It’s Time for the FAA to Start Doing its Job (Again)

By CHHS Research Assistant Alana Coopersmith

Note: The views expressed do not necessarily represent those of CHHS or the University of Maryland, Baltimore. 

Boeing, the Commercial Airliner and Defense giant, has had a disastrous start to 2024. In only three months, there have been four reported commercial plane malfunctions. It would be unsurprising to find that these malfunctions stem from Boeings regulatory capture over the Federal Aviation Administration (FAA). After 20 years, it is time for the FAA to recapture the industry.

While the world may be shocked by Boeing’s 2024 track record thus far, many are likely not surprised. In 2018, a 737 MAX crashed 13 minutes after takeoff, killing all 189 people on board. Six months later, another MAX plunged six minutes after takeoff, killing 157 people. This second crash prompted the MAX to be grounded worldwide  and led to intense investigations into the plane’s development. The investigations revealed, beyond the technical details of the crash, how the FAA handed over the regulatory-reins to Boeing, leading to the mass production of a plane with a deadly flaw.

The 737 MAX was imagined in 2011 as a response to Airbus’ A320neo. The A320neo was a new, fuel-efficient aircraft. To avoid losing customers to their rival, Boeing shelved plans to develop an entirely new aircraft – which would have been both timely and costly – and instead chose to upgrade the previous generation of the 737 to match the A320’s capabilities. Boeing’s pressure to rush the MAX into production “resulted in extensive efforts to cut costs, maintain the 737 MAX program schedule, and avoid slowing the 737 MAX production line.

Boeing’s awareness of the MAX design’s safety concerns is well documented. Despite its knowledge, Boeing’s disregard of such warnings in the pursuit of performance targets is also well documented. For example, in 2013, Boeing engineers suggested installing a computer-based airspeed indicator to augment the MAX’s single external speed sensor. According to a 2020 report from the House Transportation and Infrastructure Committee, this request “was rejected by Boeing management due to cost concerns.” In 2018, Ed Pierson, a senior Boeing plant supervisor at the MAX production facility, emailed Scott Campbell, the 737 General Manager, to request a meeting about “safety concerns,” At the meeting, Mr. Pierson, a former military officer, told Mr. Campbell that the military would never tolerate a cavalier attitude towards the safety issues present in the MAX’s development, to which Mr. Campbell allegedly responded: “The military is not a profit-making organization.”

Additionally, in 2013, the National Transportation Safety Board held a two-day hearing to determine how Boeing and the FAA could have missed the potential for catastrophic failure of the 787 Dreamliner lithium-ion batteries when they were certified in 2007. In response to the fire that “sparked” concern, Al-Jazeera randomly asked 15 Boeing employees if they would fly on the 787 Dreamliners they were building. 10 of those 15 expressed they would not, due to safety concerns.

Despite these safety concerns, the FAA certified the 737 MAX in 2018, leading to the deaths of 346 people, and certified the 787 Dreamliner despite its lithium-battery malfunctions in 2007; most likely because the FAA was captured by Boeing. The FAA, since those crashes, has not effectively recaptured the industry.

Regulatory Capture is the proves by which an agency becomes dominated by the industry it is charged with. In the cases of Boeing’s MAXs and Dreamliners, the FAA did not uphold its responsibility to ensure the safety of the aircrafts – largely because it removed itself from the regulatory process altogether.

Until 2004, the FAA regulated the production of Boeing Aircrafts through a web of Designated Engineering Representatives (DER), who, although were paid by Boeing and were Boeing employees, were selected by and reported to the FAA, and the FAA retained final authority and possessed a clear view of the aircraft’s certification process. In 2004, a committee made up largely of industry backers passed a rule that the previous DERs, now called Authorized Representatives (AR), no longer reported to the FAA, but now reported directly to Boeing Managers. Direct communication with the FAA was completely severed, and Boeing was vested with vast amounts of power over the certification of its own aircraft. Boeing’s new appointment power over ARs gives it the power to align the certification process with its own interests, to the extreme detriment to the public interest.

