Thursday, March 25, 2010

Pandemic Preparedness & Crisis Management in the Media Age

This is a reprint of a feature article published with EMSResponder.com in March 2010. All rights are reserved to EMS Magazine and the author, respectively.
By: Joe Mazzarella. Chief Legal Counsel, Mutualink, Inc.
Date: March 26, 2010

The initial stages of the H1N1 flu virus raised much alarm due to the real fear that it could turn into a major health disaster. Although widespread, it has fortunately proven to have limited lethality thus far. Nonetheless, the H1N1 pandemic stressed and continues to place heavy demands on our public health response systems, and it demonstrates that we need to remain vigilant and ready to act, because the next pandemic is surely around the corner, and its severity and impact could be much worse. Although the Spanish Flu pandemic of 1918, which killed an estimated 20 to 50 million people worldwide, may seem anachronistic because modernity offers us advanced medical care, the modern environment offers new challenges in disease transmission through a highly mobile world where a single infected individual in Hong Kong can infect hundreds in New York in less than 24 hours. Much as they would for a category 5 hurricane that looms offshore ready to strike, public health and civil emergency preparedness organizations need to be prepared for the potentially catastrophic effects of a major pandemic that is highly contagious and lethal. In any large scale pandemic with significant lethality, there is a low but nonetheless real risk that basic social systems may unravel through a series of cascading and interdependent events. While the health care system remains ground zero in any pandemic outbreak, other sectors of society that provide essential services can be significantly impacted or disrupted in a major outbreak. Major civil strife can be triggered when a critical mass of individuals no longer trust that the basic support mechanisms of civil society will protect them and they begin to change behavior and challenge public order because it is in their best interest to do so. Public information officers are front and center in preempting these events before they reach an unmanageable and self-reinforcing state.
While public officials struggled to communicate with large portions of the population in 1918, the opposite problem exists today. Ironically, the virulent and uncontrollable virus which could be the catalyst for major disorder is not the actual virus itself, but our modern viral communications environment. The Internet and a 24x7 news media culture enable sensationalism, misinformation and distortions to be spread quickly, uncontrollably and indiscriminately far and wide. Social media sites, blogs, email, and text messaging are powerful mediums that allow individuals to quickly disseminate and propagate information, opinions, and speculations. With the increasing presence of mobile cameras coupled with web-enabled publishing and viewing forums, inflammatory content can be captured and instantly broadcast throughout cyberspace. The opportunity to instill fear, incite panic and instigate hostility has never been greater for so many with such little consequence for so few, whether they are willful or sadly in error. Additionally, due to the legacy of Hurricane Katrina, today’s citizenry is conditioned to embrace messages that affirm a view of the government which is dispassionately incompetent in handling large scale emergencies. Consequently, the pervasive modern digital media environment has made communications ground zero for public information officers and liaison officers. Improved communications and sophisticated dissemination strategies must be used to effectively combat and counteract disinformation, and ensure vital public information reaches its audience. At the core of this effort, emergency response planners and officials must pro-actively manage and disseminate information, enlist and collaborate with key community representatives and groups, and anticipate and seek to mitigate inaccurate information before it emerges with irreversible momentum.
The recommendations listed below are not exhaustive (fn 1), but serve to demonstrate the many issues and dynamics that come into play when a major pandemic or mass health crisis strikes. Pandemic planning must be comprehensive and take an expanded view of the social dynamics and impacts that occur at both the community and individual level when engaging in disaster communications. The audience, substance, truthfulness, timing, consistency, frequency and method of delivery are all important factors in successfully achieving an effective and sustained communications initiative. It might be that a few well placed words could be the difference between devolution into chaos or a quieting refuge that safely weathers the storm.

H1N1 Pandemic Flu Public Safety Preparedness and Communications Management Tips

1. Frontline Multi-agency Communication and Information Sharing. Basic, accurate and consistent health information should be shared among all agencies and their personnel. Information includes facts about prevention and precautions, symptoms, treatments, recovery rates, high risk groups, and fatality rates. Agency personnel that interface with the public must project confidence and a general command of the subject matter.

2. Cross Agency Collaboration and Policy Consistency. While agencies may serve different functions, they will intersect and overlap in key areas and interdependent ways. Ensure that each agency’s policies and procedures dovetail with one another in collaborative response scenarios. Agencies that are subject matter experts within their functional domain should take the lead in establishing recommended inter-agency policy coordination, and their judgments should not be supplanted by non-expert agencies. For example, disorderly conduct and civil control procedures should be established by law enforcement professionals, while first aid response and emergency medical treatment procedures should be established by medical professionals. Although expert agencies should take the lead, they need to collaborate and refine procedures to deal with unique concerns or issues that may be raised by other agencies in relation to the particular health emergency circumstance.

3. Interoperable Emergency Communications. Key agencies such as public health agencies, hospitals, EMS, Offices of Emergency Management, and police should have effective real time interoperable communications and information sharing systems in place.

