The new Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs) offer healthcare providers the means of starting and maturing their cybersecurity measures.
The Healthcare Sector continues to be the subject of many cyberattacks - which result in mass data breaches, computer systems being shut down, and even delayed care for patients. Change Healthcare (owned by UnitedHealth Group), an organization that processes 15 billion healthcare transactions each year and is involved in a third of patient records, suffered a devastating cyberattack by BlackCat Ransomware in February. Attacks like these are expensive and far-reaching. An AHA (American Health Association) survey found that “94% of hospitals report financial impact, with more than half reporting ‘significant or serious’ impact.”
These cyberattacks have not gone unnoticed on a federal level. In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a free cybersecurity toolkit for the healthcare and public health (HPH) sector. Soon after, the US Department of Health and Human Services (HHS) released their own four-step cybersecurity strategy to combat the increasing cyber threats in the healthcare sector.
In January 2024, HHS completed the first step in the strategy and released voluntary health care and public health cybersecurity performance goals (HPH CPGs). According to the HPH, the CPGs were influenced by “common industry cybersecurity frameworks, guidelines, best practices, and strategies”, like the Healthcare Industry Cybersecurity Practices, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The performance goals are split into two groups, essential goals and enhanced goals. The essential goals serve as a baseline cybersecurity measure, aiming to help healthcare organizations protect themselves from cyber attacks, improve how they respond to incidents, and reduce remaining risks by establishing basic security measures.
Essential Goals:
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
The enhanced goals are the next level to the essential goals. They aim to support healthcare organizations in strengthening their cybersecurity capabilities and reaching an advanced level of defense to safeguard against new methods of attack.
Enhanced Goals:
- Asset Inventory (organize assets to better detect and respond to new vulnerabilities)
- Third Party Vulnerability Disclosure (setting up processes to discover and respond to vulnerabilities in assets from third parties)
- Third Party Incident Reporting (setting up processes to discover and respond to known security issues from third party providers)
- Cybersecurity Testing (including penetration testing and attack simulations)
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures
- Network Segmentation (separate critical assets into discrete networks)
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
These goals are voluntary… for now. The Centers for Medicare and Medicaid Services (CMS) said that it “expect[s] all payers to review and implement HHS’s voluntary HPH Cyber Performance Goals (CPGs)” in an update to Medicare regulations. The Change Healthcare cyber attack - which is costing some healthcare systems $100 million per day - is also driving a push for improved cybersecurity in the healthcare industry.
Senator Mark Warner (D-VA) is pushing for legislation that requires hospitals to have strong cybersecurity practices before they can get emergency payments from the government, saying that “We need to get some minimum cybersecurity standards into healthcare…We've been talking about this for some time without a lot of action.” As the future of healthcare cybersecurity develops, it’s clear that the HPH CPGs will be the first point of reference for many healthcare providers trying to protect their employees and patients from more cyberattacks.