
Survey Raises Concerns About Cybersecurity Performance Goals (CPG) Awareness

One of the objectives of the HIPAA Journal 2024/25 Annual Survey was to obtain insights into HIPAA compliance best practices. This was so that organizations experiencing compliance challenges could use the information to resolve the challenges and better support compliance activities. However, the responses to one particular question demonstrate a lack of awareness about HHS’ Cybersecurity Performance Goals (CPGs).

In December 2023, the Department of Health and Human Services (HHS) published its strategy for Healthcare Sector Cybersecurity. The following month, the agency published voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to help organizations in the Healthcare and Public Health (HPH) sector address common vulnerabilities (Essential Goals) and mature their cybersecurity capabilities (Enhanced Goals).


Further information on each CPG can be found at https://hhscyber.hhs.gov/performance-goals.html 

At the time HHS published its strategy, the agency noted “voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector” and that the HHS’ Office for Civil Rights would work on an update to the HIPAA Security Rule to include new cybersecurity requirements for HIPAA compliance. The proposed update was published as a Notice of Proposed Rulemaking (NPRM) in January 2025.

The NPRM proposes to mandate many of the (currently) voluntary HHS HPH Cybersecurity Performance Goals, require greater specificity for HIPAA risk analyses, and strengthen the requirements for planning for contingencies and responding to security incidents. If finalized, the proposals will not only become standards required for HIPAA compliance, but may also be adopted by CMS as conditions for participation in Medicare and Medicaid.

Subscriber Awareness of the Cybersecurity Performance Goals

At around the same time as HHS published the proposed update, we invited subscribers to the HIPAA Journal Newsletter to participate in the HIPAA Journal 2024/25 Annual Survey. The anonymous survey consisted of forty questions on subjects such as the frequency of internal compliance audits, the nature of workforce training, and what technologies were being used to communicate electronic Protected Health Information.

The question that raises concerns about CPG awareness was “Has Your Organization Adopted the HHS HPH Cybersecurity Performance Goals?”. The responses were as follows:

Yes – Essential and Enhanced 8.00%
Yes – Essential Only 4.60%
Plan to Adopt within 1 year 31.00%
No Plans to Adopt 9.20%
Don’t Know 47.20%

The most significant takeaway from this question is that nearly half of the respondents (most of whom were solely or jointly responsible for HIPAA compliance in their organizations) did not know if they had adopted – or if they were planning to adopt – HHS’ HPH Cybersecurity Performance Goals. This was by far the highest “Don’t Know” response to any question in The HIPAA Journal 2024/25 Annual Survey and implies a lack of CPG awareness.

However, the implied lack of CPG awareness does not mean healthcare organizations are failing in their responsibilities to ensure the confidentiality, integrity, and availability of electronic Protected Health Information. The way in which many respondents answered survey questions relating to email security, cybersecurity training, and encryption suggests that at least 80% of respondents have adopted some CPGs – they just are not aware of it!

Why CPG Awareness Needs to be Improved

There are several reasons why CPG awareness needs to be improved. The first is that, if HHS’ proposals to update the HIPAA Security Rule are finalized in their current format, organizations that are CPG-aware will be better positioned to implement the necessary measures. Those who are not CPG-aware may struggle to compile asset inventories, conduct vulnerability scans and pen tests, and centralize security preparedness planning in the time allowed.

A further reason why CPG awareness needs to be improved is that, in the event of a data breach, HHS’ Office for Civil Rights has the authority to be flexible in how it settles enforcement actions if the violating organization can demonstrate twelve months’ compliance with a recognized security framework (see “What is the New HIPAA Safe Harbor Law?”). Compliance with HHS’ HPH Cybersecurity Performance Goals would help satisfy this requirement.

The third reason why CPG awareness in healthcare organizations needs to be improved is that, although there has been no mention of CPG compliance being a condition of participation in Medicare and Medicaid since the publication of the Healthcare Sector Cybersecurity strategy, emergency preparedness (EP) is already a condition of participation. It would be very simple for CMS to extend the existing EP Rule Elements to include HHS’ Cybersecurity Performance Goals.

What Can Healthcare Organizations Do Now?

Healthcare organizations that are not CPG-aware can improve their understanding by visiting HHS’ Performance Goals webpage and downloading the CPG PDF. The PDF contains links to sections of the Health Industry Cybersecurity Practices program (405(d)) relevant to each Goal, cross-references them with corresponding NIST guidelines, provides a description of what each Goal is intended to achieve (or mitigate), and the implementation specifications for each Goal.

Thereafter, it will be possible to compare the CPG requirements against measures already in place to comply with the HIPAA Security Rule and the CMS conditions of participation in Medicare and Medicaid. Healthcare organizations might also find it beneficial to review the preamble to HHS’ proposed Security Rule update (90 FR 898) to determine which CPGs may be mandated and understand how HHS’ Office for Civil Rights intends to apply them.

Considering that compliance with many of the CPGs may be mandatory within a year, healthcare organizations and other covered entities that require assistance navigating HHS’ Cybersecurity Performance Goals – and comparing them against existing security measures – are advised to seek independent HIPAA compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