Boeing’s flawed self-regulation is now brought to light again, as the MAX and Dreamliner aircrafts have made mainstream media appearances with missing bolts and plunging planes. As the MAX 10 production has slowed, it would be in the best interest of the FAA and Boeing to revert to the DER system for certification. It would return meaningful public oversight to the aircraft certification process, improve public trust in the FAA and in Boeing, and promote accountability. Other options seem to be flawed: further delegating oversight power to manufacturers would only exacerbate the issue; but conducting all oversight and certification work itself would cost the FAA at least $1.8 billion, require another 10,000 engineers. Although the FY2025 Budget includes a request for $1.8 billion for the Office of Aviation Safety to support production oversight and continued operational safety, it likely will still be in the FAA’s best interest to revert to the DER system, as the experience with and expertise of the latest technology is largely housed inside of the industry, rendering industry employees the most qualified to certify the aircraft.

Spring 2023 CHHS Newsletter Now Available!

CHHS is proud to present the Spring 2023 edition of our newsletter.

This edition includes:

  • Director’s Message from CHHS Founder and Director Michael Greenberger
  • An overview of our recent work on cybersecurity
  • Information on CHHS externs and research assistants
  • A description of our facilitation of a variety of trainings and exercises
  • And much more!



Supreme Court Blocks Vaccine Mandate: An Issue of Institutional Competence

By CHHS Extern Jenna Newman

On September 9th, 2021, President Biden first announced the creation of a plan that would require a large number of Americans to receive the COVID-19 vaccination. The Occupational Safety and Health Administration (OSHA) then published the aforementioned vaccine mandate on November 5. The OSHA mandate required workers employed by businesses with at least 100 employees to receive the COVID-19 vaccine, with an exception only allowed for workers who were tested weekly at their own expense and wore a mask each day. The mandate also pre-empted contrary state laws. On January 13, the U.S. Supreme Court stayed OSHA’s COVID-19 vaccine mandate.

The majority on the Court explained that because this order required 84 million Americans to either receive the COVID-19 vaccine or take weekly tests at their own expense, it was not an “everyday exercise of federal power.” The Court further noted that OSHA is tasked with ensuring occupational safety, which includes “safe and healthy working conditions.” The justices speaking for the majority found that this mandate did not set workplace safety standards, rather enacting broad public health measures that went against the original text of the act. They reasoned that “permitting OSHA to regulate the hazards of daily life – simply because most Americans have jobs and face those same risks while on the clock – would significantly expand OSHA’s regulatory authority without clear congressional authorization.” The Court drew a distinction between occupational hazards and risks that occur in the workplace, explaining that COVID-19 is not an occupational hazard that OSHA has the power to regulate. For example, COVID-19 is a universal risk that is present everywhere that people choose to gather, not just in the work-place setting. That is the difference between occupational risks and risks in general.

By contrast, the justices writing for the dissent argued that the OSHA mandate was within the agency’s mission to “protect employees from grave danger that comes from new hazards.” The dissenting justices noted that COVID-19 is a new hazard that poses a grave danger to millions of people, making the OSHA mandate “necessary” to address the dangerous situation. As a result, the dissent found that the majority ruling was at odds with the statutory scheme.

The biggest issue that the case raises surrounds the institutional competence to address the health care crisis. The dissent stated that the underlying dispute “is a single, simple question: Who decides how much protection, and of what kind, American workers need from COVID-19?” The options are either an agency or the Court. While competing arguments exist on both sides, the reality is that the decision is now left up to each individual company. Companies must now weigh the pros and cons of instituting regulations or potentially losing staff. For example, United Airlines and Tyson foods have instituted their own mandates, but others have chosen to not take any action, such as Walmart, Amazon, and JPMorgan Chase.

The institutional competence issue is further shown in the majority opinion in Biden v. Missouri, which was a small win for the Biden administration because it allowed a limited mandate that required health care workers to receive the COVID-19 vaccine if they worked at a facility that received federal funding. Differing significantly from the majority opinion concerning the OSHA mandate, the majority in Biden v. Missouri found that the secretary of health and human services mandate “fell within the authorities that Congress conferred upon him.” The statute that gives authority to the mandate states that the Secretary can make Medicaid and Medicare funds contingent on conditions that “the Secretary finds necessary in the interest of the health and safety of individuals who are furnished services.” Here, the majority found that this limited mandate was within congressional authorization because it ensures that providers are taking to steps to stop the spread of a dangerous virus.

