Thursday, September 3, 2009

Navigating HIPAA and FERPA in an Interoperable Emergency Communications World

By: Joe Mazzarella, Chief Legal Counsel

The current United States homeland security and national emergency response policy as reflected in the National Response Framework (NRF), National Emergency Communications Plan (“NECP”) and National Incident Management System (NIMS) is correctly focused on implementing a scalable and cohesive “all hazards and all disciplines” emergency planning and incident response capability across all levels of government. The implementation of this policy is facilitated through a seamless interoperable communications continuum and information environment. Through this environment public safety agencies and other critical or key community assets can collaborate and coordinate in real time during incidents to achieve force and resource multiplication, greater situational awareness and enhanced response. In this world first responder agencies are linked with important community assets including schools, hospitals, utilities and other key private entities. The implementation of such a cohesively linked emergency communications sharing environment (which is nothing short of essential to improving overall national emergency preparedness and response capabilities to deal with an increasing array of natural and manmade incidents) must also coexist within a framework of privacy laws such as the Health Insurance and Portability and Accountability Act (HIPAA) and the Family Education Rights and Privacy Act (“FERPA”).


HIPAA is designed to protect medical privacy of individuals and limit the unnecessary sharing and disclosure of personal medical information through or by covered groups that routinely house, access and transmit health information, such as hospitals, medical facilities and medical clearinghouse and billing services. Yet, hospitals and medical facilities play vital roles in emergency incident response and crisis recovery efforts. FERPA, like its HIPAA counterpart, also is a privacy law which is directed at protecting privacy of students and their educational records. Notably, student educational records often contain important family and health information. Like hospitals, schools (albeit for different reasons) are also at the center of emergency planning and response initiatives. It is well recognized that school populations are high priority, vulnerable community assets and close coordination and communication between schools and public safety agencies is essential to improving overall emergency readiness. In both cases, we see two key participants in the overall homeland security and emergency response landscape that have unique information privacy laws that may limit the disclosure and sharing of important information in the event of a crisis.


Fortunately, however, this is not the case. Simply put, neither HIPAA nor FERPA interfere with or hamper emergency response efforts. In fact, in each case, they are narrowly drawn in this area and provide ample room to enable both public and private emergency response entities, including “covered entities”, to communicate and share necessary information to carry out emergency response and crisis management functions.


Within the context of interoperable communications systems the operative function and effect is to enable many diverse parties to communicate and share information across boundaries. In the minds of some, this aspect of multiparty participation raises the concern whether participants within a communications group may not be privy to private or protected information and disclosure within this context raises the potential for inadvertent violation of these laws. This question naturally leads to the next. Do these laws require authorization levels to be established to ensure only certain participants join in group communications where certain types of protected information are to be shared? Further, must the type and scope of information that may be shared or disclosed be tailored based upon the identity of the parties that are participating in joint communication session? Thankfully, the reality is that these questions and concerns are implicitly handled in emergency contexts, assuming covered entities under HIPAA employ standard operating policies that they already have in place and good faith reasonable judgment is used by all in light of the circumstances at hand. As a general proposition, neither privacy law restrains or prevents the flow of important information where it will protect the health, welfare, or safety of the subject individual whose privacy is being protected or those in logical and circumstantial proximity to the individual.


HIPAA. HIPAA, along with imposing uniform data coding practices, generally prohibits the unauthorized electronic disclosure of a patient’s protected health information (PHI). This prohibition is comprised of two main thrusts, one aimed at transactional privacy, and the other at ensuring data security. The rules in this area are manifold and complex. However, HIPPA is limited only to “covered entities” and there are safe harbor exceptions for various circumstances where the public interest outweighs individual privacy.


Generally speaking, covered entities are hospitals, medical facilities, health providers, and medical billing entities. HIPAA does not apply to public safety responders and agencies, including EMS (however private ambulances and those owned by, or affiliated with, a covered entity are subject to the law). Non-health care related entities and schools (except in limited cases of on-site school health clinics) are not covered. Moreover, entities that may store medical information as part of their overall function, such as independent living centers, social agencies, public health care agencies, transit organizations, and non-governmental organizations like the Red Cross, are not covered entities. Thus, most participants within any community-wide or pervasive interoperable communications environment are not subject to HIPAA. Yet, as noted, health and medical entities do play a major role within the emergency response environment and are covered by HIPAA.


