
Understanding cybersecurity performance goals 

Written by Kirsten Peremore | Jan 4, 2025 10:16:57 PM

Released in January 2024, the HHS Cybersecurity Performance Goals (CPGs) are designed to help healthcare organizations prioritize necessary security actions and reduce the risks associated with cyber threats. The HHS guidance on the CPGs notes, “These goals are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety…The HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.” The CPGs are structured into two tiers: essential and enhanced goals.  


The CPG tiers 

Essential goals 

The essential goals establish a baseline of foundational cybersecurity practices that all healthcare organizations should implement, such as the use of HIPAA-compliant email systems. These measures address common vulnerabilities and make sure organizations have the necessary safeguards to secure protected health information (PHI).


Enhanced goals

These are intended for organizations that have already met the essential requirements and seek to improve their cybersecurity maturity further. These goals encourage more advanced practices like maintaining an asset inventory and establishing centralized log collection. By promoting these layered security measures, the CPGs aim to create a defense against various attack vectors that healthcare entities face. 


How do they relate to existing cybersecurity frameworks?

Developed in alignment with existing frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Health Industry Cybersecurity Practices (HICP), the CPGs provide a roadmap for healthcare organizations to improve their cybersecurity posture. While currently voluntary, there is an expectation that these standards may evolve into mandated requirements as HHS seeks to strengthen cybersecurity regulations in response to the increasing risk profile of healthcare facilities.


How can healthcare organizations implement these goals?

Begin by adopting the essential goals, such as:

  • Email security: Implement email filtering solutions to block phishing attempts and malicious attachments.
  • Basic cybersecurity training: Provide regular training sessions for all staff on recognizing cyber threats and following secure practices.
  • Vendor cybersecurity requirements: Establish security requirements for third-party vendors that handle sensitive data.


Develop an asset inventory

Create and maintain an inventory of all IT assets, including hardware, software, and data repositories, to ensure visibility and management of cybersecurity risks.


Implement enhanced goals gradually

Once essential goals are established, work towards enhanced goals like:

  • Network segmentation: Divide the network into segments to limit lateral movement by attackers if one segment is compromised.
  • Centralized log collection: Set up centralized logging to monitor and analyze security events across the organization.
  • Configuration management: Regularly assess and manage configurations of devices and applications to ensure they meet security standards.
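The asset inventory and configuration management goals above come together in practice as an inventory whose records carry the configuration attributes you care about, checked against a written baseline so drift is visible. The script below is an added example, not part of the HHS guidance or this article: the asset records, segment names, rule identifiers and thresholds (such as a 30-day patch age) are all constructed for illustration, and a real program would read its inventory from a CMDB or discovery tool rather than an inline list.

```python
# Added example: a minimal asset inventory with configuration-baseline checks.
# Every asset, segment, rule id and threshold below is constructed for this
# illustration and is not taken from the HHS CPGs.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Asset:
    """One inventory record. Field names are hypothetical for this example."""
    name: str
    kind: str                # "server", "workstation" or "medical_device"
    segment: str             # network segment the asset is placed in
    os_patch_age_days: int   # days since the last OS patch was applied
    mfa_enabled: bool        # multi-factor authentication enforced for logins
    logs_forwarded: bool     # sends its logs to the central collector
    legacy_smb_enabled: bool # an obsolete file-sharing protocol still enabled


# Baseline rules: (rule id, predicate that must hold, finding text).
Rule = tuple[str, Callable[[Asset], bool], str]
BASELINE: list[Rule] = [
    ("PATCH-30", lambda a: a.os_patch_age_days <= 30,
     "OS patches older than 30 days"),
    # Many medical devices cannot run MFA, so the rule exempts that kind.
    ("MFA-USER", lambda a: a.mfa_enabled or a.kind == "medical_device",
     "MFA not enabled"),
    ("LOG-FWD", lambda a: a.logs_forwarded,
     "not forwarding logs to central collection"),
    ("SMB-LEGACY", lambda a: not a.legacy_smb_enabled,
     "legacy SMB enabled"),
    # Segmentation rule: medical devices belong in their own segment.
    ("SEG-MED", lambda a: a.kind != "medical_device" or a.segment == "clinical-devices",
     "medical device outside the clinical-devices segment"),
]


def check_asset(asset: Asset, rules: list[Rule] = BASELINE) -> list[str]:
    """Return the findings for one asset; an empty list means it meets the baseline."""
    return [f"{rule_id}: {text}" for rule_id, holds, text in rules if not holds(asset)]


def inventory_report(assets: list[Asset], rules: list[Rule] = BASELINE) -> dict[str, list[str]]:
    """Map each asset name to its list of baseline findings."""
    return {asset.name: check_asset(asset, rules) for asset in assets}


def assets_per_segment(assets: list[Asset]) -> dict[str, list[str]]:
    """Group asset names by network segment, a quick view of segmentation coverage."""
    grouped: dict[str, list[str]] = {}
    for asset in assets:
        grouped.setdefault(asset.segment, []).append(asset.name)
    return grouped


# Constructed sample inventory.
INVENTORY = [
    Asset("ehr-db-01", "server", "clinical-servers", 12, True, True, False),
    Asset("file-srv-02", "server", "corp-servers", 45, True, False, True),
    Asset("ws-nurse-17", "workstation", "clinical-workstations", 20, False, True, False),
    Asset("infusion-pump-03", "medical_device", "corp-workstations", 400, False, False, False),
]


if __name__ == "__main__":
    for name, findings in inventory_report(INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:18} {status}")
    for segment, names in assets_per_segment(INVENTORY).items():
        print(f"segment {segment}: {', '.join(names)}")
```

Running it prints one line per asset with its findings, which is the list a security team would work from: the unpatched file server that also keeps a legacy protocol on and does not forward logs, the workstation without MFA, and the infusion pump sitting in a corporate workstation segment. The per-segment grouping at the end is the simplest form of the visibility the segmentation goal asks for; extending the inventory with new attributes and the baseline with new rules keeps both goals in one place.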


FAQs

What are cybersecurity options for smaller organizations with limited funding? 

Smaller organizations can use open-source security tools, conduct regular employee training, and implement basic security measures. 


Why is network segmentation a necessary part of cybersecurity?

Network segmentation limits the movement of attackers within a network by isolating sensitive data and systems.