New Healthcare Cybersecurity Performance Goals: Essential vs. Enhanced

The U.S. Department of Health and Human Services (HHS) recently released a concept paper that details the ongoing efforts to enhance cybersecurity in the healthcare and public health sectors.
"In light of recent cybersecurity events impacting health care operations nationally, we expect all payers to review and implement HHS's voluntary HPH Cyber Performance Goals (CPGs). These CPGs are part of HHS' broader cybersecurity strategy and designed to help health care organizations strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety." (Source).

In an effort to strengthen the cybersecurity of healthcare organizations, new performance goals have been outlined that categorize practices into Essential Goals and Enhanced Goals. These goals aim to better protect organizations from cyberattacks, improve their response when incidents occur, and minimize risks. 

The U.S. Department of Health and Human Services (HHS) recently released a concept paper that details the ongoing efforts to enhance cybersecurity in the healthcare and public health sectors. This initiative is part of a broader strategy to bolster cyber resiliency, protect patient safety, and address the increasing cyber threats that healthcare organizations face. The paper builds on the National Cybersecurity Strategy and outlines critical steps, including the publication of new cybersecurity performance goals, collaboration with Congress to develop hospital incentives, and a push for greater accountability within the sector.

A Landscape Analysis of the adoption of Healthcare Industry Cybersecurity Practices (HICP) reveals varied levels of progress across different areas:

  • Significant Progress Made: E-mail protection systems are well-adopted and require no further action.
  • Urgent Improvement Needed: Several areas, including Endpoint Protection Systems, Identity and Access Management, Network Management, Vulnerability Management, and Security Operations Center and Incident Response, need urgent attention to enhance cybersecurity defenses.
  • Additional Research Required: IT Asset Management, Network Connected Medical Devices Security, and Cybersecurity Oversight and Governance require further investigation and development to meet the necessary standards.
  • Further Attention Required (Not Urgent): Data Protection and Loss Prevention, while not urgently needed, should still be considered to ensure comprehensive cybersecurity coverage.

Given this context, the new Essential and Enhanced Goals are designed to address these gaps and improve the overall cybersecurity posture of healthcare organizations.

Essential Goals: The Foundation of Cybersecurity

These goals are the minimum standards that all healthcare organizations should implement to protect themselves against the most common cyber threats. Think of these as the "must-haves" for any organization.

  1. Mitigate Known Vulnerabilities: Ensure that your organization reduces the chances of cyber threats by regularly updating and patching systems to fix known vulnerabilities. This reduces the risk of hackers exploiting these weaknesses.
    [HIPAA Requirement] HIPAA mandates that covered entities implement security measures to reduce risks and vulnerabilities to electronic protected health information (ePHI).
  2. Email Security: Protect your organization from email-based threats like phishing by implementing strong email security measures. This includes filtering out suspicious emails and ensuring that users are aware of potential threats.
    [HIPAA Requirement] Ensuring the confidentiality of ePHI in electronic communications is a requirement under HIPAA.
  3. Multifactor Authentication (MFA): Add an extra layer of security by requiring more than just a password to access important systems. This could be a code sent to a phone or an authentication app, making it harder for unauthorized users to gain access.
    [HIPAA Requirement] Implementing procedures to verify that a person or entity seeking access to ePHI is the one claimed is a HIPAA requirement.
  4. Basic Cybersecurity Training: Make sure that everyone in your organization knows the basics of cybersecurity. This includes recognizing phishing attempts and understanding the importance of strong passwords.
    [HIPAA Requirement] HIPAA requires that all workforce members be trained on the security policies and procedures with respect to ePHI.
  5. Strong Encryption: Protect sensitive information by encrypting data, making it unreadable to anyone who doesn't have the correct key. This is crucial for maintaining the confidentiality and integrity of both IT and OT (Operational Technology) systems.
    [HIPAA Requirement] Encryption of ePHI is an addressable implementation specification under HIPAA's Security Rule.
  6. Revoke Credentials for Departing Workforce Members: Immediately remove access for anyone leaving your organization. This prevents former employees, contractors, or volunteers from accessing systems after they depart.
    [HIPAA Requirement] HIPAA requires that access to ePHI be terminated promptly when workforce members leave or are no longer authorized to access ePHI.
  7. Basic Incident Planning and Preparedness: Be ready to respond to a cybersecurity incident by having a plan in place. This ensures that your organization can recover quickly and minimize the damage.
    [HIPAA Requirement] HIPAA mandates that covered entities implement policies and procedures to address security incidents.
  8. Unique Credentials: Assign unique login details for each user within your organization. This helps in detecting any unusual activity and prevents unauthorized access to different parts of your network.
    [HIPAA Requirement] HIPAA requires unique user identification to track and control access to ePHI.
  9. Separate User and Privileged Accounts: Users who need administrative privileges should have separate accounts for day-to-day tasks and administrative tasks. This prevents attackers from gaining administrative control if a regular user account is compromised.
    [HIPAA Requirement] The principle of least privilege, which is aligned with HIPAA, requires that users are granted the minimum access necessary to perform their job duties.
  10. Vendor/Supplier Cybersecurity Requirements: Ensure that third-party vendors and suppliers adhere to strict cybersecurity standards, reducing the risk they pose to your organization.
    [HIPAA Requirement] HIPAA requires that covered entities enter into agreements with vendors that handle ePHI to ensure they will protect the information.
Enhanced Goals: Advancing Cybersecurity Maturity

These goals are for organizations looking to take their cybersecurity to the next level. They build on the essential goals, offering more advanced practices to protect against a broader range of threats.

