Few pieces of data are as intimate and private as health records. Because of the sensitive nature of the data, important financial details (like insurance and HSA accounts) are at risk alongside it. And because downtime on clinical systems can endanger human life, protecting those systems is critical too.
These things all contribute to the healthcare industry being a top target—and make healthcare security one of the biggest games of cat and mouse between organizations, regulators, and attackers.
And the data suggests the scale is growing. In 2023, hackers compromised more than 133 million healthcare records, up from 51.9 million the year prior. The cost has increased too: in 2023, the average payout to attackers was $1.5M, as opposed to “just” $800k in 2022.
All this means that regulators must act to ensure this trend reverses and that we protect more data and lives. That’s where the HHS Cybersecurity Performance Goals come into play.
THAT’S ENOUGH CONTEXT — LET’S GET TO THE GOOD PART
Who Is the HHS, and What Does the HHS Do?
The HHS is the U.S. Department of Health and Human Services. Its mission is to improve the health of American citizens by advancing science, medicine, public health, and social services.
The HHS runs a network of cybersecurity organizations and resources that help healthcare organizations improve their cyber resilience. This support comes partly from the regulations mentioned above.
Most recognized is the Office for Civil Rights (OCR).
What is the OCR and What are Their Findings?
At its core, the OCR’s job is to protect the privacy and security of health information. Notably, they enforce the Health Insurance Portability and Accountability Act—commonly referred to as HIPAA.
If your organization handles Protected Health Information (PHI), you must follow HIPAA rules. These rules include privacy, security practices, and breach notifications.
The OCR saw a 93% rise in large breaches reported from 2018 to 2022, and a 273% increase in breaches that involved ransomware over the same period.
This issue needs attention on a larger scale. In December 2023, the HHS announced it would release a cybersecurity strategy for the health sector.
This four-pronged approach intends to improve resilience among healthcare organizations, as highlighted by the HHS Cybersecurity Performance Goals.
What are the HHS Cybersecurity Performance Goals?
At their core, the HHS Cybersecurity Performance Goals set a floor of cybersecurity best practices to help healthcare organizations improve their security posture. Ultimately, the idea is to better secure protected healthcare information.
The HHS released the CPGs in January 2024 and split them into two levels—essential and enhanced goals.
Several security strategies—like the NIST Cybersecurity Framework and Health Industry Cybersecurity Practices (HICPs)—support the goals. These goals focus on common attack methods used against U.S. hospitals and clinics.
These security practices are currently voluntary. However, we expect regulatory agencies to enforce new requirements by the end of 2024. These will come from existing regulations, like HIPAA.
Essential CPGs
Essential goals are exactly what they sound like. To adequately safeguard data and protect sensitive information, healthcare organizations must implement these measures.
The essential goals address common vulnerabilities by setting a floor of safeguards that will better protect your organization from cyberattacks, improve response when events occur, and minimize residual risks.
Enhanced CPGs
Once organizations complete essential goals, they can focus on the enhanced goals.
The enhanced goals aim to help organizations reach an elevated level of defense—ultimately maturing cybersecurity capabilities and protecting against additional and advanced attack vectors.
Our HHS Cybersecurity Performance Goals (CPGs) Checklists
New regulations, technologies, and best practices come and go, but the challenges security leaders face remain constant.
- What can I do to minimize the chance of a breach?
- What regulations do I have to adhere to?
- How do I prioritize a limited budget and stretched bandwidth?
- How do I track and prove our progress?
With the upcoming HHS CPG requirements for healthcare organizations in mind, we have created two checklists.
They cover the essential and the enhanced CPGs respectively, and show the control and practice requirements that hospitals and clinics need to follow as part of the guidance.
To use them, simply review the list(s) and check off the boxes as you add capabilities. This will help you see what you still need to finish.

Here’s what’s in them:
Essential Goals Checklist
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Enhanced Goals Checklist
- Asset Inventory
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
A General Note on Compliance, Risk, and Security Best Practices
We’ve been working with companies to improve their cybersecurity postures for nearly two decades.
In doing so, we’ve noticed that compliance does not equal security.
We strongly believe that creating fundamental security practices is essential for protecting information. Risk-based decisions should be our top priority. And, if done properly, compliance can and will be a byproduct.
These HHS cybersecurity goals are a good start. However, we suggest a complete four-phase cyber risk assessment that examines administrative, internal technical, external technical, and physical controls.
This approach will help establish a baseline for overall risk and allow you to prioritize efforts and spending.
If you assess and manage risk properly, you will finish these checklists in the process!
If you have questions about the HHS cybersecurity goals and checklists, risk assessments, or cyber mapping, please ask us!