Healthcare , HIPAA/HITECH , Industry Specific

HHS Details New Cyber Performance Goals for Health Sector

'Essential' and 'Enhanced' Best Practices Will Influence Upcoming Rule-Making
HHS Details New Cyber Performance Goals for Health Sector
HHS' cybersecurity performance goals guidance details "essential" and "enhanced" best practices and controls for strengthening healthcare sector security. (Image: HHS)

The Department of Health and Human Services has released guidance that spells out voluntary cybersecurity performance goals for the healthcare sector. The document is a first step in fleshing out a concept paper the Biden administration released in December that outlines a strategy to push hospitals and other healthcare entities to adopt a stronger cybersecurity posture.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

While the guidance is voluntary, sources close to the effort said the goals will be used to inform upcoming HHS rule-making that aims to incentivize adoption of better cybersecurity practices among segments of the healthcare sector, with potential sticks and carrots.

The new 13-page Cybersecurity Performance Goals document released Wednesday by HHS' Administration for Strategic Preparedness and Response details both essential goals "to outline minimum foundational practices" for cybersecurity performance and enhanced goals "to encourage adoption of more advanced practices."

"We have a responsibility to help our healthcare system weather cyberthreats, adapt to the evolving threat landscape, and build a more resilient sector," Andrea Palm, deputy secretary of HHS, said in a statement.

"The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs," she said.

Both sets of goals - the essential and enhanced - are based on industry cybersecurity frameworks, best practice and strategies, including the National Institute of Standards and Technology's Cybersecurity Framework and the Health Industry Cybersecurity Practices playbook developed by the Health Sector Coordinating Council and HHS' 405(d) cyber advisory group.

"Today's release is exemplary of the public-private partnership at work," said Erik Decker, CISO at Utah-based healthcare delivery system Intermountain Health. "These CPGs leveraged five years of work with the release of HICP and offer clarity and direction to our industry on key and necessary cybersecurity practices," said Decker, who is also chair of the HSCC Joint Cybersecurity Working Group and co-chair of the HHS 405(d) cyber task force.

The performance goals are designed to directly address common attack vectors against U.S. domestic hospitals, including ransomware and other disruptive cyberthreats, HHS said.

While the goals are labeled "voluntary," HHS plans to tap into them for upcoming rule-making to create potential sticks and carrots for healthcare organizations - such as participants in Medicare and Medicaid programs and under-resourced provider groups - the department would like to have implement the recommended practices.

In its concept paper released in December, HHS said it had envisioned the establishment of two financial programs to incentivize healthcare entities into implementing the performance goals (see: Biden Administration Issues Cyber Strategy for Health Sector).

They include an upfront investments program to help high-need healthcare providers, such as hospitals with minimal resources, to cover the initial costs associated with implementing the "essential" cybersecurity measures and an incentives program to encourage all hospitals "to invest in advanced cybersecurity practices to implement 'enhanced'" CPGs, the concept paper says.

The HHS goals will inform upcoming HHS rule-making and potential mandates, Decker told Information Security Media Group. "The mandates must go through the rule-making process, and the industry will have time to review and comment," he said.

"We support this process with the understanding that incentivizing the underserved will be a critical step that must be provided."

Essential and Enhanced Goals

HHS's guidance said the "essential goals" aim to help healthcare organizations address common vulnerabilities "by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk."

Essential goals include mitigating known vulnerabilities, implementing email security, multifactor authentication, strong encryption, incident response planning, separating user and privileged accounts, addressing vendor and supplier risk, offering cybersecurity training to employees, and more.

The enhanced goals aim to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors, HHS said.

Those enhanced goals address issues such as asset inventory; third-party vulnerability disclosures and incident reporting; cybersecurity testing and mitigation; network segmentation; detecting relevant threats, tactics, techniques and procedures; centralized log collection; configuration management, and a number of other control areas and best practices.

The essential goals consist primarily of relatively lower cost, high-yield actions to protect organizations from identity-based attacks, HHS said. "The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally within organizations when they are compromised," HHS advised.

HSCC, which collaborated with HHS, CISA and other federal agencies over the last several years in developing the HICP practices upon which many of the new HHS CPGs are based, said the goals amplify the recognition among health providers - large, medium and small – that cyber safety is a patient safety issue.

"This accountability in turn must be supplemented with government and industry assistance to those under-resourced health systems that accept their cybersecurity responsibility for protecting patient safety as a national imperative but are financially and operationally constrained," HSCC said.

In addition to the new guidance, HHS announced a new "gateway" website to provide access to specific cybersecurity information and resources from across HHS and other federal agencies.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.