HHS debuts voluntary cybersecurity performance goals to enhance healthcare sector resilience

Cybersecurity Performance Goals for the Healthcare Sector (HHS)

Close on the heels of its December concept paper, the U.S. Department of Health and Human Services (HHS) released voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to help the healthcare and public health (HPH) sector strengthen its cybersecurity measures. Designed to help prioritize the implementation of impactful cybersecurity practices, the CPGs aim to assist healthcare organizations in adapting to the evolving threat landscape, responding to cyber threats, and building a more resilient sector.

These CPGs, designed for healthcare organizations and healthcare delivery organizations, aim to strengthen cyber preparedness, enhance cyber resiliency, and safeguard patient health information and safety. The guidelines were built off the chassis of CISA’s CPGs and informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies (e.g., Health Industry Cybersecurity Practices, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the National Cybersecurity Strategy).

Additionally, these HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.

The HPH CPGs are designed to ensure layered protection at different stages of the attack chain, i.e., the points in digital systems that can be exploited, which is crucial to mitigating the impact of cybersecurity incidents if and when they occur. They are divided into ‘Essential Goals’, which help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk; and ‘Enhanced Goals’, which help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.

The Essential Goals work to mitigate known vulnerabilities, reducing the likelihood that threat actors exploit them to breach organizational networks that are directly accessible from the Internet. They focus on email security to reduce risk from common email-based threats, such as email spoofing, phishing, and fraud, and on adopting multi-factor authentication, where safe and technically feasible, to add a critical additional layer of security for assets and accounts directly accessible from the Internet.

The HHS also recommends basic cybersecurity training that helps ensure organizational users learn and perform more secure behaviors; strong encryption, deployed to maintain the confidentiality of sensitive data and the integrity of IT and OT (operational technology) traffic in motion; and revoking credentials for departing workforce members, including employees, contractors, affiliates, and volunteers, by removing their access promptly to prevent unauthorized access to organizational accounts or resources by former workforce members.

As part of its Essential Goals, the HPH CPGs document also includes basic incident planning and preparedness to ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents; use of unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks; separate user and privileged accounts by establishing secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised; and vendor/supplier cybersecurity requirements to identify, assess, and mitigate risks associated with third-party products and services. 

Moving to the Enhanced Goals, the HHS identified asset inventory to identify known, unknown (shadow), and unmanaged assets in order to more rapidly detect and respond to potential risks and vulnerabilities; third-party vulnerability disclosure to establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers; and third-party incident reporting to establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.

The agency also proposed cybersecurity testing to establish processes to promptly discover and responsibly share vulnerabilities in assets found through penetration testing and attack simulations; cybersecurity mitigation to establish internal processes to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations; and detecting and responding to relevant threats and TTPs (Tactics, Techniques, and Procedures) to ensure organizational awareness of, and the ability to detect, relevant threats and TTPs at endpoints, and to ensure that organizations can secure entry and exit points to their network with endpoint protection.

The HPH CPGs document also includes network segmentation, so that mission-critical assets are separated into discrete network segments to minimize lateral movement by threat actors after initial compromise; and centralized log collection of the necessary telemetry from security log data sources within an organization’s network, which maximizes visibility and cost-effectiveness and enables faster response to incidents.

It also covers centralized incident planning and preparedness to ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios; and configuration management to define secure device and system settings consistently and maintain them according to established baselines. 

Reacting to the HPH CPGs, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) said in a statement that the CPGs amplify the recognition among health providers – large, medium, and small – that cyber safety is patient safety, and that focused investment and accountability are imperative to inoculate data, systems, and patients against the rising epidemic of cyber-attacks on the sector. “This accountability in turn must be supplemented with government and industry assistance to those under-resourced health systems that accept their cybersecurity responsibility for protecting patient safety as a national imperative but are financially and operationally constrained.”

The statement details that the CPGs were built to align with and directly map to the Health Industry Cybersecurity Practices (HICP), a comprehensive resource jointly published in 2018 and updated in 2023 by HHS 405(d) and the HSCC Cybersecurity Working Group.

“The CPGs, HICP, and the 25 other published HSCC toolkits and practices are living documents that will evolve with the threats,” according to the HSCC. 

The HSCC also disclosed that next month it will release its ambitious Five-Year Health Industry Cybersecurity Strategic Plan, forged by hundreds of healthcare leaders in consultation with government partners. The plan provides a forward-looking formulary for how healthcare cybersecurity can upgrade from ‘critical’ to ‘stable’ by 2029.
