HHS Details New Cyber Performance Goals for Health Sector

‘Essential’ and ‘Enhanced’ Best Practices Will Influence Upcoming Rule-Making

The Department of Health and Human Services has released guidance that spells out voluntary cybersecurity performance goals for the healthcare sector.

The new 13-page Cybersecurity Performance Goals document, recently released by HHS’ Administration for Strategic Preparedness and Response, details both essential goals “to outline minimum foundational practices” for cybersecurity performance and enhanced goals “to encourage adoption of more advanced practices.”

“The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs,” Andrea Palm, deputy secretary of HHS, said in a statement.

Both sets of goals — the essential and enhanced — are based on industry cybersecurity frameworks, best practices, and strategies.

The performance goals are designed to directly address common attack vectors against U.S. domestic hospitals, including ransomware and other disruptive cyberthreats.

While the goals are labeled “voluntary,” HHS plans to draw on them in upcoming rule-making to create potential sticks and carrots for the healthcare organizations, such as participants in Medicare and Medicaid programs and under-resourced provider groups, that the department would like to see implement the recommended practices.

They include an upfront investments program to help high-need healthcare providers, such as hospitals with minimal resources, cover the initial costs of implementing the “essential” cybersecurity measures, and an incentives program to encourage all hospitals “to invest in advanced cybersecurity practices to implement ‘enhanced’” CPGs.

Essential and Enhanced Goals

HHS’ guidance said the “essential goals” aim to help healthcare organizations address common vulnerabilities “by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.”

Essential goals include:

  • mitigating known vulnerabilities
  • implementing email security
  • multifactor authentication
  • strong encryption
  • incident response planning
  • separating user and privileged accounts
  • addressing vendor and supplier risk
  • offering cybersecurity training to employees

The enhanced goals aim to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors, HHS said.

Those enhanced goals address issues such as:

  • asset inventory
  • third-party vulnerability disclosures and incident reporting
  • cybersecurity testing and mitigation
  • network segmentation
  • detecting relevant threats, tactics, techniques and procedures
  • centralized log collection
  • configuration management

The essential goals consist primarily of relatively low-cost, high-yield actions to protect organizations from identity-based attacks, HHS said. “The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally within organizations when they are compromised,” HHS advised.

In addition to the new guidance, HHS announced a new “gateway” website to provide access to specific cybersecurity information and resources from across HHS and other federal agencies.

If you have questions about the changing IT security regulatory landscape and how it affects your organization, call ITPAC today.