
The Cybersecurity Performance Goals from the Department of Health and Human Services (HHS)

March 07, 2024

10 minute read


The Department of Health and Human Services (HHS) recently published a new set of healthcare-specific cybersecurity performance goals meant to assist healthcare organizations and institutions in modernizing and reinforcing their cybersecurity practices. 

The cybersecurity performance goals were published on Wednesday, January 24th. While implementation is completely voluntary, the measures included in these healthcare CPGs are high-impact and are widely considered cybersecurity best practices.

The HHS has even gone as far as to split these cybersecurity performance goals into two categories: essential and advanced. The following sections review the new CPGs from the Department of Health and Human Services in detail.

If you aren’t sure how your cybersecurity posture measures up to the industry standard, check out our Cybersecurity Checklist: How Covered is Your Business to discover gaps in your security measures and how you can fill them.

The Purpose of the HHS Cybersecurity Performance Goals

The main purpose behind these new voluntary cybersecurity performance goals is to make it easier for healthcare organizations to establish and implement effective cybersecurity measures without being a drain on resources.

“Today (Jan. 24th), the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), is releasing voluntary health care specific cybersecurity performance goals (CPGs) and a new gateway website to help Health Care and Public Health (HPH) sector organizations implement these high-impact cybersecurity practices and ease access to the plethora of cybersecurity resources HHS and other federal partners offer.”

Since healthcare institutions often handle such a massive volume of personal health information (PHI), they are prime targets for cybercriminals. In fact, in 2023 the healthcare industry saw the third-highest share of ransomware attacks of any industry, behind only education/research and government institutions.

“The top impacted industries by ransomware attacks in 2023 were Education/Research with 22% of organizations suffering this type of attack, followed by Government/Military with 16% and Healthcare with 12%.”

It’s also worth noting that while these first cybersecurity performance goals are voluntary, they may be paving the way to enforceable security regulations akin to the HIPAA regulations.


“The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

- HHS Deputy Secretary Andrea Palm

A major point of emphasis underlying the HHS cybersecurity performance goals is building a layered cybersecurity strategy that provides multiple points of protection in case any one security measure fails.

“The HPH CPGs provide layered protection at different points of weakness in an organization’s technology environment, which is crucial to increase cyber resilience and ultimately protect patient safety. Layered defense provides redundancy so if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.”

Let’s take a look at both the essential and advanced cybersecurity performance goals and how they function.


The Essential Cybersecurity Performance Goals

The essential CPGs are a collection of cybersecurity measures aimed at improving the baseline of security in any given healthcare institution by addressing a wide variety of common vulnerabilities and minimizing risk.

  • Mitigate Known Vulnerabilities: This first goal focuses on identifying and patching known weaknesses in software or network systems to prevent cyberattacks, reducing the risk of breaches and unauthorized access.

  • Email Security: Protecting email communication channels from various threats such as phishing scams, malware, and spoofing, ensures confidentiality, integrity, and availability of sensitive information exchanged via email.

  • Multifactor Authentication: By implementing a multi-factor authentication (MFA) protocol that requires multiple forms of identification (e.g., passwords, biometrics, security tokens), this goal enhances access control measures, significantly reducing the risk of unauthorized access even if one authentication factor is compromised.

  • Basic Cybersecurity Training: Educating and training users on fundamental cybersecurity principles, common threats, and best practices will help your staff recognize and respond to potential security incidents, ultimately fostering a security-conscious organizational culture.

  • Strong Encryption: Strong data encryption practices ensure data confidentiality, integrity, and authenticity. This goal involves encrypting sensitive information in transit and at rest using robust cryptographic algorithms, rendering it unreadable to unauthorized parties.

  • Proper Offboarding: This process focuses on securely revoking access privileges and removing user accounts, devices, or credentials upon an employee's departure from the organization, minimizing the risk of insider threats and unauthorized access.

  • Basic Incident Planning and Preparation: Basic incident planning involves establishing protocols, procedures, and resources to effectively detect, respond to, and recover from cybersecurity incidents, reducing downtime and mitigating the potential damage to systems and data.

  • Unique Credentials: By enforcing the use of distinct usernames, passwords, or access tokens for each user or device, unique credentials enhance accountability and reduce the risk of credential-based attacks such as password guessing or credential stuffing.

