New HHS Cybersecurity Performance Goals Help to Prioritize Security Practices, But Truly Protecting Healthcare Organizations Takes Much More

This past week, as a follow on to its cybersecurity strategy concept paper published in December, the Department of Health and Human Services (HHS) introduced Health and Public Health Sector (HPH) Cybersecurity Performance Goals (CPG) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices.

Brief Overview

HHS has broken the goals down into Essential and Enhanced goals, defined as follows:

Essential Goals: Intended to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.

Enhanced Goals: Intended to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.

These goals are (for now) a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can reference to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.

The goals are informed by select references to the 405(d) Health Industry Cybersecurity Practices (HICP), the NIST Cybersecurity Framework (CSF), the NIST Special Publication 800-53rev5 Controls, and the 2023 Hospital Cyber Resiliency Landscape Analysis.

The CPGs may serve as inputs into future regulatory requirements, including changes to the HIPAA Security Rule, which HHS has stated it will begin the process of revising in the spring of 2024.

These goals are not a replacement for requirements under HIPAA, including the requirement to perform ongoing risk analysis of all information systems with ePHI.

Clearwater’s Perspective on HPH CPGs

The establishment of well-defined, healthcare-specific cybersecurity performance goals is a positive step forward in bringing attention to and prioritizing certain foundational outcomes for cyber hygiene. However, the CPGs are not all-inclusive, do not distinguish between organization size or complexity, and do not make reference to the requirement to address each organization’s unique risks.

We are glad to see that the CPGs provide references to specific outcomes from existing frameworks, control sets, and practice guides already used in healthcare, such as the 405(d) HICP, NIST CSF v1.1, and NIST Special Publication 800-53 rev5. Clearwater’s solutions are all based on the aforementioned standards, so they already align to the CPGs while also going further.

The CPGs reflect intended outcomes of a very basic subset of security practices that HHS believes should be prioritized to mitigate threats broadly facing the healthcare industry.  While this approach can be helpful for some organizations, the referenced practices and controls were likely intentionally “watered down” in an attempt to make the CPGs more achievable and to avoid the perception of placing additional burdens on an industry struggling financially.

We at Clearwater are concerned that this might create further confusion and lure some organizations into a false sense of security. It’s crucial that healthcare organizations don’t stop at the essential goals. They must be on a journey to implement more robust practices, such as those referenced in the enhanced goals and the additional practices cited in 405(d) HICP.

To be clear—we don’t want to see more regulation or financial burden placed on the industry. We believe that Congress must act to provide resources to smaller healthcare providers, including funding through grants and rebates, to address cybersecurity risks at a level that is appropriate to protect the safety of patients. Robust security practices based on industry standards, including ongoing risk management, must happen at all healthcare organizations—this is the only path forward to win the war against cyber criminals, and accomplishing this is only realistic with support from our government.

HHS's cybersecurity performance goals are only the beginning to protecting healthcare organizations

Clearwater’s Recommendations

Healthcare organizations should continue to leverage the NIST CSF and implement the 405(d) Health Industry Cybersecurity Practices (HICP) that were specifically designed to address the top five cybersecurity threats to the healthcare and public health sectors. Doing so will achieve all the CPGs and meet the healthcare industry’s best practices that address the top five cybersecurity threats facing healthcare.

Most importantly, healthcare organizations must conduct a comprehensive risk analysis of all their systems with ePHI (as required by the HIPAA Security Rule) and determine the level of unique residual risk that exists in each organization and each of its information systems with ePHI. While conducting a risk analysis is not mentioned as a “goal” itself, it is required by the HIPAA Security Rule, a key component of the NIST CSF Implementation Guide, and also a part of HICP. It allows an organization to understand risk that exists even after foundational controls and practices are implemented and to make informed decisions on how to treat that risk.

Understand Your Organization’s Status Relative to HPH CPGs Through a NIST CSF Performance Assessment

As mentioned earlier, HPH CPGs are mapped to the NIST CSF and 405(d) HICP, and therefore understanding an organization’s status relative to the CPGs is achievable by analyzing outcomes from NIST CSF and 405(d) HICP evaluations. Clearwater can provide this output—along with others mapped to other frameworks—from our existing assessments. If you are an existing client, you can receive this analysis at no additional cost as part of your current NIST CSF Performance Assessment.

Building and Executing a Reasonable and Appropriate Cybersecurity Program for Healthcare

Clearwater uses NIST CSF and 405(d) HICP as the basis for ClearAdvantage®, its comprehensive program designed to help healthcare organizations build and mature a strong cybersecurity and compliance program developed on industry standards. Clearwater executes the program on behalf of clients through an outsourced managed services model. As such, clients who subscribe to ClearAdvantage and implement our recommendations will, by definition, achieve and exceed the HPH CPGs.

So, if you are a current ClearAdvantage subscriber, these goals further justify the investment you made and validate the great work we are doing together. If you are a healthcare provider who is struggling to implement HICP or even achieve the very basic CPGs, then we recommend you speak to one of our experts and discuss ways others across the industry have tackled these challenges, even on tight budgets.

If you have other questions about HPH CPGs and their relevance to your organization, please reach out to Clearwater at info@clearwatersecurity.com.

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Clearwater Cyber Briefing: Key Trends and Takeaways for December 2024

Clearwater Cyber Briefing: Key Trends and Takeaways for December 2024

In today’s ever-evolving threat landscape, staying ahead of cybersecurity risks is more critical than ever for healthcare organizations. That’s why, each month, Clearwater Security delivers a Cyber Briefing, providing a comprehensive digest of the latest news, emerging threats, and key updates from across the healthcare cybersecurity ecosystem. These briefings are designed to equip healthcare leaders with the knowledge and insights they need to safeguard their organizations and stay informed on the most pressing issues.
Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.

Connect
With Us