What We Know So Far (February 2024)
With cyber-attacks on the rise in healthcare, HIPAA enforcer, the Department of Health and Human Services (HHS), has taken proactive measures to enhance the sector’s resilience against these growing threats. As covered entities and business associates adapt to emerging challenges, understanding and implementing the voluntary Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals (HPH CPGs) is crucial.
Evolving Compliance Regulations
HHS recognizes the dynamic nature of cybersecurity threats in the healthcare sector. The voluntary nature of the HPH CPGs doesn’t imply optional compliance. Given the current voluntary nature of the initiative, initial adoption might be modest. However, when the landscape shifts towards mandatory, there will be a foreseeable rush to comply. Adopting policies now is an excellent strategy for staying ahead of potential mandates and ensuring smoother adaptation.
Linking Cybersecurity and HPH CPGs
The HHS has collaborated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to adapt cross-sector Cybersecurity Performance Goals (CPGs) into sector-specific guidelines for healthcare. These goals, derived from industry cybersecurity frameworks, aim to strengthen cyber preparedness and protect patient information.
Linking HIPAA and HPH CPGs
The HPH CPGs are categorized into Essential Goals and Enhanced Goals, offering a comprehensive approach to cybersecurity. Essential Goals establish foundational practices to address common vulnerabilities, while Enhanced Goals promote advanced practices for a higher level of defense. Despite these ‘voluntary’ titles, it’s important to remember that many of these goals are actually required under HIPAA, such as employee training, an incident response plan, and requirements to have a policy on how access is given to employees but also revoked.
Essential Goals: Foundational Cybersecurity Practices
Mitigate Known Vulnerabilities
Reduce the likelihood of threat actors exploiting known vulnerabilities.
Reduce the risk from common email-based threats.
Add an additional layer of security to protect assets.
Basic Cybersecurity Training
Ensure organizational users learn and perform secure behaviors.
Deploy encryption to maintain confidentiality of sensitive data.
Promptly remove access for departing workforce members.
Basic Incident Planning and Preparedness
Ensure effective organizational responses to cybersecurity incidents.
Use unique credentials to detect anomalous activity.
Separate User and Privileged Accounts
Establish secondary accounts to prevent lateral movement.
Vendor/Supplier Cybersecurity Requirements
Identify, assess, and mitigate risks associated with third-party products and services.
Enhanced Goals: Advancing Cybersecurity Capabilities
Identify known, unknown, and unmanaged assets for rapid risk detection.
Third Party Vulnerability Disclosure
Establish processes to respond to threats in assets provided by vendors.
Third Party Incident Reporting
Promptly respond to security incidents or breaches across vendors.
Discover and responsibly share vulnerabilities through testing and simulations.
Internally address prioritized vulnerabilities from testing and simulations.
Detect and Respond to Threats
Ensure organizational awareness and ability to respond to relevant threats.
Separate mission-critical assets into discrete network segments.
Centralized Log Collection
Collect telemetry for faster incident response and visibility.
Centralized Incident Planning and Preparedness
Consistently maintain and update incident response plans.
Define and maintain secure device and system settings.
Early Adoption is Key
Understanding and embracing HPH CPGs will be essential for healthcare organizations moving forward with the evolving compliance and cybersecurity landscapes. Whether addressing foundational practices or advancing capabilities, these goals provide a comprehensive framework to safeguard patient information.