These cases certainly illustrate the challenges that the pandemic has created in interpreting the authority conferred upon agencies by Congress, and what types of regulations go beyond these authorities. In light of the contrasting majority opinions, the institutional competence issue will continue until a consensus is reached on the proper authority of agencies to make vaccine regulations in the workplace.

Analysis of Court Order Enforcing Title 42 Restrictions on Migrants

By CHHS Extern Cailey Duffy

On September 30th, the U.S. Court of Appeals for the District of Columbia allowed a stay of the September 16th ruling in Huisha-Huisha v. Mayorkas. Circuit judges Rogers, Millett, and Katsas allowed the Biden administration to continue enforcing the Title 42 order while their appeal is in progress. Title 42 was issued under former president Trump in March 2020. It allows the government to prevent certain individuals from entering the U.S. during public health emergencies. Former President Trump cited the coronavirus pandemic as a reason to expel migrants attempting to enter the United States. President Biden has continued this order, deporting over 900,000 migrants, and rationalizing it as a preventative measure to keep detention centers from overflowing during the pandemic. To combat the order, the ACLU filed a preliminary injunction in U.S. District Court, arguing that individuals at the border should be allowed to seek asylum under U.S. law. On September 16th, the injunction was granted.

In his opinion in Huisha-Huisha, Judge Sullivan ruled that Congress is not authorized to expel migrants under Title 42 – it is only allowed to limit who enters. He held the plaintiffs had shown they were likely to suffer irreparable harm as a result of deportation, as many would have to return to violent and unsafe home countries. Furthermore, he argued that the migration would not likely affect coronavirus rates, due to the wide availability of testing and vaccines. The injunction did not prevent the expulsion of single adults, so many individuals were still left with no choice but to be returned to their previous country of residence. The Biden administration appealed, and the appeal was granted. The administration cites the need for the Title 42 order as preventing a surge of migrant families that the nation is unable to handle given the current pandemic. They worry that an influx of migrants would lead to higher rates of COVID-19. However, the administration has not provided evidence that this would actually be the case.

Biden is under pressure from the Republican Party to crack down on migration due to the increasing number of arrests at the border. His critics believe that reversal of former president Trump’s immigration policies has led to an uptick in migration. However, it is more likely this increase in migration is due to political turmoil and food insecurity in nations like El Salvador, Guatemala, and Haiti. While Biden’s administration has exempted unaccompanied children from the Title 42 deportations and is trying to be more lenient with families at the border, many are concerned that the continuance of Title 42 in any capacity contradicts Biden’s campaign promises of a more humane approach to immigration. Biden is surely in a difficult spot, caught between Democratic critics of the Title 42 order and republican critics of his immigration reform. However, categorizing migration as a public health threat is not only speculative, but creates serious humanitarian concerns.

New: Summer 2021 CHHS Newsletter Released

CHHS has released its semiannual newsletter, which highlights some of the work we’ve done over the past several months. The newsletter includes a welcome message from CHHS Founder and Director Michael Greenberger.

Check it out here:

CHHS Summer 2021 Newsletter

In the Aftermath of Van Buren v. United States

By CHHS Extern Mike Rovetto

A few weeks ago, the Supreme Court released its decision in Van Buren v. United States, and the implications this case has for nearly every business and employer in the country could be potentially staggering. Before going into the implications of the case, a brief introduction is warranted.

A more perfect case could not have been presented to the Court to answer the question of what “exceeding authorized access” means under the Computer Fraud and Abuse Act (CFAA). Van Buren centered around a police officer who sold information that he procured from the state DMV to an undercover FBI informant. Van Buren had procured the data using his valid police credentials to log into the police database and download the files.

