The Department of Health and Human Services (HHS) serves as the Sector Risk Management Agency (SRMA) for the critical infrastructure sector of Healthcare and Public Health (HPH). As such, they are responsible for sharing cyber threat information, providing resources to comply with data security and privacy laws, issuing cybersecurity guidance and threat alerts for medical devices, and publishing healthcare-specific cybersecurity best practices.
In recent years, healthcare delivery organizations (HDOs) have dealt with unprecedented cybersecurity challenges as digital transformation drives growth across the sector via advancements in connected medical devices and clinical workflows. As reported in our Global Healthcare Cybersecurity Study 2023, at least 78% of survey respondents experienced a minimum of one cybersecurity incident over the last year, with 30% citing at least one incident that affected cyber-physical systems (CPS), including medical devices and/or building management system (BMS) devices. These alarming results demonstrate how healthcare cybersecurity risks have begun to outpace the benefits of connected patient care, and the sector-wide need to bolster cybersecurity defenses against sophisticated adversaries.
Enter: HPH Cybersecurity Performance Goals (CPGs).
The HPH CPGs are voluntary, sector-specific goals that empower HDOs to prioritize the implementation of key security best practices. This landmark initiative consists of “essential” and “enhanced” goals designed to help organizations prepare for and respond to cyber threats, adapt to the evolving threat landscape, and build a more resilient sector. These goals are informed in part by common industry cybersecurity frameworks, directives, guidelines, best practices, and strategies found within the following documents:
Each goal, whether essential or enhanced, has been mapped to a specific HICP practice, NIST control, and CISA CPG, bringing more attention to the plethora of existing guidance, and helping HDOs to better streamline their cyber activities.
The new CPGs have been designed to provide a layer of protection across different stages of the attack chain in order to mitigate the impact of cybersecurity incidents. The “essential” category, for example, consists of goals that help healthcare organizations tackle common vulnerabilities, minimize risk, and improve incident response. The “enhanced” goals, on the other hand, help healthcare organizations reach further cybersecurity maturity by focusing on more advanced but equally crucial tactics, such as network segmentation and third-party incident reporting. For organizations that have already met the essential goals, the enhanced goals bolster cybersecurity maturity by helping hospitals navigate their next steps.
The HHS has outlined four concurrent steps that form the basis for advancing cybersecurity in the healthcare sector. This strategy entails:
New Goals Set for the Healthcare Cybersecurity Sector: As discussed, the HHS has established new, voluntary goals for the industry. The HPH CPGs outline the goals required for foundational cybersecurity activities while also setting stretch goals that encourage greater sophistication in advanced cybersecurity performance.
New Support and Incentives: HHS will work with Congress to obtain new authority and funding to administer financial support for domestic hospital investments in cybersecurity and, in the future, enforce new cybersecurity requirements via financial consequences for hospitals.
Greater Enforcement & Accountability: Within the next few years, the HHS aspires to have all hospitals meeting their sector-specific CPGs, and plans to propose new enforceable cybersecurity standards that would be incorporated into existing programs, such as Medicare and Medicaid and the HIPAA Security Rule. They will also work with Congress to increase penalties, expand the number of investigators, and return to proactive audits in an effort to increase compliance.
Expansion of HHS for Program Maturity: HHS plans to mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer.
The HPH CPGs represent a paradigm shift, empowering healthcare organizations to proactively bolster their cybersecurity defenses. However, meeting these goals can prove challenging for healthcare organizations unsure of where to begin. Luckily, Claroty’s purpose-built solution, the Medigate Platform, offers a highly flexible and customizable approach that accommodates a wide array of security best practices and supports all levels of cybersecurity program maturity. From implementing initial asset management and mitigating known vulnerabilities to more sophisticated approaches such as network segmentation and detection and response for relevant threats and tactics, Claroty can help healthcare organizations prioritize the CPGs that will have the biggest impact on reducing risk.
To learn more about how Claroty can help support the HPH CPGs, check out our white paper, or simply request a demo.