The Department of Health and Human Services (HHS) has introduced voluntary cybersecurity performance goals for the healthcare sector, forming a crucial component of the Biden administration’s broader strategy to bolster cybersecurity in hospitals and related entities. While these goals are presented as voluntary, sources suggest that they will play a pivotal role in shaping upcoming HHS rule-making, providing both incentives and potential consequences to encourage the adoption of robust cybersecurity practices across various segments of the healthcare sector. Released in a 13-page document, the Cybersecurity Performance Goals include essential objectives outlining foundational practices and enhanced goals geared toward promoting the adoption of more advanced cybersecurity measures within the industry.
The HHS guidance, grounded in industry cybersecurity frameworks and best practices, addresses common vulnerabilities faced by U.S. domestic hospitals, including threats like ransomware and disruptive cyberattacks. The essential goals encompass a range of protective measures, such as mitigating known vulnerabilities, email security, multifactor authentication, encryption, incident response planning, and more. The enhanced goals, by contrast, aim to elevate healthcare organizations’ cybersecurity capabilities to defend against additional attack vectors, covering aspects like asset inventory, vulnerability disclosures, cybersecurity testing, network segmentation, and various control areas.
The release of these cybersecurity performance goals marks a significant step forward, providing clarity and direction for the healthcare industry in adopting essential cybersecurity practices. HHS envisions these goals influencing future rule-making processes, with the department planning to leverage them as both incentives and potential consequences for healthcare organizations. The goal is to create a resilient healthcare sector better equipped to navigate cyberthreats, aligning with the broader national imperative of ensuring patient safety in the face of evolving cybersecurity challenges.
References:
- HHS Releases New Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector and Gateway for Cybersecurity Resources
- Cybersecurity Performance Goals