
Solutions for meeting cybersecurity
performance goals and HHS initiatives

The Department of Health and Human Services (HHS) has introduced the cybersecurity performance goals (CPGs): a set of controls drawn from the widely adopted NIST Cybersecurity Framework (CSF) and the Health Industry Cybersecurity Practices (HICP), prioritized to build resilience against the top threats to healthcare identified in the HHS Hospital Cyber Resiliency Initiative Landscape Analysis.

Why CPGs?

A brief history of the HHS cybersecurity performance goals, from the Cybersecurity Act (CSA) of 2015 to the HISAA bill of 2024.

Acknowledging the rising threat to critical sectors, the U.S. Congress passes the CSA. Section 405(d) aims to establish voluntary best practices to shield healthcare organizations (HCOs) from cyber risks.

2015

Congress passes the Cybersecurity Act (CSA)

2015

HHS sets up a Task Group to address the concerns under section 405(d) of the CSA

HHS shoulders this responsibility and convenes the 405(d) Task Group, comprising over 150 members from cybersecurity, privacy, healthcare practice, IT, and other subject-matter areas.

The Task Group creates the HICP, a best-practice guide focused on the top threats to the healthcare industry, along with specific practices that HCOs can follow to combat them. The HICP also supports compliance with the HIPAA Security Rule.

2018

The Health Industry Cybersecurity Practices (HICP) is created

2018–2022

#1 target for ransomware is healthcare, says the FBI

93% increase in large breaches reported to HHS Office for Civil Rights (OCR).
278% increase in large breaches involving ransomware.

Ransomware attacks affect cancer care during COVID-19 pandemic:

41% decrease in total outpatient volume.

Major ransomware attack on a San Diego-based healthcare nonprofit causes $112M in lost revenue, remediation costs, and fines.

Although the HICP is available, ransomware incidents continue to rise, revealing that many HCOs struggle to adopt and implement these practices effectively because of the following limitations:

  • IT teams at HCOs are understaffed, with technicians juggling multiple roles.
  • Most IT budgets prioritize large projects such as EHR implementation, leaving little for cybersecurity.
  • Despite the availability of multiple frameworks, attacks remain prevalent.

To understand the top threats and the controls that prevent them, HHS conducts further research and releases its findings in a report titled Hospital Cyber Resiliency Initiative Landscape Analysis. The report reveals alarming gaps in the cybersecurity practices HCOs follow and concludes that certain practices within the HICP must be prioritized.

Key findings from the report:

Ransomware: The top threat
__% of HCOs affected in 2023.

Poor vulnerability assessment
__% of hospitals have a documented response plan for vulnerabilities.
__% of hospitals conduct advanced vulnerability tests.

Third-party gateways
__% of ransomware incidents involve third-party sources.
__rd most common risk vector according to CISOs.

Antiquated assets
__% of hospitals operate legacy systems with known vulnerabilities.

Rising cyber insurance premiums
__% increase in 2021, leading some hospitals to self-insure.

See the detailed report from HHS
April 2023

The HHS conducts the Hospital Cyber Resiliency Initiative Landscape Analysis

Jan. 2024

HHS releases voluntary cybersecurity performance goals (CPGs)

  • Based on the findings from the Hospital Cyber Resiliency Initiative Landscape Analysis, HHS releases a set of prioritized cybersecurity practices dubbed the CPGs.
  • The CPGs focus on the top threats plaguing healthcare and reference key controls and practices from the NIST CSF and the HICP.
  • This voluntary set of goals is split into two categories: essential and enhanced.
  • HHS works with Congress on funding programs for implementing the CPGs.

Despite these HHS initiatives, the healthcare sector continues to see increasing cyberattacks:

"Mega corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result...these are common-sense reforms, which include jail time for CEOs that lie to the government about their cybersecurity."

Ron Wyden,
U.S. Senate Finance Committee Chair

Change Healthcare cyberattack:

  • 100 million individuals affected in the largest known breach of PHI.
  • UnitedHealth records $2.5B in total impacts from the Change Healthcare cyberattack.
  • 67% of HCOs are hit by ransomware in 2024.

In response to these threats, cybersecurity becomes a board-level priority for HCOs, as indicated by the KLAS report.

Jan. 2024–Sept. 2024

U.S. healthcare witnesses its largest-ever cyberattack, and HCOs' priorities shift to cybersecurity

Sept. 2024

Health Infrastructure Security and Accountability Act (HISAA) means tighter regulations and tougher fines

With cybersecurity now a national-level priority, HISAA is introduced in the U.S. Senate as a bill that would impose stringent regulations and fines for cybersecurity violations.

Some highlights of HISAA are:

  • Statutory caps on HIPAA fines would be removed so that larger HCOs face penalties big enough to deter lax cybersecurity.
  • HISAA would allocate $1.3 billion to cover implementation costs, especially for smaller HCOs.
  • All HCOs would have to publicly disclose their compliance status, and healthcare executives would have to certify it annually.
  • Submitting false information could lead to fines of up to $1M and up to 10 years in prison.
  • HHS would conduct annual audits of HCOs and submit a summary to Congress every two years.
  • HHS would have two years to create a set of minimum and enhanced security requirements built on the CPGs.
  • Until the new set of standards is created, HCOs would assess their adherence to the CPGs.

CPGs are the stepping stone to HISAA: here's how you can align with them and be prepared

Before HISAA-specific minimum security requirements take effect, HCOs should assess their adherence to the CPGs. Meeting the CPGs is currently voluntary, but HISAA, if enacted, would make these goals mandatory. Because the CPGs take controls from the NIST CSF and the HICP and prioritize them against the top threats to healthcare, adopting them early mitigates critical threats now and prepares you for the mandates HISAA would bring.

Tactical advice on implementing the relevant portions of the CPGs with ManageEngine Endpoint Central

ManageEngine Endpoint Central helps you achieve the endpoint management and security portions of the essential and enhanced goals under the CPGs.

Meeting the essential goals
Mitigate Known Vulnerabilities
CPG description: Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the internet.
How Endpoint Central helps: Scan for known vulnerabilities and deploy the applicable patches immediately. (Learn more about vulnerability management)

Email Security
CPG description: Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
How Endpoint Central helps: Keep your workforce aware of phishing threats by circulating educational content to their mobile devices. Awareness content supports this goal; it does not replace mail-gateway controls such as anti-spoofing and filtering. (Learn more about content management)

Basic Cybersecurity Training
CPG description: Ensure organizational users learn and perform more secure behaviors.
How Endpoint Central helps: Keep your users educated on cybersecurity practices by distributing content to their mobile devices. (Learn more about content distribution)

Strong Encryption
CPG description: Deploy encryption to maintain the confidentiality of sensitive data and the integrity of IT and operational technology (OT) traffic in motion.
How Endpoint Central helps: Enforce device encryption to protect the confidentiality of sensitive data stored on endpoints. (Learn more about encryption)

Revoke Credentials for Departing Members
CPG description: Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers, by removing access promptly.
How Endpoint Central helps: Healthcare staff have profiles on multiple shared devices. Remove these local user profiles from all associated devices at once. (Learn how to remove local user profiles across all devices)

Basic Incident Planning and Preparedness
CPG description: Ensure safe and effective organizational responses to, restoration after, and recovery from significant cybersecurity incidents.
How Endpoint Central helps:
  • Perform vulnerability scans across the device fleet to identify potential risks.
  • Automatically detect and mitigate ransomware attacks, restoring devices to the most recent stable backup.
  • Monitor devices for unusual activity that may be an indicator of compromise (IoC).
  • Remotely wipe and reset compromised devices based on the severity of the attack.

Unique Credentials
CPG description: Use unique credentials inside organizations' networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.
How Endpoint Central helps: Support unique credentials by enforcing organizational password policies for all users. (Learn more about password policies)

Separate User and Privileged Accounts
CPG description: Establish secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised.
How Endpoint Central helps: Use the dedicated dashboard for quick visibility into administrative accounts across your fleet. Manage UAC, revoke administrative privileges from regular users, and restrict elevated access solely to approved applications.

Vendor/Supplier Cybersecurity Requirements
CPG description: Identify, assess, and mitigate risks associated with third-party products and services.
How Endpoint Central helps: Identify vulnerabilities in, and patch, third-party products, with support for 850+ applications. (Learn more about patch and vulnerability management)
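The "Revoke Credentials for Departing Members" and "Separate User and Privileged Accounts" goals above are about state on the endpoint that can be checked directly. The script below is an added example written for this page; it is not Endpoint Central code and does not use its API. It audits one Windows endpoint for members of the local Administrators group that are not on an approved list, and for leftover profiles and still-enabled local accounts belonging to people on a departed-users list, then remediates only when asked. The `CONTOSO` domain, the account names, and the two lists are illustrative assumptions; in practice the lists come from your identity or HR process.

```powershell
# Added example (not Endpoint Central code): audit one Windows endpoint
# against two CPG essential goals and optionally remediate.
#   Separate User and Privileged Accounts -> unapproved local Administrators
#   Revoke Credentials for Departing Members -> stale profiles / enabled accounts
# Assumptions (illustrative): 'CONTOSO' and the sample names are placeholders;
# run in an elevated Windows PowerShell 5.1+ or PowerShell 7 session.
# Use -WhatIf to preview, then -Remediate to enforce.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins'),
    [string[]]$DepartedUsers  = @('CONTOSO\jdoe', "$env:COMPUTERNAME\contractor01"),
    [switch]$Remediate
)

# Resolve a profile SID to DOMAIN\user. Returns $null for orphaned SIDs
# (account already deleted in the directory); those are flagged separately.
function Resolve-SidToName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# --- Separate User and Privileged Accounts ---------------------------------
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings.Add([pscustomobject]@{
            Check   = 'UnapprovedLocalAdmin'
            Subject = $m.Name
            Detail  = "ObjectClass=$($m.ObjectClass); Source=$($m.PrincipalSource)"
        })
        if ($Remediate -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
}

# --- Revoke Credentials for Departing Members ------------------------------
# 1. Cached profiles: shared clinical workstations accumulate one per user.
foreach ($p in Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }) {
    $name = Resolve-SidToName $p.SID
    if ($null -ne $name -and $DepartedUsers -notcontains $name) { continue }
    if ($null -eq $name) { $check = 'OrphanedProfile'; $subject = $p.SID }
    else                 { $check = 'DepartedUserProfile'; $subject = $name }
    $findings.Add([pscustomobject]@{
        Check   = $check
        Subject = $subject
        Detail  = "Path=$($p.LocalPath); Loaded=$($p.Loaded)"
    })
    # Never delete a profile that is currently loaded (the user is logged on).
    if ($Remediate -and -not $p.Loaded -and $PSCmdlet.ShouldProcess($p.LocalPath, 'Delete user profile')) {
        $p | Remove-CimInstance
    }
}

# 2. Local accounts that should no longer be able to log on at all.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    $qualified = "$env:COMPUTERNAME\$($u.Name)"
    if ($DepartedUsers -contains $qualified) {
        $findings.Add([pscustomobject]@{
            Check   = 'DepartedLocalAccountEnabled'
            Subject = $qualified
            Detail  = "LastLogon=$($u.LastLogon)"
        })
        if ($Remediate -and $PSCmdlet.ShouldProcess($qualified, 'Disable local account')) {
            Disable-LocalUser -Name $u.Name
        }
    }
}

# Emit findings as objects so the caller can Export-Csv them or forward
# them to a ticketing or SIEM pipeline.
$findings | Sort-Object Check, Subject
```

Two caveats from running this kind of check on real fleets: `Get-LocalGroupMember` can fail to enumerate a group that still contains an orphaned SID (a domain account deleted without being removed from the local group), so treat that error itself as a finding and clean the group manually; and a profile deletion only removes cached data, so the account must also be disabled in the directory for the revocation to be complete.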
Meeting the enhanced goals
Asset Inventory
CPG description: Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to potential risks and vulnerabilities.
How Endpoint Central helps: Get a comprehensive inventory of all managed devices, integrated with leading ITSM products for a unified source of asset visibility. (Learn more about asset management)

Third-Party Vulnerability Disclosure
CPG description: Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.
How Endpoint Central helps: Continuously monitor assets to discover known threats and vulnerabilities in third-party products. (Learn more about vulnerability management)

Third-Party Incident Reporting
CPG description: Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
How Endpoint Central helps:
  • Scan devices and applications to quickly find vulnerabilities, supporting risk assessment.
  • Address known threats by applying patches and fixing misconfigurations, with support for 1,500+ third-party vulnerabilities.
(Learn more about patch and vulnerability management)

Cybersecurity Mitigation
CPG description: Establish internal processes to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
How Endpoint Central helps: Apply patches and correct insecure configurations for the relevant vulnerabilities.

Detect and Respond to Relevant Threats and TTPs
CPG description: Ensure organizational awareness of, and the ability to detect, relevant threats and TTPs at endpoints.
How Endpoint Central helps: Secure the entry and exit points of your network with endpoint protection, and monitor devices in real time to detect and respond to malware. (Learn more about our next-gen antivirus capabilities)

Centralized Incident Planning and Preparedness
CPG description: Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
How Endpoint Central helps:
  • Perform vulnerability scans across the device fleet to identify potential risks.
  • Automatically detect and mitigate ransomware attacks, restoring devices to the most recent stable backup.
  • Monitor devices for unusual activity that may be an indicator of compromise (IoC).
  • Remotely wipe and reset compromised devices based on the severity of the attack.

Configuration Management
CPG description: Define secure device and system settings consistently and maintain them according to established baselines.
How Endpoint Central helps: Configure standard system settings and align devices with your organization's baseline policies. (Learn more about configuration management)
Source: hhscyber.hhs.gov/performance-goals.html

Survey and peer insights on CPGs and ransomware impact

We're launching a survey to understand how healthcare IT leaders are tackling ransomware, HISAA, and CPG adoption. Share your perspective, get early access to our peer insights, and see where your organization stands.

If you're a healthcare enterprise, learn what we can do for you.

Learn and explore

If it's too early in your purchase process to speak with our product specialist, we recommend that you visit our content hub. You can find thought leadership content on how to get the buy-in from top management, similar case studies, and demo videos on use cases that are relevant to you.