  • User Privileges: This goal focuses on assigning appropriate access rights and permissions based on the principle of least privilege. This limits users' capabilities to the bare minimum necessary for their roles, effectively limiting the damage that can be done with a compromised account.

  • Vendor/Supplier Cybersecurity Standards: This goal involves establishing and enforcing cybersecurity requirements and standards for third-party vendors or suppliers to ensure the security of outsourced products, services, or data, safeguarding against supply chain vulnerabilities and dependencies.

The Advanced Cybersecurity Performance Goals

Taking cybersecurity a step further, the HHS also released an accompanying list of advanced cybersecurity performance goals that are designed to mature cybersecurity strategies and fortify defenses against emerging cyberattacks.

  • Asset Inventory: Maintaining a comprehensive and up-to-date inventory of all digital assets, including hardware, software, and data, facilitates better risk management, vulnerability assessment, and incident response across the organization's entire infrastructure.

  • Third-Party Vulnerability Disclosure: This goal involves establishing structured processes for third-party vendors or partners to promptly disclose vulnerabilities in their products or services, enabling organizations to assess and remediate potential security risks. This fosters collaboration and trust within complex business partnerships.

  • Third-Party Incident Reporting: Third-party incident reporting is already necessary for certain events and entails establishing clear communication channels and protocols for third-party entities to report security incidents promptly. This facilitates swift response and coordination to mitigate potential impacts on shared systems or data, enhancing overall incident management capabilities.

  • Cybersecurity Testing: This goal calls for comprehensive, continuous testing of systems, applications, and networks through methods such as penetration testing, vulnerability scanning, and red team exercises, so that security weaknesses are identified and addressed before they can be exploited by adversaries.

  • Cybersecurity Mitigation: Mitigating cyber risk can be done through threat modeling, security controls optimization, and proactive threat hunting, which are all designed to minimize the likelihood and impact of cyberattacks on organizational assets.

  • Detection and Response: Detection and response covers both the timely detection of security incidents and the rapid response that mitigates their impact by isolating, analyzing, and neutralizing threats. Managed detection and response (MDR) services leverage sophisticated technologies to monitor, analyze, and remediate network attacks.

  • Network Segmentation: Network segmentation divides an organization's network infrastructure into distinct segments, each with its own security controls and access policies. This helps contain and limit the spread of cyber threats or malware, enhances overall resilience, and reduces the attack surface.

  • Log Monitoring and Analysis: Monitoring and analyzing system logs, network traffic, and security events helps cybersecurity experts detect unusual or suspicious behavior and indicators of compromise. By conducting ongoing log analysis, you can enable proactive threat detection and rapid incident response.

  • Advanced Incident Response and Disaster Recovery: Advanced incident response and disaster recovery is all about improving the organization’s resilience in the face of a security incident or cyberattack. Incident response comes into play as soon as a threat is detected and verified, while disaster recovery plans are followed in the wake of a cyberattack and are designed to return the organization to full operations with as little downtime and damage as possible.

  • Advanced Security Provisioning: The last of the cybersecurity performance goals from the HHS aims to implement cutting-edge security technologies and practices that provision and manage access to resources securely. This builds on many of the other controls covered by the CPGs, such as identity and access management (IAM) solutions, encryption, and zero-trust architectures. All of these measures work together to protect against evolving cyber threats and ensure compliance with current and future regulatory requirements.

If you’ve already successfully established security measures to address the essential CPGs published by the HHS, consider evolving your cybersecurity posture by implementing these additional advanced CPGs that look to provide defenses against the next generation of cyberthreats.

Wrapping Up on The Cybersecurity Performance Goals from the HHS

While there is no one-size-fits-all solution for cybersecurity, regulations and cybersecurity performance goals, like the ones published by the HHS, are tools that help standardize cybersecurity priorities and practices for organizations that need to protect themselves.

These cybersecurity performance goals from the Department of Health and Human Services are currently voluntary, but that doesn’t mean you should wait to start implementing them, as they can significantly improve your cybersecurity posture once in place.

To get an idea of how your current cybersecurity posture performs, check out our Cybersecurity Checklist: How Covered is Your Business and start improving your defenses today.