Building Resilient Health Infrastructure with ASPR
What is Critical Infrastructure Protection?
This episode answers the question, "What is critical infrastructure protection?"
MICHAEL ELTRINGHAM (ME): Hey everyone! Thanks for listening. I’m Michael Eltringham, a program analyst within the HHS ASPR Critical Infrastructure Protection Division and I’m joined by the Critical Infrastructure Protection (or the “CIP Division) director Dr. Laura Wolf. How are you, Dr. Wolf?
DR. LAURA WOLF (LW): I'm great! How are you Mike?
ME: Great! So today's question that we're going to cover on the podcast is, “What is critical infrastructure protection?” So we deal with health care and public health sector critical infrastructure protection and we're kind of taking a step back to the most basic level to kind of set the foundation of what our field is really all about. Let me start with, maybe not the dictionary definition, but what's the definition of critical infrastructure protection and who defines it?
LW: Sure. The legal definition comes from the Patriot Act of 2001 and critical infrastructure is defined as, “Systems and assets whether physical or virtual so vital to the United States that the incapacity or destruction would have a debilitating impact on security national economic security national public health or safety or any combination of those matters.” So really you're thinking about the infrastructure in the U.S. Whether these are buildings or bridges and roads and dams that infrastructure really keeps America going and it's not just that physical infrastructure. It's also cyber systems that we rely on more and more to carry out those missions.
ME: So we're talking about, you know, the definition of course of critical infrastructure. Our office or our division is tasked with critical infrastructure protection of not just the healthcare public health sector but of all the sectors who are the authority or what first of all what are the designated authorities for that and who helps carry that out with them
LW: Sure. So the overall responsibility for the mission of protecting critical infrastructure belongs to the Department of Homeland Security they have an office of infrastructure protection that has staff both in DC and in all the regions that carry out the broad overarching mission one thing is that in the US a majority of the critical infrastructure is owned by private sector so DHS stimulates a lot of the partnerships between a government and private sector to make sure we're ensuring that critical infrastructure.
ME: Can you elaborate just a little bit on when you say stimulates that partnership: how does that come to fruition or how does that happen?
LW: Sure, so in their authority under the National Infrastructure Protection Plan they can allow for conversations about risk to happen between government and private sector in a way where we don't have to publicly announce those discussions. It's called the Critical Infrastructure Partnership Advisory Council structure. It's exempt from the Federal Advisory Committee Act – FACA - and in that way we're able to have private conversations with owners and operators of critical infrastructure to talk about the risks that they face without those risks getting out publicly. Because that's a potential security challenge if we're telling the world, “hey, here's our critical infrastructure and here's where it's vulnerable.”
ME: I was going to say, it was a vulnerability issue as opposed to: “These are, you know, super-secret meetings for a nefarious purpose.”
LW: Absolutely it's more about protecting the vulnerabilities of the U.S. critical infrastructure. So DHS owns the ability to host those meetings but some of the agencies like ours in HHS are designated as a sector specific agency for health care and public health. And that designation - not to be too policy wonky - but presidential policy directive 21 is where it most recently clarifies that we're the sector specific agency for health care and public health. All exciting reads if you want to learn more about critical infrastructure.
ME: So you talked about HHS as the sector-specific agency for the healthcare and public health sector but kind of alluded to, there are more sectors of course. So can you talk a little bit about the - maybe not the sector partnerships so much - but just kind of the what sectors exist, or what are the ones that are most - I don't want to say most critical to healthcare and public health - but what are some common interdependencies that we see from certain sectors I guess?
LW: There you go, so that's the common terminology when we're talking about the interactions between the sectors in healthcare. When we perform our jobs we need buildings that have power and air conditioning and water and Internet connectivity. So we look to other sectors for the provision of those utilities. So some of our key partners in other sectors are in energy, water, and communications but also in the transportation sector.
We support our infrastructure during both steady state and response and often the biggest issue in response is, “How can I get my stuff to where it needs to go?” And that's where we rely on a lot of our transportation partners. Now are there shared goals across the sectors? Sure. We have what are called the “Joint National Priorities” and so these are, at the very basic level, “What are we trying to do in the partnership between government and private sector?” So I'll summarize them. There are five: the first one is to strengthen the management of cyber and physical risks to critical infrastructure. That's the basic one and that's been the foundation of our work for many years.
Number two is building capacities and coordination for enhanced incident Response and recovery. As I mentioned before, we work together on a normal basis but also when there's a disaster to make sure that nationally important critical infrastructure is supported.
The third priority is to strengthen collaboration across sectors jurisdictions one's and that's really the foundation of the entire partnership to make sure we're talking to each other.
Number four is to enhance effectiveness and resilience decision-making. That's really to make sure that both government and private sector have the information they need to make choices. And often these choices are costly when we're looking at security measures and it may not be obvious to everyone why you would want to spend money securing critical infrastructure. There's not a lot of “bang for your buck” there unless there is a big event and you and you do need it so it's a challenging process for our partners.
And the last one is to share information to improve prevention, protection, mitigation, response and recovery activities. And this is all-encompassing about sharing information. But I do want to point out that sometimes there is classified information that needs to be shared with our private sector partners and we are able to get them clearances and to provide them that information as it is relevant to their industry or even their particular facility.
ME: So can you talk a little bit about, you know, we've kind of alluded again to the collaboration. What kind of ways do the different sectors tend to collaborate together?
LW: Sure. So there are a lot of bureaucratic ways that we come together to do work but it is very flexible in how we do that. So there are meetings of the government leads separate from the private sector leads but we meet together several times a year to discuss issues and we create working groups that can involve members from across the different sectors. So we've been working recently with the emergency services sector about one of those issues with transportation: “How can I not only get my stuff to where it needs to go, but if it's in an unmarked van and I need to get it to a hospital, how can I communicate that with local law enforcement to say that this is critical these are critical goods that need to get in somewhere?”
ME: So there it is: that's critical infrastructure protection defined. Again, in future episodes, what we're really looking to do is kind of raise awareness on issues related to healthcare public health sector critical infrastructure protection and in a kind of a bite-sized, concise format give high-level general overviews.
Of course you may have questions after you listen to some of our episodes or today's episode and that's fine! We encourage you please to email us at C-I-P, that’s CIP@hhs.gov. If you have any questions about the HPH sector partnership or anything you heard about today, or if you just have feedback on the podcast, we'd love to hear it! So thank you, Laura!
LW: Thanks Mike for today's podcast! And thanks everyone!