In response to the number of successful, large-scale ransomware attacks affecting healthcare organizations nearly tripling since 2018, the Department of Health and Human Services (HHS) has released guidance outlining its Cybersecurity Performance Goals (CPGs), developed in collaboration with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The CPGs outline a framework of voluntary cybersecurity practices that healthcare organizations may utilize as part of their broader cybersecurity frameworks, strengthening their ability to comply with those security measures required by the Health Insurance Portability and Accountability Act (HIPAA).
The CPGs consist of defined lists of essential and enhanced goals, each of which is intended to mitigate risk within identifiable threat areas. Additional information on these goals is available in the appendices to the guidance.
The essential goals are intended to set a baseline for organizational cybersecurity practices that better protects an organization from cyberattacks, improves responsive abilities when attacks occur, and minimizes the risk that stems from these events. These essential goals are as follows:
- Mitigate Known Vulnerabilities. Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the internet.
- Email Security. Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
- Multifactor Authentication. Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the internet.
- Basic Cybersecurity Training. Ensure organizational users learn and perform more secure behaviors.
- Strong Encryption. Deploy encryption to maintain confidentiality of sensitive data and integrity of information technology (IT) and operational technology (OT) traffic in motion.
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers. Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers, by removing access promptly.
- Basic Incident Planning and Preparedness. Ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.
- Unique Credentials. Use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.
- Separate User and Privileged Accounts. Establish secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised.
- Vendor/Supplier Cybersecurity Requirements. Identify, assess, and mitigate risks associated with third-party products and services.
The enhanced goals provide a more advanced framework through which an organization may ensure that its cybersecurity framework is well-positioned to deal with more sophisticated cyberattack vectors. These enhanced goals are as follows:
- Asset Inventory. Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to potential risks and vulnerabilities.
- Third-Party Vulnerability Disclosure. Establish processes to promptly discover and respond to known threats and vulnerabilities across vendors and service providers.
- Third-Party Incident Reporting. Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
- Cybersecurity Testing. Establish processes to promptly discover and responsibly share vulnerabilities in assets discovered through penetration testing and attack simulations.
- Cybersecurity Mitigation. Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP). Ensure organizational awareness of and ability to detect relevant threats and TTPs at endpoints. Ensure organizations are able to secure entry and exit points to their network with endpoint protection.
- Network Segmentation. Mission-critical assets are separated into discrete network segments to minimize lateral movement by threat actors after the initial compromise.
- Centralized Log Collection. Collection of necessary telemetry from security log data sources within an organization’s network that maximizes visibility, cost-effectiveness, and faster response to incidents.
- Centralized Incident Planning and Preparedness. Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
- Configuration Management. Define secure device and system settings in a consistent manner and maintain them according to established baselines.
The CPGs are consistent with the HIPAA rules and serve to promote the existing HIPAA compliance obligations of healthcare organizations. HHS views this guidance as a key element of its ongoing efforts to promote the use of a robust cybersecurity framework as part of a comprehensive HIPAA compliance program. Compliance with this guidance may reduce the likelihood of breaches, as well as potentially reduce the likelihood or amount of penalties in the event of a breach. Specifically, federal law requires HHS to take into account (as a mitigating factor to potentially reduce penalties) whether a covered entity or business associate had recognized security practices in place for at least 12 months prior to the breach. Healthcare organizations should thoroughly review the CPGs and assess the adequacy of their cybersecurity capabilities as part of their HIPAA compliance efforts.