In January of this year, as a follow-on to its cybersecurity strategy concept paper published in December, the Department of Health and Human Services (HHS) introduced Health and Public Health Sector (HPH) Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices.
HHS has broken the goals down into Essential and Enhanced goals, defined as follows:
Essential Goals: Intended to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.
Enhanced Goals: Intended to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
These goals are (for now) a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can reference to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.
The goals are informed by select references to the 405(d) Health Industry Cybersecurity Practices (HICP), the NIST Cybersecurity Framework (CSF), the NIST Special Publication 800-53rev5 Controls, and the 2023 Hospital Cyber Resiliency Landscape Analysis.
The CPGs may serve as inputs into future regulatory requirements, including changes to the HIPAA Security Rule, which HHS has stated it will begin the process of revising in the spring of 2024.
These goals are not a replacement for requirements under HIPAA, including the requirement to perform ongoing risk analysis of all information systems with ePHI.
Putting CPGs in Perspective
The establishment of well-defined, healthcare-specific cybersecurity performance goals is a positive step forward in bringing attention to and prioritizing certain foundational outcomes for cyber hygiene. However, the CPGs are not all-inclusive, do not distinguish between organization size or complexity, and do not make reference to the requirement to address each organization’s unique risks.
We are glad to see that the CPGs provide references to specific outcomes from existing frameworks, control sets, and practice guides already used in healthcare, such as the 405(d) HICP, NIST CSF v1.1, and NIST Special Publication 800-53 rev5. Clearwater’s solutions are all based on the aforementioned standards, so they already align to the CPGs while also going further.
The CPGs reflect intended outcomes of a very basic subset of security practices that HHS believes should be prioritized to mitigate threats broadly facing the healthcare industry. While this approach can be helpful for some organizations, the referenced practices and controls were likely intentionally “watered down” in an attempt to make the CPGs more achievable and to avoid the perception of placing additional burdens on an industry struggling financially.
We are concerned that this might create further confusion and lure some organizations into a false sense of security. It’s crucial that healthcare organizations don’t stop at the essential goals. They must be on a journey to implement more robust practices, such as those referenced in the enhanced goals and the additional practices cited in 405(d) HICP.
To be clear—we don’t want to see more regulation or financial burden placed on the industry. We believe that Congress must act to provide resources to smaller healthcare providers, including funding through grants and rebates, to address cybersecurity risks at a level that is appropriate to protect the safety of patients. Robust security practices based on industry standards, including ongoing risk management, must happen at all healthcare organizations—this is the only path forward to win the war against cyber criminals, and accomplishing this is only realistic with support from our government.
Recommended Steps
Healthcare organizations should continue to leverage the NIST CSF and implement the 405(d) Health Industry Cybersecurity Practices that were specifically designed to address the top five cybersecurity threats to the healthcare and public health sectors. Doing so will achieve all of the CPGs while also meeting the healthcare industry's best practices for those same top five threats.
Most importantly, healthcare organizations must conduct a comprehensive risk analysis of all their systems containing electronic protected health information (as required by the HIPAA Security Rule) and determine the unique residual risk that remains in each organization and in each of its information systems with ePHI. While conducting a risk analysis is not listed as a "goal" itself, it is required by the HIPAA Security Rule, is a key component of the NIST CSF Implementation Guide, and is also part of HICP. It allows an organization to understand the risk that remains even after foundational controls and practices are implemented, and to make informed decisions on how to treat that risk.