level of an urban IT department.
So, trying to unravel how is this really an attack, are
we really being held hostage, and how much of the system
do we not have access to? The good fortune that we
practice or have drills regarding systems going down
probably served us well in this case.
What we learned on that call, and it was about eight
o'clock at night on Saturday in March, was that we were
being held ransom, and that the individuals that had
penetrated our system were holding us hostage for well
into the seven-figure ransom range for our patient health
Of course, that strikes terror in the hearts of any
leadership team at a small hospital because we've been
told how responsible we are for protecting and
maintaining all of that information. So we were certainly
on alert and trying to figure out just what was going on.
What IT described, and this is probably the easiest way
and maybe the least malignant way that a breach can
occur, is this was a smash and grab. So you've seen on
the news from time to time where a bunch of people come
in, they grab whatever they can, and then they run. And
that's really what they did here. They got through our
firewall. And then, they shut down whatever they could.
They implemented the virus, and that virus started
creeping through the system making things worse for us.
So, what our initial response was the question, are we
going to pay or are we not going to pay a ransom fee?
Based on the feedback that we had from our IT
director and what he was able to determine as he went out
into the dark web, is that it looks like this is an
offshore breach, and it does not look like we would be
assured if we did pay a ransom, that we would get the key
back and be able to unlock our system.
And so, we made the painful decision to not pay the
ransom and try to string these guys along for a little
bit as we looked more deeply into our own system to
figure out exactly what went wrong and how much recovery
we might have ahead of us.
We immediately went back to paper. And that's something
that I would always advise any hospital to be prepared to
do, and most are likely always prepared to go to paper
just because many of the software systems that we use
have not achieved a level of reliability that would allow
us to just eliminate the paper process.
We also began cleaning the servers. And this may have
been one of the lessons learned, is we probably should
not have been as eager to get those servers cleaned up
until we engaged the other people that we would find out
from our insurance carrier we would need to engage,
specifically a legal firm that specializes in managing
cyber-attacks and is aware of those other companies, in
particular, companies that can do forensics and even
companies that specialize in negotiating with what
they're fondly referred to as threat actors. This tends
to push them off from unleashing or opening up your files
on the dark web for other people to access too early.
So, we brought our backup system up as quickly as we
could. And the reason why I say maybe too quickly is
because there's information there that the forensic
staff, once they were on board, may have been able to
glean that they no longer had access to because we had
cleaned some of it already and started rebuilding the
So planning, what we've clearly discovered is that
keeping our firewalls up to date is important. And like
many of us in rural America, we're on tight budgets. IT
seems to be consuming a great deal of that budget as it
becomes a larger and larger part of just about everything
we do in healthcare. And so, you don't want to skimp on
those pieces of software that help mitigate threat actors
from penetrating the system.
We began enhancing or actually redoing again the
education for everyone that's on staff. In our system, we
have emails that are set up for everyone, much like I'm
sure most hospitals have. Well, that is inside the
system, inside the firewall. So that is something that a
threat actor can use, and we think that's what they did
to penetrate in the first place. They use that using
phishing techniques to get people to hit buttons that
unlock the system and allow them to penetrate and start
shutting things down.
Having an offsite disaster recovery system is clearly key
to getting back online quickly. And what we needed to
determine is just how many hours were we not going to be
able to pull the information for as we began to rebuild
our information system and those servers? And it turned
out it was about 48 hours' worth of information that we
needed to access in the future from the paper charting
that we had quickly engaged in.
So, keeping that paper charting and making sure that
billing and all the other areas that need to be able to
rebuild those charts or make sure a chart even exists in
the future, keeps that paperwork intact so that we can
get it on board.
So, we also discovered that there is a system in place
with our existing EMR through, I think, a notes page is
what it turned out to be, that may have been unidentified
by the threat actors and was actually safe. So for some
providers, we learned that we had some ability to
continue to do some work that we were not aware of.
So, revisiting your electronic medical record system and
trying to take a deeper dive into some of the
capabilities that exist within that system might be
useful as well. And then, as I said earlier, be sensitive
to communicating with forensics before removing any
evidence of an attack as you're trying to rebuild your
The period between when we were attacked, when we
identified it, and when we got forensics on board was
probably 7 to 10 days which, give or take, a couple of
days, we probably would've benefited from being able to
move a lot quicker than that.
