1. Introduction

  Y2K issues will bear considerable effect upon all aspects of health service. Not only hospitals and large health centres will be negatively affected, but also doctors' clinics and laboratories will feel the adverse effects of the millennium bug. A couple of graphic examples should ram home the extent and seriousness of the problem. During a test, the Y2K team at a health care centre discovered that a particular respirator in use will shut off in 2000, but no reason was known for such behaviour. Also, an intra-venous (IV) pump used at hospitals nation-wide are set up to be recalibrated every three months to ensure proper flow of the IV. A computerized alarm shuts off the IV if the unit is not recalibrated after six months and the units will shut off in 2000 because the computers will think that the units have not been recalibrated since 1900. If there are a great number of these units in use, then the ensuing chaos and catastrophe caused by their dysfunction would be too horrible to describe.

  Inevitably, some organizations, which run private health clinics, have thus far evaded the scrutiny of the official Y2K watchdog although every effort is being made to make the net as wide as is practicable. It is quite impossible to monitor the work of all health service providers. It is the responsibility of each institution, no matter how small, to check its Y2K readiness, take the necessary steps to ensure compliance and work out contingency plans that would take account of anticipated and unforeseen circumstances. Everyone has to do his share. Of course, NIC will do its level best to support the efforts of any institution that seeks its help and advice in tackling this intricate and unpredictable problem.

  In fact, NIC has embarked on a systematic programme of public education and awareness of Y2K issues, besides its principal role in providing technical assistance in solving problems arising from them. The public health service institutions and private hospitals were invited to a seminar that explained the potentially deleterious effects of the Y2K problem and provided detailed information on how to deal with the thorny issues.

  NIC has prepared a Y2K package specific for the situation in Jordan. It includes a complete inventory of medical equipment that might be affected by Y2K issues. This package, which is available at no charge to institutions, public or private, is meant to help these institutions address and, hopefully, resolve Y2K issues. It was distributed to the private hospitals in March 1999. In May of this year, the Jordanian Doctors' Association was provided with a package to be distributed among its members who are also at risk due the potential destruction of patient records and possible malfunction of medical equipment used in their clinics. The litigation emanating from negligence could disrupt the smooth running of the doctors' practices, which are mainly concerned with healing patients, not causing them further hardship, according to the Hippocratic Oath. Also in May, a package was delivered to the Jordanian Hashemite Fund for Human Development and whence to non-governmental organizations (NGOs) that might be unaware of the Y2K problem or at a loss on how to deal with it.

  No guarantee can be given to any health care organization that it will be spared the lurking pernicious bug. Starting from computers that store and process patient information to critical medical equipment, the range is quite impressive and no one can really predict the exact scenario which will unfold once the dreaded twelfth knell ushers in the new millennium. It is safe to assume that potentially fatal incidents will occur. A sobering example is apt at this stage: entering a child's date of birth as 1-1-00 could be interpreted as 1-1-1900. That would result in calculating a dose of medicine for a 100-year-old patient -- possibly deadly for a new-born.

  Each health service provider must go through a standard and systematic procedure for dealing with Y2K issues. First, a Y2K plan must be devised. In simple terms, this gives the upper management a blue-print that shows who is responsible for what job and how and when to do it. This entails the set up of a dedicated and fully empowered Y2K team, which must be knowledgeable about the issues at stake. The importance of penning down procedures and tests cannot be overstated. No coherent decisions could be made at the technical and managerial levels without proper documentation. It is markworthy that many institutions and individuals in Jordan shy away from setting down their plans and ideas onto paper. It is as if they expect people to unlock their minds and extract information from within. This point should be addressed by educationalists and psychologists at a national level.

  At the outset, the principal action to take is to prepare detailed inventories of IT (Information Technology) equipment (mainly computers), lists of medical equipment and of other systems that might be affected. For each model of equipment, the inventories and lists must minimally contain information on the manufacturer, software version, year of incorporation in service, local agent or supplier, number in service, locations, and the function, so that rational risk assessments could be made at a later stage (see section 3).

