HHS Releases ‘Essential’ And ‘Enhanced’ Cybersecurity Performance Goals

HHS publishes a new website and releases its essential and enhanced voluntary cybersecurity performance goals.

• Source: Shutterstock

As promised, the Department of Health and Human Services has released its voluntary cybersecurity performance goals (CPGs), split into “essential” and “enhanced” goals. A related website from HHS.gov, posted 24 January, offers resources intended to connect the healthcare and public health (HPH) sector with the department.

While the CPGs are currently voluntary, the HHS is working to establish enforcement informed by the goals around cybersecurity standards for healthcare delivery organizations (HDOs), HHS Deputy Secretary Andrea Palm said in a release.

The CPGs were created to “directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis,” the release reads.

Essential goals are the bare minimum for healthcare cybersecurity and set a “floor of safeguards” to protect HDOs from cybersecurity attacks.

2024 HIPAA Update Will Include Cybersecurity Requirements
A new report explains how the Department of Health and Human Services plans to incentivize good cybersecurity practices for healthcare organizations.
Discover the full story

The essential goals are:

  • Mitigating known vulnerabilities;
  • Reducing risk from email threats;
  • Introducing multifactor authentication;
  • Conducting basic cybersecurity trainings;
  • Encrypting sensitive data;
  • Revoking credentials of departing employees in a timely manner;
  • Creating unique credentials to detect anomalous activity within systems;
  • Separating accounts based on security levels; and
  • Extending cybersecurity requirements to third-party partners.

These are considered basic, good cybersecurity practices across industries. (Also see "FDA And CISA Device Cybersecurity Agreement Needs To Be Updated, GAO Says" - Medtech Insight, 4 January, 2024.)

The HHS’s enhanced set of goals is resource-dependent and intended to help organizations “mature” their cybersecurity and reach the “next level of defense” against threats.

What is penetration testing?

“Penetration testing often includes hiring a third party to test a system’s vulnerabilities by trying to exploit the system as much as possible. After the tests are finished, the vulnerabilities are reported back to the organization for fixing.” (Also see "Vulnerabilities Up 59%: The State Of Healthcare Cybersecurity In 2023" - Medtech Insight, 10 August, 2023.)

These include:

  • Inventorying assets to identify known and unknown assets and detect vulnerabilities more quickly;
  • Establishing processes for identifying, detecting and reporting vulnerabilities in third-party partnerships;
  • Cybersecurity testing, such as penetration testing;
  • Detecting and responding to threats and common techniques used by threat actors;
  • Segmenting networks to prevent threat actors from accessing multiple assets;
  • Creating centralized log collection and incident planning and responses; and
  • Defining a baseline of secure device and system settings.

 The report’s appendices outline these goals in greater detail, including desired outcomes and implementation resources.

The HHS’s CPG website also has a comprehensive, guided tour of its CPGs in a different format that acts as a checklist for organizations.

More from Cybersecurity

FDA Publishes Final Cybersecurity Guidance To Replace Final Cybersecurity Guidance

 

The US FDA has issued an updated final guidance document on cybersecurity considerations for medical device manufacturers that replaces a previous final guidance the agency issued in 2023.

With LDT Rule DOA, Could FDA Shift Focus To RUOs?

 

Now that the US FDA has chosen not to appeal a March ruling effectively killing the agency’s efforts to regulate lab-developed tests as medical devices, will the agency adopt a different strategy to flex its regulatory muscle?

Congress, Researchers Highlight Security Risks At DNA Testing Services

 
• By 

Congress has launched an inquiry into 23andMe amid privacy concerns following its bankruptcy, particularly regarding the potential sale of sensitive user data. Additionally, a Cybernews report gave 40 DNA testing firms an average cybersecurity grade of D, citing widespread vulnerabilities and data breaches, along with inadequate public information about their security practices.

Birmingham City University Develops New Defense Mechanism Against Cyberattacks On AI Systems

 

AI systems used in healthcare are vulnerable to adversarial cyberattacks, which are a growing concern, said Atif Azad, a professor of AI at Birmingham City University. Azad’s research group has developed a method that trains AI to become more resilient to cyber threats through the use of random image adjustments.

More from Digital Technologies

HeartFlow Takes Another Crack At Public Markets With $100M IPO Filing

 
• By 

AI heart imaging company HeartFlow filed for a $100m IPO after scrapping its 2022 SPAC plans. It remains unprofitable but is betting on FDA clearances, Medicare coverage and a demand for AI-powered diagnostics to win over investors.

Abbott Lowers Outlook But Headwinds Are Temporary

 

Despite headwinds, executives remain optimistic about growth in Abbott’s medical devices and diabetes divisions and plan several product rollouts, including the Volt PFA catheter for electrophysiology and the dual glucose-ketone sensor CGM.

Numerous Injuries Prompt Class I Recall Of Dexcom CGM Receivers

 

Dexcom has recalled several models of its glucose monitoring receivers due to a speaker glitch that may suppress vital blood sugar alerts. The FDA designated the recall, which affects thousands of devices, as class I.