The Department of Health and Human Services (HHS) has unveiled the Cybersecurity Performance Goals (CPGs) that were outlined in its December 2023 Healthcare Sector Cybersecurity Strategy. These voluntary goals will help healthcare organizations take the necessary steps to improve cybersecurity and guide them through implementing high-impact measures to quickly improve resilience to cyber threats and recover quickly should their defenses be breached.
Cyberattacks on healthcare organizations have increased significantly in recent years with 2023 breaking records for the number of data breaches (725) and the number of breached records (133M). The HHS Cybersecurity Strategy aims to help the healthcare and public health (HPH) sector prepare for and respond to cyber threats, adapt to a rapidly changing threat landscape, and improve cyber resilience across the sector, with the establishment of voluntary cybersecurity goals the first step in that process.
The voluntary CPGs will help HPH sector organizations prioritize the implementation of high-impact cybersecurity practices – cybersecurity practices that will have the greatest impact on improving resilience to the most common attack vectors. As outlined in the HHS cybersecurity strategy, two tiers of CPGs have been developed: Essential CPGs and Enhanced CPGs. The essential CPGs are relatively low-cost minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the enhanced CPGs are intended to encourage the adoption of more advanced cybersecurity practices. The aim is to get all healthcare delivery organizations to adopt the essential CPGs to make it harder for cyber actors to gain access to their networks and incentivize them to mature their cybersecurity programs by adopting the Enhanced CPGs.
The CPGs were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, which were intended to serve as a cybersecurity baseline for all critical infrastructure entities. The HHS collaborated with CISA and the industry to develop the healthcare-specific CPGs, which were also informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies such as the National Cybersecurity Strategy, Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Layered Protection at Each Stage of the Attack Chain
The HPH CPGs are concerned with improving resiliency at all points in digital systems that can be exploited by cyber actors. The Essential CPGs will help HPH sector organizations address common vulnerabilities to improve their security posture, improve incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defense against additional attack vectors.
Essential HPH CPGs
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training for the Workforce
- Strong Encryption for Sensitive Data in Transit
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials for all members of the Workforce
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Enhanced CPGs
- Asset Inventory
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
Initially, the CPHs will be voluntary; however, the HHS will use these CPGs to inform future rulemaking, including new cybersecurity requirements for healthcare organizations that participate in Medicare and Medicaid programs, the planned updates to the HIPAA Security Rule, and HHS efforts to incentivize the adoption of cybersecurity practices. Any new regulatory updates that include new cybersecurity requirements will be subject to standard notice and comment periods.
“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”
The HHS outlined in its cybersecurity strategy its plans to make funds available to help under-resourced healthcare delivery organizations make the necessary investments in cybersecurity by helping to cover the initial costs of implementing the essential CPGs. The HHS also plans to create an incentive program to encourage the adoption of the Enhanced CPGs. The establishment of these programs to help financially challenged hospitals is essential, as while the creation of the CPGs is a great first step, many healthcare delivery organizations simply do not have the funding available to make the necessary investments to improve cybersecurity.
The HPH CPGs are detailed in an 11-page PDF document that can be accessed on the HHS HPH Cyber website.
The post HHS Unveils Voluntary HPH Cybersecurity Performance Goals appeared first on HIPAA Journal.