HHS Unveils Healthcare Cybersecurity Performance Goals

January 24, 2024 - HHS has released sector-specific cybersecurity performance goals (CPGs) to help the sector prioritize key security actions and reduce risk. The voluntary CPGs consist of “essential” and “enhanced” goals, establishing minimum security practices as well as advanced strategies to guide organizations of all security maturity levels.

The release of the CPGs follows HHS’ December 2023 healthcare sector cybersecurity concept paper, which established an overarching cybersecurity strategy for the sector at the national level. The concept paper centered around four actions that HHS plans to take in the near future, the first of which was publishing voluntary healthcare and public health sector CPGs.

The Cybersecurity and Infrastructure Security Agency (CISA) already maintains its own voluntary CPGs that serve as a benchmark for critical infrastructure entities to measure security maturity. The healthcare-specific CPGs were built upon this structure and informed by existing frameworks, including the Healthcare Industry Cybersecurity Practices, the National Cybersecurity Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

“The HPH CPGs are designed to ensure layered protection at different stages of the attack chain, or points in digital systems that can be exploited, which is crucial to mitigating the impacts of cybersecurity incidents if and when they occur,” HHS states in the document, which is accompanied by the HPH Cybersecurity Gateway and a guided course that gives practitioners a tour of the CPGs.  

The essential goals help healthcare organizations address common vulnerabilities and establish baseline security protocols to minimize risk. This category consists of goals such as email security, multi-factor authentication, basic cybersecurity training, and vendor cybersecurity requirements.

For organizations that have already met the essential goals, the enhanced goals provide an opportunity to level-up security maturity. The enhanced goals consist of actions such as establishing an asset inventory, network segmentation, configuration management, and centralized log collection.

Each goal is mapped to a specific desired outcome that aligns with HICP practices and NIST standards.

In addition to providing a detailed overview of the goals, HHS provided healthcare organizations with a Cyber Defense Matrix, which maps out the ways in which the CPGs can provide protection across the organization’s IT enterprise.

“Taken together, the HPH CPGs offer a sound foundation for cyber preparedness and resiliency for healthcare organizations,” HHS states.

Now that the CPGs have been released, HHS will likely set its sights on achieving related goals mentioned in the concept paper – one of which is obtaining resources to incentivize healthcare organizations to implement these CPGs. What’s more, the concept paper stressed the importance of HHS working with Congress to obtain additional funding for this purpose and helping under-resourced hospitals cover the costs of implementing these practices.

The CPGs are voluntary at the moment, but the concept paper made it clear that these standards could become mandated in the future.

“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years,” HHS noted in the paper. “With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”