On December 10, 2021, a series of tornadoes hit Western Kentucky, including at least one EF-4 that traveled approximately 160 miles through the state. These tornadoes killed over 80 people, damaged more than 15,000 buildings, and caused additional damage and loss of power in the area. Hospitals in the area saw a surge of an additional 500 patients because of the storms, with most facilities already close to capacity from COVID-19 Omicron cases. Additionally, some facilities were on backup power and lacked online systems to document patient care. Emergency crews struggled with downed power lines, communication disruptions, grounding of air crews, and loss of facilities in the area. The hospitals also faced challenges around a lack of water to help patients covered in mud and debris. The success of this region is a direct result of preparation that began years ago when local healthcare providers facing COVID-19 realized the need to work together and plan for disasters and resilience.
The U.S. Healthcare and Public Health (HPH) Sector is “large, diverse, and open, spanning both the public and private sectors.” The HPH Sector protects “all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters.” The HPH Sector-Specific Plan states:
It includes publicly accessible healthcare facilities, research centers, suppliers, manufacturers, and other physical assets and vast, complex public-private information technology systems required for care delivery and to support the rapid, secure transmission and storage of large amounts of HPH data.
According to the U.S. Centers for Medicare and Medicaid Services, National Health Expenditures (NHE) accounted for $4.3 trillion, or 18.3% of the U.S. gross domestic product. The HPH Sector employed 14.7 million in 2022, accounting for 9.3% of employment in the United States.
The HPH Sector encompasses facilities and services from the private sector across the federal, state, local, tribal, and territorial levels, including direct patient care facilities such as general or surgical hospitals, psychiatric hospitals, ambulatory healthcare facilities, extended care facilities, and individual practitioner offices and clinics. Also, under the HPH Sector are public health agencies, healthcare educational facilities, health-supporting facilities, laboratories, pharmaceutical production operations, mortuaries, and regulatory and oversight organizations.
What Makes This Sector Critical to the Nation, and What Importance Does It Have to State and Local Communities?
This sector not only provides resources and support critical to health security across the local, state, and federal levels, it is also central to the daily health and well-being of all citizens. Access to adequate healthcare is a critical component of national security and is interdependent with other sectors in supporting the five core mission areas of prevention, protection, mitigation, response, and recovery.
In 2021, there were 139.8 million visits to emergency departments, with 40 million of those injury-related and 13.1% of visits requiring hospitalization. An additional 131 million Americans, or two-thirds of the adult population, use prescription drugs to manage their health. U.S. nursing homes operate at over 70% capacity, and more than 60% of beds in 5,157 community healthcare facilities are occupied.
With this demand, connections, and dependencies so important to daily life, it is essential for emergency managers, sector leaders, and officials at all levels to identify potential weaknesses and improve resilience. The COVID-19 pandemic exposed weaknesses in the HPH Sector worldwide, some of which are now additionally exploited by cyberattacks for financial gain. The complexity of the sector defies a simple policy change or regulation to ameliorate risks and challenges, which demands engagement and a dedicated effort to ensure the effectiveness of this sector.
What Are This Sector’s Key Assets and Interconnected/Interdependent Systems (Physical or Cyber)?
The HPH Sector is interconnected with and dependent on at least seven other critical infrastructure sectors. Issues or incidents in emergency services, energy, information technology, transportation, or water services can significantly and widely impact the industry. However, the most critical asset is its workers. From running the facilities to caring for patients, shortages in staffing directly affect all aspects of the sector. Patient outcomes are at risk when staffing shortages exist in any area, not just in patient care. For example, business office staff shortages can decrease revenue flows for a hospital if they do not have timely follow-up on claims.
Due to the resource-intensive nature of healthcare, the HPH Sector is heavily dependent on transportation and distribution networks, as laid bare during the COVID-19 pandemic. Maintaining adequate supply chains and transportation networks is vital for the HPH Sector’s overall performance. There are critical assets across the country, with most facilities owned and operated by private industry. Some facilities may be small but represent the main healthcare service for the population, a trend in more rural areas exacerbated during the pandemic.
Healthcare is increasingly moving toward electronic health records, billing, and telehealth services, increasing the sector’s reliance and dependence on Information Technology and Communications and vulnerability and risk for cyberattacks. As these attacks increase, it is important to continue assessing controls in place to protect physical and digital content.
What Are This Sector’s Dependencies (Physical, Cyber, Geographic, and Logical) and Interdependencies With Other Critical Infrastructures?
The HPH Sector includes a complex array of physical and cyber assets and is highly dependent on the following sectors for service delivery and continuity of operations:
- Communications – This sector supplies situational awareness and helps coordinate healthcare activities during routine and emergency operations. During emergency operations, this sector is critical in providing information to the public and facilitating resource sharing and response across the industry. The communications sector also is crucial in expanding the use and reach of telehealth options. These options can improve outcomes for at-risk populations like the elderly and those lacking specialist services in their areas.