Covered Entities. Given that many covered entities would participate within an interoperable emergency response communication system, an issue that does arise is how covered entities can participate without running afoul of HIPAA. The most likely circumstance where concerns would arise is in the case of emergencies or incidents where responding or participating parties may be requesting medical or health status information on one or more individuals from a covered entity (such as a hospital or medical provider). However, HIPAA makes provision for the disclosure of necessary information in emergencies.


HIPAA Safe Harbors for Emergencies.


Disclosure During Emergencies. The Department of Health and Human Services (“HHS”), the agency responsible for the administration and enforcement of HIPAA, has reaffirmed its position that HIPAA does not prevent the disclosure of medical information in the case of severe emergencies in order to enable necessary medical treatment and related logistical matters. The applicability of HIPAA became a significant issue during Katrina, and HHS acted swiftly and with clarity to provide guidance that HIPAA does not compromise emergency response and relief efforts. Specifically, HHS has articulated the following guidelines:


Treatment Information. Patient medical information may be shared in times of serious emergency


· with other medical providers (hospitals, clinics, etc.) to aid in the delivery of treatment,


- to enable patient referral and linking with available treatment centers, and


· to coordinate care with emergency relief workers.



Notification. Patient information may be shared as is necessary to enable family members, guardians and others charged with the care of an individual to be identified, located and notified of that patient’s condition and whereabouts. However, to the extent verbal permission can be obtained from the patient, it should be obtained.


Imminent Danger. Providers can share patient information with anyone where it is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public -- consistent with applicable law and the provider’s standards of ethical conduct.


See, Department of Health and Human Services-Office of Human Rights, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosure During Emergency Situations, Sep. 2, 2005, and Hurricane Katrina Bulletin 2: Compliance Guidance and Enforcement Statement, Sept. 9, 2005


Hospitals and health care providers, however, should take note that emergencies do not relieve covered entities from establishing appropriate agreements in advance with respect to its business associates (i.e., agents) that house, store, maintain or administer information on its behalf. The HSS makes it clear that business associates and covered entities, must have a business associate agreement in place to ensure general compliance with HIPAA privacy requirements. Within these agreements provision and consideration can be made for information sharing in cases of emergency. HHS has published a sample business associate’s contract that may be used and adapted to meet the relationship that may exist between the covered entity and its business associate. See 45 CFR 164.504(e)(2)(ii)(D). The sample contract can be found on the internet at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/enforcementstatement.pdf.


Accordingly, as part of any hospital’s or other health care provider’s emergency preparedness efforts, appropriate due diligence should be undertaken to identify whether any third party agents hold or provide information that may be required to be disseminated or shared during a crisis, and make sure a business associate’s agreement is in place to avoid a possible disruption or delay in furnishing key information during an emergency.


FERPA Safe Harbor for Emergencies


While HIPAA governs protected health care information, it does not cover health care information that is part of a student’s educational records. Health care information that is stored and maintained by schools (with the exception of on-site health clinics which process and seek insurance payments), although medical in nature, is considered part of a student’s “educational records” under FERPA rather than HIPAA. See, Department of Health and Human Services and U.S. Department of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, Nov., 2008. Consequently, one must look to FERPA in regards to disclosure of student information in times of emergency.


Again, like HIPAA, under FERPA the disclosure of information within educational records to appropriate third parties is permitted without any consent in connection with an emergency. The information that is permitted to be disclosed however must be necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.

See, also, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.


Conclusion. Overall, neither HIPAA nor FERPA offer any serious obstacles to the implementation of cohesive, real time interoperable communications and information sharing systems for emergency preparedness and response and can coexist quite well with the broad goals of pervasive interoperable communications collaboration envisioned within homeland security and emergency preparedness realms. Express safe harbor provisions are made to accommodate the reasonable disclosure and sharing of information among entities that are participating within the context of an emergency incident. In each case, the protection of the health and safety of individuals under the exigent circumstances of an emergency is the operable standard by which agencies and participants may collaborate.


