How Can I Protect Healthcare and Public Health Infrastructure

Federal government; state, local, tribal and territorial (SLTT) entities; public and private owners and operators of critical infrastructure; and healthcare and public health facility managers all need to know the risks that an infrastructure failure can pose to the facilities and communities that rely on that infrastructure. Every region in the U.S. is at risk for many different kinds of infrastructure failures, ranging from cyber threats to water supply failures, power outages, communications failures, supply chain issues and more.

The resources below can help you better prepare for, respond to and recover from some common infrastructure issues.

CIP Policy

• National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience (NIPP 2013): NIPP 2013 establishes a vision, mission, and goals that are supported by a set of core tenets focused on risk management and partnership to influence future critical infrastructure security and resilience planning at the international; national; regional; SLTT; and owner and operator levels.
• Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21): PPD-21 advances efforts to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive establishes national policy on critical infrastructure security and resilience. Protection of critical infrastructure is a shared responsibility among the Federal government; SLTT entities; and public and private owners and operators of critical infrastructure. This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration.
• Executive Order 13636: Improving Critical Infrastructure Cybersecurity (EO 13636): EO 13636 emphasizes the importance of enhancing the security and resilience of the Nation’s critical infrastructure and to maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. It indicates that these goals can be achieved through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and by collaboratively developing and implementing risk-based standards. To learn more, check out HHS Activities to Enhance Cybersecurity.
• President’s Climate Action Plan: The President's Climate Action Plan calls on the federal government; SLTT entities; and communities to make stronger, safer investments in critical infrastructure. The plan 1) directs agencies to support climate-resilient investment; 2) establishes an SLTT leaders task force on climate preparedness; 3) supports community preparedness for the impacts of climate change; 4) supports the development of standards to boost the resilience of buildings and infrastructure; and 5) encourages rebuilding and lessons learned from Hurricane Sandy.

Cybersecurity

• U.S. Critical Infrastructure Cyber Community Voluntary Program: As part of Executive Order (EO) 13636, the Department of Homeland Security (DHS) launched the Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program to assist the enhancement of critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework), released in February 2014. The C³ Voluntary Program was created to help improve the resiliency of critical infrastructure’s cybersecurity systems by supporting and promoting the use of the Framework.
  • Cyber Resilience Review (CRR): The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices
  • Enhanced Cybersecurity Services for Critical Infrastructure Entities: TThe Department of Homeland Security’s (DHS) Enhanced Cybersecurity Services (ECS) Program was expanded in February 2013 by Executive Order 13636: Improving Critical Infrastructure Cybersecurity as a voluntary information sharing program. ECS assists critical infrastructure owners and operators to improve protection of their systems from unauthorized access, exploitation, or data exfiltration. ECS shares sensitive and classified government vetted cyber threat information with qualified Commercial Service Providers (CSPs) and Operational Implementers (OIs). In turn, the CSPs use the cyber threat information to protect their customers who are validated critical infrastructure entities. OIs use the cyber threat information to protect only their internal networks.
• Protecting the Healthcare Digital Infrastructure: Cybersecurity Checklist: Cybersecurity Checklist can be used to help the Healthcare and Public Health Sector improve its ability to identify and address potential vulnerabilities; to mitigate cyber threats; and to strengthen cybersecurity. The checklist serves as a starting point on cybersecurity and it outlines several hardware, software, and cybersecurity educational items organizations should consider and implement to protect their digital infrastructure.
• Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101: The Healthcare and Public Health Cybersecurity Primer is a tool intended for use by sector members, owners and operators, as well as Federal, State and local partners who may not be cyber experts, but wish to improve the sector’s level of understanding of cybersecurity. The document contains concepts and common practices of security as they pertain to the cyber component of healthcare and public health.

Water Supply

• Planning for Water Supply Interruptions: A Guide for Hospitals and Healthcare Facilities: This guide highlights some of the impacts of a water interruption and poses questions to ask to help hospitals and healthcare facilities prepare for an interruption. Additionally, it provides some information on existing resources that can help these facilities develop and implement an effective preparedness strategy.

Power Outage

• Planning for Power Outages- A Guide for Hospitals and Healthcare Facilities: This guide highlights some of the impacts of a power outage on hospitals and healthcare facilities and poses questions to that managers of those facilities need to ask to help them prepare for an outage. Additionally, it provides some information on existing resources that can be used to help develop and implement the hospital or healthcare facility's preparedness strategy and establish better relationships with the local electric utility.

Communications

• Working Without Technology: How Hospitals and Healthcare Organizations Can Manage Communication Failure: This fact sheet includes recommendations and other steps to help healthcare organizations or facilities effectively manage and continue operations in the event of a breakdown in traditional forms of communication.

Supply Chain

• FDA Drug Shortages: FDA works closely with manufacturers of drugs in short supply to communicate the issue and to help restore availability. FDA also works with other firms who manufacturer the same drug, asking them to increase production, if possible, in order to prevent or reduce the impact of a shortage. This site provides information on current and past drug shortages as well as manuals and related resources to help prevent and manage shortages.
• Commerce International Dependencies Report: Report on pharmaceuticals and medical devices produced by foreign manufacturers that are critical to healthcare services during emergencies. The report also discusses domestic alternatives where they exist.
• American Society of Health-System Pharmacists Drug Shortages Exit Icon: Provides additional information on drug shortages and management.

Training

• TEEX Infrastructure Protection Courses and Certificate Programs Exit Icon: List of courses from Texas A&M Engineering on Critical Infrastructure Protection.
• FEMA Emergency Management Institute: The Emergency Management Institute (EMI) offers self-paced courses designed for people who have emergency management responsibilities and the general public. All are offered free-of-charge to those who qualify for enrollment.

Active Shooter Planning

• Newly Revised! Healthcare and Public Health Sector Coordinating Council Guidance on Active Shooter Planning and Response in a Healthcare Setting: This document was developed by the HPH SCC to provide specific guidance to healthcare providers, incorporating the unique aspects of the healthcare setting, such as special considerations for operating rooms, neonatal units, and medical gases and resources for coordinating medical and behavioral health responses after the incident.
• Incorporating Active Shooter incident Planning into Health Care Facility Emergency Operations Plans: This document, produced by HHS- ASPR, DOJ, and DHS-FEMA encourages healthcare facilities to consider how to better prepare for an active shooter incident in their emergency operations plan. The document is geared toward emergency planners, disaster committees, executive leadership, and others. Information sharing, coordination with law enforcement, and psychological first aid information is provided.
• MESH Coalition Active Shooter Training Video Exit Icon: ​This video, produced by the MESH Coalition, a non-profit public-private healthcare coalition in Marion County, Indiana and the Indianapolis Coalition for Patient Safety, Inc., a collaboration of the six major Indianapolis health systems, shares with viewers the unique considerations for those responding to an active shooter in healthcare settings. The video is cited by the HPH SCC as embodying the goals of their Guidance document.
• FBI Active Shooter Resources: Additional active shooter planning resources from the FBI. ​
  ​
  ​
  ​