4. Engaged Public Information Management. Proactive and engaged public information outreach is necessary to educate the citizenry and also preempt and combat misinformation and distortions. Engaged public information management includes:

a. Educating and Preparing Public Leadership. Ensure the timely dissemination of official positions and policies among chief executives and other public officials that may interact with the media or public. Information should be updated frequently and address evolving issues and circumstances. Officials empowered with information will pre-empt speculative or conflicting commentary which may raise uncertainty among the public.

b. Deal Straight with the Public.

i. Truth and Accuracy. Provide truthful, accurate and complete information. Withholding, minimizing or slanting information will be quickly exposed and undermine public confidence and fuel anxiety.

ii. Use Plain Language. Use plain language and data-driven facts, be explanatory and avoid jargon. If medical terms or jargon must be used, explain them.

iii. Explain Your Policies and What People Can Expect. Explain your health emergency policies and activities, and the rationale for them, in advance. Explaining your rationale in advance will defuse misconceptions and potential claims of bias, arbitrariness or insensitivity. Also, describing what people can expect when interfacing with the public health system will help alleviate anxiety.

c. Modernize Your Communications Strategy

i. Communicate Routinely and Frequently. Merely establishing a web site, even if it is chock full of information and updated often, is still a passive form of communication. It requires individuals to consciously seek out and choose to visit on a repeated basis. Officials should use multi-channel strategies to disseminate information that leverage and reinforce one another, including methods that push information to subscribers. Routinely providing updates is an important strategy to maintain the public’s attention and establish an ongoing conversation.

ii. Proactively Engage Traditional Media. Make access easy for traditional news media by updating journalists and reporters on a frequent basis, and making sure key representatives are available to speak with them. A public media relations officer should be designated as a single point of contact to disseminate news briefing information and assist journalists in establishing contact with various representatives. Requests that are received by operational officials should be directed back to the central point of contact to eliminate confusion, eliminate overlap and distractions, and improve resource and time efficiencies.

iii. Proactively Use New Media Venues. Use real time notification technologies and new social media venues to quickly disseminate important information. Email, SMS, MMS, and RSS subscription based alerting should be routinely employed to push out informational alerts with embedded HTML links to informational landing pages with more information. Share-enabling and viral bookmarking and tagging tools like Digg, Del.icio.us, Furl, Reddit, and StumbleUpon should also be employed. Social media venues like Twitter, Facebook, and MySpace should also be employed.

iv. Disinformation Management. Another important strategy that can pay dividends is actively monitoring popular internet gathering places and communities for information and rumors that are erroneous or distorted, and taking steps to disseminate corrective or clarifying information. Simple methods such as using Google Alerts with custom key words can help bring new information to your attention. Similarly, establishing a Twitter Account and following parties with relevant topical or subject matter interests can also provide an automated way to check the pulse of public concerns in near real time. Formally designating a member of your public information office to undertake these efforts is recommended.

d. Establish Advisory Communications with Frontline Clinical Health Points. Establish known and repeatable methods of communication for information updates and advisories for all frontline health care professionals, such as general practitioners, pediatricians, visiting nurses and emergency room personnel. Advisory information should extend to best practices for waiting room management and segregation, updates on symptoms, treatments, public health reporting, monitoring, testing and hospitalization. As noted previously, email alert blasts and other push-oriented information delivery methods should be used.

e. Establish Outreach and Communications with Key Groups:

i. Critical Infrastructure and Key Business Assets. Officials should establish key sector outreach representatives to interact with large business, critical infrastructure entities and other important community assets. (fn 2) Pandemic planning documents should be made available to assist business leaders and facilities operators in handling an outbreak and ensuring continuity of operations. Additionally, functional capacity and operational impact reporting should be considered so that public emergency management officials can monitor potential interruption or degradation of key services due to workforce impacts. Areas of monitoring include utilities, particularly field technicians and facilities repair personnel, municipal and regional transportation operators and personnel, such as bus drivers and train operators, law enforcement and fire personnel, acute and primary care facilities. Additionally, specific communications channels should be opened for all mass gathering facilities such as stadiums, theaters, malls and similar venues.

ii. Historically Underserved Populations. Officials should actively engage community leaders, including churches, educators, and neighborhood advocacy groups, to explain policies and procedures, share information and resources, and provide an official liaison contact to mitigate any problems with access and delivery.

iii. Aged, Handicapped and other Vulnerable Populations. Officials should actively engage group homes and retirement communities to explain policies and procedures, share information and resources, and provide an official liaison contact to address elderly issues. Special emphasis should also be placed on establishing methods of communication for the blind and hearing impaired.

iv. Schools and Universities. Officials should actively engage with schools and universities (fn 3), both private and public, regarding recommended prevention, response policies and procedures, monitoring and reporting. Grade schools should also be used as a vehicle to disseminate information back into community households. State, regional and local education officials should be continually collaborating with public health officials, means for advisory communication and updates should be established, and an official liaison contact should be provided.

v. Immigrant and Multilingual Populations. As our society has become increasingly diverse and mobile, officials should be aware that there are many non-English speaking residents and visitors, and all critical materials and instructions should be accessible in all major languages represented within the community. Appropriate emergency staffing and response should also include multi-lingual speakers and translators.

5. Monitoring and Preempting Escalation. Officials should be vigilant in monitoring trends in behavior, particularly any rise in the occurrence of acts of public disorder and the circumstances under which and places where they are occurring. As discussed, potential flash points are emergency rooms, inoculation centers and dispensaries, among others. Threats and incidents that have any reasonable nexus to the pandemic should be reported into a central repository for analysis and for establishing prevention and mitigation strategies. For example, if there is significant potential for disturbances at hospitals, then deploying uniformed law enforcement personnel at these locations may not only temper behavior but also help contain any disturbance. Implementing real time interoperable communications between security personnel and law enforcement and establishing video monitoring at key locations with real time video sharing with law enforcement is also a good strategy for force multiplication, situation awareness, and reducing response times.

