New HHS Cybersecurity Performance Goals Help to Prioritize Security Practices, But Truly Protecting Healthcare Organizations Takes Much More

This past week, as a follow-on to its cybersecurity strategy concept paper published in December, the Department of Health and Human Services (HHS) introduced Health and Public Health Sector (HPH) Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices.

Brief Overview

HHS has broken the goals down into Essential and Enhanced goals, defined as follows:

Essential Goals: Intended to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.

Enhanced Goals: Intended to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.

These goals are (for now) a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can reference to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.

The goals are informed by select references to the 405(d) Health Industry Cybersecurity Practices (HICP), the NIST Cybersecurity Framework (CSF), the NIST Special Publication 800-53rev5 Controls, and the 2023 Hospital Cyber Resiliency Landscape Analysis.

The CPGs may serve as inputs into future regulatory requirements, including changes to the HIPAA Security Rule, which HHS has stated it will begin the process of revising in the spring of 2024.

These goals are not a replacement for requirements under HIPAA, including the requirement to perform ongoing risk analysis of all information systems with ePHI.

Clearwater’s Perspective on HPH CPGs

The establishment of well-defined, healthcare-specific cybersecurity performance goals is a positive step forward in bringing attention to and prioritizing certain foundational outcomes for cyber hygiene. However, the CPGs are not all-inclusive, do not distinguish between organization size or complexity, and do not make reference to the requirement to address each organization’s unique risks.

We are glad to see that the CPGs provide references to specific outcomes from existing frameworks, control sets, and practice guides already used in healthcare, such as the 405(d) HICP, NIST CSF v1.1, and NIST Special Publication 800-53 rev5. Clearwater’s solutions are all based on the aforementioned standards, so they already align to the CPGs while also going further.

The CPGs reflect intended outcomes of a very basic subset of security practices that HHS believes should be prioritized to mitigate threats broadly facing the healthcare industry. While this approach can be helpful for some organizations, the referenced practices and controls were likely intentionally “watered down” in an attempt to make the CPGs more achievable and to avoid the perception of placing additional burdens on an industry struggling financially.

We at Clearwater are concerned that this might create further confusion and lure some organizations into a false sense of security. It’s crucial that healthcare organizations don’t stop at the essential goals. They must be on a journey to implement more robust practices, such as those referenced in the enhanced goals and the additional practices cited in 405(d) HICP.

To be clear—we don’t want to see more regulation or financial burden placed on the industry. We believe that Congress must act to provide resources to smaller healthcare providers, including funding through grants and rebates, to address cybersecurity risks at a level that is appropriate to protect the safety of patients. Robust security practices based on industry standards, including ongoing risk management, must happen at all healthcare organizations—this is the only path forward to win the war against cyber criminals, and accomplishing this is only realistic with support from our government.

HHS's cybersecurity performance goals are only the beginning of protecting healthcare organizations.

Clearwater’s Recommendations

Healthcare organizations should continue to leverage the NIST CSF and implement the 405(d) Health Industry Cybersecurity Practices (HICP) that were specifically designed to address the top five cybersecurity threats to the healthcare and public health sectors. Doing so will achieve all the CPGs and meet the healthcare industry’s best practices that address the top five cybersecurity threats facing healthcare.

Most importantly, healthcare organizations must conduct a comprehensive risk analysis of all their systems with ePHI (as required by the HIPAA Security Rule) and determine the level of unique residual risk that exists in each organization and each of its information systems with ePHI. While conducting a risk analysis is not mentioned as a “goal” itself, it is required by the HIPAA Security Rule, a key component of the NIST CSF Implementation Guide, and also a part of HICP. It allows an organization to understand risk that exists even after foundational controls and practices are implemented and to make informed decisions on how to treat that risk.

Understand Your Organization’s Status Relative to HPH CPGs Through a NIST CSF Performance Assessment

As mentioned earlier, HPH CPGs are mapped to the NIST CSF and 405(d) HICP, and therefore understanding an organization’s status relative to the CPGs is achievable by analyzing outcomes from NIST CSF and 405(d) HICP evaluations. Clearwater can provide this output—along with others mapped to other frameworks—from our existing assessments. If you are an existing client, you can receive this analysis at no additional cost as part of your current NIST CSF Performance Assessment.

Building and Executing a Reasonable and Appropriate Cybersecurity Program for Healthcare

Clearwater uses NIST CSF and 405(d) HICP as the basis for ClearAdvantage®, its comprehensive program designed to help healthcare organizations build and mature a strong cybersecurity and compliance program developed on industry standards. Clearwater executes the program on behalf of clients through an outsourced managed services model. As such, clients who subscribe to ClearAdvantage and implement our recommendations will, by definition, achieve and exceed the HPH CPGs.

So, if you are a current ClearAdvantage subscriber, these goals further justify the investment you made and validate the great work we are doing together. If you are a healthcare provider who is struggling to implement HICP or even achieve the very basic CPGs, then we recommend you speak to one of our experts and discuss ways others across the industry have tackled these challenges, even on tight budgets.

If you have other questions about HPH CPGs and their relevance to your organization, please reach out to Clearwater at info@clearwatersecurity.com.