As is the case with any subjective standard regarding what circumstances constitute an “emergency” and “necessary” information, good faith and reasonable judgments must prevail. In this regard, for entities that are covered under HIPAA and in the case of student educational records, establishing clear guidelines and policies that assist in evaluating a request for information within the context of any emergency is important. Integrating these policies into an emergency preparedness and response plan may help to support any subsequent challenge to the necessity and propriety of any disclosure by showing they were undertaken based on a well reasoned policy and on a good faith belief that the disclosure was appropriate and necessary. Perhaps even more importantly, in times of emergency the effective mitigation of harm and a successful aid response may turn on the speed with which critical information is shared with responding parties. Delays in responding to information requests caused by uncertainty or time consuming ad hoc legal or unplanned administrative reviews could adversely impact a timely emergency response effort.

Overall, while participants should be vigilant and make proper efforts to prepare for emergencies and integrate sound and lawful information sharing policies into their plans, it should be fundamentally recognized that neither FERPA nor HIPAA should serve as any obstacle to hospitals and schools participating in an interoperable emergency communications platform with other critical community participants. In fact, based upon the prevailing emergency preparedness and homeland security recommendations and policies, the failure to reasonably do so may be viewed as unreasonable in light of generally accepted standards of good security and emergency preparedness practices to the extent participation is available within your community.


Special Note. This article is provided for general information purposes only and does not constitute legal advice upon which a reader may rely. Interested parties are encouraged to consult with their legal advisers. FERPA and HIPAA are not the only privacy laws which may be applicable to you. Many states also have privacy laws which may apply to you.

Tuesday, April 28, 2009

Twitter® for Public Safety & Emergency Management

By Joseph Mazzarella, Chief Legal Counsel
April 28, 2009

In the world of public safety, obtaining and communicating important information in real time can save lives. In this regard, new communications tools are continually be deployed to improve emergency preparedness and response capabilities within a collaborative “all hazards, all disciplines’” paradigm that implicitly requires coordinated planning and response among responders, supporting agencies and other critical assets. These communications improvements range from employing mass alerting and reverse 9-1-1 solutions to advanced multi-agency communications interoperability solutions that link together an array of disparate systems and equipment. While the emergency management sector forges ahead with innovation, the world at large is also blazing new paths and ways of communicating through internet and mobile data driven social networking utilities. Despite the natural temptation to dismiss them as pedestrian at best and frivolous at worst, these social networks may offer something of value to the public safety and emergency management sector. After all, literally millions of users cannot be all that wrong. One of the fastest growing social networking utilities among them, and the focus of this article, is Twitter®, which may offer emergency management and public safety organizations with another potentially powerful and effective communications utility to add to their communications tool chest.

Twitter® is a deceptively simple, yet powerful social networking based communications tool. As described on its web site, “Twitter is a service for friends, family and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?” See, http://www.twitter.com. With Twitter®, people can follow one another and receive messages from their network of friends in real time. What makes Twitter powerful is it that it links people together around a topic, cause or person, and it provides an easy way to quickly disseminate and share messages among “followers” in the listening group. It is proving to be a popular and particularly attractive communications medium because it intersects with the “always on and available” status created by data enabled consumer mobile devices. Availability or presence is not limited to whether a user logs on to his or her computer anymore. You are always within range of your friend’s “tweet” (Twitter parlance for a message) courtesy of your Blackberry®, iPhone®, cell phone or other mobile device strapped to your hip.

Before you dismiss its potential utility, consider that Twitter is already being used in certain public safety contexts in both planned and spontaneous ways. This April, the Garden City, Kansas Police Department started using Twitter as a free public messaging tool to send out information on events, missing persons and other community advisories, as did the Franklin, Massachusetts Police Department some 1,000 miles away a few days later. In fact, a recent search of Twitter® reveals over 200 police related Twitter® micro-blogs, the largest being the Boston Police Department with over 2,100 followers. Additionally a number of local and state Offices of Emergency Management have rolled out their own Twitter alert based sites, such as Oregon OEM and University of Medicine and Dentistry of New Jersey’s (UMDNJ) Office of Emergency Management to name a few. Beyond state and local agencies, even federal agencies have jumped on board. The Department of Homeland Security (DHS) has its own Twitter® micro-blog which is used for news and announcements, and another micro-blog at twitter.com/LLIS for its Lessons Learned Information Sharing web site (www.LLIS.gov) which is a community repository of best practices information for state and local homeland security and emergency response personnel. The Center for Disease Control (CDC) Emergency Preparedness and Response site uses Twitter as a mass communications tool and has over 2,000 followers. Similarly, the FDA has employed its own Twitter feed at twitter.com/FDARecalls to alert over 3,000 people of its recall of salmonella-tainted pistachio products. See, “Twitter to the rescue: Agencies apply high-tech tools in crisis response” by Elise Castelli, Federal Times (April 06, 2009). While overall use as measured by followership remains relatively small, most of these initiatives are new and they will likely gain popularity as Twitter® becomes better known as a community alerting and information dissemination point.