6. Legal Services Collaboration. Pandemics impact not only the sick, but also their families and care givers. Many people do not have the basic legal documents in place to effectively manage and care for incapacitated family members and friends, such as healthcare proxies to make medical decisions and durable powers of attorney to handle financial affairs. Even worse, the restrictions imposed by medical privacy laws, such as HIPAA, in many cases deny care givers, family members and friends access to important information about their loved one’s medical condition and even work to block information from being given regarding the admission status of a patient at health care facilities. It is essential that individuals be properly advised regarding the need to establish HIPAA privacy waivers for their friends and relatives. Moreover, many have not attended to fundamental matters regarding estate management, particularly if they are younger individuals. In the event of a major pandemic, officials should be working with state and local Bar Associations and other legal profession organizations to build a network of available support advocates for patients and families.

The recommendations listed above are not exhaustive (fn 4), but serve to demonstrate the many issues and dynamics that come into play when a major pandemic or mass health crisis strikes. Pandemic planning must be comprehensive and take an expanded view of the social dynamics and impacts that occur at both the community and individual level. In the age of real time electronic and social media, there are opportunities to improve effective communication and planning, but there is also a potential downside. These powerful technologies can act as a major catalyst for panic and social disorder, and emergency response planners and officials must pro-actively manage and disseminate information, enlist and collaborate with key community representatives and groups, and anticipate and seek to mitigate behavioral risks before they emerge and gain irreversible momentum.

Footnotes:

[1] There are a significant number of resources available from international, federal and state agencies covering a broad array of planning issues. The following informational guide is directed specifically at information officers: Effective Media Communication during Public Health Emergencies, WHO Handbook (2005). Ref. at: http://www.who.int/csr/resources/publications/WHO%20MEDIA%20HANDBOOK.pdf. The U.S. Centers for Disease Control and Prevention (CDC) has also created an online instructional course for public information officers called “Crisis and Emergency Risk Communication Training”. It is located at: http://emergency.cdc.gov/cerc/CERConline/index.html.

[2] For a comprehensive resource guide, please see Pandemic Influenza, Preparedness, Response and Recovery, Guide for Critical Infrastructure and Key Resources, Department of Homeland Security (2006). Ref.: http://www.pandemicflu.gov/plan/pdf/cikrpandemicinfluenzaguide.pdf.

[3] See, CDC Guidance for State and Local Public Health Officials and School Administrators for School (K-12) Responses to Influenza during the 2009-2010 School Year at http://pandemicflu.gov/professional/school/schoolguidance.html. For universities, see, CDC Guidance for Responses to Influenza for Institutions of Higher Education during the 2009-2010 Academic Year at http://pandemicflu.gov/professional/school/higheredguidance.html.

[4] There are a significant number of resources available from international, federal and state agencies covering a broad array of planning issues. The following informational guide is directed specifically at information officers: Effective Media Communication during Public Health Emergencies, WHO Handbook (2005). Ref. at: http://www.who.int/csr/resources/publications/WHO%20MEDIA%20HANDBOOK.pdf. The U.S. Centers for Disease Control and Prevention (CDC) has also created an online instructional course for public information officers called “Crisis and Emergency Risk Communication Training”. It is located at: http://emergency.cdc.gov/cerc/CERConline/index.html.


Thursday, September 3, 2009

Navigating HIPAA and FERPA in an Interoperable Emergency Communications World

By: Joe Mazzarella, Chief Legal Counsel

The current United States homeland security and national emergency response policy as reflected in the National Response Framework (NRF), National Emergency Communications Plan (NECP) and National Incident Management System (NIMS) is correctly focused on implementing a scalable and cohesive “all hazards and all disciplines” emergency planning and incident response capability across all levels of government. The implementation of this policy is facilitated through a seamless interoperable communications continuum and information environment. Through this environment public safety agencies and other critical or key community assets can collaborate and coordinate in real time during incidents to achieve force and resource multiplication, greater situational awareness and enhanced response. In this world first responder agencies are linked with important community assets including schools, hospitals, utilities and other key private entities. The implementation of such a cohesively linked emergency communications sharing environment (which is nothing short of essential to improving overall national emergency preparedness and response capabilities to deal with an increasing array of natural and manmade incidents) must also coexist within a framework of privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).


HIPAA is designed to protect medical privacy of individuals and limit the unnecessary sharing and disclosure of personal medical information through or by covered groups that routinely house, access and transmit health information, such as hospitals, medical facilities and medical clearinghouse and billing services. Yet, hospitals and medical facilities play vital roles in emergency incident response and crisis recovery efforts. FERPA, like its HIPAA counterpart, also is a privacy law which is directed at protecting privacy of students and their educational records. Notably, student educational records often contain important family and health information. Like hospitals, schools (albeit for different reasons) are also at the center of emergency planning and response initiatives. It is well recognized that school populations are high priority, vulnerable community assets and close coordination and communication between schools and public safety agencies is essential to improving overall emergency readiness. In both cases, we see two key participants in the overall homeland security and emergency response landscape that have unique information privacy laws that may limit the disclosure and sharing of important information in the event of a crisis.


Fortunately, however, this is not the case. Simply put, neither HIPAA nor FERPA interfere with or hamper emergency response efforts. In fact, in each case, they are narrowly drawn in this area and provide ample room to enable both public and private emergency response entities, including “covered entities”, to communicate and share necessary information to carry out emergency response and crisis management functions.


