The U.S. Department of Health and Human Services (“HHS”) has expanded upon its recent Healthcare Sector Cybersecurity Concept Paper (which we covered in a prior blog post), issuing cybersecurity performance goals (“CPGs”) for the healthcare and public health (“HPH”) sector. These CPGs aim to help healthcare organizations protect against cyberattacks and improve their responses when attacks on critical healthcare infrastructure occur. HHS worked closely with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to develop these nationwide CPGs for the healthcare industry.

The new HPH-focused CPGs are grouped into two categories: essential goals, which outline minimum practices for cybersecurity performance, and enhanced goals, which provide the foundation for more advanced cybersecurity measures. The goals align with the healthcare industry cybersecurity practices and sub-practices outlined in the latest edition of Cybersecurity Practices for Medium and Large Healthcare Organizations published by the Healthcare & Public Health Sector Coordinating Council. HHS has also mapped these practices and sub-practices to NIST SP 800-53 Rev. 5 controls to further aid healthcare organizations with implementation and compliance efforts.

Essential goals aim to assist healthcare organizations in implementing foundational safeguards that improve protections against cyberattacks. HHS has identified 10 essential goals, which include, in part, bolstering email security, implementing multifactor authentication and encryption across electronic systems, and identifying and mitigating cybersecurity risks associated with third‑party products and services.

Enhanced goals are designed to assist healthcare organizations with defending against cyberattacks from multiple attack vectors. HHS has identified 10 enhanced goals, which include, in part, cybersecurity testing, cybersecurity mitigation, network segmentation, and configuration management. Similar to the essential goals, HHS has linked the enhanced goals to 21 health industry cybersecurity practices and sub-practices.

The release of these HPH-focused CPGs follows the recent release of the HHS HPH Cybersecurity Gateway, a new online portal that allows healthcare industry stakeholders to track additional HHS guidance in the cybersecurity space.

Proskauer will continue to provide updates about HHS’s cybersecurity strategy for the healthcare sector, as additional guidance is expected in the near future.