Cybersecurity Performance Goals and HIPAA

What We Know So Far (February 2024)

With cyber-attacks on the rise in healthcare, HIPAA enforcer, the Department of Health and Human Services (HHS), has taken proactive measures to enhance the sector’s resilience against these growing threats. As covered entities and business associates adapt to emerging challenges, understanding and implementing the voluntary Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals (HPH CPGs) is crucial. 

 

Evolving Compliance Regulations

HHS recognizes the dynamic nature of cybersecurity threats in the healthcare sector. The voluntary nature of the HPH CPGs doesn’t imply optional compliance. Given the current voluntary nature of the initiative, initial adoption might be modest. However, when the landscape shifts towards mandatory, there will be a foreseeable rush to comply. Adopting policies now is an excellent strategy for staying ahead of potential mandates and ensuring smoother adaptation. 

 

Linking Cybersecurity and HPH CPGs

The HHS has collaborated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to adapt cross-sector Cybersecurity Performance Goals (CPGs) into sector-specific guidelines for healthcare. These goals, derived from industry cybersecurity frameworks, aim to strengthen cyber preparedness and protect patient information. 

 

Linking HIPAA and HPH CPGs

The HPH CPGs are categorized into Essential Goals and Enhanced Goals, offering a comprehensive approach to cybersecurity. Essential Goals establish foundational practices to address common vulnerabilities, while Enhanced Goals promote advanced practices for a higher level of defense. Despite these ‘voluntary’ titles, it’s important to remember that many of these goals are actually required under HIPAA, such as employee training, an incident response plan, and requirements to have a policy on how access is given to employees but also revoked. 

 

Essential Goals: Foundational Cybersecurity Practices 

Mitigate Known Vulnerabilities

Reduce the likelihood of threat actors exploiting known vulnerabilities. 

Email Security

Reduce the risk from common email-based threats. 

Multifactor Authentication

Add an additional layer of security to protect assets. 

Basic Cybersecurity Training

Ensure organizational users learn and perform secure behaviors. 

Strong Encryption

Deploy encryption to maintain confidentiality of sensitive data. 

Revoke Credentials

Promptly remove access for departing workforce members. 

Basic Incident Planning and Preparedness

Ensure effective organizational responses to cybersecurity incidents. 

Unique Credentials

Use unique credentials to detect anomalous activity. 

Separate User and Privileged Accounts

Establish secondary accounts to prevent lateral movement. 

Vendor/Supplier Cybersecurity Requirements

Identify, assess, and mitigate risks associated with third-party products and services. 

 

Enhanced Goals: Advancing Cybersecurity Capabilities  

Asset Inventory

Identify known, unknown, and unmanaged assets for rapid risk detection. 

Third Party Vulnerability Disclosure

Establish processes to respond to threats in assets provided by vendors. 

Third Party Incident Reporting

Promptly respond to security incidents or breaches across vendors. 

Cybersecurity Testing

Discover and responsibly share vulnerabilities through testing and simulations. 

Cybersecurity Mitigation

Internally address prioritized vulnerabilities from testing and simulations. 

Detect and Respond to Threats

Ensure organizational awareness and ability to respond to relevant threats. 

Network Segmentation

Separate mission-critical assets into discrete network segments. 

Centralized Log Collection

Collect telemetry for faster incident response and visibility. 

Centralized Incident Planning and Preparedness

Consistently maintain and update incident response plans. 

Configuration Management

Define and maintain secure device and system settings.

 

Early Adoption is Key

Understanding and embracing HPH CPGs will be essential for healthcare organizations moving forward with the evolving compliance and cybersecurity landscapes. Whether addressing foundational practices or advancing capabilities, these goals provide a comprehensive framework to safeguard patient information.