January 2002

Special Op-Ed Feature

Protecting Our Critical Infrastructure: A "Silo" Approach Won't Work

By Luis G. Kun

Editor's Note: This opinion piece was written in response to a column carried in the October-November 2001 issue of IEEE-USA Policy Perspectives, titled "Capitol Shavings: On Protecting Our Critical Infrastructure."

11 September and the "New Normal"

Welcome to the 21st century and a new reality. Suddenly topics such as bioterrorism, which seemed so far removed from our society just a short time ago, are knocking on our front door. The new arsenal even includes a new vocabulary: anonymity, denial of service, data theft, data modification, cyber intelligence, cyber attacks — including e-mail attacks, worms, viruses, web assaults, and Trojan Horses — resource abuse, and of course national health threats through biological, chemical and nuclear terrorist attacks. We know and use these terms now naturally; they are part of our new "normal."

Where Does Health Fit in Our Critical Infrastructure?

On 4 May 2000 (a Thursday), the computer systems at the Centers for Disease Control and Prevention (CDC) went down because of a computer virus. The system remained down and was only available on a limited basis until 9 May (a Tuesday). It became clear at that moment that if a bioterrorist attack was planned, not by an individual, but by an organization and/or country that attacked our computers and communications infrastructure first, our ability to respond would basically be zero. During a national health threat, how critical is the information infrastructure?

The National Health Information Infrastructure (NHII)

According to the National Committee on Vital and Health Statistics (NCVHS), the national information infrastructure (NII) can be an essential tool and resource in promoting the nation's health. However, it is a largely untapped resource. The health sector has not applied information and communication technologies as effectively as other sectors have, and health is underrepresented in the NII relative to the scale of the national health enterprise and its importance to the American public.

Making the health component congruent with the NII and an integral part of its development requires two concurrent processes: building the health information infrastructure (HII), and then integrating it into the broader NII.

The "NHII" is a set of technologies, standards, and applications that support communication and information to improve clinical care, monitor public health, and educate consumers and patients. The broad goal of the NHII is health knowledge management and delivery, so that the full array of information needed to improve the public's health and health care is optimally available for professionals, policy makers, researchers, patients, care givers and consumers. Component areas of the NHII were identified initially in 1998 in a concept paper and include privacy, confidentiality and security; unique health identifiers; standards; population-based data; computer-based health records; knowledge management and decision support; and telemedicine.

Integrating NHII With the Other Critical Infrastructure Components Is Critical

When we ask the question "Why attack U.S. infrastructures?", the three answers that are most commonly given relate to:

  • National Security — Reduce the United States' ability to act in its own self interest
  • Public Welfare — Erode confidence in critical services
  • Economic Strength — Damage American economic competitiveness

*In order to have a Threat, you need knowledge, equipment, tools and skills, in addition to intent. Threat is a summation of "Capability" + "Intent." Likewise, "Capability" = "Skills" + "Tools," while "Tools" = "Equipment" + "Knowledge."

Developing policy recommendations and implementation plans cannot be done completely and effectively unless we determine vulnerabilities and identify threats* (i.e., physical, cyber, etc.) first. And in developing these policies, identifying the stakeholders early on is just as important; if we fail to do so, the "unidentified" ones become our future vulnerabilities.

In late 1996 and early 1997, while attending a meeting of the Application Council within the High-Performance Computers & Communications program, and as the representative of the Agency for Health Care Policy and Research, I participated in a presentation on "Critical Foundations: Protecting America's Infrastructures." The so-called Critical Infrastructures included electric power, telecommunications, transportation, oil and gas delivery and storage, banking and finance, water, emergency services, and government services. The Central Intelligence Agency, the Federal Bureau of Investigation, the Federal Emergency Management Agency, the National Security Agency, and the U.S. Departments of Commerce, Defense, Energy, Justice, Transportation and Treasury represented the public sector. Among others, these issues arose: How could we consider our waters critical but not our food supplies? And aren't health care and public health considered part of our public welfare, and therefore our critical infrastructure? Working with a "silos" approach is not conducive to good policy. "Stove pipes" can be a syndrome of the way we allocate funds, and they foster a lack of cooperation among agencies and departments, particularly their not sharing a common vision.

I was surprised to see that almost five years later the same issues raised at the Application Council meeting have gone unresolved. The summary in "Protecting and Defending Our Critical Infrastructure" (Oct.-Nov. 2001 IEEE-USA Policy Perspectives) doesn't mention healthcare and/or public health as part of our critical infrastructure, and while it mentions water protection, it fails to consider our food supplies as critical. Healthcare and/or public health must be considered part of our critical infrastructure, and at the same time, food supplies need to be considered critical as much as water protection.

Share the Information; We Don't Know Who Will Need It

Terrorist attacks can come in many forms: on a ship containing chemicals; with an airplane crashing against a nuclear reactor; by someone poisoning the Nebraska cornfields; by releasing poisonous gases in a commuter train station; with letters containing anthrax; or by American tourists unknowingly carrying highly contagious bacteria in their bodies back to the United States. Similarly, the first respondents in these incidents could be different: the U.S. Coast Guard, the Federal Aviation Administration, Department of Energy, U.S. Department of Agriculture, the Environmental Protection Agency, or the CDC, among others. In each of these cases, however, the ultimate threat is to our public health. Our food supplies are as critical as our vaccine stockpiles. And because there are many different potential respondents involved, no one agency or department should be allowed to be an information "silo"; all should be part of — and have access to — the NHII.

With regard to the IEEE-USA Policy Perspectives column published in the Oct.-Nov. 2001 issue, it may be useful for us as an organization to discuss issues like this one, so that when the IEEE publishes a viewpoint, it represents endorsement by the organization as a whole. I realize, though, that the column in question was published as an opinion, and people have a right to think as they please in our democratic society.

 


Luis G. Kun, Ph.D., is chairman of the Bioterrorism Working Group for IEEE-USA's Medical Technology Policy Committee; a Fellow of the American Institute of Medical and Biological Engineering; an adjunct professor for Public Health Informatics at Emory University; and an IT consultant. While serving earlier as Distinguished Fellow at the Centers for Disease Control and Prevention in Atlanta, Ga., he was senior computer scientist for the Health Alert Network and acting Chief Information Technology Officer for the National Immunization Program.

 

 

© Copyright 2003, The Institute of Electrical and Electronics Engineers, Inc.