  Once comprehensive and detailed lists are prepared, the Y2K status of the equipment is ascertained. The first step for hospitals is getting help from the companies that make the equipment. But it is not always easy. Some suppliers may choose to ignore queries. This is a normal reaction in the absence of pressure on them to divulge information. Fortunately, the pressure is so intense in the United States of America, that the overwhelming majority of manufacturers and suppliers have submitted statements to the U.S. Food and Drug Administration (FDA), or are in the process of doing so. Most "respectable" manufacturers and suppliers provide Y2K information on their Web sites.

  At this stage it is important to take account of interface systems - simply speaking two, or more, pieces of equipment that are connected together, say a computer and a medical equipment. Even if both systems are compliant, or functionally unaffected by Y2K issues, there is no guarantee that the combined system will be compliant. Some subtle changes in one system, which may be deemed benign within, may cause catastrophic effects on the other. Fortunately, the number of such complex systems in Jordan is very small. Be that as it may, there is no escaping doing the necessary validation tests.

  Now that the status of all equipment is available (assuming that all manufacturers and suppliers have provided the desired information, or tests have been carried out to verify compliance), the overall picture becomes clear. It is possible to short list the equipment that will definitely be affected by the millennium bug with information on numbers and locations. The phase of remediation may be immediately initiated. Top management, which must be kept informed of progress at all times, must take the managerial and fiscal steps required to implement the solutions.

2. Risk Management and Contingency Planning for Health Service Providers

  One aspect of the Y2K problem is that there are so many factors to consider at all stages that even when one thinks that all systems have been made compliant, there is still the distinct possibility that some internal aspects have been overlooked or ignored. For example, the inventory compiled by the Ministry of Health may have missed some critical medical equipment, a vital system may have been misclassified, or even some manufacturers may have supplied erroneous Y2K status information. Also assessment mistakes are a distinct possibility. External factors, which are beyond the control of the Ministry, cause disruption of service and potential injury or even death. For example, power, water, fuel and communications cuts are always in the cards. This argument leads to the fact that all health service institutions must set up Y2K contingency plans. No one is immune from infection by the bug. The adage a stitch in time saves nine is very apt in this regard.

  No matter how serious the impact of the Y2K problem on the health sector is, the severity of impact will be determined by how much any one health organization does to lessen the impact and how well prepared that organization is to deal with what they cannot solve in time. A well-constructed and tested contingency plan will significantly ameliorate or even eliminate Y2K problems including system failures, down-time, injuries, repair costs, lawsuits, and other interruptions to normal operations.

  The first phase of contingency plan design is to make detailed assessments of the risks involved. It boils down to a rigorous exercise in risk management, the purpose of which is to ensure that the organization can conduct business as usual through 2000. This entails minimizing the risk of failures. This effort should include planning for disaster recovery, contingencies, business continuity, and emergency preparedness. This planning effort must encompass hardware, software, infrastructure, and other non-technical systems as well as systems and infrastructure external to the organization.

    Risk management and contingency planning are directly related to one another and as such will be discussed jointly in the following sections. First, the factors that affect risk management planning will be listed for the specific case of medical equipment at the Ministry of Health in Jordan. These are then used to help in building an appropriate Y2K contingency plan.

3. Risk Management: Medical Equipment

  The following are the main factors that affect planning risk management:

