HHS provides cyber performance targets to healthcare systems

According to the U.S. Department of Health and Human Services, voluntary cybersecurity performance goals can help healthcare organizations create layered protections and are customizable. The agency’s next steps include designing investments and incentives for healthcare organizations to implement the goals and enforcement standards.

WHY IT MATTERS

HHS published the CPGs to help healthcare organizations prioritize implementing high-impact cybersecurity practices.

They consist of essential and enhanced objectives and align with the HHS 405(d) Program and the Health Sector Coordinating Council Cybersecurity Working Group’s Healthcare Industry Cybersecurity Practices, as well as the NIST Cybersecurity Framework and the National Cybersecurity Strategy of the Cybersecurity and Infrastructure Security Agency.

The 2023 edition of HICP, which the HHS Cybersecurity Task Force released in April, along with a Hospital Cyber Resiliency Landscape Analysis and an educational platform, includes the most relevant and cost-effective ways to keep patients safe and mitigate cyber threats.

Ahead of the CPGs, industry groups have debated what should fall within the “essential bucket,” as healthcare providers will receive funding to comply, according to Ty Greenhalgh, HHS 405(d) ambassador and Industry Principal of Healthcare at Claroty, a cybersecurity company serving healthcare and other industries, in an email sent to Healthcare IT News after the CPGs posted on Wednesday.

“Voluntary targets alone will not drive the cyber-related behavioral change needed in the healthcare sector, especially as the ability to afford and implement these solutions makes it nearly impossible for smaller hospitals to become compliant,” said Greenhalgh.

“While the essential CPG targets will be effective in preventing attacks on healthcare IT environments where bad actors have historically been able to infiltrate, they currently overlook the critical need to secure clinical and (operational technology) devices that play an interconnected role in providing life-saving care.”

He added that the White House National Cybersecurity Strategy is more aligned with the “broader, long-term approach needed” to help defend against cyberattacks.

“By applying these broader concepts – preparedness and support, information sharing, financial support and incentives, incident response and recovery, workforce development and regulatory reform – hospitals will have a much better chance of deterring and preventing attacks.”

HHS’s concept paper, released last month, states that the essential objectives provide “a floor of safeguards” that will better protect healthcare organizations from cyberattacks, improve incident response and minimize risk, while the enhanced objectives can help healthcare organizations mature their cybersecurity capabilities.

The agency will then “work with Congress to obtain new authority and funding to provide financial support and incentives to domestic hospitals to implement high-impact cybersecurity practices,” the agency said.

HHS noted that it is considering upfront investments to help high-need healthcare providers, such as under-resourced hospitals, cover costs associated with implementing the essential CPGs, along with an incentive program to encourage all hospitals to invest in the enhanced objectives.

THE BIG TREND

In October, CISA, HHS and HSCC released a healthcare cybersecurity toolkit as part of an effort to close gaps in resources and cyber capabilities. They recommend enterprise-wide risk assessments and a range of best practices, including vulnerability scans of all systems and devices to reduce the risks of common cyber-attacks.

The enhanced objectives in the new voluntary CPGs, including developing an asset inventory, are considered fundamental to healthcare cyber defense. According to CISA, an asset inventory is a first mitigation step.

“Knowing what assets are on your organization’s network is fundamental to cybersecurity: ‘you can’t secure what you can’t see,’” CISA said in a mitigation guide for combating widespread cyber threats affecting the healthcare and public health sectors, which the agency released in November.

Frank Sinatra, the chief information security officer at Newark’s University Hospital, said he has used multiple risk assessments each year, including HICP. He cited many benefits of HICP compliance, including improved business continuity planning. But: “It’s always a matter of prioritizing and where you’re going to allocate your resources,” he told HIMSSTV in May.

ON THE RECORD

“We have a responsibility to help our healthcare system withstand cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Assistant Secretary Andrea Palm said in a statement.

“The release of these cybersecurity performance goals is a step forward for the industry as we seek to propose new enforceable cybersecurity standards for the HHS policies and programs informed by these CPGs.”

The story was updated on January 25 with further comment from Greenhalgh.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
