
HHS Unveils Voluntary HPH Cybersecurity Performance Goals

The Department of Health and Human Services (HHS) has unveiled the Cybersecurity Performance Goals (CPGs) that were outlined in its December 2023 Healthcare Sector Cybersecurity Strategy. These voluntary goals will help healthcare organizations take the necessary steps to improve cybersecurity and guide them through implementing high-impact measures to quickly improve resilience to cyber threats and recover quickly should their defenses be breached.

Cyberattacks on healthcare organizations have increased significantly in recent years with 2023 breaking records for the number of notified HIPAA data breaches (725) and the number of breached records (133M). The HHS Cybersecurity Strategy aims to help the healthcare and public health (HPH) sector prepare for and respond to cyber threats, adapt to a rapidly changing threat landscape, and improve cyber resilience across the sector, with the establishment of voluntary cybersecurity goals the first step in that process.

The voluntary CPGs will help HPH sector organizations prioritize the implementation of high-impact cybersecurity practices – the practices that will do most to improve resilience against the most common attack vectors. As outlined in the HHS cybersecurity strategy, two tiers of CPGs have been developed: Essential CPGs and Enhanced CPGs. The Essential CPGs are relatively low-cost, minimum foundational cybersecurity practices that will greatly improve cybersecurity, and the Enhanced CPGs are intended to encourage the adoption of more advanced cybersecurity practices. The aim is for all healthcare delivery organizations to adopt the Essential CPGs, making it harder for cyber actors to gain access to their networks, and to incentivize them to mature their cybersecurity programs by adopting the Enhanced CPGs.

The CPGs were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, which were intended to serve as a cybersecurity baseline for all critical infrastructure entities. The HHS collaborated with CISA and the industry to develop the healthcare-specific CPGs, which were also informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies such as the National Cybersecurity Strategy, Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Layered Protection at Each Stage of the Attack Chain

The HPH CPGs are concerned with improving resiliency at all points in digital systems that can be exploited by cyber actors. The Essential CPGs will help HPH sector organizations address common vulnerabilities to improve their security posture, improve incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defenses against additional attack vectors.

Essential HPH CPGs

  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training for the Workforce
  • Strong Encryption for Sensitive Data in Transit
  • Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
  • Basic Incident Planning and Preparedness
  • Unique Credentials for All Members of the Workforce
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements

Enhanced CPGs

  • Asset Inventory
  • Third-Party Vulnerability Disclosure
  • Third-Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

“While the practices are not new, the HPH cybersecurity performance goals help to prioritize certain cybersecurity objectives for the healthcare and public health sectors. The goals also provide references to specific outcomes from existing frameworks, control sets, and practice guides already used in healthcare, such as the 405(d) Health Industry Cybersecurity Practices, NIST Cybersecurity Framework v1.1, and NIST Special Publication 800-53 rev5,” Steve Cagle, Clearwater CEO, and AEHIS board member, told the HIPAA Journal. “Defining how to achieve these goals through these specific references may reduce some of the perceived ambiguity related to the implementation of cybersecurity practices. It’s also possible that these goals will appear as requirements in future regulation, and this might help to drive more consistent cybersecurity hygiene and maturity, as well as compliance.”

OCR has made it clear that the CPGs will be voluntary, but HHS Deputy Secretary Andrea Palm explained that the CPGs will inform future rulemaking. “We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.” That includes new cybersecurity requirements for healthcare organizations that participate in Medicare and Medicaid programs, and the updates to the HIPAA Security Rule that OCR plans to announce in Spring 2024. Should any of these cybersecurity measures be included in regulatory updates, HIPAA-regulated entities will be given time to implement them, and the updates will be subject to standard notice and comment periods.

In its cybersecurity strategy, the HHS outlined plans to make funds available to help under-resourced healthcare delivery organizations make the necessary investments in cybersecurity by covering the initial costs of implementing the Essential CPGs. The HHS also plans to create an incentive program to encourage the adoption of the Enhanced CPGs. The establishment of these programs to help financially challenged hospitals is essential: while the creation of the CPGs is a great first step, many healthcare delivery organizations simply do not have the funding available to make the investments needed to improve cybersecurity.

“It’s important to note that these goals reflect only the baseline security practices that HHS believes must be met to mitigate threats broadly facing the healthcare industry. A key function of the Board is to ensure that the organization is assessing and managing risk. Being accountable for basic controls is not enough, and my concern is that some organizations may think once these are in place, they are ‘covered.’ Even with these controls in place, the healthcare organization must conduct a comprehensive risk analysis of all its systems with ePHI (as required by the HIPAA Security Rule) and determine the level of residual risk that remains for each of these systems,” explained Cagle. “The Board should ensure that this process is taking place on an ongoing basis, and the risk owners — those system owners, clinicians, and others in the organization — must take ownership of that risk and take steps to reduce it to an acceptable level. While the Board can and should provide the mandate and resources to do this, it’s up to everyone to ensure that the risk analysis and risk response process is ongoing and comprehensive in scope.”

The HPH CPGs are detailed in an 11-page PDF document that can be accessed on the HHS HPH Cyber website.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com