1. The size of the organization. Keeping tabs on all affected systems is a great challenge that can only be met by the direct involvement of upper management, since many managerial and fiscal decisions have to be made in quick response to new information as it becomes available. In this respect, each health centre must have a local Y2K team to convert the directives of the central Y2K committee into action. If no one at the grass-roots level is willing or capable of implementing the official Y2K procedure and to provide useful feedback to the centre, then surely the whole exercise is doomed to failure.
2. The nature of the systems under consideration. By their very nature, medical equipment are classified as critical, as far as Y2K issues are concerned. Tampering with the health and well-being of citizens is a criminal offence. Therefore, extra care must be taken when considering risks and assessing impact of equipment failure. There is no room for laxity or complacence. Of course, some pieces of equipment are more critical than others. A hierarchical pyramid could be constructed showing those that are most vital at the top, and least critical at the bottom.
3. The stringency of criteria for inventory collection and status assessment. The work done in the limited period of time, from awareness to full assessment of risks, is impressive. Y2K Status assessment has been carried out using two separate methods: direct contact with the manufacturers/suppliers, and referring to their Web sites, if available. The level of agreement was very high, which increased confidence in the results obtained.
4. The nature of the services offered by the organization. One could envision a doomsday scenario in which all the things that might go wrong, do so simultaneously, so that emergency plans (as distinct from Y2K contingency plans) and crisis management systems break down, leading to catastrophic results, which in the worst case could include permanent physiological damage and loss of life.
5. The nature of customers/users. The people who use the Public Health Service are mainly government employees and the poorer sections of society. In general, these people do not have the option of going to the private health sector. Therefore, it is most essential that the risks posed by Y2K issues be minimized so that the health and well-being of these people are not compromised. It is very easy to become complacent. This is a propensity of human nature that must not be allowed a free rein.
6. Litigation issues. At this stage, it is  not clear whether users of the Health Service will have the right to sue for damages incurred by Y2K issues. Negligence, ignorance and apathy are difficult to define, as it is hard, not to say impossible, to find legal precedents. The improbability of users raising litigation issues eases the pressure. Be that as it may, it is a moral responsibility that appropriate actions be taken to at least mitigate (make less harsh) the Y2K risks, if not eliminate them altogether.
7. The availability of insurance coverage. In general, users of the Public Health Service do not have insurance coverage, because most of them cannot afford it. Also, it is very difficult to obtain an insurance contract that covers possible damage from Y2K problem because no one can really predict the degree and extent of effect.
8. Level of dependence upon computers and embedded chips. Fortunately, the degree to which medical equipment depends on computers and embedded chips is small. This fact lessens the risk of malfunctions resulting from the Y2K bug. This lightens the work involved in risk management. However, the large spatial distribution of equipment throughout Jordan means that a viable system of tab keeping should be set in place and tested rigorously. Breakdown of (tele)communications might result in non action, with possible disastrous consequences.
9. The organization's propensity for risk. The small number of complex and interface systems and equipment and the limited use of computers, means that the risks to which it is exposed to from internal sources can be relatively easily managed. External factors are beyond control. These include power, water and communications cuts. The power generators at hospitals have never been tested for extended periods of time (>5-6 hours). Protracted water cuts will definitely prove disastrous. Telecom disruptions are particularly dangerous, because co-ordination between centre and periphery would be seriously curtailed.

4.1 Preamble

  For the purposes of Y2K contingency planning, the systems and equipment have been divided into four sections, each requiring a separate plan, besides the overall, mainly administrative, plan. These sectors include IT, medical equipment, electromechanical equipment, and other equipment, including faxes, exchangers, photo-copiers, etc. Only the medical equipment sector will be dealt with in this paper.

 4.2 Contingency Plan Issues for Medical Equipment

  Y2K contingency plans for medical equipment must minimally address the following issues:

1. Objective of the plan: Some of the objectives to choose from include: continue normal operations, continue in a degraded mode, continue in a hybrid mode, i.e. ensure proper operation for some systems and allow others to operate in degraded mode, abort the function as quickly as safely possible, etc. In the case of medical equipment, the most realistic goal is to continue in a hybrid mode, as there is a strong possibility (almost certain) that not all fixes will be done on time.
2. Criteria for invoking the plan. (e.g., missing a renovation milestone, reaching the projected Y2K-related failure date, experiencing serious system failures, etc.). Details of these criteria are found in 4.3.2 and 4.3.3.
3. Expected life of the plan. It is projected that external vital service cuts will last for considerable periods of time (>3 weeks). Also affected equipment will take a very long time to replace, in the order of months, because suppliers will be swamped with replacement orders from all over the world, creating severe bottlenecks. Given all these factors, it is expected that the plan will remain in operation for at least 3 months.
4. Roles, responsibilities and authority. It is the responsibility of the Y2K team to work out all the technical details of the contingency plan and submit drafts to upper management. Top management is required to approve the document and issue the appropriate directives to facilitate placement and testing of the plan. The management of the contingency plan is the responsibility of the Central Co-ordinating Body (CCB).
5. Plan(s) creation and checkout of resource constraints to plan for each contingency and objective.
6. Training on and testing of plans. The Y2K team must set the plan in place, once it is approved, and test it under realistic conditions. The local Y2K teams at the various health centres must be given detailed instructions on how to implement the plan. Rehearsals should be used to identify week points and overlooked factors. If shortcomings are detected, the plan must be taken back to the drawing board and amended until it becomes foolproof.
7. Procedures for invoking contingency mode. These are stated in section 4.3.2, 4.3.3.
8. Procedures for operating in contingency mode. These are detailed in section 4.3.2, 4.3.3.
9. Resource plan for operating in contingency mode (e.g., staffing, scheduling, materials, supplies, facilities, temporary hardware and software, communications, etc.).
10. Criteria for returning to normal operating mode. These include internal and external ones. The former include replacement of faulty equipment, the latter restoration of external services (power, water, telecom, fuel).
11. Procedures for returning to normal operating mode. These are not discussed in this paper. They will be addressed once the Y2K contingency plan has been approved by the Ministry and NIC.

4.3 The Y2K Plan for Medical Equipment

  Assuming worst case scenario, i.e. that no remedial action will be taken before the end of the millennium, the contingency plan is configured thus:

4.3.1 Checklist for Contingency Plan

1. Has the contingency plan been explained to and signed off by the NIC Y2K Team? Yes to the first point and no to the second. An unofficial copy of the Y2K contingency plan has been obtained by NIC, but so far has not been approved by top management at the Ministry. As such no official plan has been received by NIC for signing off.
2. Does the contingency plan identify risks for each application (including interfaces)? Only a few systems have not been tested so far, or whose Y2K status has not been determined yet. These will be considered non-compliant, unless proved otherwise. The contingency plan must take these equipment into account.
3. Does the contingency plan assess the impacts of each potential internal and external failure? Yes. A complete list is available detailing failure, impact and counter measures.
4. Has the probability of failure been estimated? For internal factors, a full probability study has been prepared. External factors are beyond the control of the Ministry.
5. Has the expected loss been computed? The Ministry offers free medical services, and as such no financial loss is expected. However, the risk to public health is considerable, and is well documented.
6. Are alternatives for each risk identified? The process of identification is still in progress. It is estimated that by the end of July most risks would have been accounted for.
7. Does the contingency plan estimate resource requirements for each contingency alternative? The process of estimation is in progress. There are two levels of priority assigned to remediation of medical equipment: urgent, i.e. needs to be fixed before the end of 1999 (estimated cost: JD30,000, $38,000), and not urgent, which includes equipment that will only be affected non functionally, for example those that will display the wrong date in the new Millennium (cost of fixing and replacement about JD500,000, $700,000). It is obvious that the final Y2K contingency plan depends on the availability of funds to remediate potentially faulty equipment. The worst case scenario discussed in this paper assumes that no fixes will be made before the end of the year.
8. Does the contingency plan eliminate alternatives for which cost is greater than expected loss? This does not apply to the case under discussion, because there is no luxury of multiple alternatives.
9. Has the contingency plan been validated through testing, rehearsal, or quality assurance audit? Although there is a blue-print for a Y2K contingency plan, it has still not been approved by top management, and as such, has not been validated yet.
10. Have resources required for implementation of the contingency plan been identified? Yes.
11. If yes, have the resources been obtained? Some resources have still to be obtained.

4.3.2 Plan for Internal Factors: This is the blue-print for a plan that takes factors inside the health centres into account, i.e. those that are within control.

• Administrative procedures.