While mass outbound public communication is a natural use for Twitter®, it may also serve potentially other equally useful purposes. Twitter® is not a one way conversation utility. Namely, it is a tool for information gathering and quick interactive information updating. Followers can send messages too. In fact, Twitter® was reportedly used in the aid of a Swiss Alps mountain rescue operation. As the Alpine rescue unfolded, members of a snowboarding party were sending “tweets” to friends who were, in turn, passing on information to aid in finding their location and providing updated status details regarding their condition. See, “Mountain rescue played out on Twitter; 1 dead”, Associated Press (March 3, 2009). In one the earliest celebrated cases of “Twitter to the rescue”, it was widely used during the 2007 Southern California wildfires to track and report fire movements in real time and alert people of potential oncoming danger. See, “California Fire Followers Set Twitter Ablaze” by Michael Calore, Wired Blog Network (Oct. 2007).

In this vein of emerging communications and cooperation, it is worth noting one particular Twitter micro-blog that is very interesting – twitter.com/HoustonFireDept. The Houston Fire Department is sending out incidents generated from its CAD system as “tweets” with hypertext linked mapped location information. It is quite easy to imagine extending this type of alert into an interactive web based information gathering portal through which the public can contribute information, and also follow incident updates at an incident defined level.

The above examples provide a glimpse into the potential utility that Twitter® may offer in the realm of emergency response and public safety. Imagine what thousands of eyes and typing hands can do to provide important information to public safety agencies during a large distributed, evolving crisis such as a natural disaster. Or, perhaps what a handful of people in the right place and at the right time can offer in the case of a manmade disaster or terrorist attack. In the case of Citizen Corps, 2,342 local councils have formed across that United States. These Corps are local citizen based civic emergency preparedness organizations designed to assist local communities with civilian emergency planning and response. Twitter might play a constructive role in providing quick updates to diverse members. Or, consider how Twitter® or a secure private Twitter-like service might be used for NIMS Incident Command System (ICS) communications functions for providing quick updates from branches, divisions, tactical units or groups. Each of these applications presents potentially useful benefits. Like any good communication tool, it has the ability to act as a force multiplier by increasing information flow and raising real time situational awareness.

As is the case with many new communications tools, functional or pseudo-functional overlap with legacy systems is not uncommon. In the area of crisis information management, for example, there are a variety of web-enabled emergency operations center solutions which purport to offer real time information sharing for emergency management personnel. These solutions range from highly sophisticated environments with extensive integrated data views to rudimentary topic driven message boards, many of which purport to comply with Incident Command System (ICS) and Emergency Support Functions (ESF) standards. However, in reality, ICS and ESF are not technology standards or explicit functional requirements inasmuch as they are organizational and process frameworks with rules meant to rationalize and organize command and control, drive coordinated planning, foster continuing training, prompt exercises, assess results, and make improvements, all within a uniformly understandable and scalable way. In this regard, any system claiming or asserting ICS standards compliance (and by implication “completeness or suitability”) misses the mark in that the very essence of the thing they purport to meet contemplates a dynamic and continuing cycle of evolutionary improvement towards an increasingly better state of active preparedness. Improving, replacing and supplementing legacy communications systems and methods to advance efficient, cohesive, real time coordinated communications and information sharing is a core principle of NIMS and ICS. So, the mere fact the there may exist other modalities of communication in use providing “similar” functions should not necessarily preclude an examination as to how the overall environment can be improved by cohesively integrating or introducing new modes of communication such as micro-blogging capabilities.

Of course, integrating Twitter® or a Twitter-like capability into a public safety or emergency management environment raises unique suitability considerations based upon its use context. These considerations include security and privacy, user identity management and authentication, evidence preservation and chain of custody, and practical possession and control matters. In the context of public alerting, for example, maintaining a permanent record of the alert content, its time of dissemination and the party who sent it are all important. These records must be maintained in a secure and controlled environment to ensure their integrity in the event of subsequent litigation or an investigation. Moreover, as with any alerting mechanism, the actual credentials and permissions of the person authorized to send alerts must be carefully managed. While external threats and breaches from hackers may permit unauthorized users to send out fraudulent alerting messages, unauthorized messaging can also occur from within the agency through lax credentials access and control procedures.

