The Department of Health and Human Services (HHS) aids the Healthcare and Public Health (HPH) sector in preparing for and responding to cyber threats.
HHS, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), has developed voluntary Cybersecurity Performance Goals (CPGs) for the healthcare sector.
– The CPGs aim to protect healthcare organizations from cyberattacks, improve response capabilities, and minimize residual risk.
– They are divided into essential goals, which outline minimum foundational practices, and enhanced goals, promoting more advanced practices.
– Essential goals include mitigating known vulnerabilities, email security, multifactor authentication, basic cybersecurity training, strong encryption, revoking credentials, basic incident planning, unique credentials, and vendor/supplier cybersecurity requirements.
– Enhanced goals focus on asset inventory, third-party vulnerability disclosure, incident reporting, cybersecurity testing, mitigation, threat detection, network segmentation, centralized log collection, and configuration management.
– The CPGs are built on CISA’s CPGs and are informed by common industry frameworks and best practices like the Healthcare Industry Cybersecurity Practices and the NIST Cybersecurity Framework.
– They address common attack vectors against U.S. domestic hospitals and promote resiliency in medical devices and healthcare operations.
– The HPH CPGs offer a comprehensive foundation for cyber preparedness and resiliency, emphasizing layered protection and targeted strategies to mitigate cyber risks in the healthcare sector.
This document (https://hphcyber.hhs.gov/performance-goals.html) is crucial for healthcare organizations looking to strengthen their cybersecurity posture and safeguard patient information and healthcare operations against emerging cyber threats.