HHS Unveils Cybersecurity Performance Goals to Safeguard Healthcare Industry

The U.S. Department of Health and Human Services (HHS) has introduced cybersecurity performance goals (CPGs) to help healthcare organizations defend against cyberattacks and protect patient data. These goals include essential practices like mitigating vulnerabilities and implementing email security, as well as enhanced measures such as asset inventory and centralized incident planning.


( Credit to: Jdsupra )

The healthcare industry is increasingly becoming a prime target for cyberattacks because of the wealth of personal information it holds. In response to this growing threat, the U.S. Department of Health and Human Services (HHS) has introduced cybersecurity performance goals (CPGs) aimed at helping the healthcare sector defend against these attacks. The CPGs outline essential and enhanced best practices to protect patients' sensitive data and personally identifiable information (PII) from malicious actors.

The Essential CPGs put forth by HHS serve as a baseline for healthcare organizations to fortify their cybersecurity measures. These recommendations include:

  • Mitigate Known Vulnerabilities: Taking steps to reduce the risk of threat actors exploiting known vulnerabilities in organizational networks accessible from the Internet.
  • Email Security: Implementing measures to minimize risks associated with email-based threats such as spoofing, phishing, and fraud.
  • Multifactor Authentication: Adding an additional layer of security, where feasible, to safeguard assets and accounts accessible from the Internet.
  • Basic Cybersecurity Training: Ensuring that employees receive adequate training to adopt secure behaviors and practices.
  • Strong Encryption: Deploying encryption methods to protect the confidentiality of sensitive data and maintain the integrity of IT and Operational Technology (OT) traffic.
  • Revoking Credentials for Departing Workforce Members: Promptly removing access to organizational accounts and resources for former employees, contractors, affiliates, and volunteers to prevent unauthorized access.
  • Basic Incident Planning and Preparedness: Establishing effective response and recovery protocols to handle significant cybersecurity incidents.
  • Unique Credentials: Utilizing unique credentials within organizational networks to detect suspicious activity and impede lateral movement by attackers.
  • Separate User and Privileged Accounts: Creating separate accounts to prevent unauthorized access to privileged or administrative accounts in case common user accounts are compromised.
  • Vendor/Supplier Cybersecurity Requirements: Identifying, assessing, and mitigating risks associated with third-party products and services.

In addition to the Essential CPGs, HHS also recommends Enhanced CPGs that build upon the foundational practices to provide even greater cybersecurity protection. These Enhanced CPGs include:

  • Asset Inventory: Identifying known, unknown (shadow), and unmanaged assets to promptly detect and respond to potential risks and vulnerabilities.
  • Third-Party Vulnerability Disclosure: Establishing processes to promptly identify and address known threats and vulnerabilities in assets provided by vendors and service providers.
  • Third-Party Incident Reporting: Implementing processes to promptly discover and respond to security incidents or breaches across vendors and service providers.
  • Cybersecurity Testing: Establishing procedures to promptly identify and responsibly share vulnerabilities discovered through penetration testing and attack simulations.
  • Cybersecurity Mitigation: Implementing internal processes to swiftly address prioritized vulnerabilities identified through penetration testing and attack simulations.
  • Detect and Respond to Relevant Threats and TTPs: Ensuring organizational awareness and detection capabilities for relevant threats and Tactics, Techniques, and Procedures (TTPs) at endpoints.
  • Network Segmentation: Separating mission-critical assets into distinct network segments to minimize lateral movement by threat actors following an initial compromise.
  • Centralized Log Collection: Collecting necessary telemetry from security log data sources within an organization's network to enhance visibility, cost-effectiveness, and incident response speed.
  • Centralized Incident Planning and Preparedness: Consistently maintaining, practicing, and updating cybersecurity incident response plans to effectively address relevant threat scenarios.
  • Configuration Management: Defining secure device and system settings consistently and adhering to established baselines.

Currently, the implementation of both Essential CPGs and Enhanced CPGs remains voluntary. However, it is anticipated that these CPGs will eventually become mandatory through an amendment to the HIPAA Security Rule. The expected timeline for implementing new cybersecurity requirements, including amendments to the HIPAA Security Rule, is September 2024, although this deadline may be extended. Additionally, the Centers for Medicare and Medicaid Services (CMS) may propose new cybersecurity requirements for hospitals through Medicare and Medicaid programs.

With the healthcare industry facing an escalating threat of cyberattacks, HHS's introduction of cybersecurity performance goals is a crucial step in safeguarding patient data and protecting sensitive information. By adhering to the recommended Essential CPGs and considering the Enhanced CPGs, healthcare organizations can establish a robust cybersecurity framework that mitigates risk and improves their ability to detect, respond to, and recover from cybersecurity incidents. As the industry moves toward mandatory compliance, healthcare providers must prioritize cybersecurity to ensure the privacy and security of patient information.
