As previously reported in this blog, on Dec. 6, 2023, the Department of Health and Human Services (HHS or the Department) released a “concept paper,” which laid out its vision of future action regarding healthcare cybersecurity. The first of the four prongs described in the paper was the future publication of “Healthcare and Public Health Sector-specific Cybersecurity Performance Goals” (HPH CPGs). With surprising speed, these goals were published on Jan. 29.
HHS states that the HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur and minimize residual risk. There are 20 HPH CPGs, which include both essential goals to outline minimum foundational practices for cybersecurity performance (the first 10 goals) and enhanced goals to encourage adoption of more advanced practices (the last 10 goals).
The Essential Goals contain security practices that are expected for HIPAA Security Rule compliance.
These are deemed Essential Goals:
- Mitigate Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoke Credentials
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separating User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
The Enhanced Goals ALSO contain security practices that are expected for HIPAA Security Rule compliance.
These are Enhanced Goals:
- Asset Inventory
- Third Party Vulnerability Disclosure
- Third Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
If these goals are truly optional, can entities that do not implement these practices still be in compliance with the Security Rule and avoid penalties? Not really….
In the December concept paper, HHS emphasized that adherence to these goals would be “voluntary.” At the same time, however, HHS warned that the HPH CPGs will inform “future regulatory action from the Department” and adherence to the goals will eventually be required. What is interesting regarding this comment is that nearly every OCR data request already asks for evidence of implementation of the majority of the 20 identified goals. This suggests that, on a practical level, these are not voluntary.
Did they just re-brand the 405(d) Recognized Security Practices? What now?
HHS also professed that it needed to promulgate the HPH CPGs because “access to numerous cybersecurity standards and guidance that apply to the [healthcare] sector” causes confusion about how to prioritize cybersecurity practices. Accordingly, we considered the HPH CPGs with HHS’s stated aim in mind: providing “clear direction” to dispel “confusion regarding which cybersecurity practices to prioritize.”
Unfortunately, at least at this early stage, the HPH CPGs are likely to exacerbate the confusion rather than clear it up. A cursory review of the HPH CPGs shows they are a re-packaging of well-established, recommended practices, and as we highlighted in our post on the HHS concept paper, the creation of the HPH CPGs raises questions about the future viability of the 405(d) Task Force’s recognized security practices (RSP).
The RSP, updated in 2023, are statutorily designated as a framework, along with the NIST Cybersecurity Framework (NIST CSF), that can be used to mitigate Health Insurance Portability and Accountability Act (HIPAA) enforcement penalties. Moreover, requests seeking evidence of adherence to the 405(d) RSP or the NIST CSF are a regular (and relatively burdensome) item in HHS Office for Civil Rights’ (OCR) data requests in the enforcement context.
Although the HPH CPGs include a “mapping” to the RSP, the NIST CSF, and the NIST SP 800-53r5, understanding the interrelationship between these frameworks and controls requires expertise that many healthcare entities do not have in-house. For example, each singular HPH CPG is shown mapping to multiple NIST CSF desired outcomes, multiple RSP sub-practices and many, many NIST 800-53r5 controls. This may complicate efforts to structure and document HIPAA security programs and likely require expert help from outside counsel to interpret the frameworks and assess compliance.
While a comprehensive analysis of each of the HPH CPGs and the HHS mappings to NIST and the RSP is beyond the scope of this blog post, consider the example of CPG No. 1 – “Mitigate Known Vulnerabilities: Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the Internet.” Based on this description, one might reasonably assume that HHS is advocating a commonly recommended prioritization for vulnerability management programs, i.e., identifying and remediating known-exploited vulnerabilities in externally exposed assets. However, CPG No. 1 maps to a much broader range of topics, which suggests that something else could be intended. Does this mean that meeting the first CPG requires doing everything in the mapped-to desired outcomes, practices, sub-practices and controls? If so, it is unclear how the CPG adds anything helpful to whatever is already in the RSP and NIST sources identified. Similarly, how does CPG No. 2 (“Email Security: Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud”) add anything useful or helpful to the RSP practice “Email Protection Systems”?
Additional confusion comes from the designation of an “asset inventory” as enhanced
The enhanced goals (CPG Nos. 10 – 20), designed to “encourage adoption of more advanced practices,” lead with “Asset Inventory: Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to potential risks and vulnerabilities.” The enhanced goal classification of this CPG is very confusing; the recommendation to know what systems and data need safeguarding has always been considered fundamental to information security. Accordingly, it has been one of the first practices identified in frameworks and standards for decades. Moreover, HHS and OCR regulatory guidance and enforcement activity have consistently emphasized the importance of this practice as the foundation for the required HIPAA security risk analysis. In other words, how did this CPG end up in the enhanced category? Should it be de-prioritized for smaller organizations, as it is apparently not included in the “minimum floor of recommended safeguards”?
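To make the two points above concrete, here is an added example (written for this post; it is not code from HHS, the CPG documents, or the 405(d) materials) of the narrow reading of CPG No. 1, i.e., remediating known-exploited vulnerabilities on internet-facing assets first, and of why that practice cannot be performed without the asset inventory that the CPGs classify as “enhanced.” The asset and finding records are constructed sample data, the CVE identifiers are obvious placeholders rather than real vulnerabilities, and the `known_exploited` flag stands in for whatever known-exploited-vulnerabilities feed an organization subscribes to.

```python
# Added example (not HHS/CPG text): rank scanner findings so that known-exploited
# vulnerabilities on internet-facing assets are remediated first, and surface the
# cases an asset inventory is needed for. All records are constructed sample data;
# the CVE IDs below are placeholders, not real CVEs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool
    managed: bool  # False marks a discovered "shadow"/unmanaged device


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve: str
    cvss: float
    known_exploited: bool  # True if listed in an assumed known-exploited catalog


def priority_tier(asset: Asset, finding: Finding) -> int:
    """Lower tier number means remediate sooner.
    0: known-exploited on an internet-facing asset (the CPG No. 1 reading above)
    1: known-exploited on an internal asset
    2: not known-exploited, but internet-facing
    3: everything else; CVSS orders findings within a tier
    """
    if finding.known_exploited:
        return 0 if asset.internet_facing else 1
    return 2 if asset.internet_facing else 3


def prioritize(assets, findings):
    """Return (ranked, unknown_hosts).
    ranked: list of (tier, hostname, cve) sorted by tier, then descending CVSS.
    unknown_hosts: CVE IDs whose host is absent from the inventory. Without an
    inventory entry there is no exposure information, so they are reported
    separately rather than silently dropped or guessed at.
    """
    inventory = {a.hostname: a for a in assets}
    scored, unknown = [], []
    for f in findings:
        asset = inventory.get(f.hostname)
        if asset is None:
            unknown.append(f.cve)
            continue
        scored.append((priority_tier(asset, f), -f.cvss, f.hostname, f.cve))
    scored.sort()
    ranked = [(tier, host, cve) for tier, _neg_cvss, host, cve in scored]
    return ranked, unknown


def unmanaged_assets(assets):
    """Inventory gap report: assets that are known but not under management."""
    return sorted(a.hostname for a in assets if not a.managed)


# Constructed sample inventory and scanner output (not real systems or CVEs).
SAMPLE_ASSETS = [
    Asset("web-portal-01", internet_facing=True, managed=True),
    Asset("ehr-db-02", internet_facing=False, managed=True),
    Asset("lab-pc-17", internet_facing=False, managed=False),  # shadow device
]

SAMPLE_FINDINGS = [
    Finding("web-portal-01", "CVE-0000-0001", 7.5, known_exploited=True),
    Finding("web-portal-01", "CVE-0000-0002", 9.8, known_exploited=False),
    Finding("ehr-db-02", "CVE-0000-0003", 8.1, known_exploited=True),
    Finding("lab-pc-17", "CVE-0000-0004", 5.3, known_exploited=False),
    Finding("unknown-host-99", "CVE-0000-0005", 9.0, known_exploited=True),
]

if __name__ == "__main__":
    ranked, unknown = prioritize(SAMPLE_ASSETS, SAMPLE_FINDINGS)
    for tier, host, cve in ranked:
        print(f"tier {tier}: {host} {cve}")
    print("findings on hosts missing from inventory:", unknown)
    print("unmanaged assets:", unmanaged_assets(SAMPLE_ASSETS))
```

Note that the lower-CVSS but known-exploited finding on the internet-facing host outranks the CVSS 9.8 finding on the same host, which is the whole point of the prioritization CPG No. 1 appears to describe; and that the highest-severity finding of all cannot be placed at any tier because its host is not in the inventory, which is why an asset inventory is a precondition for the “essential” goal rather than an advanced practice layered on top of it.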
More to Come…
How to incorporate the HPH CPGs in HIPAA security compliance programs will become clearer as the Department publishes additional guidance on its expectations in this regard and as OCR enforcement activity illuminates the relationship between the HPH CPGs and the RSP. For the time being, it would be prudent to highlight and prioritize the HPH CPGs in security programs to the extent this is not already being done as part of alignment with other recognized security practices such as the 405(d) RSP or the NIST CSF. Doing so will mean added compliance burdens, at least in the form of analysis and documentation, even if the HPH CPGs are already effectively part of the security program.