1. CCB will be responsible for ensuring proper implementation of contingency plan procedures. It should be composed of both top managerial staff, preferably including the Secretary General, and technical cadres from Y2K team and maintenance, and it must report directly to the Minister. It shall have full details of procedures, including lists of triggering events and counter-actions required. Also, personnel responsible for each counter measure are nominated and given full briefs. It must have access to all most recent accumulated Y2K documents in both hard and soft forms. At least three communications systems must be adopted to ensure continued contact with the various hospitals and centres. A rugged and tested back-up generator must be made available in case of power cuts to keep the CCB headquarters operational. See appendix 2 for details of plan lists.
2. Funds must be made readily available to grease the wheels of contingency management. Decisions must be made on the spot, so to speak, in order to mitigate the effects of the crisis. The head of CCB must be fully empowered to authorize expenditure of funds.
3. The staff at each health centre must be made aware of the contingency plan and the risks and possible adverse effects of the Y2K problem. They must take part in testing the plan and be given the chance to comment on any aspect of it. Some overlooked points might well be pointed out by experienced and perspicacious individuals not directly involved in contingency plan formulation.

• Technical procedures:

1. A labelling system will be adopted to identify the affected equipment visually. Red tags will be used for the systems that will be definitely affected functionally. Brown labels will be used for the equipment that will be affected in a minor and non-functional manner. Blue will be used to identify equipment that is either compliant, or not affected by Y2K issues. This system will help staff to remember which equipment will be affected and in what manner. See appendix 1 for a list of equipment and the associated colour labels.
2. Notwithstanding the assumption that no remedial action will be taken prior to the first cataclysmic date (1/1/2000), there should be in place configuration/version control procedures to keep track of each and every remedial action that is taken. Environment detailing documents, including labelling systems, must be kept updated and and newer versions distributed to all local Y2K teams. After each major upgrade, the relevant contingency sub plan must be re-tested and adjusted accordingly.
3. Of the 250 pieces of equipment that will definitely be affected by Y2K issues, 71 will become dysfunctional, i.e. will stop working or will function in an unforeseen and, most probably, deleterious manner. These are branded with red stigmas. By the end of the working day on 31/12/1999, all red label systems must be shut down, and alternatives found (see next procedure).
4. A table is constructed indicating the faulty machines, the centres at which they are found and lists of alternative equipment with locations and contact details. At this stage of work, only internal resources are available, i.e. those inside the Ministry, as no reliable information is available from other health institutions.
5. Systems that cannot be tested for Y2K compliance must either be taken out of service, which is the safest thing to do, or kept under close watch for a considerable time in the new year. The latter option requires that lists be made detailing the locations of these systems and alternatives in case of mishaps, as the faulty equipment needs to be removed because it cannot be fixed. It is most prudent to use red labels for these equipment. The local Y2K teams must be made aware of the status of these systems and given detailed instructions on procedure.
6. The effect on the rest of the equipment (about 180 in number) is restricted to display and printing of incorrect dates, and other minor, non-functional symptoms. Since the objective of the contingency plan is to operate in a hybrid mode, brown label systems will be allowed to remain in operation, albeit under careful observation by local Y2K and maintenance teams. In case of malfunction, the systems are removed from service until a solution is found and implemented. A table is designed listing the affected equipment, the symptoms, location, and alternative machines with full contact information.
7. The blues must also be kept under observation, at least on the first day of year 2000 and on 29/2/1999.
8. The local Y2K and maintenance teams at health centres must maintain contact with CCB, provide periodical situation reports, and implement directives issued from the centre. They must do all power-up functions on the morning of the fateful date and they should be deployed to monitor operation of systems and provide hands-on assistance in case of trouble. Their work must continue until the all clear is given by CCB. The exercise is repeated on 29/2/2000. Lists of all alternatives specific to each health centre must be given to the local Y2K team and to the repairs people.
9. The Electronic Services and Training Centre (ESTC), at the Royal Scientific Society (RSS) must be kept on alert for any possible malfunction, as they are responsible for the repair of most of the medical equipment at the Ministry. It must liaise with CCB, and co-ordinate its efforts with the local Y2K and maintenance teams. The period of vigil starts from 31/12/1999 till the all clear signal is given by CCB. This is repeated for the next critical date on 29/2/2000. The Ministry must provide the maintenance corps with all Y2K information available, including full inventory of medical equipment and their Y2K status, lists of affected equipment and location, lists of alternative resources. Co-ordination efforts must be maintained at the highest levels.
10. The inventory of medical systems and their Y2K status prepared by the Y2K Team at NIC, has contact information for all the manufacturers and suppliers of equipment. In case of malfunction, these are contacted for replacement or advice. However, due to system chokes, responses would not come in good time. Nevertheless, one reserves a place in the (long) queue.
11. Co-ordination with the local agents and suppliers must be started at the earliest possible time to check on the available stocks. Up-to-date lists of equipment and their numbers should be made available to the Y2K team at the Ministry in order to initiate purchase procedures as soon as is practicable. Moneys for such purposes are obtained from the Y2K contingency fund.

