Voluntary cybersecurity performance goals can help healthcare organizations establish layered protection and are adaptable, according to U.S. Health and Human Services. The agency’s next steps include architecting investments and incentives for healthcare organizations to implement the goals and enforcement standards.
WHY IT MATTERS
HHS published the CPGs to help healthcare organizations prioritize implementing high-impact cybersecurity practices.
Comprised of essential and enhanced goals, they align with the HHS 405(d) Program and Health Sector Coordinating Council Cybersecurity Working Group’s Healthcare Industry Cybersecurity Practices as well as the NIST Cybersecurity Framework and the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Strategy.
The 2023 Edition of HICP, which the HHS Cybersecurity Task Force released in April along with a Hospital Cyber Resiliency Landscape Analysis and an educational platform, includes the most relevant and cost-effective ways to keep patients safe and mitigate cybersecurity threats.
Ahead of the CPGs, industry groups have debated which should fall within the “essential bucket” as healthcare providers will receive funding to adhere to them, according to Ty Greenhalgh, HHS 405(d) Ambassador and Industry Principal of Healthcare at Claroty, a cybersecurity firm serving healthcare and other industries, in an email sent to Healthcare IT News after the CPGs posted Wednesday.
HHS said in its concept paper released last month that the essential goals set “a floor of safeguards” that will better protect healthcare organizations from cyber attacks, improve incident response and minimize risk, while the enhanced goals can help healthcare organizations mature their cybersecurity capabilities.
The agency will then “work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices,” it said.
HHS noted that it envisions upfront investments to help high-need healthcare providers, like low-resourced hospitals, to cover costs associated with implementing the essential CPGs and an incentives program to encourage all hospitals to invest in the enhanced goals.
THE LARGER TREND
In October, CISA, HHS and HSCC released a healthcare cybersecurity toolkit as part of an effort to close gaps in resources and cyber capabilities. They recommend enterprise-wide risk analyses and a series of best practices, including vulnerability scans of all systems and devices to reduce the risks of common cyberattacks.
The enhanced goals in the new voluntary CPGs, which include developing an asset inventory, are considered fundamental to healthcare cyber protection. According to CISA, an asset inventory is an initial mitigation step.
“Knowing which assets are on your organization’s network is fundamental to cybersecurity: ‘you can’t secure what you can’t see,'” CISA said in a Mitigation Guide for combatting pervasive cyber threats affecting the Healthcare and Public Health Sector the agency released in November.
Frank Sinatra, the chief information security officer at Newark’s University Hospital, said he has used multiple risk assessments, including HICP, each year. He cited many upsides to HICP compliance, including improved business continuity planning. But, “It’s always a question of prioritization and where you are going to assign your resources,” he shared on HIMSSTV in May.
ON THE RECORD
“We have a responsibility to help our healthcare system weather cyber threats, adapt to the evolving threat landscape and build a more resilient sector, said HHS Deputy Secretary Andrea Palm in a statement.
“The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : Healthcare IT News – https://www.healthcareitnews.com/news/hhs-proffers-cyber-performance-goals-health-systems
