Building Resilient Health Infrastructure with ASPR

[Music]

MICHAEL ELTRINGHAM: You’re listening to “Building Resilient Health Infrastructure with ASPR,” a podcast from the HHS ASPR Critical Infrastructure Protection Division. If you have any questions about this episode, please email us at [email protected].

Hey everyone! Thanks for listening. I'm Michael Eltringham, a program analyst within the HHS ASPR Critical Infrastructure Protection - or CIP – Division, and I'm alongside our division director, Dr. Laura Wolf. How are you, Dr. Wolf,?

DR. LAURA WOLF: I'm great!

ME: Great. So if you guys have been listening to the podcast we've covered in our first episode just the basic definition of critical infrastructure and our last episode we talked about specifically our sector: health care and public health sector critical infrastructure protection.

We left on a cliffhanger though. We told you we work with all these different partners but how do we work with them? How do we collaborate? So today's question is, “What is the healthcare and public health sector partnership?”

More than 90 percent of critical infrastructure in the United States is owned within the private sector. How does the government work with them? So I'll pose that first question: who's at the table for these meetings?

LW: Absolutely! So let me back up and drive home the point on the fact that so much infrastructure is owned by the private sector, we don't regulate infrastructure resilience. We don't force companies to have certain security requirements or necessarily to hold themselves to resilience standards because those structures haven't existed in the past and because of the diversity of the infrastructure that we have, you can't really require one one fix for all.

So we rely on a voluntary partnership. It benefits all of us to have secure and resilient infrastructure, and so we rely as much on our private sector partners to recognize that and learn and grow with us and make their own infrastructure secure and resilient, so when we come to a table whether that's literally or figuratively we have partners from the government and private sector.  And we organize ourselves separately into two councils: the Government Coordinating Council and the Sector Coordinating Council

The sector Coordinating Council is independent from us. We don't tell them how to organize themselves or who they have to bring to the table. But they identify infrastructure owners and operators and leaders within the sector. Various trade associations related to the subsectors we talked about last time. And so they organize themselves and identify priority issues that they care about in order to do their jobs every day.

And they come to the table and meet with us, from the government side, from our government Coordinating Council. And ours also has representatives from across the government that care about private sector infrastructure and are related to some of the issue areas that the private sector cares about. For every issue we identify the right partners make sure they're part of our activities and so each side brings to the table the experts we need to talk about priorities risks and mitigation measures for those those challenges and then if there's a response what do we have to do or prioritize in responding to a disaster.

ME: So generally the healthcare public health sector partnership has two large meetings per year where we invite all the partners from the government side and the private sector side to come to a location and collaborate. Can you go over a little bit about how - not just those meetings, but other meetings within the sector, whether it's committees or working groups - who come together how those meetings kind of work?

LW: Absolutely. So it is important for folks to meet each other. There's psychological benefits to meeting in person and handing out those business cards and seeing each other present about the topics we're working on. And so, in the recognition of challenges with travel budgets, we try to limit those in-person interactions to twice a year.

So we have what we call joint councils meetings, generally in October/November and April/May. Those are our in-person gatherings but those aren’t the only times we interact. As you mentioned, we may have working groups on specific topics. One of our current working groups is a cybersecurity working group the private sector and government partners can work separately or they come together on a joint working group to identify, again, those issues where we need mitigation measures or other types of resources to enhance cybersecurity preparedness across the board.

Now that working group has its own in person meetings more frequently than the full councils and they've been really successful and really important in moving their work forward. So we have working groups and we're trying to identify other ways of engaging our partners through non-meeting type engagements.

ME: Like a podcast?

LW: Like a podcast! Like a podcast.

ME: So it sounds like the really one of the most critical aspects of this partnership is that communication, right? And you're talking about the meetings where we work to develop these positive outcomes that go with securing our critical infrastructure or protecting our critical infrastructure. There's also that incident response element of it of that communication. Can you touch on that just very briefly?

LW: Sure Mike. And, you know, you lead a lot of our communications effort so you know better than anyone: when it comes to communications, we try to play like we fight. So what that means is we have consistent branding and consistent messaging to our partners every week. We have a highlights document that goes out trying to minimize how much information we're sharing with everyone but, you know, five bullet points that go out once a week to make it easy for folks to A) learn more about infrastructure or resilience but B) recognize our branding. Because during a response we also send out messaging with those similar templates so folks know where the information is coming from.

And that trusted communication came in very handy during the WannaCry and Petya/Not Petya cyber attacks. Because, thinking about cyber systems, either there could be email phishing going on and so having a recognizable brand helped us share our message in a way that folks knew who it was coming from and opened those messages to get that important information about that response.

ME: So with such a wide and diverse stakeholder base for the sector partnership there obviously needs to be a great deal of coordination and even facilitation which is maybe the role I think not maybe but the role of a ASPR CIP division.

For a little more detail on that you'll have to tune in next time which will be our next episode where we'll talk a little bit about what our division does: our mission and really what we're all about. it'll be our most introspective episode yet. So we're excited for that, but thanks everyone for listening! Thank you, Laura.

LW: Thanks Mike!

ME: And again, as you heard up top, if you have any questions on anything you've heard on this episode or any questions about the HPH sector partnership in general, how you can maybe join, if you're an organization where that fits your profile, email us please at [email protected]. Thanks everyone for listening!

[Music]