How Government Agencies Prepare for the Worst and What Healthcare Can Learn from This Process

This is the third of four articles in a series offering a fresh perspective for healthcare executives and security professionals on their physical security strategies. The articles are based on the expertise and perspectives I have gained through over 40 years of safeguarding U.S. national security agencies and private sector organizations.

I still remember the morning of September 11, 2001. It was glorious. The air was crisp, and there wasn’t a cloud in the sky, which was a deep, majestic blue as the sun rose over suburban Virginia. I had just finished a meeting at the CIA and was heading back to my office at FBI Headquarters in Washington, D.C., when I received a call from my office informing me that the first airplane had hit the Twin Towers in New York City.

I served as the first Assistant Director (AD) of the FBI’s Security Division. The FBI established this division just months earlier in response to the espionage arrest of Robert Hanssen. As the AD of the Security Division, I was the FBI executive responsible for the Emergency Management (EM) and Continuity of Operations Programs (COOP). Although the 9/11 attacks marked the first and only large-scale activation of the FBI’s emergency response plan in which I was involved, it was not the first time the FBI considered how to respond in a crisis. Only a few years before, we invested significant resources in updating and practicing our crisis response and COOP plans to prepare for the potential catastrophic impacts of the “Y2K Millennium Bug.”

The EM discipline has made significant advancements since 9/11, and federal and state government processes continue to incorporate many best practices that the private sector has adopted, including within healthcare. As a tailored incident command system, the Hospital Incident Command System (HICS) combines proven federal and state emergency management processes with those specific to healthcare, addressing both physical and cyber disasters. The American and California Hospital Associations serve on the HICS Advisory Committee, providing technical expertise on the development, implementation, and maintenance of HICS guidance and activities.¹

Healthcare systems should evaluate their EM, COOP, and disaster response (DR) programs. Often, insufficient attention is given to the need for “clinical continuity”, the ability to provide safe and quality care for 30 days or longer without the benefit of network or internet-connected mission-critical technologies and services, due to a malicious or non-malicious event.²  This approach will provide the additional benefit of helping healthcare organizations meet their Joint Commission accreditation requirements.

Areas for consideration include:

1. Designate an accountable executive. Organizations drive action more effectively when a single executive is responsible for it. The Joint Commission defines seven components within its Environment of Care (EOC) standards, several of which affect crisis response capabilities, including Safety, Security, and Emergency Preparedness. Healthcare organizations that fail to designate an accountable executive for oversight—potentially the EOC or EM Committee chair—risk uncoordinated and ineffective actions.
   ‍
2. Integrate program definitions and planning processes across disciplines. Organizations should combine DR, EM, and COOP planning to ensure a unified program definition and clear roles. Healthcare organizations may define these disciplines differently. For example, DR at one organization might be the responsibility of the information technology (IT) department and focus primarily on information systems. In contrast, other organizations may adopt a broader business continuity (BC) approach, reporting to the EM or security executive. Different approaches can be successful with adequate coordination and communication.
   ‍
3. Conduct thorough planning based on a current risk assessment. Best practice organizations utilize an “All-Hazards” approach to planning. The Joint Commission requires healthcare organizations to develop their EM program and COOP based on the organization’s Hazard Vulnerability Assessment. The risk assessment process evaluates the likelihood of hazards occurring and their impact on the healthcare facility and the community it serves, prioritizing these hazards for mitigation, preparation, response, and recovery actions.
   ‍
4. Allocate the necessary resources for mitigation and preparation activities. Almost nothing goes according to plan. Furthermore, critical infrastructure systems we rely on, such as cell phones, power, and water, may not function during a crisis. These are just two reasons why comprehensive planning and preparation are essential. The planning process must address how the healthcare organization will maintain essential functions, define a succession plan for key leaders, and establish a procedure for delegating authority to ensure that decision-making remains uninterrupted. Effective preparation requires sufficient time for training and conducting exercises. This can often be challenging due to the productivity demands of healthcare organizations and the responsibilities care staff have toward patients, but it is crucial. Additionally, it is vital to involve hospital administration and operational leaders in the training and exercises. The government provides various resources to assist planners, including those linked to the National Incident Management System, the Incident Command System, the National Exercise Program, and courses offered by FEMA’s National Disaster Emergency Management University.
   ‍
5. Delegate emergency response to the lowest logical operational level. The staff most familiar with operational processes are the most effective responders during a crisis. They should receive proper training and be empowered to act independently, exercising their judgment within established guidelines. If the crisis escalates, the incident command structure must ensure that responders are adequately supported and that sufficient resources are directed to the response effort as the impact increases. Throughout the response, organizations must coordinate their actions effectively and communicate relevant information both internally and externally, including with community response elements.

It is almost certain that most healthcare organizations will need to implement an emergency response to a crisis in the coming years, whether that crisis is a natural disaster or a man-made event. Now is the time to review your EM, COOP, and DR programs in light of the best practices outlined in U.S. government response protocols and the HICS. Developing and exercising your crisis response plans will yield substantial returns on your resource investment, including saved lives, better protection of healthcare assets, the ability to maintain operations during the crisis, and improved well-being for the community during times of disaster. For healthcare CEOs, an effective response during a crisis becomes a defining moment for the organization, enhancing patient confidence, staff morale, and brand reputation.

--

Ken Senser is the Chief Strategy Officer and a partner at Corporate Security Advisors, an AHA preferred cybersecurity and risk service provider. He is a subject matter expert in several disciplines, possessing over 40 years of experience in global security program governance, structure, and operations, incident response, and crisis management. During his more than 15 years as Senior Vice President at Walmart, Ken led global programs in Global Security, Investigations, Corporate Aviation, and Corporate Travel. Before joining Walmart, he served as a CIA officer detailed to the FBI as the Assistant Director of the Security Division. Following the Hanssen espionage arrest, Ken transformed the FBI's security program by establishing and overseeing the day-to-day operations of the first division in the FBI’s history focused on security. He began his federal career with the CIA in 1983, holding various executive positions and serving in roles related to physical, technical, protective, and personnel security.

All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the US Government. Nothing in the contents should be construed as asserting or implying US Government authentication of information or endorsement of the author's views.

‍

1. California Emergency Medical Services Authority (EMSA). Hospital Incident Command System, Sacramento, CA: State of California. Accessed October 18, 2025.  [link]
2. American Hospital Association. AHA Clinical Continuity Assessment Program: Cybersecurity & Continuity Assessment Brochure. Chicago, IL: AHA; July 2025. Accessed October 18, 2025. [link]

‍