
HHS Publishes Healthcare Cybersecurity Performance Goals — March 6, 2024

HHS published cybersecurity performance goals for healthcare organizations in March 2024. While voluntary, these CPGs signal where enforcement and incentives are heading. MFA, encryption, patching cadence, and incident response readiness are all covered. Use them as a benchmark for your healthcare security program.

Verified for technical accuracy — Kodi C.


On 6 March 2024 the U.S. Department of Health and Human Services (HHS) published cybersecurity performance goals (CPGs) for the Healthcare and Public Health (HPH) sector. The voluntary goals—developed with the Cybersecurity and Infrastructure Security Agency (CISA)—define baseline safeguards that every HPH organization should implement immediately and advanced safeguards for larger or more mature entities. HHS signaled that future regulation, funding, and enforcement may align with these goals, making them a de facto compliance roadmap.

The goals respond to escalating ransomware and supply-chain attacks on hospitals and public health agencies. They reference the NIST Cybersecurity Framework (CSF) 2.0, the HHS 405(d) Health Industry Cybersecurity Practices (HICP), and sector-specific risk data. Teams should treat the goals as a structured program encompassing governance, technical controls, and resilience measures.

Baseline goals overview

Baseline goals represent critical safeguards HHS expects all HPH entities—regardless of size—to implement in the near term. Highlights include:

  • Asset inventory and vulnerability management: Maintain accurate inventories of medical devices, IT assets, and software; implement vulnerability scanning and patch management covering clinical systems.
  • Multi-factor authentication (MFA): Enforce MFA for privileged accounts, remote access, and access to systems housing electronic protected health information (ePHI).
  • Security logging and monitoring: Collect and centralize security logs, retain them for at least 12 months, and monitor for anomalous activity.
  • Incident response plans: Develop and test incident response playbooks covering ransomware, data breaches, and operational disruptions. Include communications with law enforcement, HHS, and patients.
  • Backups and recovery: Maintain offline or immutable backups, test restoration regularly, and ensure coverage for electronic health record (EHR) systems, radiology, laboratory, and other critical platforms.
  • Email security and phishing defenses: Deploy email filtering, DMARC, and user awareness training.
  • Endpoint security: Implement endpoint detection and response (EDR) solutions, application control, and anti-malware across clinical workstations, servers, and networked medical devices where feasible.

Advanced goals overview

Advanced goals target teams with greater resources—such as integrated delivery networks, academic medical centers, and large public health agencies. They focus on layered defenses and zero trust principles:

  • Network segmentation and microsegmentation: Separate clinical networks, administrative networks, and medical devices to limit lateral movement. Implement software-defined segmentation where appropriate.
  • Identity governance: Use privileged access management (PAM), just-in-time access, and continuous validation of user access rights.
  • Supply-chain risk management: Establish third-party risk assessments, contractual security requirements, and continuous monitoring for vendors and cloud providers.
  • Continuous monitoring and threat hunting: Use security operations centers (SOCs), managed detection and response (MDR), and threat intelligence to detect advanced adversaries.
  • Resilience and recovery planning: Implement cyber incident response exercises, disaster recovery site failovers, and manual contingencies for clinical workflows.
  • Secure development and change control: Integrate DevSecOps practices for internally developed applications and medical device updates.

Governance alignment

HHS emphasizes executive oversight. Boards, governing bodies, and senior management must understand cyber risk, allocate resources, and monitor progress. Recommended governance steps include:

  • Assigning an executive owner (for example, the CIO or CISO) accountable for CPG implementation.
  • Establishing cross-functional steering committees including clinical leadership, biomedical engineering, compliance, legal, and supply-chain management.
  • Integrating CPG metrics into enterprise risk management and audit committees, aligning with HIPAA Security Rule risk analyses.

HHS plans to tie funding—including grants, Medicare incentives, and potential penalties—to progress against the CPGs. Documenting governance and resource decisions will show diligence.

How to implement this

  1. Assessment (Weeks 0–8): Conduct gap assessments against baseline and advanced goals. Map current controls to NIST CSF and HICP, identify deficiencies, and prioritize quick wins such as enabling MFA and improving backups.
  2. Program design (Weeks 8–16): Develop a remediation roadmap with budget estimates, timelines, and dependencies. Align with ongoing initiatives (EHR upgrades, medical device management) to simplify implementation.
  3. Execution (Months 4–18): Implement technical controls (EDR, network segmentation), improve logging, roll out phishing training, and formalize incident response. Coordinate with clinical operations to minimize disruption.
  4. Validation (Months 12–18): Conduct tabletop exercises, penetration tests, and independent audits. Track key performance indicators (KPIs) such as mean time to detect/respond, MFA coverage, and patch compliance.
  5. Continuous improvement: Establish ongoing review cycles, integrate lessons learned from incidents, and refresh risk assessments annually.

Integration with regulatory requirements

The CPGs complement existing obligations under HIPAA, HITECH, Centers for Medicare & Medicaid Services (CMS) emergency preparedness conditions, and state breach notification laws. Document how CPG controls satisfy HIPAA Security Rule standards (45 CFR 164.308–164.312). Align medical device security with FDA’s 2023 premarket cybersecurity guidance and postmarket management expectations.

Nonprofit hospitals should incorporate CPG progress into IRS Form 990 Schedule H community benefit reporting, demonstrating investment in patient safety and resilience.

Third-party and supply-chain considerations

Healthcare delivery relies on EHR vendors, managed service providers, telehealth platforms, and medical device manufacturers. Update business associate agreements (BAAs) to require adherence to baseline controls, breach notification timelines, and evidence of segmentation or MFA. Implement continuous monitoring via questionnaires, security ratings, or shared telemetry.

Coordinate with regional health information exchanges (HIEs) and group purchasing teams to share good practices and threat intelligence. Participation in the Health Information Sharing and Analysis Center (H-ISAC) improves situational awareness.

Funding strategies

HHS indicated that federal grants (for example, through ASPR or FEMA) and Medicare incentive adjustments may support CPG adoption. Teams should prepare project proposals, cost-benefit analyses, and compliance documentation to qualify for funding. Track time and resources spent on CPG remediation for potential reimbursement.

Tracking progress

Develop dashboards for leadership summarizing progress: percentage of systems with MFA, number of segmented networks, vulnerability remediation timelines, and training completion rates. Map metrics to HHS reporting templates to simplify future regulatory submissions.
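An added example, not code from HHS or from this briefing, of a CPG readiness scorecard: it checks a constructed system inventory against the baseline goals listed above (MFA for ePHI and remote access, EDR, 12-month log retention, immutable and tested backups, patching) and rolls them up into the MFA-coverage and patch-compliance KPIs named under validation and tracking. The record fields, the 30-day patch target and the 90-day restore-test window are this example's own assumptions.

```python
from dataclasses import dataclass

LOG_RETENTION_MIN_DAYS = 365   # baseline goal: retain security logs >= 12 months
PATCH_SLA_DAYS = 30            # assumed patch-cadence target (not an HHS figure)
RESTORE_TEST_MAX_DAYS = 90     # assumed window for "test restoration regularly"

@dataclass
class System:
    name: str
    holds_ephi: bool
    remote_access: bool
    mfa: bool
    edr: bool
    log_retention_days: int
    backup_immutable: bool
    backup_last_tested_days: int            # -1 = restoration never tested
    oldest_open_critical_patch_days: int    # 0 = no open critical patches

INVENTORY = [  # constructed sample records, not real systems
    System("ehr-db-01", True, False, True, True, 400, True, 20, 0),
    System("radiology-pacs", True, False, False, True, 90, False, -1, 45),
    System("vpn-gateway", False, True, True, False, 365, True, 10, 0),
    System("lab-lis", True, False, False, False, 30, True, 200, 12),
    System("hr-portal", False, False, True, True, 400, True, 15, 0),
]

def baseline_gaps(s: System) -> list:
    """Return the baseline CPG controls that one system fails."""
    gaps = []
    if (s.holds_ephi or s.remote_access) and not s.mfa:
        gaps.append("mfa")            # MFA for ePHI systems and remote access
    if not s.edr:
        gaps.append("edr")            # endpoint detection and response deployed
    if s.log_retention_days < LOG_RETENTION_MIN_DAYS:
        gaps.append("log_retention")  # logs kept for at least 12 months
    tested = s.backup_last_tested_days
    if not s.backup_immutable or tested < 0 or tested > RESTORE_TEST_MAX_DAYS:
        gaps.append("backups")        # immutable copy plus a recent restore test
    if s.oldest_open_critical_patch_days > PATCH_SLA_DAYS:
        gaps.append("patching")       # critical patch older than the SLA
    return gaps

def scorecard(inventory: list) -> dict:
    # Leadership KPIs: MFA coverage is measured only over in-scope systems
    mfa_scope = [s for s in inventory if s.holds_ephi or s.remote_access]
    mfa_pct = 100.0 * sum(s.mfa for s in mfa_scope) / len(mfa_scope) if mfa_scope else 100.0
    patched = [s for s in inventory if s.oldest_open_critical_patch_days <= PATCH_SLA_DAYS]
    gaps = {s.name: baseline_gaps(s) for s in inventory}
    return {"mfa_coverage_pct": round(mfa_pct, 1), "gaps": gaps,
            "patch_compliance_pct": round(100.0 * len(patched) / len(inventory), 1),
            "systems_with_gaps": sorted(n for n, g in gaps.items() if g)}
```

Running `scorecard(INVENTORY)` gives the per-system gap list plus the two percentages, which is the shape a dashboard or an HHS reporting template can consume.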

Incident response readiness

Update incident response plans to incorporate ransomware payment decision trees, patient diversion protocols, and communications with regulators. Coordinate with local and federal law enforcement, including FBI Cyber Task Forces. Maintain contact information for HHS’ Health Sector Cybersecurity Coordination Center (HC3).

Future outlook

HHS plans to update the CPGs regularly and may incorporate them into formal rulemaking for Medicare Conditions of Participation or HIPAA updates. Stay engaged with public comment opportunities, and monitor HHS’ 405(d) program for setup guides, checklists, and maturity models.

This brief supports healthcare teams with CPG readiness assessments, remediation roadmaps, and executive reporting.
