
Voluntary HHS Performance Goals Set the Foundation for High-Impact Cybersecurity Practices for Healthcare Organizations

February 15, 2024

In March 2023, the White House issued the National Cybersecurity Strategy, which details the U.S. Government’s approach to “improving the nation’s cyber defense and securing our digital infrastructure.” The healthcare and public health (HPH) sector has particularly high cybersecurity stakes given its reliance on protected health information (PHI). Exploited cybersecurity vulnerabilities in the HPH sector can disrupt patient care and put patient safety at risk.

With patient safety a core tenet of the U.S. Department of Health and Human Services (HHS), in December 2023 the agency published a concept paper on its Healthcare Sector Cybersecurity strategy. The concept paper highlights HHS’s current and planned steps to help the HPH sector “prepare for and respond to cyber threats,” including improving cyber resiliency and protecting patient safety.

The concept paper includes four primary pillars of action:

Publish voluntary HPH sector-specific cybersecurity performance goals.

Collaborate with Congress to develop incentives for organizations in the HPH sector to implement improved cybersecurity practices.

Increase enforcement and accountability for addressing cybersecurity risks and vulnerabilities across the HPH sector.

Enhance coordination within HHS and the Federal Government and deepen collaboration between the government and the industry to improve HPH sector cybersecurity.

To address the first pillar of action, in January 2024 HHS released new, voluntary cybersecurity performance goals (CPGs) for the HPH sector. These goals are designed to help healthcare organizations “prioritize the implementation of high-impact cybersecurity practices” to protect patient health information and safety. The goals address three important dimensions of a strong cybersecurity strategy:

  1. Strengthening preparedness to protect against cyberattacks.
  2. Improving response when incidents occur.
  3. Improving resiliency and minimizing residual risk after an attack has occurred.

The CPGs are broken into two categories: Essential goals, which are the foundational practices healthcare organizations need to address common cybersecurity vulnerabilities, and Enhanced goals, which are more mature and advanced practices to help healthcare organizations reach the next level of defense.

These healthcare-specific CPGs provide a practical framework for an organization to evaluate its cybersecurity preparedness. The goals will also become a critical component of a healthcare organization’s compliance program, providing a guide for prioritizing the organization’s efforts to build an effective cybersecurity program. The CPGs are designed to establish layered protections at different points of potential vulnerability, improving both the protection of patient safety and resiliency. This layered-defense approach provides redundancy: if one line of defense is compromised, additional layers provide a backstop to help thwart the threat.

The HPH sector-specific cybersecurity performance goals issued by HHS were built upon CISA’s CPGs and informed by the Healthcare Industry Cybersecurity Practices (HICP) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. While these CPGs are voluntary now, they can be expected to inform industry standards and future cybersecurity measures required under HIPAA and state laws. In addition to benchmarking a healthcare organization’s own cybersecurity efforts against the CPGs, an organization can use them to evaluate current and prospective technology vendor relationships.

Because the cybersecurity risk to healthcare organizations is profound, HHS has provided a valuable resource to help healthcare organizations mature their security model against cyber threats. In implementing these CPGs, organizations must also keep in mind the state laws and contractual obligations that apply to them.



Prioritize high-impact cybersecurity practices. Read the U.S. Department of Health and Human Services’ full concept paper for its complete, proactive approach to safeguarding healthcare entities.
