On January 24, 2024, the U.S. Department of Health and Human Services published, “voluntary healthcare specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.”
“These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”
“The HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.”
There is speculation that Medicare or Medicaid funding could potentially be tied to the implementation of these goals.
Regardless of potential strategies to encourage Healthcare providers to follow the guidelines, it is worth delving into the guidelines to understand their goals and what they could mean to the ASC market.
Many ASCs are not directly associated with hospital systems, but despite that, there are many lessons an ASC could learn from the HHS CPGs. After all, 2023 was a record year for healthcare-related cybersecurity breaches in the U.S. It has been reported that there were 734 known Healthcare breaches resulting in the theft of records belonging to over 135 million unique patients, the equivalent of 40% of the U.S. population.
At the core of the CPGs is the principle that the goals should be relatively achievable and have the most significant impact in reducing the cybersecurity risk of a healthcare provider. From an ASC’s perspective, these goals could be easily considered a distraction from their primary focus of providing the best patient care/outcomes. Unfortunately, cybercriminals have continued developing their ever-evolving array of tools and techniques to steal valuable healthcare information they can sell. For example, a more recent unpleasant tactic is called “Swatting,” where criminals in possession of stolen healthcare data extort not only the providers but also patients.
The CPGs are split into two categories: Essential Goals & Enhanced Goals.
The Essential Goals set the minimum cybersecurity standard expected of healthcare providers. The Enhanced Goals help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
The Essential Goals are as follows:
- Mitigate Known Vulnerabilities (Operating Systems, Applications, Firmware)
- Email Security (Malware Detection and Quarantining, DMARC)
- Multifactor Authentication (MFA)
- Basic Cybersecurity Training (employees are often considered the weakest link in cybersecurity)
- Strong Encryption (makes stolen data harder to use)
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers (in a timely manner)
- Basic Incident Planning and Preparedness (Plan for loss of service)
- Unique Credentials (every employee uses different credentials to compartmentalize the risk)
- Separate User and Privileged Accounts (reduce the number of employees with admin access as an everyday occurrence)
- Vendor/Supplier Cybersecurity Requirements (What are our I.T. vendors doing to protect our data?)
Readers of the HST Cybersecurity blog should be aware of most, if not all, of these items, as they have been previously discussed. An MSSP (a Managed Security Service Provider) can help with some. Others could be integrated into plans for patient care when I.T. services are unavailable. Of particular attention should be the last one. Vendor management is not usually the most glamorous of subjects, but some recent breaches have impacted healthcare providers (including ASCs), not because their own networks were attacked but rather because their third-party service providers were compromised. This has led to the theft of tens of millions of patient records, which has affected multiple healthcare providers. In these cases, not only did the business associate have to report the breach to HHS, but also the covered entity. By not ensuring third-party service providers have robust security practices validated by independent audits, ASCs can be at risk through the negligence of others.
Consider the following in the event of a cybersecurity breach.
- Who will be responsible for informing their patients that their confidential information has been stolen?
- What reputational damage will be incurred by the affected ASC?
- What financial cost will the ASC incur through interruptions in care, resolution of I.T. issues, and repair of the aforementioned reputational damage?
- What is the financial cost to patients of having their data stolen and sold on the dark web?
- Who will the patient hold accountable?
The Enhanced Goals are for organizations with an existing security program that wants to improve its maturity. As with the Essential Goals, if, as an ASC, you are dependent on third-party service providers, directing these goal requirements at vendors would help an ASC judge the maturity of that provider’s security program and whether, as an ASC, you can feel confident in placing trust in that Vendor.
The Enhanced Goals are as follows:
- Asset Inventory
- Third-Party Vulnerability Disclosure
- Third-Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
It should be stated in fairness to all I.T. Vendors that even meeting these goals is no guarantee that cybercriminals, especially with the advent of generative A.I., will not be able to breach them. Much in the same way, there is no guarantee that a surgical procedure will always have a perfect outcome. It does however, significantly decrease the odds of a cybercriminal being successful, which helps the ASC and their patients.
For more information on the HHS Cybersecurity Goals, please copy the following URL and paste it into a browser: hphcyber.hhs.gov/performance-goals.html
For more information about the record number of healthcare breaches in 2023, please copy the following URL and paste it into a browser: databreachtoday.com/how-2023-broke-long-running-records-for-health-data-breaches-a-24246
Don’t miss out on the good stuff – Subscribe to HST’s Blog & Podcast!
Every month we’ll email you our newest podcast episodes and articles. No fluff – just helpful content delivered right to your inbox.