- Emergency Services – This sector, consisting of service facilities, systems, and personnel, is the first line of action in emergency response. The HPH Sector relies heavily on the Emergency Services Sector to prevent and mitigate consequences following a disaster. Some services provided include patient transportation, decontamination, safety and security, and triage.
- Energy – The HPH Sector, like many others, relies on the energy sector to sustain operations. Facilities have varying abilities to maintain operations during an extended power failure, and extended power outages also impact supporting sectors that, in turn, degrade the HPH Sector’s ability to function effectively. Power supply issues also can hamper sterilization, life-sustaining equipment, intensive care and operating units, and refrigeration for vaccines and medications.
- Information Technology – With the HPH Sector’s ever-increasing reliance on information technology, any degradation in support and service can impact the quality of care. Computers are integral for every sector aspect, from patient care to pharmaceutical manufacturing and distribution to financial management.
- Transportation Systems – The HPH Sector relies on transportation and distribution to supply everything from personal protective equipment to medication, without which the sector cannot deliver services. Patients cannot receive care or reach healthcare facilities without effective transportation systems, whether they are private or public. Transportation barriers for healthcare include reaching and serving at-risk populations, contraction of public transportation, long transit times, particularly in rural areas, and reduced funding for transportation projects.
- Water and Wastewater Systems – The HPH Sector relies on potable water for infection control, sanitation, dialysis, laboratory needs, climate control, sterilization, drinking water, and other uses.
With over 6,000 hospitals, 400 health systems, 26,000 nursing homes, and countless other facilities in every state and territory across the country, the HPH Sector relies heavily on and is interdependent with other sectors. The nature of operations across the country varies, but no healthcare facility can operate in a vacuum.
What Are This Sector’s Current and Emerging Vulnerabilities, Hazards, Risks, and Threats?
With the complex physical assets, electronic networks, and interconnections with multiple other sectors, the HPH Sector faces threats. Motivations for action against the HPH Sector include financial gain, commercial benefits, intellectual property theft, service disruption, and others. Primary vulnerabilities, hazards, risks, and threats include:
- Pandemics and health crises – Even before the COVID-19 pandemic, the threat of emerging or reemerging diseases was a threat to the HPH Sector. With so many issues arising from the pandemic not fully mitigated, additional crises will strain the sector and workers.
- Natural disasters, extreme weather, and climate change – With the sector represented in every level of government and across the country, HPH is impacted by every disaster and weather event. These events affect facilities and systems, take a toll on staff, and place staff at risk. Working to meet the community’s surge needs while dealing with associated service disruptions is an inherent challenge.
- Malicious human acts – An active shooter event or other attack against a facility or a Chemical, Biological, Radiological, Nuclear, or Explosive (CBRNE) attack in the community can cause mass casualties, panic, and disruption of services.
- Supply chain disruption and corruption – The just-in-time model of distribution designed and in place before the COVID-19 pandemic could not keep the sector supplied under the weight of workforce shortages, disruptions, and increased demands. Transportation and supply chain shortages significantly impacted healthcare during the COVID-19 pandemic, with product shortages continuing for materials ranging from personal protective equipment to medications.
- Cyberattacks – The HPH Sector increasingly depends on health IT and secure storage and transmission to dictate care, maintain records, issue prescriptions, control financial operations, and more. Bad actors may seek to steal patient data, corrupt information, extort facilities or systems, or otherwise impact security. Advanced threats also pose a risk to pharmaceutical companies and the industry, stealing intellectual property for competitive advantage.
- Space weather and electromagnetic pulse risks – Severe weather and electromagnetic pulses (EMP) from natural or manufactured sources can impact the power grid. Natural EMP events arise from magnetic storms from the sun, and their impacts can result in either short- or long-term outages and overwhelm supplementary power sources.
- Internal HPH Sector dependencies and interdependencies – Due to the HPH Sector’s size and complexity, a single point of failure can result in cascading impacts (e.g., the 2009 H1N1 and COVID-19 pandemics affected healthcare and public health workforce capacity).
- Cross-sector dependency and interdependency risks – The close connections, dependencies, and interdependencies with other sectors mean a failure or disruption in one sector can significantly impact others, including local disasters. These vulnerabilities are beyond the scope of any one sector to manage, requiring advanced planning to build resilience and contingency plans.
With increased reliance on electronic medical records, electronic prescriptions, and other technology across facilities and organizations, any disruption in internet service or power supplies can have impacts beyond turning off lights and machines. A ransomware attack in August 2023 against Prospect Medical Holdings impacted operations across their system, including 17 hospitals and over 150 clinics. Data from more than half a million patients was then listed for sale on the dark web with a price tag of over $1 million. This is in addition to the ransom demanded to unlock their systems, and it underscores that paying a ransom to an attacker does not guarantee the data breach stops there. This follows a trend dating back for several years, with federal agencies, vendors, and healthcare technology experts noting the increase in attacks and recommending mitigation and improved defenses.