Within the context of interoperable communications systems the operative function and effect is to enable many diverse parties to communicate and share information across boundaries. In the minds of some, this aspect of multiparty participation raises the concern that some participants within a communications group may not be privy to private or protected information, and that disclosure within this context raises the potential for inadvertent violation of these laws. This question naturally leads to the next. Do these laws require authorization levels to be established to ensure only certain participants join in group communications where certain types of protected information are to be shared? Further, must the type and scope of information that may be shared or disclosed be tailored based upon the identity of the parties that are participating in a joint communication session? Thankfully, the reality is that these questions and concerns are implicitly handled in emergency contexts, assuming covered entities under HIPAA employ standard operating policies that they already have in place and good faith reasonable judgment is used by all in light of the circumstances at hand. As a general proposition, neither privacy law restrains or prevents the flow of important information where it will protect the health, welfare, or safety of the subject individual whose privacy is being protected or those in logical and circumstantial proximity to the individual.


HIPAA. HIPAA, along with imposing uniform data coding practices, generally prohibits the unauthorized electronic disclosure of a patient’s protected health information (PHI). This prohibition is comprised of two main thrusts, one aimed at transactional privacy, and the other at ensuring data security. The rules in this area are manifold and complex. However, HIPAA is limited only to “covered entities” and there are safe harbor exceptions for various circumstances where the public interest outweighs individual privacy.


Generally speaking, covered entities are hospitals, medical facilities, health providers, and medical billing entities. HIPAA does not apply to public safety responders and agencies, including EMS (however private ambulances and those owned by, or affiliated with, a covered entity are subject to the law). Non-health care related entities and schools (except in limited cases of on-site school health clinics) are not covered. Moreover, entities that may store medical information as part of their overall function, such as independent living centers, social agencies, public health care agencies, transit organizations, and non-governmental organizations like the Red Cross, are not covered entities. Thus, most participants within any community-wide or pervasive interoperable communications environment are not subject to HIPAA. Yet, as noted, health and medical entities do play a major role within the emergency response environment and are covered by HIPAA.


Covered Entities. Given that many covered entities would participate within an interoperable emergency response communication system, an issue that does arise is how covered entities can participate without running afoul of HIPAA. The most likely circumstance where concerns would arise is in the case of emergencies or incidents where responding or participating parties may be requesting medical or health status information on one or more individuals from a covered entity (such as a hospital or medical provider). However, HIPAA makes provision for the disclosure of necessary information in emergencies.


HIPAA Safe Harbors for Emergencies.


Disclosure During Emergencies. The Department of Health and Human Services (“HHS”), the agency responsible for the administration and enforcement of HIPAA, has reaffirmed its position that HIPAA does not prevent the disclosure of medical information in the case of severe emergencies in order to enable necessary medical treatment and related logistical matters. The applicability of HIPAA became a significant issue during Katrina, and HHS acted swiftly and with clarity to provide guidance that HIPAA does not compromise emergency response and relief efforts. Specifically, HHS has articulated the following guidelines:


Treatment Information. Patient medical information may be shared in times of serious emergency


· with other medical providers (hospitals, clinics, etc.) to aid in the delivery of treatment,
· to enable patient referral and linking with available treatment centers, and
· to coordinate care with emergency relief workers.



Notification. Patient information may be shared as is necessary to enable family members, guardians and others charged with the care of an individual to be identified, located and notified of that patient’s condition and whereabouts. However, to the extent verbal permission can be obtained from the patient, it should be obtained.


Imminent Danger. Providers can share patient information with anyone where it is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public -- consistent with applicable law and the provider’s standards of ethical conduct.


See, Department of Health and Human Services-Office of Human Rights, Hurricane Katrina Bulletin: HIPAA Privacy and Disclosure During Emergency Situations, Sep. 2, 2005, and Hurricane Katrina Bulletin 2: Compliance Guidance and Enforcement Statement, Sept. 9, 2005


Hospitals and health care providers, however, should take note that emergencies do not relieve covered entities from establishing appropriate agreements in advance with respect to their business associates (i.e., agents) that house, store, maintain or administer information on their behalf. HHS makes it clear that business associates and covered entities must have a business associate agreement in place to ensure general compliance with HIPAA privacy requirements. Within these agreements, provision and consideration can be made for information sharing in cases of emergency. HHS has published a sample business associate’s contract that may be used and adapted to meet the relationship that may exist between the covered entity and its business associate. See 45 CFR 164.504(e)(2)(ii)(D). The sample contract can be found on the internet at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/enforcementstatement.pdf.


Accordingly, as part of any hospital’s or other health care provider’s emergency preparedness efforts, appropriate due diligence should be undertaken to identify whether any third party agents hold or provide information that may be required to be disseminated or shared during a crisis, and make sure a business associate’s agreement is in place to avoid a possible disruption or delay in furnishing key information during an emergency.


FERPA Safe Harbor for Emergencies


While HIPAA governs protected health care information, it does not cover health care information that is part of a student’s educational records. Health care information that is stored and maintained by schools (with the exception of on-site health clinics which process and seek insurance payments), although medical in nature, is considered part of a student’s “educational records” under FERPA rather than HIPAA. See, Department of Health and Human Services and U.S. Department of Education, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, Nov., 2008. Consequently, one must look to FERPA in regards to disclosure of student information in times of emergency.


Again, like HIPAA, under FERPA the disclosure of information within educational records to appropriate third parties is permitted without any consent in connection with an emergency. The information that is permitted to be disclosed however must be necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36.

See, also, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.


Conclusion. Overall, neither HIPAA nor FERPA offers any serious obstacle to the implementation of cohesive, real time interoperable communications and information sharing systems for emergency preparedness and response, and both can coexist quite well with the broad goals of pervasive interoperable communications collaboration envisioned within homeland security and emergency preparedness realms. Express safe harbor provisions are made to accommodate the reasonable disclosure and sharing of information among entities that are participating within the context of an emergency incident. In each case, the protection of the health and safety of individuals under the exigent circumstances of an emergency is the operable standard by which agencies and participants may collaborate.