Finally, as with any official public communications outlet, an integrated administrative review and approval workflow component is important to ensure that appropriate quality control standards, legal review requirements, and internal policies are followed, obtained and recorded. In the case where Twitter® might be used to collect information from the public, concerns are present that are similar to those that arise in the context of tip lines and other inbound telephone calls. Chiefly among them is being able to process potentially large volumes of information that may be submitted as well as being able to determine its relevancy, verify or assess its likely accuracy and truthfulness, and assess its actionable value in a timely manner. Finally, in the case of internal communications for crisis or emergency management purposes, a broad array of considerations are at play, including the security, authentication and records management issues previously described along with evidentiary and chain of custody matters associated with communications logs. Finally, the use of third party systems where the agency is not in possession and control of its communications data records also leaves the information vulnerable to legal discovery. If information resides in another party’s possession, the agency may have no or limited opportunity to contest or challenge a demand for disclosure, particularly since the party in possession of the data may have no duty to notify the agency, or worse yet, voluntarily chooses to disclose data without due consideration for the agency’s rights or concerns.

Finally, beyond these particular considerations, there are more rudimentary issues that must be addressed when dealing with public safety communications, namely reliability. As this article was being written, Twitter served up a page at 9:39PM EST on April 19, 2009 stating “Twitter is over capacity. Please Wait and try again”. In the public safety, those aren’t welcome words.

Notwithstanding the above, it is reasonable to expect the use of Twitter® to continue to rapidly grow within the public safety and emergency management space primarily as an adjunct to existing mass alerting modalities. It is further likely that Twitter® can and will be used by innovative agencies as a means to enhance information gathering through public participation - in essence enabling “virtual neighborhood watch” capabilities. However, it is very unlikely Twitter® could be adopted for any internal public safety and emergency management communications use because of the additional security, data integrity assurance, information management and control, and most importantly, reliability needs. Instead, it is more likely that private, in-house “Twitter-like” communications utilities will be created that are more suitable for public safety needs that could augment existing internal communications and information management environments, particularly where resources and assets are geographically diverse. But even within a more robust private framework, the public Twitter® environment still can play an important role as a public interface through integration and the application of appropriate information vetting and verification filters to allow relevant two-way information sharing.

Do these things like Twitter® matter? You bet. For someone, somewhere it just might make all the difference in the world. Here is one of my favorite tweets which came from the Oregon Office of Emergency Management (twitter.com/BailyJN):

“Here's the scenario - You are at work, kids at school. Big earthquake. No phone service or power. Roads closed. Tell me your plan.” 3:46 PM Mar 13th

Post Script: As this article was completed and waiting for general publishing, Microsoft announced a beta release of Vine, a new Twitter-like service for emergency communications. As they say “timing is everything” but then again there is a certain obviousness for the reasons described above. See,
http://www.pcworld.com/article/163974/microsofts_vine_emergency_social_networking.html

*****************************************************************************
The author is not affiliated with Twitter, and the assessments and characterizations made within the article reflect the author’s opinions and do not constitute any endorsement of Twitter or its suitability or reliability for public safety or any other use. Neither the author nor publisher of this article asserts any claim or rights in or to the trade names or marks of Twitter, Inc., all of which are expressly reserved to Twitter.

You can follow the Author’s updates and commentary on Twitter at “@Interoperable”.

Thursday, April 23, 2009

Public Safety Agencies and School Emergency Communications Connected under NIMS

Reprinted from Preparedness Today February 2009

"NIMS Implementation Activities for Schools and Higher Education Institutions’ presents a set of key school and campus emergency management activities that will enhance the relationship between schools and campuses, their respective local governments, and their community partners as they communicate, collaborate, and coordinate on these NIMS activities." - US Dept. of Education Announcement – NIMS Implementation Activities For Schools and Higher Education Institutions

In central Connecticut, steps are being taken to establish comprehensive communications interoperability between schools and local public safety response assets. The Rocky Hill, CT. Police Department, Cromwell, CT. Police and Fire Departments, and Berlin High School and Berlin, CT. Police Department have deployed Mutualink’s communication resource sharing platform, enabling seamless, real-time interoperable communications among all of the network participants. This effort is a major step towards an emergency preparedness and response communications capability that meets the collaborative “all disciplines, all hazards” approach established under the National Response Framework (NRF), and enabling a National Incident Management System (NIMS) compliant environment with an institutionalized and operational understanding of the Incident Command System (ICS).