  These factors are beyond the control of the Ministry and as such are more unpredictable and harder to prepare for in the context of contingency planning. The principal risks stem from power, water, fuel and telecom cuts.

• Administrative procedures. Besides the points mentioned in section 4.3.2, the following ones are relevant.

1. Full Y2K status reports should be obtained from the Electricity Board (EB), Water Authority (WA), Telecommunications Company (TC) and the Petroleum Refinery (PR). Prior negotiations and arrangements should be made with them to ensure that the Ministry is at the top of the list of customers in case of reduced output due to Y2K problems.
2. Other arrangements should be made, like purchasing back-up generators and emergency battery-powered lights, water tanks and a reasonable stock of bottled water, secondary and tertiary communications equipment, and fuel depots, which must be checked full some time before the end of 1999, so as to escape possible bottlenecks. Other considerations include acquisition of back-up gas cylinders and heaters, and make prior arrangements with owners of water wells. Also, transport vehicles must be made available to facilitate communications between the CCB and periphery.
3. Check the Y2K status of suppliers of drugs and consumables, syringes, bandages, filters, stationary, etc., and determine their readiness to maintain services during year 2000. Also check on the level of their stocks. Keep ample stocks of medicines and other supplies to last for at least 3 months. List all manufacturers and suppliers, their Y2K status and contact information.
4. Lists of vital medical equipment are prepared and assessments of parts most prone to failure are made. All effort should be made to keep reasonable stocks of these parts, to evade choking bottlenecks.

• Technical procedures.

1. Power cuts: In case of power cuts at any health centre, immediately switch on stand-by generator(s). This is a reflex action not in need of a directive from CCB. All non-vital applications must be disconnected. Local Y2K team must make sure that all vital medical equipment remain connected to power. In case of disconnection, portable back-up batteries with converters are used. Some equipment that cannot be disconnected for any length of time are backed up by uninterruptible power supplies (UPSs). The stand-by generator(s) must produce enough power to maintain all important functions at the centre and be able to work for extended periods of time, in the order of weeks. Testing this section of the plan may be done by simulating power cuts and engaging back-up equipment.
2. Water shortage: If water supply is disrupted, tap the reservoir. In case of extended cuts, use the purchased water tanks to bring in water from pre-designated wells and other sources, and keep an ample stock of bottled water.
3. Telecommunications service discontinuation: If the primary service provided by the JTC goes down, use the secondary communications system. If this fails, invoke the tertiary level. In case of further failure, use transport vehicles to deliver messages. Testing this section involves successive simulation of failure of the three levels.
4. Disruption of fuel supply: If the JPR fails to continue its service, use stored fuel. If this runs out before resumption of service, panic. Realistically, there should be a national plan to deal with vital service cuts.
5. Shortage of medicines, drugs and other supplies. If stocks run low, contact local agents and international manufacturers for fresh supplies. Allow enough time for your order to be processed by the supplier, as this is the time of potentially constrictive bottlenecks.