As is the case with any subjective standard regarding what circumstances constitute an “emergency” and “necessary” information, good faith and reasonable judgments must prevail. In this regard, for entities that are covered under HIPAA and in the case of student educational records, establishing clear guidelines and policies that assist in evaluating a request for information within the context of any emergency is important. Integrating these policies into an emergency preparedness and response plan may help to support any subsequent challenge to the necessity and propriety of any disclosure by showing they were undertaken based on a well reasoned policy and on a good faith belief that the disclosure was appropriate and necessary. Perhaps even more importantly, in times of emergency the effective mitigation of harm and a successful aid response may turn on the speed with which critical information is shared with responding parties. Delays in responding to information requests caused by uncertainty or time consuming ad hoc legal or unplanned administrative reviews could adversely impact a timely emergency response effort.

Overall, while participants should be vigilant and make proper efforts to prepare for emergencies and integrate sound and lawful information sharing policies into their plans, it should be fundamentally recognized that neither FERPA nor HIPAA should serve as any obstacle to hospitals and schools participating in an interoperable emergency communications platform with other critical community participants. In fact, based upon the prevailing emergency preparedness and homeland security recommendations and policies, the failure to reasonably do so may be viewed as unreasonable in light of generally accepted standards of good security and emergency preparedness practices to the extent participation is available within your community.


Special Note. This article is provided for general information purposes only and does not constitute legal advice upon which a reader may rely. Interested parties are encouraged to consult with their legal advisers. FERPA and HIPAA are not the only privacy laws which may be applicable to you. Many states also have privacy laws which may apply to you.

Tuesday, April 28, 2009

Twitter® for Public Safety & Emergency Management

By Joseph Mazzarella, Chief Legal Counsel
April 28, 2009

In the world of public safety, obtaining and communicating important information in real time can save lives. In this regard, new communications tools are continually being deployed to improve emergency preparedness and response capabilities within a collaborative “all hazards, all disciplines” paradigm that implicitly requires coordinated planning and response among responders, supporting agencies and other critical assets. These communications improvements range from employing mass alerting and reverse 9-1-1 solutions to advanced multi-agency communications interoperability solutions that link together an array of disparate systems and equipment. While the emergency management sector forges ahead with innovation, the world at large is also blazing new paths and ways of communicating through internet and mobile data driven social networking utilities. Despite the natural temptation to dismiss them as pedestrian at best and frivolous at worst, these social networks may offer something of value to the public safety and emergency management sector. After all, literally millions of users cannot be all that wrong. One of the fastest growing social networking utilities among them, and the focus of this article, is Twitter®, which may offer emergency management and public safety organizations another potentially powerful and effective communications utility to add to their communications tool chest.

Twitter® is a deceptively simple, yet powerful social networking based communications tool. As described on its web site, “Twitter is a service for friends, family and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?” See, http://www.twitter.com. With Twitter®, people can follow one another and receive messages from their network of friends in real time. What makes Twitter powerful is that it links people together around a topic, cause or person, and it provides an easy way to quickly disseminate and share messages among “followers” in the listening group. It is proving to be a popular and particularly attractive communications medium because it intersects with the “always on and available” status created by data enabled consumer mobile devices. Availability or presence is no longer limited to whether a user logs on to his or her computer. You are always within range of your friend’s “tweet” (Twitter parlance for a message) courtesy of your Blackberry®, iPhone®, cell phone or other mobile device strapped to your hip.

Before you dismiss its potential utility, consider that Twitter is already being used in certain public safety contexts in both planned and spontaneous ways. This April, the Garden City, Kansas Police Department started using Twitter as a free public messaging tool to send out information on events, missing persons and other community advisories, as did the Franklin, Massachusetts Police Department some 1,000 miles away a few days later. In fact, a recent search of Twitter® reveals over 200 police related Twitter® micro-blogs, the largest being the Boston Police Department with over 2,100 followers. Additionally a number of local and state Offices of Emergency Management have rolled out their own Twitter alert based sites, such as Oregon OEM and University of Medicine and Dentistry of New Jersey’s (UMDNJ) Office of Emergency Management to name a few. Beyond state and local agencies, even federal agencies have jumped on board. The Department of Homeland Security (DHS) has its own Twitter® micro-blog which is used for news and announcements, and another micro-blog at twitter.com/LLIS for its Lessons Learned Information Sharing web site (www.LLIS.gov) which is a community repository of best practices information for state and local homeland security and emergency response personnel. The Center for Disease Control (CDC) Emergency Preparedness and Response site uses Twitter as a mass communications tool and has over 2,000 followers. Similarly, the FDA has employed its own Twitter feed at twitter.com/FDARecalls to alert over 3,000 people of its recall of salmonella-tainted pistachio products. See, “Twitter to the rescue: Agencies apply high-tech tools in crisis response” by Elise Castelli, Federal Times (April 06, 2009). While overall use as measured by followership remains relatively small, most of these initiatives are new and they will likely gain popularity as Twitter® becomes better known as a community alerting and information dissemination point.