How Would a Human-Caused, Natural, or Technological Disaster Impact This Sector’s Preparedness, Response, and Recovery Efforts?
Disasters of any origin can stress the HPH Sector. The Administration for Strategic Preparedness and Response (ASPR) produces a National Health Security Strategy every four years to combat these threats. The 2023-2026 National Health Security Strategy builds on its goals and objectives, guides federal actions for desired outcomes, and recommends implementation activities for state, local, tribal, and territorial partners and the entire HPH Sector. Each disaster listed can have localized or wide-ranging impacts on the HPH Sector.
The risk from intentional CBRNE events increased over the last few years, with advancements in biotechnology, including gene-editing hardware and other technologies, low-yield weapons development, information proliferation, and drone technology. Each attack has the potential to harm large numbers of citizens with the initial attack and cripple the HPH Sector, at least locally, by overwhelming capacity, inciting panic, and disrupting multiple infrastructure sectors in the aftermath. These impacts can broaden if the targets are those the HPH Sector heavily depends on, such as energy, transportation, water, or information technology.
Natural disasters can also have a varied impact on preparedness, response, and recovery efforts, depending on the nature and location of the event. Widespread disasters like hurricanes, ice storms, heat waves, or wildfires can place immense pressure on the HPH Sector across large swaths of territory. Natural disasters have increased in frequency and severity in recent years, driven by climate change, requiring the sector to respond in more significant ways more often. Following the COVID-19 pandemic with continuing supply chain and staffing shortages, these events challenge response and recovery operations, strain surge capacity, and lead to resource competition. According to the World Bank, the COVID-19 pandemic exposed significant weakness in primary healthcare (direct care provided to patients). The exposure of flaws in the current healthcare structure and systems and insight into the implications of failures in the sector provide a framework for potential improvements moving forward.
The threat of cyberattacks on the HPH Sector from actors both at home and abroad also increased in recent years, with further increases projected. These attacks threaten national health safety, disrupt patient care, and worsen patient outcomes. They can also disrupt response activities and exploit vulnerabilities in critical infrastructure systems, leading to additional disruptions in the HPH Sector as other sectors deal with breaches or other events. Threat actors may target pharmaceutical, biologic, or medical supply chains or target facilities and systems, as patient information is lucrative on the black market. In 2022, this sector experienced 344 cyberattacks, exposing the records for over 26 million individuals, which represents a 12.4% increase in attacks and a 270% increase in victims from 2020 to 2022. These statistics, coupled with the increase in the cost of an average data breach for the sector to $10.93 million, underscores the need for continual improvement. The cost per breach in this sector is up over 50% in the past three years, increasing the risk on hospitals, systems, and other organizations that fall victim to these attacks. These cyberattacks, per the American Hospital Association (AHA), can impact not only privacy but also patient safety.
What Else Do Emergency Preparedness, Response, and Recovery Professionals Need to Know About This Sector?
The success of this sector largely relies on collaboration and communication with other sectors, so they understand the sector, population served, and available resources in times of mass casualty and response. With an all-hazards approach, each event is unique and will require flexibility and adaptability based on the circumstances. Additionally, climate change has increased weather events with more extreme impacts, which is critical from a response and resource perspective.
The structure of the HPH Sector, with care facilities across the country, a network of support services, and the rapid incorporation of technology since the COVID-19 pandemic create opportunities for terrorists or other bad actors. The levels of oversight, governance, and resources present in these agencies and entities across the sector result in varied resilience and response to threats. Additionally, the norms of care across the country depend on the population, training, and support for the sector in each location. When disasters or attacks occur, the need and demand for HPH services can increase significantly and may be complicated by disruptions or increased demands in supporting infrastructure sectors. This may lead to limitations in the ability of this sector to respond to the surge needs and add to the complexity of risk assessment and response. These factors increase the need for community engagement and planning to improve the resilience and security of healthcare moving forward.
Tanya M. Scherr
Tanya Scherr holds a Ph.D. in Public Policy and Administration with a Healthcare and Emergency Preparedness focus. She is an associate professor in Healthcare Administration for the University of Arizona – Global Campus and has over 28 years’ healthcare experience. Along with being a Certified Fraud Examiner since 2011, she is also a former firefighter-EMT, previously licensed in several states, as well as holding national certification. Dr. Scherr has held several executive and board of director positions for community non-profits that focus on women’s equality, domestic violence, and sexual assault.
Daniel Scherr holds a Ph.D. in Public Policy Administration with a terrorism, mediation, and peace focus. He is an assistant professor in Criminal Justice at the University of Tennessee Southern and program coordinator for the Cybersecurity Program. In addition, he is a Certified Fraud Examiner and Army veteran with two decades of experience in homeland security and operation.