So, what I can tell you is that as you would imagine, the
word gets out pretty quickly in the community. And so
trying to mitigate those local inquiries and making sure
that there's not incorrect information being put out on
the radio or in the local newspapers or just through the
grapevine becomes a matter of crafting and making sure
that the messages that are going out are clear, they're
brief, they're precise. And you really need to work with
the local community to try and get some cooperation.
I think once we spoke with media locally, they were
sensitive too and I think even sympathetic to what we
were trying to accomplish and working with us to make
sure that the messaging to the population at large was
dripped out at a pace that was appropriate and that we
could stand behind based on what we'd already learned.
What we also found, and that's where the legal folks who
specialize in these things were very handy at helping us
begin to assemble patient notification lists, which
coupled with forensics was something that you have to go
through your entire system and figure out how many people
have been exposed potentially and what kind of
information was exposed? How important is that to those
who might want to try and take advantage of it?
We know that Social Security numbers are part of that
unfortunately. And I think that was probably more
important to threat actors than the actual patient health
information itself. We did offer credit monitoring, which
we were advised to do for at least a year. And, of
course, we would extend that from time to time if we had
someone who was particularly concerned or allowed in the
community and they may have asked for that to be
We have also learned, and actually working with the
forensics folks, were able to identify some additional
monitoring software that reduces some of the attempts.
And it really keeps a close eye on how many people are
trying to get into our system on a daily frequency or
even by the minute for that matter.
And I almost feel as if I don't need to say this, but
I'll say it anyway, because it's worth repeating. And
that is if you're operating in an electronic environment
as most of us are, it's not if you'll suffer from a
cyber-attack, it is when you become a victim. So
organizations should make sure they're educating,
communicating, and preparing for disaster recovery.
Threat actors will get into your system eventually.
That's just the way it is, and it scares me. I probably
get a dozen, sometimes even two dozen, attempts through
email on almost every day of the week where they're
trying to get me to push the wrong button. So you really
have to pay attention to where did this email come from?
And they're becoming increasingly sophisticated with
making it look like something that you should be
comfortable going ahead and opening. So with that, I will
move it to, I guess, questions and answers.
Kristine Sande: So, Steve, the first
question for you is related to going back to paper
records. The question is wouldn't you be able to do a
weekly or biweekly backup to a secure hard drive with
patient data instead of going to paper? What do you think
Steve Barnett: Well, I think the answer
is certainly we could. What we didn't have in place is a
secure hard drive to go to and flip to. And we would've
needed to use that EMR software to some extent in order
to be able to continue to operate as if we were in that
same environment. So I just don't know if... Well, it
certainly wasn't something that we considered. Paper
seemed to be the easiest and something that we do
practice from time to time, but I don't disagree at all.
But I leave that to the IT people to really tell me how
would we make that a reality and would it be a better
Kristine Sande: All right. Thank you. So
going back to Gary, you talked about the evacuation and
the staff having to worry about their own personal
affairs and their families. So in that situation, how do
you ensure that you do have enough staffing? How do you
work through that process?
Gary Hall: I think that you move very
quickly, and that really was the key to our success.
Everybody hopped on board and really helped with the
inpatient and nursing home evacuation very, very quickly.
And it really is a matter of time in that case because
there was such a high sense of urgency to get out of the
building and out of your house and out of town. But I
think it's just the nature of healthcare workers. There
was more than enough arms and heads to keep things going.
I think it's just that level of commitment.
Kristine Sande: All right. Also for you,
Gary, so did you have any healthcare professionals from
outside of your community that offered to help with your
response during this time?
Gary Hall: Every time that we've had
some type of disaster, we've had the volunteerism. We've
had nurses offer to help, providers of other types, and
physicians, of course. And so, as you know and as Alana
mentioned during some of the FEMA training and
everything, that's one of the key components you have to
have in your plan, is how are you going to handle,
identify, categorize, assign volunteers?
We did not, for this event, use any outside assistance or
volunteers. However, there are certainly events that
we've had where we did take advantage of some of the
rampant and eager volunteerism. But the number one thing,
of course, is to make sure they're truly qualified for
what they want to come do and to properly identify them
so that they can go where they need to go.