While mass outbound public communication is a natural use for Twitter®, it may also serve other, potentially equally useful purposes. Twitter® is not a one way conversation utility. Namely, it is a tool for information gathering and quick interactive information updating. Followers can send messages too. In fact, Twitter® was reportedly used in the aid of a Swiss Alps mountain rescue operation. As the Alpine rescue unfolded, members of a snowboarding party were sending “tweets” to friends who were, in turn, passing on information to aid in finding their location and providing updated status details regarding their condition. See, “Mountain rescue played out on Twitter; 1 dead”, Associated Press (March 3, 2009). In one of the earliest celebrated cases of “Twitter to the rescue”, it was widely used during the 2007 Southern California wildfires to track and report fire movements in real time and alert people of potential oncoming danger. See, “California Fire Followers Set Twitter Ablaze” by Michael Calore, Wired Blog Network (Oct. 2007).

In this vein of emerging communications and cooperation, it is worth noting one particular Twitter micro-blog that is very interesting – twitter.com/HoustonFireDept. The Houston Fire Department is sending out incidents generated from its CAD system as “tweets” with hypertext linked mapped location information. It is quite easy to imagine extending this type of alert into an interactive web based information gathering portal through which the public can contribute information, and also follow incident updates at an incident defined level.

The above examples provide a glimpse into the potential utility that Twitter® may offer in the realm of emergency response and public safety. Imagine what thousands of eyes and typing hands can do to provide important information to public safety agencies during a large distributed, evolving crisis such as a natural disaster. Or, perhaps what a handful of people in the right place and at the right time can offer in the case of a manmade disaster or terrorist attack. In the case of Citizen Corps, 2,342 local councils have formed across the United States. These Corps are local citizen based civic emergency preparedness organizations designed to assist local communities with civilian emergency planning and response. Twitter might play a constructive role in providing quick updates to diverse members. Or, consider how Twitter® or a secure private Twitter-like service might be used for NIMS Incident Command System (ICS) communications functions for providing quick updates from branches, divisions, tactical units or groups. Each of these applications presents potentially useful benefits. Like any good communication tool, it has the ability to act as a force multiplier by increasing information flow and raising real time situational awareness.

As is the case with many new communications tools, functional or pseudo-functional overlap with legacy systems is not uncommon. In the area of crisis information management, for example, there are a variety of web-enabled emergency operations center solutions which purport to offer real time information sharing for emergency management personnel. These solutions range from highly sophisticated environments with extensive integrated data views to rudimentary topic driven message boards, many of which purport to comply with Incident Command System (ICS) and Emergency Support Functions (ESF) standards. However, in reality, ICS and ESF are not technology standards or explicit functional requirements inasmuch as they are organizational and process frameworks with rules meant to rationalize and organize command and control, drive coordinated planning, foster continuing training, prompt exercises, assess results, and make improvements, all in a uniformly understandable and scalable way. In this regard, any system claiming or asserting ICS standards compliance (and by implication “completeness or suitability”) misses the mark in that the very essence of the thing they purport to meet contemplates a dynamic and continuing cycle of evolutionary improvement towards an increasingly better state of active preparedness. Improving, replacing and supplementing legacy communications systems and methods to advance efficient, cohesive, real time coordinated communications and information sharing is a core principle of NIMS and ICS. So, the mere fact that there may exist other modalities of communication in use providing “similar” functions should not necessarily preclude an examination as to how the overall environment can be improved by cohesively integrating or introducing new modes of communication such as micro-blogging capabilities.

Of course, integrating Twitter® or a Twitter-like capability into a public safety or emergency management environment raises unique suitability considerations based upon its use context. These considerations include security and privacy, user identity management and authentication, evidence preservation and chain of custody, and practical possession and control matters. In the context of public alerting, for example, maintaining a permanent record of the alert content, its time of dissemination and the party who sent it are all important. These records must be maintained in a secure and controlled environment to ensure their integrity in the event of subsequent litigation or an investigation. Moreover, as with any alerting mechanism, the actual credentials and permissions of the person authorized to send alerts must be carefully managed. While external threats and breaches from hackers may permit unauthorized users to send out fraudulent alerting messages, unauthorized messaging can also occur from within the agency through lax credentials access and control procedures.

In addition, as with any official public communications outlet, an integrated administrative review and approval workflow component is important to ensure that appropriate quality control standards, legal review requirements, and internal policies are followed, obtained and recorded. In the case where Twitter® might be used to collect information from the public, concerns are present that are similar to those that arise in the context of tip lines and other inbound telephone calls. Chief among them is being able to process potentially large volumes of information that may be submitted as well as being able to determine its relevancy, verify or assess its likely accuracy and truthfulness, and assess its actionable value in a timely manner. In the case of internal communications for crisis or emergency management purposes, a broad array of considerations are at play, including the security, authentication and records management issues previously described along with evidentiary and chain of custody matters associated with communications logs. The use of third party systems where the agency is not in possession and control of its communications data records also leaves the information vulnerable to legal discovery. If information resides in another party’s possession, the agency may have no or limited opportunity to contest or challenge a demand for disclosure, particularly since the party in possession of the data may have no duty to notify the agency, or worse yet, may voluntarily choose to disclose data without due consideration for the agency’s rights or concerns.

Finally, beyond these particular considerations, there are more rudimentary issues that must be addressed when dealing with public safety communications, namely reliability. As this article was being written, Twitter served up a page at 9:39PM EST on April 19, 2009 stating “Twitter is over capacity. Please Wait and try again”. In public safety, those aren’t welcome words.

