The healthcare industry is a major target for cyberattacks because of all of the personal information collected from patients. Recognizing that the healthcare industry is such a ripe hunting ground for cybercriminals, the U.S. Department of Health and Human Services (HHS) has unveiled cybersecurity performance goals (CPGs) targeted to assist the healthcare industry avoid these attacks. HHS is recommending Essential CPGs best practices, including:

• Mitigate Known Vulnerabilities: Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the Internet.
• Email Security: Reduce risk from common email-based threats, such as email spoofng, phishing, and fraud.
• Multifactor Authentication: Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.
• Basic Cybersecurity Training: Ensure organizational users learn and perform more secure behaviors.
• Strong Encryption: Deploy encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion.
• Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers: Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers by removing access promptly.
• Basic Incident Planning and Preparedness: Ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.
• Unique Credentials: Use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.
• Separate User and Privileged Accounts: Establish secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised.
• Vendor/Supplier Cybersecurity Requirements: Identify, assess, and mitigate risks associated with third party products and services.

These are all basic best practices that should have already been adopted by industry participants long ago. The goal of Essential CPGs is to set a floor for protecting patients’ PHI and personal identifiable information (PII) from cyberattack. 

HHS is not satisfied with just recommending the bare minimum in cybersecurity. HHS is also putting forth recommended Enhanced CPGs that build upon the Essential CPGs and provide greater cybersecurity when implemented. These Enhanced CPGs include:

• Asset Inventory: Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to potential risks and vulnerabilities.
• Third Party Vulnerability Disclosure: Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.
• Third Party Incident Reporting: Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
• Cybersecurity Testing: Establish processes to promptly discover and responsibly share vulnerabilities in assets discovered through penetration testing and attack simulations.
• Cybersecurity Mitigation: Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
• Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP): Ensure organizational awareness of and ability to detect relevant threats and TTPs at endpoints. Ensure organizations are able to secure entry and exit points to its network with endpoint protection.
• Network Segmentation: Mission critical assets are separated into discrete network segments to minimize lateral movement by threat actors after initial compromise.
• Centralized Log Collection: Collection of necessary telemetry from security log data sources within an organization’s network that maximizes visibility, cost effectiveness, and faster response to incidents.
• Centralized Incident Planning and Preparedness: Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
• Configuration Management: Define secure device and system settings in a consistent manner and maintain them according to established baselines.

Currently, implementation of both the Essential CPGs and Enhanced CPGs is voluntary. The application of these CPGs is a supplement to compliance with HIPAA Security Rule, not a substitution.  It is anticipated that these CPGs will become mandatory through an amendment of the HIPAA Security Rule. It is currently anticipated that amendments to the HIPAA Security Rule, including new cybersecurity requirements, will be implemented in September 2024, but that deadline may be extended. CMS will also likely propose new cybersecurity requirements for hospitals through Medicare and Medicaid in the form of Medicare or Medicaid conditions of participation or as part of the Medicare Promoting Interoperability Program. It is currently unknown when CMS will begin the rulemaking and comment process for proposed enforceable cybersecurity requirements.