Building Resilient Health Infrastructure with ASPR
What is ASPR's Division of Critical Infrastructure Protection?
This episode provides context on the mission and role of ASPR's Critical Infrastructure Protection Division.
[Music]
MICHAEL ELTRINGHAM: You’re listening to “Building Resilient Health Infrastructure with ASPR,” a podcast from the HHS ASPR Critical Infrastructure Protection Division. If you have any questions about this episode, please email us at CIP@hhs.gov.
Hey everyone! Thanks for listening. I'm Michael Eltringham, a program analyst within the HHS ASPR Critical Infrastructure Protection – or “CIP” – Division. I'm joined by our division director, Dr. Laura Wolf. How are you, Dr. Wolf?
DR. LAURA WOLF: Great, thanks Mike!
ME: Thank you. Today's question: “What is ASPR CIP Division?”
“So we're going to talk a little bit today about why ASPR? Why was ASPR designated as the leads, you know, to be the sector specific agency of the HPH Sector? So you want to kind of touch on that to just start us off?
LW: Sure. So as we've talked about in the past, you know, critical infrastructure are those nationally significant systems and infrastructure that if damaged or destroyed would impact national security and public health. The role of the Assistant Secretary for Preparedness and Response at HHS is to coordinate, as it says, preparedness and response. So ASPR is the lead for Emergency Support Function 8, that's public health and medical. So they are coordinating boots on the ground: teams of medical professionals that go out and help after a disaster.
They're also coordinating the needs of hospitals in the hospital preparedness program to be resilient to disaster. In addition to ESF-8, we're the leads for the recovery support function for health and social services. And so we also have the staff that go in after a disaster to help the community, including the healthcare community, recover from those disasters. So it's a natural fit for us to sit here, because we have the resources of the rest of ASPR to pull on for knowledge on threats to the health care system. How we might mitigate those threats and when there is an incident, I and you have done in the past and the rest of our team, go and sit in the Secretary's
Operations Center with the rest of the ESF-8 response staff so we are completely integrated into that response.
We have access to leadership to talk about areas of critical infrastructure that need to be prioritized for assistance whatever that might be and we're also able to analyze the impacts to the nation of any sort of disaster on the health care public health systems.
ME: So I think that summarizes it pretty well. Talking about the priorities of the division. Right now, going forward, you know, in the next - I don't know what you want to call them, maybe the next year - what would you say are the main priorities of the ASPR CIP Division?
LW: So our priorities have to be flexible, because the threats to health care and public health keep changing. In light of that, one of the long-term projects that we've had is to create a more objective risk assessment tool for all types of health care facilities to use. But our risk tool combines components of threat assessment vulnerability and consequences assessment and also help for a facility to understand how critical they are in their system, in their county, in their state, or in the country.
ME: I think it might be important to touch on very quickly - and I know we might cover this in a future episode - but can you talk a little bit really quickly about who provided input for that tool because I think that that speaks to the kind of the partnership.
LW: Absolutely! It could not have been done without the work of the partnership. There are a lot of government analysts who come at this with the same perspective as pre-existing assessments. Which don't necessarily take into account healthcare specific vulnerabilities, let's say. And so we brought our private sector partners to the table: those emergency managers and security professionals from healthcare facilities of a variety of types to say these are the threats we care about. This is the impact of some of these types of events happening at our facility, to help make this a really comprehensive and helpful tool.
They also gave us feedback on qualities like: if a tool is too long, our more junior counterparts may not be able to work it. So we tried to balance the needs of the private sector in order to get the tool done with the desires of the government to know every possible piece of information you could know about a facility.
ME: Talking about priorities: so you kind of touched on the risk management aspect and the risk tool. What are some other areas in which –
LW: Sure, so you said that risk tool will help us identify priority threats and hazards and risks to the community.
But in the meantime there are some clear consistent threats one of those are is cyber attacks and events. And so over the years we've really bolstered our work in cybersecurity, strengthened our partnerships with both government and private sector experts in cyber, and we've been able to accomplish a lot in support of healthcare cyber security.
One example is that a several years ago NIST released a cybersecurity framework and we've worked with a lot of our healthcare partners to make sure that there's enough guidance available specific to healthcare on how to implement that NIST cybersecurity framework.
ME: And when we say this that's National Institute of Standards and Technology correct?
LW: Very good, very good!
ME: I will pass the test after this.
LW: We do have a lot of acronyms! But so cybersecurity is one of the threats that we manage. We also look a lot to supply chain and we've talked about that in a lot of the previous episodes. But we work closely with our partners to identify where we might be most helpful in those areas. And then optimizing the way we communicate and work together during Incident Response.
ME: So I think you did a great job highlighting the priorities of the division and I think that's a good point to tell our listeners that in future episodes that we're going to release, we’ll kind of do a little deeper dive on a lot of those different cross-cutting issues within those priorities: cybersecurity, supply chain, risk management, communications, incident response, all that kind of stuff. We will cover that and we'll use specific examples from real life responses that we participated in or other issues like that.
So we're excited to share those with you all and we thank you for listening today! That's our episode. As always you can email us at CIP@hhs.gov. If you have any questions on the CIP Division, the HPH Sector Partnership, or if you just want to give us feedback on the podcast we'd love to hear it.
So thank you everyone for listening thank you Laura for joining me.
LW: Thank you, Mike!
ME: Thanks everyone and we’ll see you next time!
[Music]