Notwithstanding the above, it is reasonable to expect the use of Twitter® to continue to rapidly grow within the public safety and emergency management space primarily as an adjunct to existing mass alerting modalities. It is further likely that Twitter® can and will be used by innovative agencies as a means to enhance information gathering through public participation - in essence enabling “virtual neighborhood watch” capabilities. However, it is very unlikely Twitter® could be adopted for any internal public safety and emergency management communications use because of the additional security, data integrity assurance, information management and control, and most importantly, reliability needs. Instead, it is more likely that private, in-house “Twitter-like” communications utilities will be created that are more suitable for public safety needs that could augment existing internal communications and information management environments, particularly where resources and assets are geographically diverse. But even within a more robust private framework, the public Twitter® environment still can play an important role as a public interface through integration and the application of appropriate information vetting and verification filters to allow relevant two-way information sharing.

Do these things like Twitter® matter? You bet. For someone, somewhere it just might make all the difference in the world. Here is one of my favorite tweets which came from the Oregon Office of Emergency Management (twitter.com/BailyJN):

“Here's the scenario - You are at work, kids at school. Big earthquake. No phone service or power. Roads closed. Tell me your plan.” 3:46 PM Mar 13th

Post Script: As this article was completed and waiting for general publishing, Microsoft announced a beta release of Vine, a new Twitter-like service for emergency communications. As they say, “timing is everything,” but then again there is a certain obviousness for the reasons described above. See, http://www.pcworld.com/article/163974/microsofts_vine_emergency_social_networking.html

*****************************************************************************
The author is not affiliated with Twitter, and the assessments and characterizations made within the article reflect the author’s opinions and do not constitute any endorsement of Twitter or its suitability or reliability for public safety or any other use. Neither the author nor publisher of this article asserts any claim or rights in or to the trade names or marks of Twitter, Inc., all of which are expressly reserved to Twitter.

You can follow the Author’s updates and commentary on Twitter at “@Interoperable”.

Thursday, April 23, 2009

Public Safety Agencies and School Emergency Communications Connected under NIMS

Reprinted from Preparedness Today February 2009

"‘NIMS Implementation Activities for Schools and Higher Education Institutions’ presents a set of key school and campus emergency management activities that will enhance the relationship between schools and campuses, their respective local governments, and their community partners as they communicate, collaborate, and coordinate on these NIMS activities." - US Dept. of Education Announcement – NIMS Implementation Activities For Schools and Higher Education Institutions

In central Connecticut, steps are being taken to establish comprehensive communications interoperability between schools and local public safety response assets. The Rocky Hill, CT. Police Department, Cromwell, CT. Police and Fire Departments, and Berlin High School and Berlin, CT. Police Department have deployed Mutualink’s communication resource sharing platform, enabling seamless, real-time interoperable communications among all of the network participants. This effort is a major step towards an emergency preparedness and response communications capability that meets the collaborative “all disciplines, all hazards” approach established under the National Response Framework (NRF), and enabling a National Incident Management System (NIMS) compliant environment with an institutionalized and operational understanding of the Incident Command System (ICS).

Schools of all levels are encouraged to be ready to handle emergencies, and the US Department of Education (ED) has issued important guidance to assist educators and administrators in implementing NIMS compliant preparedness and response programs. As part of its effort, ED has established the Readiness and Emergency Management for Schools (REMS) Technical Assistance Center. The REMS resource center can guide schools in emergency preparedness activities and also assist them with funding applications under the ED Readiness and Emergency Management for Schools (REMS) and Emergency Management for Higher Education (EMHE) Discretionary Grant Program.

In addition to the programmatic drive to achieve a higher state of preparedness and response readiness, the practical imperative of interoperable communications between public safety agencies and schools as a pragmatic step to improved safety has been further magnified over the past decade by a series of high-profile tragic events such as the ones that occurred at Columbine High School and Virginia Tech University. In the aftermath of the Virginia Tech tragedy, the International Association of Campus Law Enforcement Administrators (IACLEA) published an analysis and blueprint for safer campuses. In this report, the IACLEA reaffirmed the importance of interoperable communications for effective critical incident response.

In preparation for the operational deployment and use of Mutualink between the schools and police and fire departments, personnel at Berlin High School and Berlin Police Department have worked with Mutualink on completing FEMA Incident Command System, ICS-100 certification. In January, all participants will begin taking part in routine check-in exercises. We invite your jurisdiction to take the next step in making community-wide emergency preparedness and response a reality.

Below, we have compiled a guide of key Emergency Management and Response resources for schools and higher education institutions.

NIMS & Emergency Management Related Resources for Schools:

Lesson Learned from the Mumbai Attacks

Reprint from December 2008 Article - Preparedness Today
By: Joe Mazzarella, Chief Legal Counsel, Mutualink, Inc.

While the precise details of the November 30, 2008 terrorist attack on Mumbai, India continue to emerge, there is enough information available to provide a portrait of events that can offer many valuable lessons for public safety and security leaders. We tread lightly to avoid any notion of opportunism; however, as dedicated public safety communications professionals, we note that the Mumbai attacks reveal the fundamental role that a real time, community-wide incident based emergency communications sharing platform can play in effective emergency preparedness and response.

Without reproducing the event timeline in detail, the operational signature of the Mumbai attacks provides important information that will assist in preparing for and responding to potentially similar events in the future. As history amply demonstrates, terrorist groups tend to copy and emulate methods that they deem to be successful. Law enforcement and security professionals should recognize that the “success” of the Mumbai operation will provide both a strategic and tactical template for others. The Mumbai attacks are the realization of a predicted security threat scenario – coordinated multi-site urban terror assaults.

