Skip over global navigation links
U.S. Department of Health and Human Services

How Can I Protect Healthcare and Public Health Infrastructure

Federal government; state, local, tribal and territorial (SLTT) entities; public and private owners and operators of critical infrastructure ; and healthcare and public health facility managers all need to know the risks that an infrastructure failure can pose to the facilities and communities that rely on that infrastructure. Every region in the U.S. is at risk for many different kinds of infrastructure failures, ranging from cyber threats to water supply failures, power outages, communications failures, supply chain issues and more.

The resources below can help you better prepare for, respond to and recover from some common infrastructure issues. 

CIP Policy

  • National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience (NIPP 2013):  NIPP 2013 establishes a vision, mission, and goals that are supported by a set of core tenets focused on risk management and partnership to influence future critical infrastructure security and resilience planning at the international; national; regional; SLTT; and owner and operator levels.
  • Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21):  PPD-21 advances efforts to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive establishes national policy on critical infrastructure security and resilience. Protection of critical infrastructure is a shared responsibility among the Federal government; SLTT entities; and public and private owners and operators of critical infrastructure. This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration.
  • Executive Order 13636:  Improving Critical Infrastructure Cybersecurity (EO 13636): EO 13636 emphasizes the importance of enhancing the security and resilience of the Nation’s critical infrastructure and to maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. It indicates that these goals can be achieved through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and by collaboratively developing and implementing risk-based standards.   To learn more, check out HHS Activities to Enhance Cybersecurity.
  • President’s Climate Action Plan:  The President's Climate Action Plan calls on the federal government; SLTT entities; and communities to make stronger, safer investments in critical infrastructure. The plan 1) directs agencies to support climate-resilient investment; 2) establishes an SLTT leaders task force on climate preparedness; 3) supports community preparedness for the impacts of climate change; 4) supports the development of standards to boost the resilience of buildings and infrastructure; and 5) encourages rebuilding and lessons learned from Hurricane Sandy.

Cybersecurity

  • U.S. Critical Infrastructure Cyber Community Voluntary Program:  As part of Executive Order (EO) 13636, the Department of Homeland Security (DHS) launched the Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program to assist the enhancement of critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework), released in February 2014. The C³ Voluntary Program was created to help improve the resiliency of critical infrastructure’s cybersecurity systems by supporting and promoting the use of the Framework.
    • Cyber Resilience Review (CRR):  The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
    • Enhanced Cybersecurity Services for Critical Infrastructure Entities:  The Department of Homeland Security’s (DHS) Enhanced Cybersecurity Services (ECS) Program was expanded in February 2013 by Executive Order 13636: Improving Critical Infrastructure Cybersecurity as a voluntary information sharing program. ECS assists critical infrastructure owners and operators to improve protection of their systems from unauthorized access, exploitation, or data exfiltration. ECS shares sensitive and classified government vetted cyber threat information with qualified Commercial Service Providers (CSPs) and Operational Implementers (OIs). In turn, the CSPs use the cyber threat information to protect their customers who are validated critical infrastructure entities. OIs use the cyber threat information to protect only their internal networks.
  • Protecting the Healthcare Digital Infrastructure: Cybersecurity Checklist:  Cybersecurity Checklist can be used to help the Healthcare and Public Health Sector improve its ability to identify and address potential vulnerabilities; to mitigate cyber threats; and to strengthen cybersecurity.  The checklist serves as a starting point on cybersecurity and it outlines several hardware, software, and cybersecurity educational items organizations should consider and implement to protect their digital infrastructure.
  • Healthcare and Public Health Cybersecurity Primer:  Cybersecurity 101:  The Healthcare and Public Health Cybersecurity Primer is a tool intended for use by sector members, owners and operators, as well as Federal, State and local partners who may not be cyber experts, but wish to improve the sector’s level of understanding of cybersecurity.  The document contains concepts and common practices of security as they pertain to the cyber component of healthcare and public health.

Water Supply

Power Outage

  • Planning for Power Outages:  A Guide for Hospitals and Healthcare Facilities: This guide highlights some of the impacts of a power outage on hospitals and healthcare facilities and poses questions to that managers of those facilities need to ask to help them prepare for an outage. Additionally, it provides some information on existing resources that can be used to help develop and implement the hospital or healthcare facility's preparedness strategy and establish better relationships with the local electric utility.

Communications

Supply Chain

  • FDA Drug Shortages:  FDA works closely with manufacturers of drugs in short supply to communicate the issue and to help restore availability. FDA also works with other firms who manufacturer the same drug, asking them to increase production, if possible, in order to prevent or reduce the impact of a shortage.  This site provides information on current and past drug shortages as well as manuals and related resources to help prevent and manage shortages.
  • Commerce International Dependencies Report:  Report on pharmaceuticals and medical devices produced by foreign manufacturers that are critical to healthcare services during emergencies.  The report also discusses domestic alternatives where they exist. 
  • American Society of Health-System Pharmacists Drug Shortages Exit Icon: Provides additional information on drug shortages and management.

Training


Active Shooter Planning


Interested in becoming a bigger part of the solution?  Learn how you can partner with us to protect healthcare and public health infrastructure.

Critical Infrastructure Protection for the Healthcare and Public Health Sectors

  • This page last reviewed: June 16, 2017