HHS proffers cyber performance goals to health systems

Ahead of new enforceable standards, U.S. Health and Human Services has released voluntary cybersecurity performance goals to address the most significant cyberattack vectors hospitals and healthcare providers face.
By Andrea Fox
05:01 PM

Voluntary cybersecurity performance goals can help healthcare organizations establish layered protection and are adaptable, according to U.S. Health and Human Services. The agency's next steps include architecting investments and incentives for healthcare organizations to implement the goals and enforcement standards.

WHY IT MATTERS

HHS published the CPGs to help healthcare organizations prioritize implementing high-impact cybersecurity practices. 

Comprised of essential and enhanced goals, they align with the HHS 405(d) Program and Health Sector Coordinating Council Cybersecurity Working Group's Healthcare Industry Cybersecurity Practices as well as the NIST Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency's National Cybersecurity Strategy.

The 2023 Edition of HICP, which the HHS Cybersecurity Task Force released in April along with a Hospital Cyber Resiliency Landscape Analysis and an educational platform, includes the most relevant and cost-effective ways to keep patients safe and mitigate cybersecurity threats.

Ahead of the CPGs, industry groups have debated which should fall within the "essential bucket" as healthcare providers will receive funding to adhere to them, according to Ty Greenhalgh, HHS 405(d) Ambassador and Industry Principal of Healthcare at Claroty, a cybersecurity firm serving healthcare and other industries, in an email sent to Healthcare IT News after the CPGs posted Wednesday.

"Voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector, especially as the ability to afford and implement these solutions makes it almost impossible for smaller hospitals to be compliant," Greenhalgh said.

"While the essential CPG goals will be effective in preventing attacks on healthcare IT environments where bad actors have historically been able to infiltrate, they currently overlook the critical need to secure clinical and [operational technology] devices that play an interconnected role in providing lifesaving care."

He added that the White House National Cybersecurity Strategy is more in line with the "broader long-term approach needed" to help defend against cybersecurity attacks.

"By applying these wider concepts – preparedness and support, information sharing, financial support and incentives, incident response and recovery, workforce development and regulatory reform – hospitals will have a much better chance at fending off attacks."

HHS said in its concept paper, released last month, that the essential goals set "a floor of safeguards" that will better protect healthcare organizations from cyberattacks, improve incident response and minimize risk, while the enhanced goals can help healthcare organizations mature their cybersecurity capabilities. 

The agency will then "work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices," it said.

HHS noted that it envisions up-front investments to help high-need healthcare providers, like low-resourced hospitals, cover costs associated with implementing the essential CPGs, along with an incentives program to encourage all hospitals to invest in the enhanced goals.

THE LARGER TREND

In October, CISA, HHS and HSCC released a healthcare cybersecurity tool kit as part of an effort to close gaps in resources and cyber capabilities. They recommend enterprise-wide risk analyses and a series of best practices, including vulnerability scans of all systems and devices to reduce the risks of common cyberattacks.

The enhanced goals in the new voluntary CPGs, which include developing an asset inventory, are considered fundamental to healthcare cyber protection. According to CISA, an asset inventory is an initial mitigation step. 

"Knowing which assets are on your organization’s network is fundamental to cybersecurity: 'you can’t secure what you can’t see,'" CISA said in a Mitigation Guide for combating pervasive cyber threats affecting the Healthcare and Public Health Sector the agency released in November.

Frank Sinatra, the chief information security officer at Newark's University Hospital, said he has used multiple risk assessments, including HICP, each year. He cited many upsides to HICP compliance, including improved business continuity planning. But, "It's always a question of prioritization and where you are going to assign your resources," he shared on HIMSSTV in May. 

ON THE RECORD

"We have a responsibility to help our healthcare system weather cyber threats, adapt to the evolving threat landscape and build a more resilient sector, said HHS Deputy Secretary Andrea Palm in a statement. 

"The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs."

The story was updated on January 25 with further comment from Greenhalgh.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.