Public Sector CIOs: Planning for a Pandemic

By Kim Boatman

In the wake of Hurricane Katrina and other disasters, state governments have learned valuable lessons, says Drew Leatherby, issues coordinator for the National Association of State Chief Information Officers (NASCIO).

“Definitely, all states have a continuity of operations or disaster recovery plan in place,’’ says Leatherby.

But the question is whether states are doing enough.

A disaster, whether man-made, natural or biological, carries the potential to disrupt data systems and communications networks, bringing government to a halt. The consequences can result in chaos, diminished public trust and even loss of life.

Although states are preparing for disruptions involving the physical infrastructure related to data and communications, Leatherby is concerned that few are adequately prepared for the one disaster he says is certain to strike: the pandemic. In a technical sense, a pandemic is a disease that strikes a whole country or continent. But in a practical sense, any disease or illness that afflicts a significant portion of a state or region could have far-reaching consequences.

“It’s a completely different ball game. It’s something that really concerns me,’’ says Leatherby, author of a November, 2007, NASCIO report, Pandemic Planning and Response for State IT: Where’s My Staff? “It’s something the states are planning for from a health perspective. But it’s not really made it to the disaster recovery plans the way I’d like to see.’’

Disaster recovery plans generally have focused on securing data centers and other infrastructure. Among the precautions:

• The state of Nevada is building a redundant data center in Las Vegas that mirrors the center in Carson City, the state capital, says Leatherby. In the event of a disaster, the second data center could be brought online quickly.
  
  
• The state of Kentucky stores backup tapes in a cave system. It’s both an economical and extremely secure solution.
  
  
• The state of New Mexico is looking at backup systems either in the state or neighboring states that wouldn’t be on the same power grid, says state CIO Roy Soto.

But a pandemic raises another issue.

“The dynamics of a pandemic are rather severe compared to a tornado or floods, which can be regionally dispersed,’’ says Otto Doll, South Dakota’s state CIO. “We run up four contingencies, based on four different levels of disaster, with the pandemic being on the far end. The biggest challenge is you’re going to lose a significant portion of your workforce.’’

In a state such as South Dakota, where the vast majority of state IT personnel are concentrated in one location, the potential for disruption from a pandemic is significant. If an illness sweeps through Pierre, the state capital and one of the state’s few population centers, Doll knows a majority of his IT people might be unable to work.

In planning for a pandemic, according to Leatherby and others, state and local CIOs should take into consideration the following:

1. Understand critical missions Know what systems absolutely must be kept going, whether it’s communications systems for first responders or email.
   
   
2. Evaluate personnel Classify workers by skill set. Recognize where the organization lacks depth and cross-train workers. “When you map out skill sets in your IT organization, you find out where, in essence, your depth is suspect,’’ says Doll. “For smaller operations like ours, it’s not like you have twelve guys who know a certain skill. You just don’t want a couple of guys knowing something. You want to push that out to three to four people.’’ Noting a lack of depth in an area helps prioritize the training the state provides, says Doll. It’s also a matter of looking at personnel in depth, says Soto, considering whether a worker who is a subject matter expert also has health problems likely to keep him or her home in a pandemic.
   
   
3. Prepare for teleworking The idea of workers operating remotely goes against the deeply engrained culture of most state governments, says Leatherby. Establishing procedures for workers to telecommute and making it possible for them to fulfill responsibilities remotely could keep government up and running in a pandemic.
   
   
4. Collaborate across boundaries In New Mexico, the state makes sure a broad swath of organizations -- from private non-profits to Native American tribal authorities -- are involved in the planning process. Coordination with other state, federal, and local governments is important, says Leatherby, since systems critical to other entities’ programs and services might need to be shut down during a pandemic. Also, a mutual-aid agreement with another organization, such as a state university, might provide skilled IT personnel to fill gaps. Prior approval for access to a facility or a system would need to be in place. “You have to be able to tap into the private sector,’’ Soto says. “They’re stakeholders as well. They can be called in to provide services.’’
   
   
5. Consider vendors All the planning in the world is for naught, says Doll, if telecommunications companies in South Dakota can’t keep their operations going. The depth of thinking needed for a pandemic plan is evident, says Doll, when he considers this: What if the company that provides diesel fuel to power a backup generator for a data center has no one to drive the delivery truck? CIOs need to evaluate the supply chain, says Leatherby, looking at how vendors handle their own pandemic planning.
   
   
6. Review continuously A disaster relief plan can be quickly outdated in the fast-paced IT world, says Doll. Changes in technology can mean a change in skill sets. “Any change to IT infrastructure, we ask. ‘Does this change anything in our disaster management world?’’’ he says.

In general, states have made real progress in terms of preparedness for public health emergencies, according to a report released in February by Centers for Disease Control and Prevention. The report credits more than $5 billion in federal funding for increasing states’ abilities to respond to public health threats. For instance, all state health departments now receive urgent reports about disease on a 24-hour, seven-days-a-week basis. In 1999, only 12 states could do so. All states now share information using the Epidemic Information Exchange, a secure, CDC-based communications system.

But the report also finds that preparedness challenges remain. When the potential impact of a pandemic is considered, says Leatherby, it becomes evident just how critical IT workers are.

“People don’t realize how reliant they are on the Internet, on computer systems,’’ he says. “I put IT workers in the same tier as first responders.’’

 

Kim Boatman is a journalist based in Silicon Valley, Calif. She spent more than 15 years writing about a variety of topics for the San Jose Mercury News.