In an era where digital health is paramount, the U.S. Health and Human Services (HHS) has unveiled a strategic blueprint to bolster cybersecurity in healthcare organizations. With the introduction of Cybersecurity Performance Goals (CPGs), HHS aims to guide healthcare entities in fortifying their digital defenses through a tiered approach, emphasizing adaptability and comprehensive protection.
The newly released CPGs serve as a beacon for healthcare organizations, urging them to adopt critical cybersecurity measures. These guidelines are part of the broader HHS 405(d) Program and echo the principles outlined by the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group’s Healthcare Industry Cybersecurity Practices. They also find resonance with the frameworks established by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity Strategy.
In a notable move, HHS, in collaboration with its Cybersecurity Task Force, introduced the 2023 Edition of the Health Industry Cybersecurity Practices (HICP) in April. This comprehensive document, along with a Hospital Cyber Resiliency Landscape Analysis and an educational platform, pinpoints the most effective strategies to safeguard patient data and counter cybersecurity threats.
The discourse surrounding the categorization of “essential” goals within the CPGs has been vibrant among industry stakeholders. Ty Greenhalgh, a distinguished HHS 405(d) Ambassador and Industry Principal at Claroty, shared insights with Healthcare IT News, highlighting the anticipation within the healthcare sector regarding the allocation of funds to support these critical cybersecurity measures.
HHS has articulated a vision wherein the essential CPGs establish a baseline of security protocols, enhancing the sector’s defense against cyber threats, optimizing incident response, and minimizing overall risk. The agency’s forward-looking strategy includes engaging with Congress to secure the necessary authority and financial backing to incentivize hospitals to adopt these pivotal cybersecurity practices.
The proposed framework not only targets immediate defensive mechanisms but also envisions a long-term strategy to elevate cybersecurity standards across the healthcare domain. This includes substantial initial investments to assist under-resourced healthcare providers in meeting the essential CPGs and a robust incentives program to drive broader adoption of advanced cybersecurity measures.
In a collaborative effort last October, CISA, HHS, and the HSCC unveiled a cybersecurity toolkit designed to bridge the resource and capability gaps within the healthcare sector. This toolkit advocates for comprehensive risk assessments and a slew of best practices, such as system-wide vulnerability scans, to mitigate prevalent cyber risks.
The advanced goals outlined in the latest CPGs underscore the criticality of developing an exhaustive asset inventory as a cornerstone of cybersecurity in healthcare. CISA has emphasized the significance of asset visibility in cybersecurity, asserting that securing an organization’s network begins with a clear understanding of its digital assets.
Echoing the sentiment of proactive cybersecurity management, Frank Sinatra, the Chief Information Security Officer at Newark’s University Hospital, shared his experiences with HICP compliance on HIMSSTV. He underscored the benefits of HICP adherence, including enhanced business continuity planning, while acknowledging the challenges in resource allocation and priority setting.
HHS Deputy Secretary Andrea Palm reaffirmed the department’s commitment to fortifying the healthcare sector against cyber threats. “We have a responsibility to help our healthcare system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” she stated. The release of the CPGs marks a significant stride toward establishing enforceable cybersecurity standards within the healthcare industry, guided by the insights derived from these comprehensive guidelines.