Cybersecurity Performance Goals: CPGs for Healthcare Industry

The Genesis: HHS’s Mandate for Cybersecurity Excellence

Recently, the Department of Health and Human Services (HHS) introduced a set of healthcare-specific Cybersecurity Performance Goals (CPGs) aimed at helping the healthcare sector focus on crucial security best practices. These voluntary CPGs comprise both “Essential” and “Enhanced” goals, including widely adopted measures such as multifactor authentication and basic incident response planning.

Although the goals themselves are not groundbreaking concepts, their structured format, voluntary nature, and integration into HHS’s broader healthcare and public health (HPH) sector outline set them out in black and white for the industry.

Experts foresee these voluntary CPGs as a foundational step, potentially paving the way for future regulatory standards within the next two years. We see them not as potentially, but inevitably, paving the way for mandated regulatory standards very soon.


Deciphering the CPGs: A Dual-Pronged Approach

The HPH CPGs are built upon the December 2023 healthcare sector cybersecurity concept paper, which outlines a comprehensive cybersecurity strategy at the national level. These goals, while presented in a new format, take inspiration from established industry guidance, such as the Healthcare Industry Cybersecurity Practices (HICP), the National Cybersecurity Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.


Navigating the CPGs: A Surface Level Exploration

The “Essential” goals focus on addressing common vulnerabilities, minimizing risks, and enhancing incident response. The “Enhanced” goals elevate cybersecurity maturity with advanced tactics like network segmentation and third-party incident reporting. Each goal is meticulously aligned with specific practices from HICP, NIST controls, and the Cybersecurity and Infrastructure Security Agency’s (CISA) CPGs.


Essential CPGs:

  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training
  • Strong Encryption
  • Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
  • Basic Incident Planning and Preparedness
  • Unique Credentials
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements


Enhanced CPGs:

  • Asset Inventory
  • Third Party Vulnerability Disclosure
  • Third Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTPs)
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

You can read the details about these goals here or partner with us and begin mapping a plan to implement these goals.

Voluntary or Voluntold: Soon to Unfold

As mentioned earlier, the CPGs are currently voluntary (voluntold), but HHS intends to use them as the foundation for future regulations. The HHS concept paper, in its detail, emphasizes the aspiration for all hospitals to meet sector-specific CPGs in the coming years, potentially incorporating them into existing programs such as Medicare, Medicaid, and the HIPAA Security Rule. The American Hospital Association (AHA) has expressed support for federal guidance and funding for cybersecurity improvement but opposes mandatory requirements without adequate funding.

As the industry grapples with implementation challenges, experts underscore the critical nature of the controls outlined in the CPGs. Overall, while the journey towards codifying these CPGs into law may be protracted, healthcare organizations should begin leveraging this voluntary guidance to make informed security decisions and prioritize actions that significantly reduce cyber risk.

Strategic Application: Aligning CPGs with Healthcare Realities

If your organization has previously considered implementing any of these goals, the imperative is clear: take immediate action. According to the renowned 2023 Data Breach Investigations Report published by Verizon, the top attack patterns for the healthcare industry were System Intrusion, Basic Web Application Attacks, and Miscellaneous Errors, which together represented 68% of breaches. If you have minimal security protocols, you’ll want to begin prioritizing and focusing on the CPGs, which will decrease your chances of becoming a target.

Verizon DBIR Statistics

Mapping Cybersecurity Goals: A Quick Start Suggestion

Obviously, in a perfect world, implementing all of the Essential and Enhanced CPGs right off the bat would be ideal, but with resources tight and bandwidth low, we’d suggest starting with Email Security, Multifactor Authentication, and Basic Cybersecurity Training.


Contact us today to initiate a comprehensive review of your goals and determine the next strategic steps for implementation.