HHS Publishes Healthcare Cybersecurity Performance Goals — March 6, 2024
HHS’s 2024 cybersecurity performance goals give the U.S. healthcare sector a baseline-and-advanced control blueprint, signalling that hospitals must accelerate MFA, segmentation, logging, and incident readiness ahead of potential funding and regulatory hooks.
Executive briefing: In January 2024 the U.S. Department of Health and Human Services (HHS) published cybersecurity performance goals (CPGs) for the Healthcare and Public Health (HPH) sector. The voluntary goals, built on the cross-sector CPGs from the Cybersecurity and Infrastructure Security Agency (CISA), define a set of safeguards HHS labels “essential” that every HPH organisation should implement now and an “enhanced” set for larger or more mature entities; this briefing refers to the two tiers as baseline and advanced. HHS signalled that future regulation, funding, and enforcement may align with these goals, making them a de facto compliance roadmap.
The goals respond to escalating ransomware and supply-chain attacks on hospitals and public health agencies. They reference the NIST Cybersecurity Framework (CSF) 2.0, the HHS 405(d) Health Industry Cybersecurity Practices (HICP), and sector-specific risk data. Organisations should treat the goals as a structured programme encompassing governance, technical controls, and resilience measures.
Baseline goals overview
Baseline goals (HHS’s “essential” tier) represent critical safeguards HHS expects all HPH entities, regardless of size, to implement in the near term. Highlights include:
- Asset inventory and vulnerability management: Maintain accurate inventories of medical devices, IT assets, and software; implement vulnerability scanning and patch management covering clinical systems.
- Multi-factor authentication (MFA): Enforce MFA for privileged accounts, remote access, and access to systems housing electronic protected health information (ePHI).
- Security logging and monitoring: Collect and centralise security logs, retain them for at least 12 months, and monitor for anomalous activity.
- Incident response plans: Develop and test incident response playbooks covering ransomware, data breaches, and operational disruptions. Include communications with law enforcement, HHS, and patients.
- Backups and recovery: Maintain offline or immutable backups, test restoration regularly, and ensure coverage for electronic health record (EHR) systems, radiology, laboratory, and other critical platforms.
- Email security and phishing defences: Deploy email filtering, DMARC, and user awareness training.
- Endpoint security: Implement endpoint detection and response (EDR) solutions, application control, and anti-malware across clinical workstations, servers, and networked medical devices where feasible.
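The logging-and-monitoring and MFA goals above only pay off if someone turns the centralised logs into alerts. The following is an added example, not code from HHS or from the original page: a small Python detector run over constructed authentication events (the key=value layout, host names, addresses and the `admin-`/`svc-` naming convention for privileged accounts are all assumptions). It implements three rules a hospital SOC would want on day one: a failed-login burst against one account from one source, a success immediately after that burst, and any privileged or remote login that completed without MFA.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed authentication events in a key=value syslog style; the layout,
# host names and addresses are assumptions for this example, not real telemetry.
SAMPLE_LOGS = """\
2024-03-06T08:00:01Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=FAIL mfa=no
2024-03-06T08:00:04Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=FAIL mfa=no
2024-03-06T08:00:09Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=FAIL mfa=no
2024-03-06T08:00:15Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=FAIL mfa=no
2024-03-06T08:00:20Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=FAIL mfa=no
2024-03-06T08:00:31Z auth host=ehr-app01 user=jdoe src=10.20.5.14 result=OK mfa=no
2024-03-06T08:05:00Z auth host=vpn-gw01 user=svc-backup src=198.51.100.23 result=OK mfa=no
2024-03-06T08:06:12Z auth host=dc01 user=admin-rsmith src=10.20.9.2 result=OK mfa=no
2024-03-06T08:07:40Z auth host=dc01 user=admin-rsmith src=10.20.9.2 result=OK mfa=yes
2024-03-06T09:00:00Z auth host=pacs01 user=radtech src=10.30.1.7 result=OK mfa=yes
"""

# Tunables (assumed values; adjust to local policy).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PRIVILEGED_PREFIXES = ("admin-", "svc-")   # assumed naming convention for privileged accounts
FAIL_THRESHOLD = 5                          # failures from one source against one account ...
FAIL_WINDOW = timedelta(minutes=2)          # ... inside this window raise a brute-force alert

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<kv>.+)$")


def parse_line(line):
    """Parse one event into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def is_remote(src):
    """True when the source address is outside the defined internal ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Run the rules over the events and return (rule, user, src, host) alerts in order."""
    alerts = []
    recent_failures = defaultdict(list)  # (src, user) -> timestamps of FAILs inside the window
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            # Keep only failures still inside the sliding window, then count them.
            recent_failures[key] = [t for t in recent_failures[key] if e["ts"] - t <= FAIL_WINDOW]
            recent_failures[key].append(e["ts"])
            if len(recent_failures[key]) == FAIL_THRESHOLD:
                alerts.append(("brute_force", e["user"], e["src"], e["host"]))
            continue
        # A success shortly after a failure burst is the event worth paging on.
        if recent_failures[key] and e["ts"] - recent_failures[key][-1] <= FAIL_WINDOW:
            alerts.append(("success_after_failures", e["user"], e["src"], e["host"]))
            recent_failures[key].clear()
        if e.get("mfa") != "yes":
            if e["user"].startswith(PRIVILEGED_PREFIXES):
                alerts.append(("privileged_login_without_mfa", e["user"], e["src"], e["host"]))
            if is_remote(e["src"]):
                alerts.append(("remote_login_without_mfa", e["user"], e["src"], e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT rule=%s user=%s src=%s host=%s" % alert)
```

On the sample above the detector raises five alerts: the burst against `jdoe`, the success that follows it, two for the `svc-backup` login from outside the network without MFA, and one for `admin-rsmith`. The rules are deliberately simple; the point is that the 12-month retained, centralised log store described in the goal is only useful once rules like these run against it continuously and the MFA exceptions they surface feed the MFA-coverage metric.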
Advanced goals overview
Advanced goals (HHS’s “enhanced” tier) target organisations with greater resources, such as integrated delivery networks, academic medical centres, and large public health agencies. They focus on layered defences and zero trust principles:
- Network segmentation and microsegmentation: Separate clinical networks, administrative networks, and medical devices to limit lateral movement. Implement software-defined segmentation where appropriate.
- Identity governance: Use privileged access management (PAM), just-in-time access, and continuous validation of user access rights.
- Supply-chain risk management: Establish third-party risk assessments, contractual security requirements, and continuous monitoring for vendors and cloud providers.
- Continuous monitoring and threat hunting: Leverage security operations centres (SOCs), managed detection and response (MDR), and threat intelligence to detect advanced adversaries.
- Resilience and recovery planning: Implement cyber incident response exercises, disaster recovery site failovers, and manual contingencies for clinical workflows.
- Secure development and change control: Integrate DevSecOps practices for internally developed applications and medical device updates.
Governance alignment
HHS emphasises executive oversight. Boards, governing bodies, and senior management must understand cyber risk, allocate resources, and monitor progress. Recommended governance steps include:
- Assigning an executive owner (e.g., CIO, CISO) accountable for CPG implementation.
- Establishing cross-functional steering committees including clinical leadership, biomedical engineering, compliance, legal, and supply-chain management.
- Integrating CPG metrics into enterprise risk management and audit committees, aligning with HIPAA Security Rule risk analyses.
HHS has signalled that it may tie funding, including grants, Medicare incentives, and potential penalties, to progress against the CPGs. Documenting governance and resource decisions as they are made will demonstrate diligence if that happens.
Implementation roadmap
- Assessment (Weeks 0–8): Conduct gap assessments against baseline and advanced goals. Map current controls to NIST CSF and HICP, identify deficiencies, and prioritise quick wins such as enabling MFA and improving backups.
- Programme design (Weeks 8–16): Develop a remediation roadmap with budget estimates, timelines, and dependencies. Align with ongoing initiatives (EHR upgrades, medical device management) to streamline implementation.
- Execution (Months 4–18): Implement technical controls (EDR, network segmentation), enhance logging, roll out phishing training, and formalise incident response. Coordinate with clinical operations to minimise disruption.
- Validation (Months 12–18): Conduct tabletop exercises, penetration tests, and independent audits. Track key performance indicators (KPIs) such as mean time to detect/respond, MFA coverage, and patch compliance.
- Continuous improvement: Establish ongoing review cycles, integrate lessons learned from incidents, and refresh risk assessments annually.
Integration with regulatory requirements
The CPGs complement existing obligations under HIPAA, HITECH, Centers for Medicare & Medicaid Services (CMS) emergency preparedness conditions, and state breach notification laws. Document how CPG controls satisfy HIPAA Security Rule standards (45 CFR 164.308–164.312). Align medical device security with FDA’s 2023 premarket cybersecurity guidance and postmarket management expectations.
Nonprofit hospitals should incorporate CPG progress into IRS Form 990 Schedule H community benefit reporting, demonstrating investment in patient safety and resilience.
Third-party and supply-chain considerations
Healthcare delivery relies on EHR vendors, managed service providers, telehealth platforms, and medical device manufacturers. Update business associate agreements (BAAs) to require adherence to baseline controls, breach notification timelines, and evidence of segmentation or MFA. Implement continuous monitoring via questionnaires, security ratings, or shared telemetry.
Coordinate with regional health information exchanges (HIEs) and group purchasing organisations to share best practices and threat intelligence. Participation in the Health Information Sharing and Analysis Center (H-ISAC) enhances situational awareness.
Funding strategies
HHS indicated that federal grants (e.g., through ASPR or FEMA) and Medicare incentive adjustments may support CPG adoption. Organisations should prepare project proposals, cost-benefit analyses, and compliance documentation to qualify for funding. Track time and resources spent on CPG remediation for potential reimbursement.
Metrics and reporting
Develop dashboards for leadership summarising progress: percentage of systems with MFA, number of segmented networks, vulnerability remediation timelines, and training completion rates. Map metrics to HHS reporting templates to streamline future regulatory submissions.
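The KPIs named in the validation step and the dashboard items above are easy to list and surprisingly easy to get wrong (what is “in scope” for MFA coverage, and when is a finding overdue?). The following is an added example, not code from HHS or from the original page, that computes four of them from a constructed asset inventory. Every host name, date and threshold in it is invented: the severity SLAs (15/30/90/180 days) and the 90-day maximum age of a restore test are assumptions to replace with local policy. Scope rules follow the page: MFA is measured over systems holding ePHI or providing remote access, EDR over servers and workstations (medical devices excluded “where feasible”), and backup testing over critical clinical services.

```python
from datetime import date

AS_OF = date(2024, 3, 6)

# Assumed thresholds; tune to local policy and any future HHS reporting expectations.
PATCH_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
BACKUP_TEST_MAX_AGE_DAYS = 90

# Constructed inventory for illustration; every host name and date is invented.
# open_vulns: (severity, date the finding was first seen); backup_tested: last successful restore test.
ASSETS = [
    {"id": "ehr-app01", "category": "server", "ephi": True, "remote_access": False, "critical_service": True,
     "mfa": True, "edr": True, "open_vulns": [("critical", "2024-02-25"), ("high", "2024-01-20")],
     "backup_tested": "2024-02-10"},
    {"id": "vpn-gw01", "category": "server", "ephi": False, "remote_access": True, "critical_service": True,
     "mfa": False, "edr": True, "open_vulns": [("critical", "2024-02-01")], "backup_tested": None},
    {"id": "pacs01", "category": "server", "ephi": True, "remote_access": False, "critical_service": True,
     "mfa": True, "edr": True, "open_vulns": [], "backup_tested": "2023-11-01"},
    {"id": "ws-nurse07", "category": "workstation", "ephi": True, "remote_access": False,
     "critical_service": False, "mfa": False, "edr": True, "open_vulns": [("medium", "2024-01-01")],
     "backup_tested": None},
    {"id": "infusion-pump-12", "category": "medical_device", "ephi": False, "remote_access": False,
     "critical_service": False, "mfa": False, "edr": False, "open_vulns": [("high", "2024-02-20")],
     "backup_tested": None},
    {"id": "lab-lis01", "category": "server", "ephi": True, "remote_access": False, "critical_service": True,
     "mfa": True, "edr": False, "open_vulns": [], "backup_tested": "2024-03-01"},
]


def _pct(num, den):
    """Percentage rounded to one decimal; an empty scope counts as fully covered."""
    return round(100.0 * num / den, 1) if den else 100.0


def mfa_coverage(assets):
    """MFA goal: coverage over systems in scope (ePHI or remote access), plus the gaps."""
    in_scope = [a for a in assets if a["ephi"] or a["remote_access"]]
    gaps = [a["id"] for a in in_scope if not a["mfa"]]
    return _pct(len(in_scope) - len(gaps), len(in_scope)), gaps


def edr_coverage(assets):
    """Endpoint goal: EDR on servers and workstations; medical devices are out of scope here."""
    in_scope = [a for a in assets if a["category"] != "medical_device"]
    gaps = [a["id"] for a in in_scope if not a["edr"]]
    return _pct(len(in_scope) - len(gaps), len(in_scope)), gaps


def patch_compliance(assets, as_of=AS_OF):
    """Vulnerability goal: share of open findings still inside their severity SLA, plus the overdue ones."""
    total, overdue = 0, []
    for a in assets:
        for severity, found in a["open_vulns"]:
            total += 1
            age = (as_of - date.fromisoformat(found)).days
            if age > PATCH_SLA_DAYS[severity]:
                overdue.append((a["id"], severity, age))
    return _pct(total - len(overdue), total), overdue


def backup_test_currency(assets, as_of=AS_OF):
    """Backup goal: critical systems whose restore test is within the allowed age, plus the stale ones."""
    in_scope = [a for a in assets if a["critical_service"]]
    stale = []
    for a in in_scope:
        tested = a["backup_tested"]
        if tested is None or (as_of - date.fromisoformat(tested)).days > BACKUP_TEST_MAX_AGE_DAYS:
            stale.append(a["id"])
    return _pct(len(in_scope) - len(stale), len(in_scope)), stale


def scorecard(assets, as_of=AS_OF):
    """One dict a dashboard can render: metric -> (percentage, list of gaps)."""
    return {
        "mfa_coverage": mfa_coverage(assets),
        "edr_coverage": edr_coverage(assets),
        "patch_sla_compliance": patch_compliance(assets, as_of),
        "backup_test_currency": backup_test_currency(assets, as_of),
    }


if __name__ == "__main__":
    for metric, (pct, gaps) in scorecard(ASSETS).items():
        print(f"{metric:22s} {pct:5.1f}%  gaps={gaps}")
```

Reporting the gap list next to each percentage matters more than the percentage itself: a board sees “MFA 60%”, while the steering committee sees that the two systems missing it are the VPN gateway and a nursing workstation holding ePHI, which is the information needed to prioritise. The same functions can be re-run against each quarter’s inventory export to produce the trend lines the validation phase calls for.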
Incident response readiness
Update incident response plans to incorporate ransomware payment decision trees, patient diversion protocols, and communications with regulators. Coordinate with local and federal law enforcement, including FBI Cyber Task Forces. Maintain contact information for HHS’ Health Sector Cybersecurity Coordination Center (HC3).
Future outlook
HHS plans to update the CPGs regularly and may incorporate them into formal rulemaking for Medicare Conditions of Participation or HIPAA updates. Stay engaged with public comment opportunities, and monitor HHS’ 405(d) programme for implementation guides, checklists, and maturity models.
Sources
- HHS announcement of Healthcare and Public Health cybersecurity performance goals
- HHS 405(d) Cybersecurity Performance Goals portal
- CISA cybersecurity performance goals
Zeph Tech supports healthcare organisations with CPG readiness assessments, remediation roadmaps, and executive reporting.