Department of Health and Human Services (HHS) Cybersecurity Performance Goals (CPGs)

Department of Health and Human Services (HHS) Healthcare Cybersecurity Performance Goals (CPGs)

A Voluntary Checklist for HIPAA Compliance

Prioritization of cybersecurity efforts and dollars can be a challenging endeavor. To quell some of those challenges, we’ve created a checklist that mirrors and helps satisfy healthcare cybersecurity performance goals created by the HHS.

Essential CPGs Checklist

Download this checklist to help set a floor of data safeguards for your organization.


Enhanced CPGs Checklist

Download this checklist to help your organization up its level of security—protecting against advanced threats.


About the HHS's Healthcare Cybersecurity Performance Goals (CPGs)

Since 2018, there’s been a major uptick in cyber incidents. The OCR noticed a 93% increase in large breaches reported from 2018-2022, and a 273% increase in those that included ransomware. As such, the HHS has created a set of healthcare cybersecurity performance goals (CPGs) for organizations to strive toward—improving their security posture and ultimately protecting more personal patient information. As a service provider with decades of experience working with healthcare organizations—focusing on doing security correctly and achieving compliance as a byproduct of good practice—we’ve created a checklist of practical security measures you can take to achieve these goals. These goals are broken down into Essential Goals and Enhanced Goals to either set a floor of safeguards or add a layer of protection against advanced threats, respectively. 


How to Use the CPG Checklists

Essential Goals vs. Enhanced Goals

Essential Goals

Essential goals are exactly what they sound like. To adequately safeguard data and protect sensitive information, these must be implemented.

The essential goals address common vulnerabilities by setting a floor of safeguards that will better protect your organization from cyberattacks, improve response when events occur, and minimize residual risks. 

Enhanced Goals

Once essential goals are completed, organizations can focus on the enhanced goals. 

The enhanced goals aim to help organizations reach a next level of defense—ultimately maturing cybersecurity capabilities and protecting against additional and advanced attack vectors.

These checklists will help you prioritize efforts, build a better security program, and better safeguard data. Download the documents, check the boxes on this page, and print them off!

Essential Goals Checklist

Mitigate Known Vulnerabilities

Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the internet.



  •  Provide risk management updates to executive management
  •  Executive management make risk treatment decisions
  •  Prioritize and assign deadlines to risk treatment tasks
  •  Address administrative, physical, and technical risks in the risk management program
  •  Develop a schedule to periodically review the information security training program
  •  Include administrative, physical, and technical control review in vendor risk assessments
  •  Include security provisions/requirements in vendor contracts
  •  Instruct personnel to notify security immediately if they encounter unescorted/unauthorized visitors
  •  Configure firewalls to secure traffic between remote sites
  •  Route all untrusted network access through firewalls
  •  Enforce inter-WAN traffic restrictions to allow only the traffic required for essential services
  •  Employ encryption (VPN) or private networking (MPLS) to protect the network traffic between sites
  •  Implement similar network security controls at all sites
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Restrict file sharing and transfers between remote access and internal systems
  •  Configure strong encryption on all remote access traffic
  •  Segment remote access traffic from internal trusted networks
  •  Monitor remote access connection attempts and traffic
  •  Restrict remote access privileges to personnel with a specific business need
  •  Periodically review all remote access privileges and rights
  •  Periodically scan the network for vulnerabilities
  •  Review the results of vulnerability scanning and remediation efforts
  •  Regularly scan for vulnerabilities with an independent scanner
  •  Ensure vulnerability scans are appropriately authenticated
  •  Periodically scan for back-channel connections to the Internet that bypass the DMZ
  •  Conduct external vulnerability scans at least quarterly
  •  Ensure that external vulnerability scans are reviewed by knowledgeable and authorized personnel
  •  Develop procedures for the conduct of external vulnerability scanning
  •  Review all external vulnerability scan reports according to a documented process
  •  Test all web applications for security flaws on a regular basis
  •  Require that web applications are subjected to security testing when changes are made
  •  Develop formal criteria for the treatment of identified risks and ensure that management is involved in all risk decisions
  •  Perform searches of the Internet for sensitive information exposed
  •  Review and address the sensitive information discovered on social media
  •  Review and address the sensitive information discovered on file sharing websites
  •  Review and address the sensitive information discovered on internet-accessible systems
  •  Review and address the publicly available information discovered
  •  Remediate/remove all critical-severity vulnerabilities immediately
  •  Remediate/remove all high-severity vulnerabilities within 7 days
  •  Remediate/remove vulnerabilities with known exploits immediately
  •  Address all medium-severity vulnerabilities
  •  Review the medium-severity vulnerabilities and make your risk decisions
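The remediation timelines in the list above (critical and known-exploit findings immediately, high severity within 7 days, medium severity reviewed with a documented risk decision) are easy to state and easy to lose track of across hundreds of scan findings. The following Python is an added example, not part of the checklist or the author's tooling: it applies those timelines to a set of constructed scan findings and produces a status per finding that can feed the review step. The scanner output fields and the sample hosts are assumptions made for illustration.

```python
"""Triage open vulnerability-scan findings against the checklist's remediation
timelines. Example code added to illustrate the checklist; the finding fields
and sample data below are constructed, not a real scanner's export."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str          # "critical", "high", "medium" or "low"
    known_exploit: bool    # scanner flagged a publicly known exploit
    first_seen: date       # date the finding first appeared in a scan


def remediation_deadline(f: Finding) -> date | None:
    """Deadline implied by the checklist.

    Critical findings and anything with a known exploit are due immediately,
    which we model as the day of detection; high severity gets 7 days;
    medium and low have no fixed deadline but medium needs a risk decision.
    """
    if f.severity == "critical" or f.known_exploit:
        return f.first_seen
    if f.severity == "high":
        return f.first_seen + timedelta(days=7)
    return None


def triage(findings, today: date, risk_decisions: dict[tuple[str, str], str]):
    """Classify each open finding for the remediation review.

    Returns {(host, title): status} where status is one of
      "overdue"             past its deadline
      "due"                 deadline not yet passed
      "needs_risk_decision" medium severity with no recorded decision
      "accepted"            medium severity with a recorded decision
      "tracked"             low severity, no action required by the checklist
    """
    report = {}
    for f in findings:
        key = (f.host, f.title)
        deadline = remediation_deadline(f)
        if deadline is not None:
            report[key] = "overdue" if today > deadline else "due"
        elif f.severity == "medium":
            report[key] = "accepted" if key in risk_decisions else "needs_risk_decision"
        else:
            report[key] = "tracked"
    return report


# Constructed sample findings (hypothetical hosts and titles).
SAMPLE_FINDINGS = [
    Finding("web-01", "Outdated TLS library", "critical", False, date(2024, 3, 1)),
    Finding("vpn-01", "Appliance flaw with public exploit", "medium", True, date(2024, 3, 4)),
    Finding("mail-01", "Weak cipher suites", "high", False, date(2024, 2, 28)),
    Finding("app-02", "Missing patch on legacy app server", "high", False, date(2024, 2, 20)),
    Finding("db-01", "Verbose error pages", "medium", False, date(2024, 2, 20)),
    Finding("kiosk-01", "Banner discloses version", "low", False, date(2024, 2, 1)),
]
# Risk decisions recorded by management for medium findings (constructed).
SAMPLE_DECISIONS = {("db-01", "Verbose error pages"): "accepted until platform upgrade"}


def sample_report(today: date = date(2024, 3, 5)):
    """Run the triage over the constructed sample as of the given date."""
    return triage(SAMPLE_FINDINGS, today, SAMPLE_DECISIONS)


if __name__ == "__main__":
    for (host, title), status in sample_report().items():
        print(f"{status:20s} {host:10s} {title}")
```

Note that a medium-severity finding with a known exploit is treated as "immediately" rather than as a risk decision, which matches the ordering of the checklist items: the exploit rule overrides the severity rule.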

Email Security

Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.



  •  Document network security requirements in policy
  •  Develop network diagrams and processes to update them
  •  Develop data flow diagrams and processes to update them
  •  Conduct internal penetration tests at least annually
  •  Conduct a risk assessment to determine security requirements for network segmentation
  •  Adopt a graduated set of security controls between network segments
  •  Segregate networks based on the value and classification of the data processed
  •  Configure gateway devices in accordance with an access control policy
  •  Ensure developer access is removed prior to implementation into production
  •  Document a vendor risk management policy
  •  Provide security training to financial employees, specific to their role
  •  Use strong authentication for all access to financial systems
  •  Validate the identity of all visitors accessing non-public areas
  •  Configure firewalls to secure traffic between remote sites
  •  Enforce inter-WAN traffic restrictions to allow only the traffic required for essential services
  •  Employ encryption (VPN) or private networking (MPLS) to protect the network traffic between sites
  •  Disable all inactive/unapproved switch ports
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Restrict file sharing and transfers between remote access and internal systems
  •  Implement a Mobile Device Management (MDM) solution
  •  Adopt processes for managing personal devices (BYOD)
  •  Enforce encryption of all organizational data stored on mobile devices
  •  Enforce authentication on mobile devices containing organizational data
  •  Adopt remote wipe capabilities on mobile devices containing organizational data
  •  Enforce encryption on all communications between mobile devices and information resources
  •  Conduct external vulnerability scans at least quarterly
  •  Test all web applications for security flaws on a regular basis
  •  Conduct penetration testing on all externally facing systems at least annually
  •  Audit all internet-facing systems regularly
  •  Perform searches of the Internet for sensitive information exposed
  •  Review and address the sensitive information discovered on social media
  •  Review and address the sensitive information discovered on file sharing websites
  •  Review and address the sensitive information discovered on internet-accessible systems
  •  Review and address the publicly available information discovered
  •  Reconfigure DNS servers to restrict unauthorized zone transfer
  •  Regularly audit the ports open to the internet
  •  Disable administrative login pages or restrict traffic to only that which is explicitly required
  •  Disable administrative login pages or secure with multi-factor authentication (MFA)
  •  Disable user login pages or secure with multi-factor authentication (MFA)
  •  Remediate/remove vulnerabilities with known exploits immediately

Multifactor Authentication

Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the internet.


 
  •  Document an access control policy
  •  Require periodic user account reviews in policy
  •  Develop policies for user registration and de-registration requirements
  •  Document processes for account management
  •  Ensure user account management activities are authorized and auditable
  •  Document procedures for management of system accounts
  •  Prohibit the use of shared user accounts
  •  Disable user accounts immediately when personnel leave
  •  Adopt a process to identify and disable redundant accounts
  •  Inventory all system/service accounts
  •  Adopt processes to audit access controls
  •  Use strong authentication for all access to financial systems
  •  Install access controls to separate all public spaces from non-public spaces
  •  Validate the identity of all visitors accessing non-public areas
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Enforce authentication on mobile devices containing organizational data
  •  Use unique credentials for managing logging systems
  •  Disable administrative login pages or secure with multi-factor authentication (MFA)
  •  Disable user login pages or secure with multi-factor authentication (MFA)

Basic Cybersecurity Training

Ensure organizational users learn and perform more secure behaviors.


 
  •  Develop a formal information security awareness, education, and training program
  •  Develop an information security awareness training policy
  •  Develop a process to ensure that information security training occurs prior to granting access to information resources
  •  Define a schedule for security awareness training
  •  Develop role-based security training requirements
  •  Adopt a strategy for communicating management’s commitment to information security
  •  Develop a schedule to periodically review the information security training program
  •  Measure the effectiveness of information security training activities
  •  Document rules for use and provisioning of privileged access
  •  Provide training to users on use of data encryption
  •  Provide security training to financial employees, specific to their role
  •  Include facility security and safety in an employee training program
  •  Provide security requirements and emergency procedures to all visitors
  •  Address clear desk/screen in periodic user awareness training

Strong Encryption

Deploy encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion.



  •  Document an encryption policy
  •  Document management’s approach to encryption in policy
  •  Conduct a risk assessment targeted on use and deployment of encryption
  •  Document encryption requirements for data in transit
  •  Document policy & procedures for encryption key management
  •  Define roles and responsibilities for encryption management
  •  Ensure all users are provided with tools and training to encrypt data
  •  Address loss/compromise of encryption keys in incident response processes
  •  Provide training to users on use of data encryption
  •  Develop network diagrams and processes to update them
  •  Develop data flow diagrams and processes to update them
  •  Configure gateway devices in accordance with an access control policy
  •  Ensure developer access is removed prior to implementation into production
  •  Document a vendor risk management policy
  •  Provide security training to financial employees, specific to their role
  •  Enforce inter-WAN traffic restrictions to allow only the traffic required for essential services
  •  Employ encryption (VPN) or private networking (MPLS) to protect the network traffic between sites
  •  Disable all inactive/unapproved switch ports
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Restrict file sharing and transfers between remote access and internal systems
  •  Configure strong encryption on all remote access traffic
  •  Implement a Mobile Device Management (MDM) solution
  •  Adopt processes for managing personal devices (BYOD)
  •  Enforce authentication on mobile devices containing organizational data
  •  Adopt remote wipe capabilities on mobile devices containing organizational data
  •  Enforce encryption on all communications between mobile devices and information resources
  •  Ensure backup data is encrypted while in transport
  •  Conduct external vulnerability scans at least quarterly
  •  Test all Web applications for security flaws on a regular basis
  •  Conduct penetration testing on all externally facing systems at least annually
  •  Audit all internet-facing systems regularly
  •  Perform searches of the Internet for sensitive information exposed
  •  Review and address the sensitive information discovered on social media
  •  Review and address the sensitive information discovered on file sharing websites

Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers

Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers by removing access promptly.



  •  Create a process to perform background and verification checks on all employees
  •  Establish a screening process for contractors and third-party personnel
  •  Evaluate and document background check requirements for employees based on role
  •  Develop and adopt processes for employment verification
  •  Develop a process to validate candidate CV/resumes
  •  Develop a process to validate candidate academic and professional qualifications
  •  Develop and adopt processes for background checks in accordance with relevant laws and regulations
  •  Develop a process to ensure that information security training occurs prior to granting access to information resources
  •  Document an access control policy
  •  Require periodic user account reviews in policy
  •  Develop policies for user registration and de-registration requirements
  •  Document processes for account management
  •  Ensure user account management activities are authorized and auditable
  •  Document procedures for management of system accounts
  •  Prohibit the use of shared user accounts
  •  Disable user accounts immediately when personnel leave
  •  Adopt a process to identify and disable redundant accounts
  •  Inventory all system/service accounts
  •  Adopt processes to audit access controls
  •  Document personnel privacy expectations
  •  Define a process to discipline personnel for information security non-compliance
  •  Reward personnel for complying and participating in information security improvement efforts
  •  Consider employee incentives and/or performance measurements related to information security
  •  Use strong authentication for all access to financial systems
  •  Install access controls to separate all public spaces from non-public spaces
  •  Validate the identity of all visitors accessing non-public areas
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Use unique credentials for managing logging systems

Basic Incident Planning and Preparedness

Ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.


 
  •  Add insurer requirements to the Incident Response Plan
  •  Add insurer notification to the Incident Response Plan
  •  Adopt a strategy for communicating management’s commitment to information security
  •  Address loss/compromise of encryption keys in incident response processes
  •  Document and communicate vendor responsibilities in incident management
  •  Include security provisions/requirements in vendor contracts
  •  Define criteria for sharing incident information with external parties
  •  Develop a facility physical security plan and supporting processes

Unique Credentials

Use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.


 
  •  Document an access control policy
  •  Require periodic user account reviews in policy
  •  Develop policies for user registration and de-registration requirements
  •  Document processes for account management
  •  Ensure user account management activities are authorized and auditable
  •  Document procedures for management of system accounts
  •  Prohibit the use of shared user accounts
  •  Disable user accounts immediately when personnel leave
  •  Adopt a process to identify and disable redundant accounts
  •  Inventory all system/service accounts
  •  Adopt processes to audit access controls
  •  Use strong authentication for all access to financial systems
  •  Install access controls to separate all public spaces from non-public spaces
  •  Validate the identity of all visitors accessing non-public areas
  •  Apply multi-factor authentication (MFA) to all remote access connections
  •  Use unique credentials for managing logging systems

Separate User and Privileged Accounts

Establish secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised.


 
  •  Document an access control policy
  •  Add roles and responsibilities for asset owners in policy
  •  Include physical and logical access control requirements in policy
  •  Address information dissemination in policy
  •  Address access rights management in policy
  •  Add requirements for access control role segmentation in policy
  •  Require that access requests are documented and authorized in policy
  •  Document rules for use and provisioning of privileged access
  •  Adopt role-based access control
  •  Adopt processes to audit access controls
  •  Ensure developer access is removed prior to implementation into production
  •  Mandate dual control for all financial transactions exceeding a certain dollar amount
  •  Mandate dual control for all changes to payments accounts
  •  Require visitors to obtain authorization to access non-public areas
  •  Periodically review office security access rights
  •  Restrict remote access privileges to personnel with a specific business need
  •  Periodically review all remote access privileges and rights
  •  Implement a Mobile Device Management (MDM) solution
  •  Ensure vulnerability scans are appropriately authenticated

Vendor/Supplier Cybersecurity Requirements

Identify, assess, and mitigate third-party product and service risks.


 
  •  Define roles and responsibilities for vendor risk management
  •  Include security provisions/requirements in vendor contracts
  •  Document personnel privacy expectations

Enhanced Goals Checklist

Asset Inventory

Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to potential risks and vulnerabilities.


 
  •  Develop, approve, and adopt a formal asset management policy
  •  Include all physical devices and systems in an asset inventory
  •  Include software in an asset inventory
  •  Develop documented procedures to support asset management policies
  •  Develop a process to regularly update asset inventories
  •  Define roles and responsibilities for asset management
  •  Develop a method to centrally manage the asset inventory
  •  Develop policy and procedure to ensure asset inventories are updated at least annually
  •  Revise practices to account for the entire asset lifecycle
  •  Include physical and logical access control requirements in policy
  •  Increase the scope of change management practices
  •  Develop network diagrams and processes to update them
  •  Adopt a graduated set of security controls between network segments
  •  Configure gateway devices in accordance with an access control policy
  •  Compile an inventory of all vendors employed by the organization
  •  Actively monitor financial accounts
  •  Disable all inactive/unapproved switch ports
  •  Implement 802.1x (or port-based network access control)
  •  Monitor remote access connection attempts and traffic
  •  Regularly scan for vulnerabilities with an independent scanner
  •  Ensure vulnerability scans are appropriately authenticated
  •  Periodically scan for back-channel connections to the Internet that bypass the DMZ
  •  Conduct external vulnerability scans at least quarterly
  •  Test all Web applications for security flaws on a regular basis
  •  Audit all internet-facing systems regularly
  •  Regularly audit the ports open to the internet

Third-Party Vulnerability Disclosure

Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.


 
  •  Establish an information security risk management program
  •  Develop a schedule to periodically review the information security training program
  •  Document a vendor risk management policy
  •  Compile an inventory of all vendors employed by the organization
  •  Classify all vendors according to the inherent risks they pose to the organization
  •  Adopt a process to ensure all vendors receive the appropriate level of scrutiny for security risk
  •  Review the risks inherent in vendor relationships at least annually
  •  Perform validated risk assessments on high-risk vendors
  •  Include administrative, physical, and technical control review in vendor risk assessments
  •  Define roles and responsibilities for vendor risk management
  •  Document and communicate vendor responsibilities in incident management
  •  Include security provisions/requirements in vendor contracts

Third-Party Incident Reporting

Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.


 
  •  Develop a schedule to periodically review the information security training program
  •  Document a vendor risk management policy
  •  Review the risks inherent in vendor relationships at least annually
  •  Define roles and responsibilities for vendor risk management
  •  Include security provisions/requirements in vendor contracts
  •  Document personnel privacy expectations

Cybersecurity Testing

Establish processes to promptly discover and responsibly share vulnerabilities in assets discovered through penetration testing and attack simulations.


 
  •  Include security provisions/requirements in vendor contracts
  •  Instruct personnel to notify security immediately if they encounter unescorted/unauthorized visitors
  •  Perform searches of the Internet for sensitive information exposed
  •  Review and address the sensitive information discovered on social media
  •  Review and address the sensitive information discovered on file sharing websites
  •  Review and address the sensitive information discovered on internet-accessible systems
  •  Review and address the publicly available information discovered

Cybersecurity Mitigation

Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.


 
  •  Include security provisions/requirements in vendor contracts
  •  Instruct personnel to notify security immediately if they encounter unescorted/unauthorized visitors
  •  Perform searches of the Internet for sensitive information exposed
  •  Review and address the sensitive information discovered on social media
  •  Review and address the sensitive information discovered on file sharing websites
  •  Review and address the sensitive information discovered on internet-accessible systems
  •  Review and address the publicly available information discovered

Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP)

Ensure organizational awareness of and ability to detect relevant threats and TTPs at endpoints, and ensure organizations can secure entry and exit points to their networks with endpoint protection.


 
  •  Evaluate internal and external threats in the risk management program
  •  Address administrative, physical, and technical risks in the risk management program
  •  Develop a schedule to periodically review the information security training program
  •  Include administrative, physical, and technical control review in vendor risk assessments
  •  Actively monitor financial accounts
  •  Inspect all incoming materials before moving them to internal areas
  •  Monitor remote access connection attempts and traffic

Network Segmentation

Mission-critical assets are separated into discrete network segments to minimize lateral movement by threat actors after initial compromise.


 
  •  Ensure all users are provided with tools and training to encrypt data
  •  Document network security requirements in policy
  •  Develop network diagrams and processes to update them
  •  Develop data flow diagrams and processes to update them
  •  Conduct internal penetration tests at least annually
  •  Conduct a risk assessment to determine security requirements for network segmentation
  •  Adopt a graduated set of security controls between network segments
  •  Segregate networks based on the value and classification of the data processed
  •  Configure gateway devices in accordance with an access control policy
  •  Isolate development and testing environments from production
  •  Configure firewalls to secure traffic between remote sites
  •  Route all untrusted network access through firewalls
  •  Enforce inter-WAN traffic restrictions to allow only the traffic required for essential services
  •  Employ encryption (VPN) or private networking (MPLS) to protect the network traffic between sites
  •  Disable all inactive/unapproved switch ports
  •  Implement 802.1x (or port-based network access control)
  •  Use firewall rules or VLANs with Access Control Lists (ACLs) to restrict traffic between network segments
  •  Implement a separate and isolated management network
  •  Stop use of all insecure network management protocols
  •  Replace all unmanaged network equipment with managed equipment
  •  Configure a separate subnet for security-specific systems
  •  Restrict file sharing and transfers between remote access and internal systems
  •  Segment remote access traffic from internal trusted networks
  •  Periodically scan for back-channel connections to the Internet that bypass the DMZ
  •  Regularly audit the ports open to the internet

Centralized Log Collection

Collect the necessary telemetry from security log data sources within an organization’s network to maximize visibility and cost-effectiveness and to speed up incident response.


 
  •  Ensure user account management activities are authorized and auditable
  •  Set up tracking and periodic audits on change management requests
  •  Develop an internal information security audit program that is authorized by policy
  •  Document an information security audit schedule
  •  Adopt processes to audit access controls
  •  Coordinate audit activities with systems, application, and data owners
  •  Define the scope, methodology, and timing for audit activities
  •  Adopt access controls appropriate for audit activities that are logged and monitored
  •  Ensure that audit results are shared with senior management
  •  Document the different types of audits undertaken by the organization
  •  Define retention periods for audit results
  •  Adopt processes for the aggregation and correlation of log events from multiple systems
  •  Ensure that log analysis is performed and reviewed periodically
  •  Configure all systems to synchronize time with the same authoritative time source
  •  Use unique credentials for managing logging systems
  •  Employ a centralized logging system that is isolated from the monitored systems
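The aggregation, correlation and time-synchronization items above are related: events from different systems can only be correlated when their timestamps refer to the same clock. The Python below is an added example, not code from the checklist or its author: it ingests constructed log lines from two hypothetical sources (a VPN concentrator logging in UTC and a firewall logging in local time), normalizes every timestamp to UTC, reports any source whose clock disagrees with the collector's receive time by more than a tolerance, and then correlates failed VPN logins with firewall denies from the same source address. The `recv=` prefix is assumed to be stamped by the collector on ingestion; the line format and sample addresses are constructed.

```python
"""Normalize and correlate log events from two sources and flag clock skew.
Example code added to illustrate the checklist items; the line format, the
"recv=" collector prefix and all sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines. The collector prepends "recv=<UTC receive time>";
# the rest of the line is what the source wrote, starting with its own timestamp.
VPN_LINES = [
    "recv=2024-03-05T10:00:02Z 2024-03-05T10:00:01Z vpn-01 login user=jdoe src=198.51.100.7 result=success",
    "recv=2024-03-05T10:00:03Z 2024-03-05T10:00:02Z vpn-01 login user=asmith src=203.0.113.9 result=failure",
]
# The firewall logs local time with a -05:00 offset and its clock runs slow.
FW_LINES = [
    "recv=2024-03-05T10:03:10Z 2024-03-05T04:58:05-05:00 fw-edge deny src=203.0.113.9 dst=10.0.5.20 port=445",
    "recv=2024-03-05T10:03:11Z 2024-03-05T04:58:06-05:00 fw-edge deny src=203.0.113.9 dst=10.0.5.21 port=445",
]

LINE_RE = re.compile(r"^recv=(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _parse_ts(s: str) -> datetime:
    # datetime.fromisoformat accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class Event:
    received: datetime   # collector's receive time (UTC, timezone-aware)
    occurred: datetime   # timestamp written by the source, timezone-aware
    host: str
    action: str
    fields: dict


def parse_line(line: str) -> Event:
    """Split one collector line into an Event with key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized line: {line!r}")
    recv, occurred, host, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(_parse_ts(recv), _parse_ts(occurred), host, action, fields)


def clock_skew(events) -> dict[str, float]:
    """Largest |receive time - event time| per source host, in seconds.
    Aware datetimes subtract correctly across offsets, so a local-time
    source with the right offset shows no skew; a wrong clock does."""
    skew: dict[str, float] = {}
    for e in events:
        delta = abs((e.received - e.occurred).total_seconds())
        skew[e.host] = max(skew.get(e.host, 0.0), delta)
    return skew


def hosts_out_of_sync(events, tolerance_s: float = 60.0) -> list[str]:
    """Sources whose clocks disagree with the collector by more than tolerance_s."""
    return sorted(h for h, s in clock_skew(events).items() if s > tolerance_s)


def correlate_failed_logins(events, window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """For each source IP with a failed VPN login, count firewall denies from
    the same IP whose normalized event time lies within `window` of the failure."""
    failures = [e for e in events if e.action == "login" and e.fields.get("result") == "failure"]
    denies = [e for e in events if e.action == "deny"]
    hits: dict[str, int] = {}
    for f in failures:
        src = f.fields.get("src")
        n = sum(1 for d in denies
                if d.fields.get("src") == src and abs(d.occurred - f.occurred) <= window)
        if n:
            hits[src] = hits.get(src, 0) + n
    return hits


def sample_events() -> list[Event]:
    """Parse the constructed sample lines from both sources."""
    return [parse_line(line) for line in VPN_LINES + FW_LINES]


if __name__ == "__main__":
    ev = sample_events()
    print("out of sync:", hosts_out_of_sync(ev))
    print("failed logins with nearby denies:", correlate_failed_logins(ev))
```

The correlation only works because both timestamps were normalized first; if the firewall's five-minute lag were left uncorrected, or its offset were missing, the same events would fall outside a short window and the relationship would be missed, which is the practical reason the checklist pairs log aggregation with a single authoritative time source.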

Centralized Incident Planning and Preparedness

Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.


 
  •  Add insurer requirements to the Incident Response Plan
  •  Add insurer notification to the Incident Response Plan
  •  Document and communicate vendor responsibilities in incident management
  •  Include security provisions/requirements in vendor contracts
  •  Clearly document criteria for activating recovery plans
  •  Test recovery plans at least annually
  •  Follow up all events and tests with lessons learned and revisions to procedures
  •  Update recovery strategies to reflect the current operating environment
  •  Include public relations in recovery plans and procedures
  •  Develop strategies to address and limit reputational impact from an event
  •  Communicate recovery strategies to all relevant personnel
  •  Develop and document facility evacuation procedures
  •  Develop Disaster Recovery and/or Business Continuity Plans (DRP/BCP)

Configuration Management

Define secure device and systems settings consistently and maintain them according to established baselines.


 
  •  Revise practices to account for the entire asset lifecycle
  •  Document instructions for installation and configuration of servers
  •  Document instructions for installation and configuration of client systems
  •  Audit all internet-facing systems regularly


Need help with checking off these goals?

We're happy to help!