Cybersecurity performance goals (CPGs) are a set of cybersecurity best practices and minimum-security standards developed by the Cybersecurity and Infrastructure Security Agency (CISA) to help healthcare organizations enhance their cybersecurity resilience. These goals provide a roadmap for healthcare entities to safeguard patient information, maintain compliance, and protect against potential threats.
CPGs are baseline security standards and recommended practices to help organizations protect against cyber threats and enhance their overall cybersecurity resilience. Developed by CISA, these goals provide organizations, particularly small and medium-sized enterprises, with clear, actionable steps to improve their cybersecurity posture without requiring advanced technical expertise or significant resources.
The HHS divides CPGs into two tiers, essential goals and enhanced goals:
Essential goals “help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk” and include mitigating known vulnerabilities, improving email security, having cybersecurity training, and more.
Enhanced goals “help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors” and include asset inventory, cybersecurity testing, and more.
CPGs are intended for all organizations, especially those with limited cybersecurity resources. They are particularly useful for small and medium-sized businesses that may not have dedicated cybersecurity teams.
CPGs are designed to be simple and actionable, focusing on high-impact practices that organizations can easily adopt. They complement more comprehensive frameworks like the NIST Cybersecurity Framework or ISO 27001 but focus more on accessible, practical steps.
Cyber threats evolve continuously, so organizations should regularly review and update their cybersecurity practices. Ideally, conduct reviews annually or more often if new threats or vulnerabilities emerge.