The FBI charged Van Buren for violating the CFAA, a 1986 law that makes it a crime to illegally access a database. The CFAA has been deemed the federal computer trespass law which subjects anyone to criminal liability who “intentionally accesses a computer without authorization or exceeds authorized access.” Van Buren was ultimately convicted of the charge and on his appeal to the Eleventh Circuit, argued that “exceeds authorized access applies only to those who obtain information which their computer access does not extend, not to those who misuse access that they otherwise have”. The circuit denied his appeal, which led to the Supreme Court of the United States granting a writ of certiorari. Van Buren’s argument before the Court revolved around one basic idea; the CFAA only criminalized accessing files that one is not authorized to access; it did not criminalize misusing information that one did have authorization to access.

In a 6-3 decision, the majority ruled in favor of Van Buren’s view that the language of the CFAA only prohibited illegally accessing data (i.e., hacking), it did not prohibit illegal misuse of data that one was able to lawfully access. The Court came to the correct conclusion. Professor Orin Kerr, a law professor and expert on cyberlaw from the University of California – Berkley, analogized this case perfectly: essentially, this case boils down to criminalizing a contract dispute. Every citizen in the US should rightly shudder at a police officer violating their privacy in such a way, Van Buren’s actions (by accessing the database) criminal. What Van Buren did by accessing the database was certainly a firing offense, but one would not expect to be led out of a workplace in handcuffs because you accessed Facebook or sent a personnel email in violation of the company’s computer policy. A result the majority feared could happen considering the government’s policy on the subject which does not ban criminalizing conduct based solely on contractual disputes.

Highlighting an interesting point raised by Justice Thomas in his dissent, the Justice notes that Van Buren’s actions were similar to that of a property trespasser (defining a trespasser as someone who has legal access to a property for one purpose, but enters the property for another ulterior purpose, then he is trespassing.) The Justice then continues with this: “What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes”. This analogy is curious considering that in 2017, Justice Thomas joined Justice Alito’s concurrence in Packingham v. North Carolina, which rejected equating the cyberworld to the physical world. Regardless, the Justice’s example here still equates to a contract dispute. Fireable? Yes. Criminal? No.

In an interesting turn of events, the Court remanded back to the Ninth Circuit Linkedin v. hiQ, a case which stems from mining data off Linkedin user profiles after a cease-and-desist letter was ignored by hiQ. The Court remanded the case to determine if its Van Buren decision affected the lower circuits decision in how it interpreted the CFAA. The outcome of that case could land back in the hands of the Supreme Court in the coming years.

The President’s Executive Order on Cybersecurity

By CHHS Extern Mike Rovetto

A few weeks ago, multiple news agencies covered a memo President Biden’s administration released calling on private business entities to do more against the threat of ransomware and to “better understand [their] critical role”. While the President’s Executive Order is a good first step in fixing the nation’s cybersecurity problem, the E.O. does not go far enough for the simple fact that it only affects federal agencies and government contractors with active government contracts.

The U.S. approaches cybersecurity much in the way it does other regulatory matters, in a laissez faire manner that focuses more on self-regulation. In a cybersecurity self-regulatory scheme, an industry is expected to “police themselves” and set standards for how best to protect their cyber-infrastructure. Proponents of this approach argue that self-regulation is the best practice because the industry itself is the best entity to determine what vulnerabilities the industry has. If the past year has shown us anything, it should show that the self-regulation of the cyber world lacks the necessary security proponents argue comes from industry expertise. The city of Baltimore was attacked with ransomware. Public reports of the attack stated the cost to the city was over $18 million to restore services, such as payment processing for utility bills, basic email communications, and critical emergency systems like 911. Last year, reports began surfacing of a security breach within the State Department. It was revealed that SolarWinds, a government IT contractor who specializes in providing software for supporting IT infrastructure, was hacked by Russian nationals who inserted malicious code into software that allowed the hackers to “hide in plain sight” and appear as legitimate network traffic. Ultimately the SolarWinds hack has affected dozens of federal and state agencies as well as private enterprises who downloaded the infected software. The hack compromised systems and allowed the hackers to steal information such as FireEye’s hacking tools that they use to test client’s security. And this past March, Microsoft, one of the largest software companies in the world, suffered a data breach in their Microsoft Exchange Server Platform which hosts entities ranging from police departments to credit unions. The attack saw over 30,000 organizations which represent and/or holds data for millions of people across the country, have private email communications stolen. Victims of the hack include law firms, infectious disease experts, defense contractors, and higher education intuitions.

