What HHS's New Cybersecurity Performance Goals Mean to Healthcare Organizations

The Feb. 21 cyberattack against UnitedHealth-owned technology services provider Change Healthcare impacted access at multiple pharmacy chains for days. The attack caused a nationwide disruption in a network that provides communication between pharmacies and health insurance firms, and affected benefits verification, claims submission, status updates, remittance information transmittal, and prior authorization. 

While that attack, suspected to be a nation-state incident according to a 8-K filing with the Securities and Exchange Commission, was especially egregious, attacks on healthcare organizations occur daily and often disrupt operations. In 2023 alone, more than 725 healthcare organizations reported data breaches involving 500 or more people to the U.S. Department of Health and Human Services. These data breaches affected 112 million. Since 2009, the number of such data breaches has climbed steadily higher. 

In recent years, the most impactful cyberattacks targeting the healthcare sector have involved ransomware and extortion. With the epidemic of ransomware, Craig Burland, CISO at Inversion6, contends that the U.S. government has essentially no other choice but to step in and set the expectations on the healthcare systems to protect their data and technology environment. The government has taken steps to do so with the establishment of the HHS’ healthcare sector’s Cybersecurity Performance Goals (CPGs). 

"These performance goals build off the administration's cybersecurity strategy with more actionable guidance for hospitals to follow, reducing the risk to the organization and their patients," Burland says.

The CPGs, currently voluntary, shouldn't be anything new to security teams, as the goals are based on guidelines and frameworks from the National Institute of Standards and Technology, the Health Industry Cybersecurity Practices Publication, and various guidance from the Cybersecurity and Infrastructure Security Agency's (CISA) and the Health Insurance and Accountability Act's security rule that went into effect in 2005. 

With so many rules comes complexity, and many of these rules have evolved over time and are likely to continue to do so. Liz Heddleston, principal at the Virginia-based law firm Woods Rogers Vandeventer Black, says the performance goals will help healthcare providers prioritize. 

"The performance goals will help healthcare organizations focus their limited resources on the cybersecurity practices that are most effective in protecting sensitive patient data," says Heddleston. 

The CPGs are categorized by "Essential" and "Enhanced" goals. Essential goals are designed to provide the foundation of a cybersecurity program: the proficiencies for minimal defense and incident response capabilities such as email security, vulnerability management, encryption and others considered basic security hygiene. Enhanced goals are more advanced cybersecurity abilities and include asset inventory, network segmentation, TTP detection and response, mitigation, and more. The goals align with the National Cybersecurity Strategy and map to specific NIST and CISA CPG goals. 

Smaller Healthcare Providers May Be Biggest Beneficiaries 

The focus that the new CPGs are expected to bring will be especially helpful to small- and medium-sized businesses. "For smaller healthcare organizations with limited resources, these performance goals can act as a guiding star," says Michael Hurckes, managing partner at MAH Advising. 

Hurckes explains how he's observed how compliance programs that have been customized to an organization's size and risk exposure can improve that organization's security and compliance posture. "These targeted goals not only streamline compliance efforts across the board but also help in aligning them with overarching healthcare regulations like HIPAA, ultimately focusing on what matters most—protecting patient information and improving patient outcomes through enhanced security measures," Hurckes says.

Heddleston is hopeful that the new goals help smaller organizations, but remains concerned about their ability to keep themselves secure. 

"Ideally, the cybersecurity goals will help smaller organizations prioritize the most high-impact security measures. However, smaller organizations simply may not have the funds to implement all of the "essential" goals outlined by HHS and, therefore, may need to make difficult decisions about what to prioritize," Heddleston says.

Industry Mixed on Mandatory Security Regulations

While the CPGs are currently voluntary, HHS has said the agency plans to make some of them mandatory in the future. That has garnered pushback from the industry. 

Rick Pollack, the president and CEO of the American Hospital Association, said in a statement that while the group supports voluntary efforts to improve cybersecurity, it doesn't support the move to make guidelines mandatory. 

"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks," Pollack said.

"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime."

—Rick Pollack, CEO, AHA

"While the cybersecurity goals will be voluntary at first, HHS plans to incorporate them into existing regulations, such as HIPAA. In the long term, once these cybersecurity goals become mandatory, failing to implement these practices may lead to financial consequences for healthcare organizations, such as enforcement actions or fines and penalties.” 

Inversion6's Burland says while it's true that hospitals are overwhelmed with regulations to protect privacy and deliver patient outcomes—barely a week goes by without another attack that disrupts hospital operations and imperils patient care. 

"Hospital administrators need this external push to prioritize implementing best practices to protect their digital environments. Hospital cyber leaders need this extra ammunition when requesting more investment to keep their organization safe. While this step may not be perfect, and it may not be enough, the administration clearly needed to take action," Burland concludes.