TLDR
The Department of Health and Human Services (HHS) has released voluntary cybersecurity performance goals for healthcare organizations as part of its strategic plan to improve industrywide cybersecurity. The goals are housed on a new gateway website that the department launched to centralize cybersecurity resources. The goals are divided into “Essential Goals” and “Enhanced Goals” and address common attack vectors against hospitals. The American Hospital Association and the Federation of American Hospitals have both expressed support for the goals.
HHS has published voluntary cybersecurity performance goals developed specifically for healthcare organizations as part of its strategic plan to improve industrywide cybersecurity. Released through HHS’ Administration for Strategic Preparedness and Response, the goals target key areas of healthcare cybersecurity and are meant to help organizations build a more resilient sector. They are divided into two categories, “Essential Goals” and “Enhanced Goals,” and reflect existing cybersecurity frameworks, best practices, and strategies developed by the healthcare industry itself.
The goals span the lifecycle of a defense: initial protection, response, mitigation of residual risk, and prioritization of additional layers of protection. HHS has prioritized measures against identity-based attacks, which account for 80% of cyberattacks on the hospital industry. These measures include basic cybersecurity training, email security, and prompt revocation of credentials for departing employees. The enhanced tier adds controls such as network segmentation.
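The credential-revocation goal is easy to state and easy to get wrong in practice, because an HR record of a departure does not by itself disable the directory account, and interactive logins are only one kind of credential. The script below is an added illustration of how an organization might audit that goal; it is not HHS, ASPR or AHA material. The HR termination feed, directory export and credential inventory are constructed samples, and their field names and the one-day grace period are assumptions; a real deployment would read these from the HR system, the identity provider and the secrets or PKI inventory.

```python
"""Offboarding reconciliation check for the 'revoke credentials for departing
employees' goal.

Added illustration, not HHS, ASPR or AHA material. The HR feed, directory
export and credential inventory below are constructed samples and their
field names are assumptions.
"""
from datetime import date, timedelta

# Assumed grace period after the last working day before lingering access counts as stale.
GRACE = timedelta(days=1)

# Constructed HR termination feed: employee id -> last working day (ISO date).
HR_TERMINATIONS = {
    "e1001": "2024-03-01",
    "e1002": "2024-03-15",
    "e1003": "2024-03-29",
}

# Constructed identity directory export, one row per interactive account.
DIRECTORY = [
    {"employee_id": "e1001", "account": "jdoe",   "enabled": True,  "last_login": "2024-03-20"},
    {"employee_id": "e1002", "account": "asmith", "enabled": False, "last_login": "2024-03-14"},
    {"employee_id": "e1003", "account": "bjones", "enabled": True,  "last_login": "2024-03-28"},
    {"employee_id": "e1004", "account": "cwhite", "enabled": True,  "last_login": "2024-03-30"},
]

# Constructed inventory of long-lived, non-interactive credentials tied to accounts.
CREDENTIALS = [
    {"account": "jdoe",   "kind": "api_key",  "revoked": False},
    {"account": "asmith", "kind": "vpn_cert", "revoked": False},
    {"account": "bjones", "kind": "api_key",  "revoked": True},
]


def find_stale_access(hr, directory, credentials, today_iso):
    """Return (account, reason) pairs for departed employees whose access persists.

    For every employee past last working day + GRACE, three conditions are
    checked: the directory account is still enabled; the account was used
    after the last working day (evidence of use, not just lingering state);
    and any long-lived credential tied to the account has not been revoked.
    """
    today = date.fromisoformat(today_iso)
    by_employee = {row["employee_id"]: row for row in directory}
    creds_by_account = {}
    for cred in credentials:
        creds_by_account.setdefault(cred["account"], []).append(cred)

    findings = []
    for emp_id, last_day_iso in hr.items():
        last_day = date.fromisoformat(last_day_iso)
        if today <= last_day + GRACE:
            continue  # still inside the grace window; nothing to flag yet
        row = by_employee.get(emp_id)
        if row is None:
            continue  # no directory account matched this employee id
        account = row["account"]
        if row["enabled"]:
            findings.append((account, "account still enabled after departure"))
        if date.fromisoformat(row["last_login"]) > last_day:
            findings.append((account, "login recorded after last working day"))
        for cred in creds_by_account.get(account, []):
            if not cred["revoked"]:
                findings.append((account, f"{cred['kind']} not revoked"))
    return findings


if __name__ == "__main__":
    for account, reason in find_stale_access(HR_TERMINATIONS, DIRECTORY, CREDENTIALS, "2024-04-01"):
        print(f"{account}: {reason}")
```

Run against the constructed data on 2024-04-01, the check flags jdoe three times (account enabled, a login nineteen days after the last working day, and an unrevoked API key), asmith once (the account was disabled but the VPN certificate was not revoked), and bjones once (account still enabled); cwhite has no termination record and is left alone. The "login after last working day" finding is the one to escalate first, since it shows the account was actually used, not merely left enabled.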
The release of the voluntary cybersecurity performance goals has been welcomed by the hospital industry. The American Hospital Association (AHA) has recommended that all components of the healthcare sector, including third-party technology providers and business associates, implement the practices outlined in the goals. The AHA has been working closely with federal agencies and the hospital field to exchange cyber threat information and risk mitigation practices to enhance cybersecurity efforts.
The volume of large healthcare data breaches has increased by 93% from 2018 to 2022, accompanied by a 278% increase in attacks involving ransomware. While the release of the voluntary goals is seen as a positive step, concerns have been raised about potential financial consequences or requirements for hospitals. However, the Biden administration has not outlined a timeline for implementing additional financial incentives or penalties. Experts in the field have highlighted the importance of adhering to the voluntary goals and preparing for future cybersecurity baselines in the healthcare sector.