With the digital transformation of the healthcare sector comes an ever-growing cybersecurity threat landscape. In response, the U.S. Department of Health and Human Services (HHS) has introduced a set of voluntary Cybersecurity Performance Goals (CPGs) aimed at strengthening the defenses of healthcare organizations against these threats.

Background of HPH’s Cybersecurity Performance Goals

In January 2024, the Department of Health and Human Services (HHS) introduced the Cybersecurity Performance Goals (CPGs) as a pivotal component of its expansive strategy aimed at strengthening healthcare cybersecurity. Crafted to assist the Healthcare and Public Health (HPH) sector in fortifying its defenses against evolving cyber threats, these CPGs encourage healthcare organizations to focus on implementing critical cybersecurity measures.

By prioritizing high-impact practices, these voluntary goals are designed to enhance cyber preparedness and resilience and to protect sensitive patient information. Drawing inspiration from CISA’s Cross-Sector CPGs and incorporating insights from established cybersecurity frameworks and the industry’s best practices—including the NIST Cybersecurity Framework (CSF) and Health Industry Cybersecurity Practices (HICP)—the CPGs address the primary cyber threats targeting U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis. This strategic move by HHS underscores its commitment to advancing the cybersecurity infrastructure within healthcare delivery organizations, ensuring a more secure and resilient healthcare system.

Essential vs. Enhanced Goals

The HPH CPGs are divided into essential and enhanced goals to provide a structured approach for healthcare organizations to reinforce their cybersecurity measures. Here’s a deeper look into what these categories entail and examples of each.

Essential Goals

The essential goals represent the minimum cybersecurity practices needed to establish a foundational level of security. They are designed to be broadly applicable and achievable for all healthcare organizations.

  1. Mitigate Known Vulnerabilities: Address vulnerabilities to prevent exploitation.
  2. Email Security: Implement measures to mitigate email-based threats.
  3. Multifactor Authentication (MFA): Add an extra layer of security for internet-accessible assets and accounts.
  4. Basic Cybersecurity Training: Educate organizational users on secure behaviors.
  5. Strong Encryption: Use encryption to protect sensitive data and maintain integrity.
  6. Revoke Credentials: Ensure former workforce members do not have unauthorized access.
  7. Basic Incident Planning and Preparedness: Develop strategies for effective response and recovery from cybersecurity incidents.
  8. Unique Credentials: Utilize unique credentials to detect unusual activity and prevent lateral movement within networks.
  9. Separate User and Privileged Accounts: Create separate accounts to reduce the risk of privileged account compromise.
  10. Vendor/Supplier Cybersecurity Requirements: Assess and mitigate third-party risks.

Enhanced Goals

Enhanced goals are aimed at organizations ready to take their cybersecurity to the next level, focusing on more sophisticated measures to protect against advanced threats.

  • Asset Inventory: Identify and manage all assets to detect and respond to risks swiftly.
  • Third-Party Vulnerability Disclosure and Incident Reporting: Establish processes for managing vulnerabilities and incidents involving third-party vendors.
  • Cybersecurity Testing and Mitigation: Conduct penetration testing and simulate attacks to find vulnerabilities, then quickly remediate them.
  • Detect and Respond to Threats and TTPs: Enhance the ability to detect and respond to cyber threats effectively.
  • Network Segmentation: Segregate critical assets to restrict unauthorized access and lateral movement.
  • Centralized Log Collection and Incident Planning: Collect and analyze log data for improved incident response. Develop comprehensive incident response plans.
  • Configuration Management: Define and maintain secure device and system settings.

By targeting both essential and enhanced goals, healthcare organizations can create a robust cybersecurity framework that not only addresses current threats but also prepares them for future challenges.

The Cyber Defense Matrix: Your Blueprint for HPH CPG Deployment

At the core of deploying the CPGs is the Cyber Defense Matrix. This tool categorizes the CPGs across five key domains of your IT infrastructure: Devices, Applications, Networks, Data, and Users. It is also deeply intertwined with NIST CSF 2.0 and HICP. This alignment ensures that healthcare cybersecurity leaders and practitioners can approach cybersecurity in a structured, industry-recognized manner, amplifying the effectiveness of their efforts.

6 Practical Steps for Implementing HPH CPGs

In a practical sense, applying the HPH CPGs can be broken down into a series of strategic actions that enhance your organization’s cyber defenses.

  1. Identify Your Assets and Risks: This foundational step resonates with the NIST CSF’s Identify function and is echoed in the HICP’s emphasis on risk management. By inventorying assets and assessing vulnerabilities, organizations set the groundwork for a cybersecurity strategy that is both proactive and responsive to the healthcare sector’s unique risks.
  2. Protect Your Organization: Implementing Essential Goals such as multifactor authentication and email security directly supports the Protect function of the NIST CSF and aligns with HICP’s call for robust access control and awareness training.
  3. Detect Threats Early: The matrix’s focus on enhancing detection capabilities through goals like centralized log collection mirrors the Detect function of the NIST CSF. It also aligns with HICP’s recommendation for continuous monitoring and anomaly detection to identify threats before they escalate.
  4. Respond with Precision: By refining incident response plans and practicing breach scenarios, organizations embody the Respond function of the NIST CSF, a key aspect also covered in HICP’s guidelines for developing and implementing response strategies.
  5. Recover and Learn: The emphasis on recovery plans and learning from incidents is in direct alignment with the Recover function of the NIST CSF. This approach is also reflected in HICP’s recommendation for resilience planning and improvement based on lessons learned from cybersecurity events.
  6. Recalibrate and Improve: The ongoing cycle of evaluating and improving your cybersecurity practices embodies NIST CSF’s principle of continuous enhancement and mirrors HICP’s emphasis on adapting to the dynamic cyber threat environment and technological progress. This approach ensures your organization remains proactive against threats and cultivates an enduring culture of cybersecurity advancement.

Conclusion

The HHS Cybersecurity Performance Goals mark a significant step forward in the quest for enhanced cybersecurity in the healthcare sector. Healthcare organizations are highly encouraged to align their cybersecurity strategies with these goals, not just for compliance, but to ensure the safety and security of patient data in an increasingly digital world.

To start your journey towards building cyber resilience at your healthcare organization, explore ArmorPoint’s cybersecurity program management solutions today.

About ArmorPoint

ArmorPoint, LLC is a managed cybersecurity solution that combines the three pillars of a robust cybersecurity program — people, processes, and technology — into a single solution. Designed by cybersecurity experts, ArmorPoint’s cloud-hosted SIEM technology and extended detection and response capabilities enable businesses to implement a highly-effective, scalable cybersecurity program. With customizable pricing available, every ArmorPoint plan offers a dynamic level of managed security services that support the risk management initiatives of all companies, regardless of available budget, talent, or time. ArmorPoint is developed and powered by Trapp Technology, Inc., a Phoenix-based IT managed services provider. To learn more about ArmorPoint, visit armorpoint.com.