Recently the District of Columbia Metropolitan Police Department was the victim of a major data breach. An attack on the Department’s IT servers saw dozens of private personnel files, including home addresses, cellphone numbers, and more released by hackers after payment demands were refused. Just last month, the group responsible released raw intelligence related to everything from the Jan. 6 riots to intelligence on criminal activity. The hacking group  In Florida, in what might be the first active cyberterrorist attack on U.S. soil that could cost American lives, hackers were able to access a water treatment facility command and control system and attempted to poison an entire city’s water supply. Finally, in two back-to-back attacks on major critical infrastructure, major portions of the country were severely disrupted. The Colonial Pipeline attack saw gas shortages for weeks that disrupted the entire East Coast. In that case, a ransomware attack locked down a critical pipeline that feeds gas from New Jersey to Texas and touches nearly every state in-between. If that wasn’t enough, the most recent attack on the nation’s critical infrastructure, this time an attack on our nation’s food supply, should be. In that attack, criminal groups related to Russia forced a shutdown of one of our nation’s largest meat suppliers.

To sum, we have three major metropolitan areas, one critical federal agency, two critical infrastructure sectors, with about eleven states and millions of people affected by some type of cybersecurity attack. And for all but one, that is just within the last eight months. Self-regulation cannot fix this. Experts from both the private and public sectors agree on this. Microsoft President stated before Congress “We need to impose a clear, consistent disclosure obligation on the private sector”. Chairman Richard Glick of the Federal Energy Regulatory Commission response to the Colonial Pipeline attack highlights the issue completely “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors”. If self-regulation were capable of meeting this threat, the Department of Homeland Security would not be issuing new regulations for pipeline security measures.

What is clear from the evidence over the last two years is that self-regulation in the cybersecurity and data privacy realm is failing. Leaders from across multiple sectors have called on the government to provide leadership in this area and establish standards that companies must abide by. While there has been some action in the last few months, President Biden’s Executive Order, the President’s appointment of an a National Cyber Director, and DHS’s move to regulate pipeline security are excellent first steps, there are still massive shortcomings in the way cybersecurity is handled across a wide breadth of sectors in the United States. While the President’s E.O. is a good first step at the federal level, it does nothing to address infrastructure at the state level. Another question to ask is, does the E.O. affect business entities’ with non-government contracts (say Boeing’s commercial manufacturing)? Further, the E.O. does nothing for the thousands of other small-to-moderate sized businesses that store sensitive data that do not have government contracts at all. The U.S. needs to stop relying on business entities to police themselves and instead empower the most capable entity it can create with the ability to propose standards, regulate all cyber-related industries in the U.S., and enforce regulations like mandatory breach notification, encrypting all personal information, and requiring basic security measures like firewalls. When it’s your own industry base calling for regulations like mandatory breach notification, it’s past time to call for that same industry to do better.

On the Front Lines: UMB Champions of Excellence Center for Health and Homeland Security Team University of Maryland, Baltimore

On October 19, 2020, the University of Maryland, Baltimore honored CHHS staff members for their work on the front-lines during the COVID-19 epidemic. CHHS staff members have assisted local emergency management and public health offices in providing critical preparedness, response and recovery work over these past months. As a result, the University has honored 8 CHHS staff members by naming them UMB Champions of Excellence.

Michael Greenberger, JD, has seen this type of dedication since the 2002 founding of CHHS, a University of Maryland, Baltimore (UMB) center that partners closely with the Francis King Carey School of Law to provide governmental and institutional organizations with tailored and comprehensive consulting services on emergency management and homeland security. He says the eight-person team went “above and beyond” the call of duty, leaving the safety of their homes to work grueling hours during an unprecedented health crisis.

“These people shifted into these responsibilities and never said a word about the fact that this was not what they signed up for,” said Greenberger, founder and director of CHHS. “They just went and did it — and did so without complaint. Our partners have offered nothing but the highest of praise for their work.”