In this attack, we note that a massive and multi-faceted emergency response effort unfolded. It included local police, anti-terrorism police units, military units, fire rescue, bomb detection units, medical response, port authority, traffic control, and railway and airport transportation authorities. We can only speculate about the level of cohesive and interoperable communications that existed; however, the response efforts as reported appear to have been chaotic and nominally coordinated. This condition reduced and impaired force effectiveness. It also is apparent that poor and/or delayed communication and information sharing limited situational awareness, response assessments and planning.
Based upon publicly available information, we make the following observations for future emergency preparedness and response planning efforts:
  • Multiple Site Coordinated Attack – Coordinated urban attacks occurred at 10 separate locations, with 8 being within an approximately 4 mile area and the others occurring approximately 15 miles away near the Mumbai international airport. The effect and impact of the operation was catastrophic, spanned 3 days and paralyzed a major financial center with over 12 million people. Yet, it was carried out by a relatively small number of actors, consisting of an operational cell of 10 to possibly 18 people. Identifying that the singular attacks were part of an orchestrated whole took several hours.
  • Key Infrastructure and Community Assets Targeted – Key community assets were targeted or played important roles in the attacks. The targets appear to have been consciously chosen in advance of the operation. The assets were: Hospitals, Police Stations, Railway Stations, Airport Facilities, Port Facilities, Hotels, Cinemas, Cafes and Religious Sites.
  • Targeted Sites Served Multiple Reinforcing Objectives – The choice of sites provides valuable information in assessing the nature and type of facilities that may make attractive targets for future coordinated multi-site urban assaults. Specifically, we note the following:
    • Police Stations (Public Safety Command and Control) – Attacking this facility type slows down the security response apparatus and provides other actors time to execute their objectives in other locations. It should be noted that the Security Chief and other high ranking counter-terrorism officers were essentially targeted and assassinated. This tactic appears to have been designed to disrupt command and control, and hobble security response effectiveness.
    • Hotels – Hotels are emerging as high risk terrorism targets. Security personnel should be focusing on vulnerability assessments and preparedness and response plans.
      Hotels, which are historically publicly open environments with a transient guest population, are emerging as preferred targets. The Mumbai hotel attacks were patterned off the success of an earlier Marriott Hotel attack in Karachi, Pakistan. However, interest in tourism related sites and hotels extends back much further, including the Bali hotel bombing in 2002.
      The Mumbai hotel attacks reveal a variety of valuable information and insights:
      1. Symbolic Buildings. The multiple hotel buildings that were targeted had a symbolic purpose from a historical and socio-political aspect.
      2. Staging Points. The hotels themselves were used as planning, staging and storage points for weapons caches in anticipation of the attack. Some of the terrorists were guests.
      3. Bottleneck Control. Once the public access floor was under control, the remaining floors were effectively controlled and a mass hostage opportunity arose.
      4. Identifying Friend from Foe. External security personnel had a difficult time identifying the actual terrorists and clearing the hotels. Only a few video shots of terrorists’ faces were shared through conventional electronic distribution means hours after the event unfolded.
      5. Closed Circuit Video Feeds. Closed circuit video feeds were limited and in most instances unmanned. Real time feeds could not be shared.
      6. Layout Plans. Hotel layout plans were not available for response teams. This lack of information undoubtedly hindered planning and delayed a tactical response effort.
      7. Mass Communication. Communications to hotel guests stranded and barricaded in their rooms were handled from within the hotel by hotel personnel over the telephone. Mass communication and updates could not be delivered through the system by outside responders.
      8. Inside Intelligence. Despite ongoing firefights, hotel guests were actively texting and communicating with family members from mobile devices within the hotels. This represented a valuable intelligence information gathering opportunity that could have been leveraged and shared with responders.
    • Hospitals – Attacking these targets helped to further impair public safety response efforts and cause mass casualty response coordination to be more complicated. It also created psychological fear by attacking a facility which is universally accepted as a place of safety and care.
    • Airport Facilities – A taxi was blown up at one of the main roadways leading to the Mumbai International Airport. This tactic had the effect of creating a disproportionate resource response and diversion, because airports have received the lion’s share of security focus due to their status as classic terrorism targets. Assaults on airport related facilities may be used in a diversionary fashion, particularly in urban areas that host nearby airports which rely upon local emergency response assets.
    • Cinemas and Cafés – These targets are attractive mass casualty opportunities and create general mayhem. They instill immediate fear in the civilian population. In the United States, malls, cineplexes and similar predictable and routine gathering locations would be prime targets.
    • Ports – The use of water ports as a covert means of entering a targeted environment raises new concerns. Small vessels provide the ability to surreptitiously move material and men with a minimum of risk of detection by the general public. Cities with navigable water bodies that provide quick access to key parts of an urban environment should be aware of this vulnerability.
    • Railway Stations – Railway stations provide large masses of people in transit and make an attractive target for causing mass casualties. They are also attractive sites for early engagement because an attack there creates general transportation chaos, provides a good environment to blend in with other transient people carrying articles and baggage, and makes identification and apprehension difficult.
    • Religious Targets – These targets are attractive for their political and religious value and are usually designed solely to send a message and create terror. The last targets occupied in the Mumbai attacks were religious in nature and it is possible to assume that terrorists seeking a final glorifying act will move to these symbolic targets as their last place of defense and final mayhem. Being able to quickly identify, notify and communicate with these vulnerable targets early in an unfolding attack of this nature may save lives.
Overall, we have no doubt that continued and careful study and examination by security assessment professionals and strategists will yield important and valuable preparedness and response practices. Even absent those forthcoming insights, the Mumbai attacks clearly demonstrate the significant value that cohesive and adaptable community-wide emergency communications and information sharing capabilities can offer in events of this nature.
1 The information used for this article was gathered from generally available public news sources, including reports published by the BBC News, Times of India, New York Times, Washington Post, and Wall Street Journal.