HHS Outlines Cybersecurity Performance Goals

The Department of Health and Human Services (HHS) has partnered with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to introduce Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs). These voluntary goals are tailored to empower healthcare organizations, particularly those involved in healthcare delivery, to enhance their cyber preparedness and response capabilities.

Essential Goals: The Foundation

The Essential Goals within the HPH CPGs serve as the bedrock for healthcare organizations. These goals address common vulnerabilities and establish a foundational framework for cybersecurity. Let's explore some of these essential goals:

  1. Mitigate Known Vulnerabilities: Reduce the likelihood that threat actors exploit known vulnerabilities, fortifying organizational networks against cyber threats.

  2. Email Security: Strengthen defenses against common email-based threats like spoofing, phishing, and fraud, crucial in today's digital communication landscape.

  3. Multifactor Authentication: Add an extra layer of security to protect assets and accounts directly accessible from the internet, a critical step against cyber threats.

  4. Basic Cybersecurity Training: Ensure organizational users are well-versed in and practice secure behaviors, a proactive approach to cybersecurity.

  5. Strong Encryption: Deploy encryption to maintain data confidentiality and the integrity of IT and OT traffic in motion.

  6. Revoke Credentials for Departing Workforce Members: Promptly remove access for former workforce members to prevent unauthorized access to organizational accounts or resources.

  7. Basic Incident Planning and Preparedness: Ensure effective organizational responses to cybersecurity incidents for a swift recovery.

  8. Unique Credentials: Use unique credentials inside organizations’ networks to detect anomalous activity and prevent lateral movement by threat actors.

  9. Separate User and Privileged Accounts: Establish secondary accounts to prevent threat actors from accessing privileged accounts when common user accounts are compromised.

  10. Vendor/Supplier Cybersecurity Requirements: Identify, assess, and mitigate risks associated with third-party products and services for comprehensive cybersecurity.

Enhanced Goals: Advancing Cybersecurity Capabilities

The Enhanced Goals take healthcare organizations to the next level by encouraging the adoption of more advanced cybersecurity practices. These goals focus on maturing cybersecurity capabilities, improving incident response mechanisms, and enhancing overall defense against additional attack vectors.

  1. Asset Inventory: Identify known, unknown (shadow), and unmanaged assets to detect and respond rapidly to potential risks and vulnerabilities.

  2. Third Party Vulnerability Disclosure: Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.

  3. Third Party Incident Reporting: Implement processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.

  4. Cybersecurity Testing: Establish processes to promptly discover vulnerabilities in assets through penetration testing and attack simulations, and to responsibly share them.

  5. Cybersecurity Mitigation: Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.

  6. Detect and Respond to Relevant Threats and TTP: Ensure organizational awareness and capability to detect relevant threats and TTPs at endpoints.

  7. Network Segmentation: Separate mission-critical assets into discrete network segments to minimize lateral movement by threat actors after initial compromise.

  8. Centralized Log Collection: Collect necessary telemetry from security log data sources within an organization’s network to maximize visibility and enable faster response to incidents.

  9. Centralized Incident Planning and Preparedness: Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.

  10. Configuration Management: Define secure device and system settings consistently and maintain them according to established baselines.

Prioritizing Cybersecurity for a Resilient Healthcare Ecosystem

The HPH Cybersecurity Performance Goals introduced by HHS provide a comprehensive roadmap for healthcare organizations to strengthen their cybersecurity posture. By combining essential goals for foundational practices with enhanced goals for advanced capabilities, the HPH CPGs aim to mitigate risks, improve response mechanisms, and ultimately safeguard patient health information. Adherence to these performance goals becomes paramount as the healthcare sector continues to embrace digital transformation, ensuring a secure and resilient healthcare ecosystem.

Get more insights from the TetherView team and join in on the conversation.