Kristine Sande: All right. And then a
question for both of you. Do you have any advice for
communicating effectively and efficiently during a
Gary Hall: Do it early and often. Stay
ahead of it. Stay in front of it, because you're still
going to have some other reactive kinds of things. And
even when we did evacuate and set up shop down the hill,
we were trying to get the word out before a question
would come in from one of our patients or staff members
or whatever. So we communicate early and often. And
honestly, be very honest.
Kristine Sande: Right. Thank you. Steve?
Steve Barnett: I think the more you
practice anything, the better you get at it. And the more
you communicate, to Gary's point and be doing that as
effectively and honestly as you can. I don't want to give
people false hope. And I have to say that when you have
something like this happen and that PHI is at risk along
with other information that people value, you just feel
terrible that it happened, and you've exposed a
population who trusted you to maintain that level of
So, I think everyone takes it personally, and I don't
know if we could have provided a level of education that
would've been taken as seriously prior to the attack as
it probably is being taken after the attack.
So then, there's the work that goes into recovering from
this, and the length of time, and the expense. It's not
inexpensive by any means, and I can't tell you what that
number was. But it was several hundred thousand dollars.
And then, you can expect that the next time you have your
contract or insurance come up, that cybersecurity is
probably going to be a little bit more expensive than it
was the last time.
So, educate, communicate, take those folks in the
community who have heard about what's going on, and make
sure you get them on the phone and try and deescalate
their concerns, and make sure that they understand that
you're doing everything you possibly can both internally
as well as externally.
Kristine Sande: Right. So Steve, do you
feel like the incident affected trust in your
organization? And then, what do you do to address and
Steve Barnett: I think to some extent,
to Gary's point, the more we're communicating both
internally and externally and the more we understand
about what has happened as we go along, and the more
people begin to wrap their heads around the fact that,
yeah, this is a reality of today, I think people have
viewed it or viewed us as being responsible and managing
it well and not trying to hide anything.
And that's probably the most important piece, is to
continue to work with your local press and social media
to make sure the people understand you're really managing
this to the best of your ability. There are going to be a
couple people that'll never come here again. But anything
would've probably tripped them up in that regard anyway.
Kristine Sande: Sure. Sure. Thank you.
Question for Gary. Did you need to engage backup power at
any point during the wildfire evacuation?
Gary Hall: We did not. There was never
electrical loss, and it was obviously a terrific
testament to the firefighters to be able to do that. When
I say that everyone evacuated, well, some of our EMS
personnel stayed in town and supported the firefighters,
and they would make regular rounds through the building
to make sure things were holding together.
But no. We have had to use our emergency generators, of
which we have three, several times for other incidents,
but not for that incident. I will take, as long as I'm
talking, I want to mention one thing in regard to
Steve's, for better or worse, we also got attacked in
June of 2019 cyber-attack. And it was our cloud backups
that ultimately saved us that those did not get infected.
And so, our very regular and constant cloud backups of
our key application databases were ultimately our method
for rebuilding. So I highly encourage you to make sure
that you have cloud alternatives in addition to whatever
physical backups you're doing.
Kristine Sande: Thank you. And maybe one
last question for both of you. What has been the most
surprising aspect of preparedness and response as you've
worked through these emergencies and disasters that
Steve Barnett: I think it's the calm. I
was probably more excited about this in a negative way
than most of the staff at the organization. I think
they're accustomed, as many people are in rural America,
when things are broke, you fix them, and you don't worry
about it too much. You just keep moving forward and make
sure you're collecting the most important information,
and make sure you continue to serve the patient
So, I think that the team of staff that we have
delivering care did a wonderful job of just continuing to
deliver care, recognizing the systems down, not
complaining or finger pointing, just moving on until we
were able to figure out how to get them back on and into
an electronic environment.
Gary Hall: He got it right. My EMS
director and I often say, "Well, the people we want on
our emergency management team are the ones whose pulse
rates go down in a disaster." And while obviously that's
not physically true, you want that clarity of thinking
that what's the next step? Work the problem. How do we
get through this particular issue? It reminds me of the
Apollo 13 movie. What do we have that works? And proceed
Kristine Sande: Thank you so much to
everyone who joined our webinar, and thanks to our
speakers for the great information that they shared. The
slides that we use today are available at www.ruralhealthinfo.org/webinars.