How HHS Cybersecurity Performance Goals Will Impact Healthcare

The HHS cybersecurity performance goals are voluntary at the moment but will likely be the basis for future cyber mandates in healthcare.

HHS recently unveiled healthcare-specific cybersecurity performance goals (CPGs) with the intent of helping the sector prioritize the implementation of key security best practices.

On their surface, the voluntary CPGs are straightforward, consisting of “essential” and “enhanced” goals that many healthcare organizations have likely already implemented, such as multifactor authentication and basic incident planning and preparedness.

While the goals themselves may not be revelatory, their existence in this format, their voluntary nature, and how they fit into HHS’ overall healthcare and public health (HPH) sector security strategy are a significant step forward for the industry and are a sign of what’s to come.

“Ultimately, this is laying the foundation for some sort of regulation baseline or standard,” Carter Groome, CEO of First Health Advisory, said in an interview with HealthITSecurity. “And I could see it actually getting there in two years or so.”

HealthITSecurity spoke with several experts to gather their thoughts on the CPGs and what they mean for the industry going forward.

HPH CPG Basics

The HPH CPGs arrived shortly after HHS’ December 2023 healthcare sector cybersecurity concept paper, which established an overarching cybersecurity strategy for the sector at the national level. The concept paper revolved around four actions that HHS planned to take in the near future, the first of which was publishing voluntary healthcare and public health sector CPGs.

The actual goals, though presented in a new format, were built upon guidance that the healthcare industry has been familiar with for years, such as the Healthcare Industry Cybersecurity Practices (HICP), the National Cybersecurity Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The CPGs were also modeled after the Cybersecurity and Infrastructure Security Agency’s (CISA) existing CPGs for critical infrastructure.

“This is as much of an awareness and education campaign as it is best practice guidance,” Groome suggested, pointing out that many healthcare organizations have already met these standards.

The “essential” category consists of goals that help healthcare organizations tackle common vulnerabilities, minimize risk, and improve incident response. The “enhanced” goals help healthcare organizations reach further cybersecurity maturity by focusing on more advanced but equally crucial tactics, such as network segmentation and third-party incident reporting.

Additionally, each goal has been mapped to a specific HICP practice, NIST control, and CISA CPG, bringing more attention to the plethora of existing guidance and helping healthcare organizations streamline their cyber activities.

To Brad Marsh, EVP of government health security and technology at First Health Advisory and a former Army nurse, the CPGs signify a much-needed alignment between patient care and cybersecurity.

“Let's look back at regular hygiene. There was a push by The Joint Commission for ‘scrub in, scrub out.’ It was mandated that you had to do this. There was no additional funding for that, but it increased patient safety,” Marsh explained.

“This is along the same lines, but for cyber hygiene. We need to make sure that there is a base level of standards so that these patients are safe when they walk into our digital hospitals.”

Equipped with these CPGs, healthcare organizations can make informed decisions about risk mitigation and cyber hygiene activities.

Voluntary CPGs Allude to Future Mandates, Implementation Woes

The CPGs are voluntary for now, but HHS’ concept paper made clear that they are intended to become the basis of future regulations.

“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years,” HHS noted in the paper. “With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”

Specifically, HHS said that it plans to propose new enforceable cybersecurity standards that would be incorporated into existing programs, such as Medicare and Medicaid and the HIPAA Security Rule.

This idea was met with pushback by the American Hospital Association (AHA). In a statement following the release of the HHS concept paper, AHA President and CEO Rick Pollack expressed support for federal guidance and funding to improve cybersecurity.

But Pollack also said that the AHA “cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime.”

“No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks,” Pollack continued, pledging that the AHA would continue to work with Congress to develop policies that shield healthcare organizations from cyber risk.

On the other hand, experts argue that voluntary standards are simply not enough to get the sector to a state of resilience amid increasing cyber threats.

“There have been voluntary best practices and incentives, but people still aren’t doing them,” Ty Greenhalgh, industry principal of healthcare at Claroty and HHS 405(d) ambassador, told HealthITSecurity.

“But then, putting mandates on hospitals that are already cash-strapped without the proper incentives in place has the potential of doing more damage than it does good.”

HHS alluded to its plans for financially supporting implementation and incentivizing participation in its concept paper. One way it plans to do so is via an upfront investments program to help under-resourced providers cover CPG implementation costs. HHS also mentioned a broader incentives program that would encourage all hospitals to invest in enhanced CPGs.

Groome predicted that grant-based incentives would become the norm in the short term, while Medicare and Medicaid participation could be put on the line for noncompliance in the future, an action that would likely stir up additional dissent from industry groups during the rulemaking process.

Overall, experts agreed that the controls addressed in the essential and enhanced categories of the CPGs are all crucial to improving healthcare cybersecurity. Some of the goals, such as revoking credentials for departing workforce members and mitigating known vulnerabilities, require little upfront investment from healthcare organizations.

Even so, implementation and funding questions will remain a key focus area for HHS and stakeholders as organizations begin to measure themselves against these CPGs in preparation for future regulations.

“If these are funded mandates, I think everybody knows they need them and they will embrace them, and we will get there much less painfully,” Greenhalgh suggested. “I think if they are unfunded, we're going to see a fight during the proposed rulemaking process as to what's essential, and what's not essential, because there's a cost associated with each one of those.”

Greenhalgh expressed optimism in HHS’ and the industry’s ability to work through implementation challenges in a way that doesn’t overburden healthcare organizations that are already stretched thin.

“Overall, I think this is a really good step, and it is well thought-out,” Greenhalgh said. “I know HHS is thinking about all of these other aspects, but we don't know yet what the next steps in this are going to be.”

Codifying these CPGs into law will take time. But today, healthcare organizations can use this voluntary guidance to inform security decisions and prioritize implementing the CPGs that will have the biggest impact on reducing risk.