  1. Asset Inventory: Keep a detailed inventory of all physical and digital assets within your organization. This helps in identifying risks and vulnerabilities more quickly.
    [HIPAA Consideration] While not explicitly required by HIPAA, maintaining an inventory of assets helps ensure that all systems containing ePHI are adequately protected.
  2. Third Party Vulnerability Disclosure: Establish clear processes for vendors to report any security vulnerabilities in the products or services they provide.
    [HIPAA Consideration] While not explicitly required, this supports HIPAA's emphasis on managing security risks from vendors.
  3. Third Party Incident Reporting: Ensure that your vendors and service providers report any security breaches promptly, allowing your organization to respond quickly.
    [HIPAA Consideration] This complements HIPAA's requirements for managing incidents and breaches involving ePHI.
  4. Cybersecurity Testing: Regularly test your systems for vulnerabilities through penetration testing and simulations. This helps identify and fix security gaps before attackers can exploit them.
    [HIPAA Consideration] Conducting regular security assessments aligns with HIPAA's requirement to protect ePHI.
  5. Cybersecurity Mitigation: Develop internal processes to act quickly on vulnerabilities identified through testing. This minimizes the window of opportunity for attackers.
    [HIPAA Consideration] Mitigating vulnerabilities supports HIPAA's mandate to protect ePHI from risks.
  6. Detect and Respond to Relevant Threats: Make sure your organization is aware of and can detect the latest threats and techniques used by attackers. This includes having robust endpoint protection in place.
    [HIPAA Consideration] Proactive threat detection aligns with HIPAA's requirement to protect ePHI.
  7. Network Segmentation: Separate your critical systems into different network segments. This limits the movement of attackers within your network if they manage to breach one segment.
    [HIPAA Consideration] Network segmentation can support HIPAA's security requirements by isolating ePHI.
  8. Centralized Log Collection: Collect and analyze logs from across your organization’s network in one central location. This improves visibility and speeds up your response to potential incidents.
    [HIPAA Consideration] Log management supports HIPAA's requirement to monitor access to ePHI.
  9. Centralized Incident Planning and Preparedness: Consistently update and drill your incident response plans. Being prepared for the latest threats is key to minimizing the impact of any breach.
    [HIPAA Requirement] HIPAA requires that incident response plans be regularly updated and tested.
  10. Configuration Management: Maintain consistent and secure settings across all devices and systems. This ensures that all parts of your network are equally protected.
    [HIPAA Consideration] Proper configuration management helps maintain the security of systems that store or process ePHI.
Actionable Checklist

To help your organization implement these goals, here’s a quick checklist of actionable steps you can discuss with your IT provider:

Goal Actionable Steps Who is Responsible Complete
Mitigate Known Vulnerabilities Implement an automated patch management system; Prioritize patching based on criticality of vulnerabilities. IT Security Team [ ]
Email Security Deploy advanced email filtering tools; Conduct phishing awareness training. IT Security Team, HR/Training [ ]
Multifactor Authentication (MFA) Implement MFA for all critical systems; Use an authentication app or SMS-based code. IT Security Team [ ]
Basic Cybersecurity Training Conduct regular cybersecurity training sessions; Use scenario-based learning for staff. HR/Training [ ]
Strong Encryption Deploy encryption for all sensitive data, both in transit and at rest; Regularly update encryption protocols. IT Security Team [ ]
Revoke Credentials for Departing Workforce Members Automate the credential revocation process in HR offboarding; Ensure immediate access termination. HR/IT Security Team [ ]
Basic Incident Planning and Preparedness Develop and regularly update an incident response plan; Conduct incident response drills bi-annually. IT Security Team, Leadership [ ]
Unique Credentials Assign unique login credentials to each user; Regularly audit user accounts for anomalies. IT Security Team [ ]
Separate User and Privileged Accounts Create separate accounts for administrative tasks; Enforce the principle of least privilege across all accounts. IT Security Team [ ]
Vendor/Supplier Cybersecurity Requirements Review and enforce cybersecurity clauses in vendor contracts; Conduct regular vendor risk assessments. Procurement, Legal, IT Security [ ]
Asset Inventory Deploy a real-time asset management tool; Regularly update and audit the asset inventory. IT Security Team [ ]
Third Party Vulnerability Disclosure Establish a process for vendors to report vulnerabilities; Create a centralized system for tracking vendor issues. Procurement, IT Security Team [ ]
Third Party Incident Reporting Implement a protocol for vendors to report incidents promptly; Monitor vendor compliance with incident reporting. Procurement, IT Security Team [ ]
Cybersecurity Testing Schedule annual penetration tests IT Security Team [ ]
Cybersecurity Mitigation Create a vulnerability management plan; Act on vulnerabilities identified in tests promptly. IT Security Team [ ]
Detect and Respond to Relevant Threats Deploy endpoint detection and response (EDR) tools; Monitor for and respond to emerging threats. IT Security Team [ ]
Network Segmentation Implement network segmentation for critical systems; Review and update segmentation strategy regularly. IT Security Team [ ]
Centralized Log Collection Deploy a centralized logging system; Analyze logs regularly to detect and respond to threats. IT Security Team [ ]
Centralized Incident Planning and Preparedness Regularly update and test incident response plans; Centralize incident response operations. IT Security Team, Leadership [ ]
Configuration Management Maintain and enforce secure configuration settings across all devices; Regularly audit configurations. IT Security Team [ ]

By implementing these Essential and Enhanced Goals, your organization will be better protected against cyber threats. Discuss these goals with your IT provider to ensure they are properly integrated into your organization’s cybersecurity strategy.

References

Have a project in mind? Let’s talk

Get in touch