The staff members:

Hassan Sheikh, PharmD, JD
Jihane Ambroise, MPH, CPH
Joseph Corona, CEM
Samantha Durbin, MS
Patrick Fleming, MPA, MSL
Ian Hamilton, MS
Netta Squires, JD, MSL, CEM
Kimberly Stinchcomb, MPH, CPH




Unpacking Contact Tracing

By CHHS Extern Carly Yost

Public health jargon, previously only known by professionals in the field, is now a part of most people’s everyday vernacular. Due to the global pandemic caused by the emergence of COVID-19, contact tracing is among those previously unknown terms that are now a part of everyone’s daily lives. Several large cities across the United States have recently hired hundreds to thousands of new contact tracers in hopes to contain the spread of COVID-19 as restrictions on Stay-At-Home orders are lifted. At the same, Google and Apple released software that would allow cities to create contact tracing apps which residents would download on their phones. While the concept of contact tracing may be now well-known, the application is still lackluster. The responsibility of contact tracing for public health ultimately falls on local government, but both individuals and companies can play their own role in contact tracing and help fill the gaps where local jurisdictions are struggling.

In the past few months, many local health departments have gone from employing a handful of contact tracers to hundreds and thousands. During this pandemic, contact tracers reach out to everyone who tests positive for COVID-19 and find out contact information for anyone who they have come in contact with in the past 14 days. However, in New York City, of those who tested positive, less than 50% gave contact information for those these came into contact with in the 14 days before the positive test. Privacy concerns seem to be the United States’ general deficiency in contact tracing in comparison to other countries. For example, other countries have required people to write down their contact information when entering businesses or large gatherings, in order to have a reliable method to trace contact even with people unknown to the person who tested positive for COVID-19. Without these kinds of regulations in the United States, it will remain a difficult task for contact tracers to find any strangers an infectious person may have come into contact with.

Although cites in the U.S. have not implemented similar methods, some have encouraged individuals to keep their own log. Upon a new phase of reopening for the city, Baltimore City Health Commissioner, Dr. Letitia Dzirasa, advised individuals to “[keep] physical or digital note of places they visit and instances and times in which they were in close contact with others for a prolonged period of time. This means places where you’ve been closer than 6 feet to others for longer than 15 minutes.” This individual contact log will make the work of the 300 new contact tracers hired by Baltimore City much more timely and effective. While the CDC website does not contain any specific guidelines for individuals tracing their own contacts, it does state that contact tracing is the key to slowing the spread of COVID-19. According to the CDC, a contact tracer will ask everyone to list names of those for whom they have been within six feet for over 15 minutes during the time they may have been infectious, and it seems keeping a personal log can only help during this process.

Not only local governments and individuals, but also companies have a newfound interest in contact tracing as they hope to bring their workforce back into full operation. The basics being recommended by most health departments for businesses are temperature and health screenings, but businesses are certainly going beyond those measures to track employees’ movement once inside the building, through cell phone apps, VPN tracking on work-issued laptops, badges, or even light sensors. This of course brings up privacy concerns with an intersection of employment law, health law, and privacy law, with experts advising the best course of actions would be a vetted cell phone contact tracing app. With effective contact tracing, offices can be more assured that once they reopen, they will remain open and if one person gets sick, there is a lower probability that an outbreak occurs across the entire office.

Contact tracing may seem as though it is just a new buzzword, but the CDC, health departments, and other experts continue echoing its utmost importance during the COVID-19 pandemic. Now is the time when individuals should consider what part they can play in contact tracing, to assist with the local resources already in place. Maintaining a log of people you come into contact with for will aid contact tracers if you do test positive for the virus. Continuously following CDC guidelines will slow the spread of COVID-19, thereby making contact tracing more manageable. Additionally, as businesses begin to reopen, research and precautions should be taken to limit the spread of COVID which means effectively tracing contact while not violating privacy laws. Better Business Bureau Northwest and Pacific gave precautionary tips to employers hoping to utilize contact tracing, particularly to pay attention to how and where data is stored, who has access to collected data, and how much information is shared with employees. The resounding advice for employers shopping for contact tracing applications is to find one which does not permit the employer to access the data and keeps the data anonymous and preferably stored on the user’s device. The key is protect the individual’s right to privacy, especially concerning health data, while mitigating a “direct threat” to the health and safety of everyone in the workplace. As public health experts have long-known, contact tracing is now a societal responsibility and an operational necessity.

