What are cybersecurity performance goals (CPGs)?

Cybersecurity performance goals (CPGs) are a set of cybersecurity best practices and minimum security standards developed by the Cybersecurity and Infrastructure Security Agency (CISA) to help healthcare organizations enhance their cybersecurity resilience. These goals provide a roadmap for healthcare entities to safeguard patient information, maintain compliance, and protect against potential threats.

Understanding CPGs

CPGs are baseline security standards and recommended practices to help organizations protect against cyber threats and enhance their overall cybersecurity resilience. Developed by CISA, these goals provide organizations, particularly small and medium-sized enterprises, with clear, actionable steps to improve their cybersecurity posture without requiring advanced technical expertise or significant resources.

Types of CPGs

HHS divides the CPGs into essential goals and enhanced goals:

Essential goals “help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk” and include mitigating known vulnerabilities, improving email security, having cybersecurity training, and more. 

Enhanced goals “help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors” and include asset inventory, cybersecurity testing, and more. 

Tips/best practices for implementing CPGs

Start with a risk assessment

  • Identify and prioritize assets, vulnerabilities, and potential threats.
  • Focus on high-risk areas first to maximize your cybersecurity improvements.

Establish clear security policies

  • Create, document, and enforce policies that outline cybersecurity expectations for employees and contractors.

Monitor networks and systems

  • Use intrusion detection and prevention systems to monitor for suspicious activity.
  • Regularly review logs to identify unusual access patterns or other indicators of compromise.

Backup data and test recovery

  • Perform regular, encrypted backups of critical data and test recovery procedures.
  • Ensure backups are stored securely and kept separate from the primary network, so that a ransomware infection cannot reach and encrypt them.

Engage with external cybersecurity resources

  • Leverage government resources (such as CISA guidelines) and industry frameworks (e.g., NIST Cybersecurity Framework) for up-to-date guidance.
  • Consider working with cybersecurity consultants for deeper audits or advanced security needs.

Track and measure progress

  • Set specific, measurable goals to evaluate improvements over time.
  • Use metrics such as incident response time, phishing simulation success rates, and compliance with access policies to assess effectiveness.

FAQs

Who should follow CPGs?

CPGs are intended for all organizations, especially those with limited cybersecurity resources. They are particularly useful for small and medium-sized businesses that may not have dedicated cybersecurity teams.

How do CPGs differ from other cybersecurity frameworks?

CPGs are designed to be simple and actionable, focusing on high-impact practices that organizations can easily adopt. They complement more comprehensive frameworks like the NIST Cybersecurity Framework or ISO 27001 but focus more on accessible, practical steps.

How often should organizations review and update their CPG implementation?

Cyber threats evolve continuously, so organizations should regularly review and update their cybersecurity practices. Ideally, conduct reviews annually or more often if new threats or vulnerabilities emerge.