What does shelter in place really mean?
In certain emergency situations, including a severe weather alert, a pandemic, an environmental hazard (e.g., chemical release), or a local emergency (e.g., active shooter), the public is told to “shelter-in-place.” The purpose of sheltering in place is to keep people safe while indoors during an emergency event. However, the phrase may confuse someone who is not well-versed in disaster preparedness and who interprets the instruction as staying where you currently are. That’s precisely the opposite of what you need to do.
Steps
Different threats require slightly different sheltering recommendations. The following steps describe how to effectively take shelter in place in your office, or at home, and ensure everyone is safe during a crisis.
- If there are any visitors in your office, make sure that they stay in your building and are instructed on shelter-in-place protocols for your office.
- Gather everyone in the designated shelter-in-place area, secured and with locks on the doors.
- In a natural disaster or radiological release, the safest location is the room on the lowest level, or underground, and in the interior-most part of the building.
- In the event of a chemical or biological disaster, the area should be an interior, windowless room on the highest floor of the building. Most hazardous agents are heavy enough to slowly settle to the ground.
- In the situation of a pandemic, you’ll want to remain at home and only leave for essential items (food, supplies). If you do find yourself in a busy area, you’ll want to practice social distancing to give yourself the best chance of not becoming infected.
- If your office is in a mobile unit, a plan must be developed in advance specifying a nearby building to seek shelter in. Strong winds will turn over a trailer or a mobile unit, making it an unsafe location during many types of disasters.
- Shut off all HVAC systems and fans. If the only available room has windows, cover or block them.
- Encourage everyone to reach out to their emergency contact and let them know of their location.
- Have an essential emergency kit accessible.
In any emergency situation, immediate and clear communication can provide a lifeline. Consider our Crisis Communication checklist as a part of your strategy.
Additional safety measures
It is beneficial to have a land-line phone along with a battery-operated radio and television in this safe room for efficient and reliable communication, as cellular towers may get overloaded. While using an emergency notification system in your company to alert employees to any threats is essential, consider subscribing to your local police department or local county government’s Reverse 9-1-1 system to get warnings about local threats in your area. To find this information online, search the phrase “emergency alert system” including your county and state.
Running practice drills annually will help everyone in your workplace understand how to respond to a shelter-in-place situation, preventing any mistakes. Take your knowledge home to make sure that your family stays safe should a disaster occur.
Shelter-in-place can be in response to a pandemic (e.g., COVID-19). To learn more about preparing for a pandemic, download our Pandemic Tabletop Exercise. And to learn more about preparing for an active shooter, download our Active Shooter Tabletop Exercise.
A multi-location long-term care (LTC) facility in Florida provides critical care to elderly and medically vulnerable patients. With Florida’s high risk of hurricanes, flooding, and severe storms, combined with the increasing threat of cyberattacks, the organization faced dual challenges in protecting its operations.
The facility must comply with strict healthcare regulations, including:
- HIPAA (Health Insurance Portability and Accountability Act) for patient data security
- HITRUST for cybersecurity best practices
- CMS Emergency Preparedness Rule for disaster resilience
While the facility had disaster recovery and cybersecurity measures in place, leadership realized they needed a more proactive, integrated approach to ensure regulatory compliance and improve overall resilience.
The Challenge: Addressing Cyber & Natural Disaster Risks
The LTC facility identified three major risks:
- Cybersecurity Threats: Ransomware attacks targeting patient records and medical devices.
- Natural Disasters: Hurricanes causing power outages, flooding, and operational disruptions.
- Regulatory Compliance Gaps: Meeting CMS, HIPAA, and HITRUST requirements for both cybersecurity and emergency preparedness.
Previously, the organization relied on annual audits and manual penetration testing, but that left them vulnerable between testing cycles. They also conducted emergency drills but lacked a structured, expert-led tabletop exercise program to integrate cybersecurity and disaster response.
The Solution: PTaaS & Tabletop Exercises for Continuous Preparedness
To strengthen security and disaster resilience, the facility partnered with Agility Recovery to implement a dual approach:
1. Continuous Penetration Testing as a Service (PTaaS) for Automated Cybersecurity Monitoring
- Weekly security scans identified vulnerabilities in EHR systems, medical devices, and third-party software.
- Automated compliance reports simplified HIPAA and HITRUST audit preparation.
- Real-time alerts helped IT teams remediate security risks before they became incidents.
2. Tabletop Exercises Led by an Agility Certified Business Continuity Planner
- Quarterly tabletop exercises simulated hurricanes, cyberattacks, and power outages.
- Cross-functional teams, including clinical staff, IT, and leadership, participated in real-world scenario testing.
- Exercises identified gaps in disaster response and cybersecurity incident plans.
3. Integrated Business Continuity & Cybersecurity Strategy
- The Agility Business Continuity Planner helped the facility update and refine its emergency response plans.
- Cybersecurity risks were incorporated into the overall disaster recovery framework.
- Post-exercise debriefs provided actionable recommendations to improve response time and decision-making.
Results: A Resilient Long-Term Care Facility Protected Against Natural Disaster and Cyberattack Interruptions
Since implementing continuous PTaaS and structured tabletop exercises for common regional events like hurricanes, flooding, and power outages, the LTC facility has achieved:
- 100% compliance with HIPAA, HITRUST, and CMS emergency preparedness requirements.
- Zero unpatched high-risk vulnerabilities in EHR and patient data systems.
- Improved emergency response times for hurricanes, power outages, and cyber incidents.
- Better staff preparedness through hands-on training and incident simulations.
Key Takeaways for Healthcare Organizations
For long-term care facilities in high-risk regions like Florida, a proactive approach to cybersecurity and disaster recovery is essential. Combining automated penetration testing with expert-led tabletop exercises ensures that both cyber and natural disaster risks are addressed.
✔ Continuous security validation with PTaaS to protect patient data and IT systems.
✔ Scenario-based training to prepare staff for real-world threats.
✔ Seamless compliance with HIPAA, HITRUST, and CMS requirements.
Being prepared is non-negotiable. Secure your facility, protect your patients, and ensure compliance with Agility Recovery’s tabletop testing and cyber resilience solutions.