The Department of Health and Human Services (HHS) has released details of the voluntary cybersecurity goals for organizations in the healthcare and public health sector (HPH), which were first announced in December 2023 in the HHS Healthcare Sector Cybersecurity concept paper.
Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) must comply with the HIPAA Security Rule, which sets baseline standards for cybersecurity to safeguard electronic protected health information (ePHI). Those cybersecurity standards were developed more than 20 years ago, and the threat landscape has changed significantly since then, with cyberattacks and data breaches now being reported at an incredible rate.
The HHS is planning an update to the HIPAA Security Rule in 2024 which will include new mandatory cybersecurity requirements; however, HIPAA updates must go through standard notice and comment periods. The HHS is planning on issuing a notice of proposed rulemaking in Spring 2024, which will be subject to a 90-day notice and comment period. Comments will need to be considered before a final rule is issued, and HIPAA-regulated entities will then need to be given time to implement the necessary changes before the updated HIPAA Security Rule can be enforced. It could be well into 2025 or even later before those new requirements can be enforced, and with new records set for healthcare data breaches (725) and breached records (133 million) in 2023, that is too long to wait.
In an effort to improve resilience to cyber threats across the HPH sector more rapidly, the HHS has developed two sets of HPH Cybersecurity Performance Goals (CPGs). The HPH CPGs aim to help HPH sector organizations improve resilience to cyberattacks, improve their breach response should their defenses be breached, and minimize residual risk after cybersecurity measures have been applied. The CPGs are divided into ‘Essential’ and ‘Enhanced’ cybersecurity measures for developing layered defenses. With overlapping layers of security, if a single cybersecurity measure fails to block a threat, others will be in place to provide protection. Layered defenses are key to building resilience and protecting patient data.
The Essential CPGs significantly raise the cybersecurity baseline above the minimum standards of the HIPAA Security Rule and consist of relatively low-cost cybersecurity measures that deliver a large security benefit, such as multi-factor authentication. The Enhanced CPGs aim to mature cybersecurity programs through more advanced cybersecurity measures, including establishing processes for assessing and addressing vendor cybersecurity, cybersecurity testing, network segmentation, and configuration management.
The aim of the HHS is to get all HPH organizations to implement the Essential CPGs and then work on maturing their cybersecurity programs by adopting the Enhanced CPGs. The HHS is working on obtaining the necessary funding from Congress to ease the financial burden for HPH organizations and help them cover the initial cost of implementing the Essential CPGs. The HHS also plans to create incentives for adopting the Enhanced CPGs. Future rulemaking, including for HIPAA and cybersecurity requirements for the Medicare and Medicaid programs, will be based on these CPGs and it is likely that the Essential CPGs will become mandatory in the not-too-distant future.
According to the HHS, the Essential CPGs will “help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.”
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training for the Workforce
- Strong Encryption for Data in Transit
- Revoking Credentials for Departing Workforce Members
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
The HHS says the Enhanced CPGs will “help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.”
- Asset Inventory
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Deputy Secretary Andrea Palm said in a statement. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”
The voluntary CPGs have been welcomed by industry and lobbying groups, with Rick Pollack, president and CEO of the American Hospital Association (AHA), recommending that all HIPAA-covered entities, third-party technology providers, and business associates implement them. Many industry groups, however, believe these requirements should remain voluntary and oppose any new mandatory cybersecurity requirements. The HHS's position is that while these CPGs are a great first step for improving cybersecurity across the HPH sector, they will not be enough by themselves, and regulatory changes will also be required.