HHS Publishes Healthcare Cybersecurity Performance Goals — March 6, 2024
New Healthcare and Public Health sector goals set baseline and advanced safeguards for hospitals, clinics, and public health agencies.
Executive briefing: The U.S. Department of Health and Human Services (HHS) has released the Healthcare and Public Health (HPH) Sector-Specific Cybersecurity Performance Goals. The voluntary goals align with the Biden Administration’s healthcare cyber strategy and provide prioritized safeguards for organizations at varying levels of security maturity.
Goal structure
- Essential goals. Twelve baseline practices—covering MFA, email filtering, asset inventories, and offline backups—aim to reduce the most common ransomware and data breach risks.
- Enhanced goals. Ten advanced measures promote network segmentation, managed detection and response, endpoint detection tools, and advanced vulnerability management.
- Implementation roadmap. HHS offers templates, maturity self-assessments, and funding references to help resource-constrained providers prioritize investments.
Control alignment guidance
- HIPAA Security Rule. Map the goals to §164.308 administrative safeguards—especially risk analysis, workforce training, and contingency planning.
- Joint Commission and CMS compliance. Incorporate the goals into accreditation readiness and Centers for Medicare & Medicaid Services (CMS) emergency preparedness requirements.
- NIST CSF 2.0. Use the crosswalk HHS provides to integrate the goals into Identify, Protect, Detect, Respond, and Recover functions.
Operational recommendations
- Establish an executive steering committee to track goal adoption, funding needs, and reliance on Health Sector Cybersecurity Implementation support.
- Leverage the HHS 405(d) Knowledge on Demand platform to deliver workforce training aligned with the goals’ awareness expectations.
- Coordinate with regional health care coalitions and Information Sharing and Analysis Centers (ISACs) to share implementation best practices.