Schools of all levels are encouraged to be ready to handle emergencies, and the US Department of Education (ED) has issued important guidance to assist educators and administrators in implementing NIMS compliant preparedness and response programs. As part of its effort, ED has established the Readiness and Emergency Management for Schools (REMS) Technical Assistance Center. The REMS resource center can guide schools in emergency preparedness activities and also assist them with funding applications under the ED Readiness and Emergency Management for Schools (REMS) and Emergency Management for Higher Education (EMHE) Discretionary Grant Program.

In addition to the programmatic drive to achieve a higher state of preparedness and response readiness, the practical imperative interoperable communications between public safety agencies and schools as a pragmatic step to improved safety has been further magnified over the past decade by a series of high-profile tragic events such as the ones that occurred at Columbine High School and Virginia Tech University. In the aftermath of the Virginia Tech tragedy, the International Association of Campus Law Enforcement Administrators (IACLEA) published an analysis and blueprint for safer campuses. In this report, the IACLEA reaffirmed the importance of interoperable communications for effective critical incident response.

In preparation for the operational deployment and use of Mutualink between the schools and police and fire departments, personnel at Berlin High School and Berlin Police Department have worked with Mutualink on completing FEMA Incident Command System, ICS-100 certification. In January, all participants will begin taking part in routine check-in exercises. We invite your jurisdiction to take the next step in making community-wide emergency preparedness and response a reality.

Below, we have compiled a guide of key Emergency Management and Response resources for schools and higher education institutions.

NIMS & Emergency Management Related Resources for Schools:

Lesson Learned from the Mumbai Attacks

Reprint from December 2008 Article - Preparedness Today
By: Joe Mazzarella, Chief Legal Counsel, Mutualink, Inc.

While the precise details of the November 30, 2008 terrorist attack on Mumbai, India continue to emerge, there is enough information available to provide a portrait of events that can offer many valuable lessons for public safety and security leaders. We tread lightly to avoid any notion of opportunism, however, as dedicated public safety communications professionals, the Mumbai attacks reveal the fundamental importance that a real time, community-wide incident based emergency communications sharing platform can play in effective emergency preparedness and response.

Without reproducing the event timeline in detail, the operational signature of the Mumbai attacks provides important information that will assist in preparing for and responding to potentially similar events in the future. As history amply demonstrates, terrorist groups tend to copy and emulate methods that they deem to be successful. Law enforcement and security professionals should recognize that the “success” of the Mumbai operation will provide both a strategic and tactical template for others. The Mumbai attacks are the realization of a predicted security threat scenario – coordinated multi-site urban terror assaults.

