HHS releases healthcare cybersecurity goals

The Department of Health and Human Services (HHS) has released a new set of voluntary cybersecurity performance goals (CPGs) aimed at the clinical care and public health systems. The healthcare-specific objectives are designed to complement the Department of Homeland Security’s cross-sectional goals, released in 2023, and include suggestions “to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.” 

“These resiliency-based goals complement HHS’ ongoing work to improve cybersecurity in medical devices through the Food and Drug Administration’s establishment of pre-market cybersecurity requirements and recommendations for medical devices, and promote cybersecurity through the Office for Civil Rights’ continuous administration and enforcement of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach notification rules,” HHS says in its report. 

The goals are broken down into two primary groups: essential goals to help create a floor of cybersecurity safeguards; and enhanced goals to encourage ongoing maturity of the cybersecurity environment. 

Essential goals for healthcare cybersecurity 

The essential goals lay the groundwork for strong cybersecurity defenses in an environment where attackers are getting more sophisticated than ever. Some of the objectives include: 

• Implementing incident planning and preparedness programs to ensure timely and effective responses to threats or breaches 
• Mitigating known vulnerabilities to reduce opportunities for threat actors to exploit known loopholes in networks, including networks that are directly accessible from the internet 
• Enhancing user-centered safeguards such as improving email security, employing multifactor authentication, conducting basic cybersecurity training, and appropriately managing credentialing and privileges for current and former users 
• Monitoring and managing vendor and business associate relationships to identify and mitigate risks associated with third-party products and services 
• Deploying strong encryption to maintain the security and integrity of traffic in motion 

Enhanced goals to safeguard the health system of the future 

Organizations that have successfully addressed their basic cybersecurity needs can enhance their defenses with additional goals, including: 

• Conducting comprehensive asset inventories to identify known, unknown (shadow), and unmanaged assets that may include vulnerabilities 
• Establishing third-party vulnerability and incident reporting processes to discover, respond to, and report upon threats and incidents involving third-party entities 
• Completing regulator cybersecurity testing, incident planning, and mitigation protocols to quickly discover potential issues and act quickly to address high-priority problems 
• Implement network segmentation to separate mission-critical assets into discrete segments that minimize lateral movement by threat actors 
• Maintain consistent governance of telemetry from security log data sources and configuration management to ensure full visibility across the network at all times 

The full report includes detailed information about each goal and how to achieve compliance with these voluntary standards. HHS has also published a concept paper, aligned with the overall federal cybersecurity strategy, to provide additional insight into how these goals can support a safer environment for the clinical care and public healthcare systems. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.