Maryland Should Lead States in Nursing Home Emergency Preparedness

As states begin their phased reopening across the country, the legal and policy decisions made by health officials and governors are bearing full fruit or consequences. Some states, such as Florida and Georgia, which resisted state closures and led reopening, are now facing choices similar to those faced a month ago, but with much higher stakes, as cases of Covid-19 rise and threaten to overwhelm healthcare systems.

The state of Maryland, which was one of the earlier states to see cases rise, has led by example. With Governor Hogan at the helm of a substantial team of medical and public health experts, closures in the state of Maryland were carefully timed, well-communicated, and followed the best medical and scientific knowledge available for a novel virus. Maryland citizens, for the most part, were exemplary in their willingness to engage in measures to make themselves, their family, their neighbors, and their community safe. This is the bright spot in this pandemic; Maryland and its residents have risen to the challenge of this pandemic, and each day there are more stories of everyday acts of heroism.

Where Maryland has mirrored the country at large, however, is one of the dark spots in the pandemic: the disproportionate effect Covid-19 has had on residents at long term care facilities (LTCFs). According to CMS data, as of June 14th,  over 40% of the approximately 115,000 Covid-19 related deaths in the US have occurred at LTCFs. Some of these deaths captured national headlines, such as outbreak at Life Care Center, in Kirkland, Washington, where 37 residents died, and dozens more residents and staff were sickened or exposed.

This story has played out across the country, and within Maryland’s borders as well. As of mid-June, nearly 60% of deaths in Maryland were at nursing home facilities. Sadly, this is not the first time nursing home deaths have made headlines: starting with the tragic consequences of Hurricane Katrina in 2005, the need for better emergency preparedness and planning in LTCFs has been a part of the national emergency preparedness discussion. In fact, in 2016, the Centers for Medicare and Medicaid announced a Final Rule for Emergency Preparedness Requirements, a sweeping, federal implementation of emergency preparedness requirements.

The rule, which requires LTCFs to have emergency plans, communication plans, and twice-yearly testing and exercises, had the ability to create a much-needed, federal-level culture shift within the LTCF industry. Unfortunately, its implementation was hampered by a new administration that announced almost immediately it would work to roll-back provisions of the rule, and approached enforcement in a lackadaisical manner. More fatally, the CMS EP rule, while quite thorough in its requirements, was not coupled with any federal grant funding to help facilities meet the new requirements—many of which, such as functional or full-scale exercises—can far exceed the cost estimates CMS provided.

As we have seen in other facets of the US, changing a culture, whether in a workplace or elsewhere, takes time, effort, education, and, importantly, funding. Nursing homes throughout the country are filled with workers who are trying to do the right thing, while constantly being asked to do more with less—less money, less time, less staff. During Covid, the workers in LTCFs have become surrogate family to residents who can no longer see their own families because of visitation restrictions; these workers have coordinated video calls for families, updated caregivers on the residents’ status, and sat beside patients, reading books to those who are ill, and holding the hands of those who are dying. What LTCFs lack is a well-funded, systemic push to make emergency preparedness an integrated part of the work culture, as natural to LTCF workers as compassion is.

During this pandemic, Maryland has led the country as a state responding to a public health emergency in a measured way, as it has done so many times before. During the West African Ebola outbreak in 2014, Maryland introduced science-based quarantine and isolation policies that protected public health while safe-guarding civil liberties. Where Maryland has learned hard lessons it has made changes to safeguard residents from future harm, such as requiring backup power for dialysis centers after residents were left without access to life-saving services.

Now, Maryland should pool its strength as a healthcare and public health leader to lead the nation’s change in culture for LTCF emergency preparedness. Working with LTCFs to review infectious disease protocols, ensure case reporting, and distributing testing kits—as Maryland has now done—is critical. But Covid-19 will end, and one of its enduring legacies should be that it brought about a revolution in LTCF’s emergency preparedness, creating a nation-wide culture of safety for medically-vulnerable residents and staff no matter what the threat. Meaningful implementation of the CMS Rule can help create that culture of safety, and ensure that whatever the next emergency is, Maryland’s LTCFs are ready.