In this attack, we note that a massive and multi-faceted emergency response effort unfolded. It included local police, anti-terrorism police units, military units, fire rescue, bomb detection units, medical response, port authority, traffic control, and railway and airport transportation authorities. We can only speculate about the level of cohesive and interoperable communications that existed, however, the response efforts as reported appear to have been chaotic and nominally coordinated. This condition reduced and impaired force effectiveness. It also is apparent that poor and/or delayed communication and information sharing limited situational awareness, response assessments and planning.
Based upon publicly available information, we make the following observations for future emergency preparedness and response planning efforts:
  • Multiple Site Coordinated Attack – Coordinated urban attacks occurred at 10 separate locations, with 8 being within an approximately 4 mile area and the others occurring approximately 15 miles away near the Mumbai international airport. The effect and impact of the operation was catastrophic, spanned 3 days and paralyzed a major financial center with over 12 million people. Yet, it was carried out by a relatively small number of actors, consisting of an operational cell of 10 to possibly 18 people. Identifying that the singular attacks were part of an orchestrated whole took several hours.
  • Key Infrastructure and Community Assets Targeted – Key community assets were targeted or played important roles in the attacks. The targets appear to have been consciously chosen in advance of the operation. The assets were: Hospitals, Police Stations, Railways Stations, Airport Facilities, Port Facilities, Hotels, Cinemas, Cafes and Religious Sites.
  • Targeted Sites Served Multiple Reinforcing Objectives - The choice of sites provides valuable information in assessing the nature and type of facilities that may make attractive targets for future coordinated multi-site urban assaults. Specifically, we note the following:
  • Police Stations - Public Safety Command and Control – Attacking this facility type slows down the security response apparatus and provided other actors time to execute their objectives in other locations. It should be noted that the Security Chief and other high ranking counter-terrorism officers were essentially targeted and assassinated. This tactic appears to have been designed to disrupt command and control, and hobble security response effectiveness.
  • Hotels – Hotels are emerging as high risk terrorism targets. Security personnel should be focusing on vulnerability assessments and preparedness and response plans.
    Hotels, which are historically publicly open environments with a transient guest population, are emerging as preferred targets. The Mumbai hotel attacks were patterned off the success of an earlier Marriott Hotel attack in Karachi, Pakistan. However, interest in tourism related sites and hotels extend back much further, including the Bali hotel bombing in 2002.
The Mumbai Hotel attacks reveal a variety of valuable information and insights:
  1. Symbolic Buildings. The multiple hotel buildings that were targeted had a symbolic purpose from a historical and socio-political aspect.
    Staging Points. The hotels themselves were used as planning, staging and storage points for weapons caches in anticipation of the attack. Some the terrorists were guests.
    Bottleneck Control. Once the public access floor was under control, the remaining floors were effectively controlled and a mass hostage opportunity arose.
  2. Identifying Friend from Foe. External security personnel had a difficult time identifying the actual terrorists and clearing the hotels. Only a few video shots of terrorists’ faces were shared through conventional electronic distribution means hours after the event unfolded.
  3. Closed Circuit Video Feeds. Closed circuit video feeds were limited and in most instances unmanned. Real time feeds could not be shared.
    Layout Plans. Hotel layout plans were not available for response teams. This lack of information undoubtedly hindered planning and delayed a tactical response effort.
  4. Mass Communication. Communications to hotel guests stranded and barricaded in their rooms were handled from within the hotel by hotel personnel over the telephone. Mass communication and updates could not be delivered through the system by outside responders.
  5. Inside Intelligence. Despite ongoing firefights, Hotel guests were actively texting and communicating with family members from mobile devices within the hotels. This represented a valuable intelligence information gathering opportunity that could have been leveraged and shared with responders.
  • Hospitals – Attacking these targets helped to further impair public safety response efforts and cause mass casualty response coordination to be more complicated. It also created psychological fear by attacking a facility which is universally accepted as a place of safety and care.
  • Airport Facilities – A taxi was blown up at one of the main roadways leading to the Mumbai International Airport. This tactic had the effect of creating a disproportionate resource response and diversion, because airports have received the lion’s share of security focus due to their status as classic terrorism targets. Assaults on airport related facilities may be used in a diversionary fashion, particularly in urban areas that host nearby airports which rely upon local emergency response assets.
  • Cinemas and Cafés – These targets are attractive mass casualties’ opportunities and create general mayhem. They instill immediate fear in the civilian population. In the United States, malls, cineplexes and similar predictable and routine gathering locations would be prime targets.
  • Ports – The use of water ports as a covert means of entering a targeted environment raises new concerns. Small vessels provide the ability to surreptitiously move material and men with a minimum of risk of detection by the general public. Cities with navigable water bodies that provide quick access to key parts of an urban environment should be aware of this vulnerability.
  • Railway Stations – Railway stations provide large masses of people in transit and make an attractive target for causing mass casualties. It also is an attractive site for early engagement because it creates general transportation chaos, provides a good environment to blend in with other transient people carrying articles and baggage, and makes identification and apprehension difficult.
  • Religious Targets – These targets are attractive for their political and religious value and are usually designed solely to send a message and create terror. The last targets occupied in the Mumbai attacks were religious in nature and it is possible to assume that terrorists seeking a final glorifying act will move to these symbolic targets as their last place of defense and final mayhem. Being able to quickly identify, notify and communicate with these vulnerable targets early in an unfolding attack of this nature may save lives.
Overall, we have no doubt that continued and careful study and examination by security assessment professionals and strategists will yield important and valuable preparedness and response practices. Even absent those forthcoming insights, the Mumbai attacks clearly demonstrate the significant value that cohesive and adaptable community-wide emergency communications and information sharing capabilities can offer in events of this nature.
1 The information used for this article was gathered from generally available public news sources, including reports published by the BBC News, Times of India, New York Times, Washington Post, and Wall Street Journal.