Practical Steps for Meeting the New Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals
At CloudWave, our cybersecurity team is dedicated to advancing a two-part thesis: first, helping healthcare organizations comply with regulations, detect potential threats, and respond effectively; second, minimizing legal liability and enhancing defensibility through advanced cybersecurity programs.
This philosophy aligns with the recently introduced Healthcare and Public Health (HPH) Sector-Specific Cybersecurity Performance Goals (CPGs). As part of its commitment to readiness and preparedness, the U.S. Department of Health and Human Services (HHS), working closely with the Administration for Strategic Preparedness and Response (ASPR), created the new voluntary CPGs. These goals are designed to strengthen cybersecurity across the healthcare sector, assist healthcare organizations in implementing high-impact cybersecurity practices, fortify healthcare organizations’ resilience, and ultimately protect patient safety.
The HPH CPGs address the common attack vectors against U.S. hospitals quantified in the Hospital Cyber Resiliency Landscape Analysis report. The report notes that the National Security Council considers the HPH sector one of the top three sectors prioritized for additional cybersecurity attention, as devastating ransomware and other cyberattacks continue to grow in both number and severity. These repeated attacks have continually disrupted and delayed care delivery, creating an unprecedented risk to patient safety. In fact, the FBI and DOJ are now treating the patient and public safety risk that cyberattacks pose to hospitals as a “threat to life” crime.
This further reinforces the need to prioritize patient safety and uphold quality of care during cybersecurity incidents. Instead of the traditional IT approach of protecting data, an effective cybersecurity response must shift to protecting patients first and foremost, and the new HPH CPGs are a positive step toward achieving this. It is also important to recognize that although the CPGs are voluntary, they can still shape legal perspectives. While not currently mandatory, the term “performance goals” implies a level of expectation that could carry significant legal implications in legal proceedings or liability assessments.
Below is a three-step process designed to help healthcare organizations more effectively adopt and meet cybersecurity performance goals.
Step 1: Implementing Critical Best Practices
As a starting point, we identified the critical best practices for successfully defending a healthcare organization against cyber threats. These are not the named HPH CPGs themselves, but the elements below serve as a foundational checklist for guiding healthcare organizations in aligning with evolving industry standards and expectations for legal defensibility.
The most advanced hospitals with the most mature security programs are deploying and embracing an advanced set of tools, including:
- Encryption
- Intrusion Detection and Prevention Systems
- Network Monitoring and Analytics
- Security Information and Event Management
- Next-Generation Endpoint Protection
- Data Loss Prevention
- Network Segmentation
- Cloud Access Security Broker
Building on this foundation, we will now outline the two types of goals identified in the HPH CPGs: essential (foundational goals that your organization should be pursuing) and enhanced (goals your organization should aim to implement if it is not already doing so).
Step 2: Essential Goals
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Step 3: Enhanced Goals
- Asset Inventory (Including Medical Devices)
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing (Including Penetration Testing and Application Security Testing)
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (Network Intrusion Detection, Honeypots, etc.)
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
We recommend organizing the CPGs into a framework to create an effective plan for how your organization is meeting, or will meet, the performance goals. Track each goal under four categories: maturity, plan (to get there), cost, and status. To measure maturity, conduct a thorough assessment of where your organization stands with each HPH performance goal, using four layers:
- Not implemented
- Partially implemented
- Largely implemented
- Fully implemented
Implementing these strategies requires a carefully planned approach, ensuring that each layer of maturity is comprehensively evaluated and addressed. By systematically advancing through the stages of implementation, your organization can progressively enhance its cybersecurity posture. This step-by-step progression not only helps in achieving the HPH CPGs but also maintains a clear and measurable path toward improvement. Effective implementation also includes continuous monitoring and adjustment to keep pace with evolving cybersecurity threats and organizational changes. If you don’t know how to get started identifying your maturity, or don’t have the resources to do it, check out our Cybersecurity Capability Maturity Model, which identifies gaps, helps you prioritize, and tracks progress over time.
The voluntary nature of the HHS’ Healthcare and Public Health Cybersecurity Performance Goals should not undermine their significance. While not presently mandated, they serve as a remarkable framework that can help strengthen a healthcare organization’s cybersecurity posture and influence legal perspectives. Engaging in proactive discussion and strategy around the HPH goals is essential to advancing patient safety and fortifying healthcare organizations against potential legal ramifications.
To explore this critical subject in more detail, we invite you to listen to the on-demand webinar, “Review of HHS’ Healthcare and Public Health (HPH) Cybersecurity Performance Goals,” provided to our CloudWave Cybersecurity Insider Program members. Not a member? Join now for access to live monthly educational webinars, on-demand training sessions, threat intelligence alerts, and more. If you have any additional questions about the HHS CPGs, want direct access to the HPH webinar recording, or want to discuss your cybersecurity strategy with one of our experts, please email customersfirst@gocloudwave.com.
Jacob Wheeler, senior solution architect, CloudWave
Disclaimer: The author is not a licensed attorney, and CloudWave is not a law firm. The thoughts represented here represent our opinions. Please discuss any specific recommendations or tactics with your legal counsel.