Blog

How Cylera Helps AHA Members Align with HHS Cyber Performance Goals

Published on July 30, 2024

By: Maureen Sahualla

5 — minute read

In its July 24th, 2024 Cybersecurity Advisory, the American Hospital Association (AHA) announced new offerings from Microsoft, Google, Cylera, and other AHA partners. These offerings are designed to help healthcare delivery organizations align with the Health and Human Services (HHS) Cybersecurity Performance Goals (CPGs), a set of voluntary guidelines to enhance cybersecurity practices in the healthcare sector.

The HHS CPGs, first announced in December 2023 in the HHS Healthcare Sector Cybersecurity concept paper, then officially released on January 24th, 2024, provide a comprehensive framework for improving cybersecurity across the Healthcare and Public Health (HPH) sector. The AHA also recommends that all components of the health care sector implement the CPGs, including third-party technology partners and business associates.

Key Focus Areas of the HHS CPGs

The HHS CPGs emphasize several critical areas to bolster cybersecurity:

Mitigating known vulnerabilities: Reduce the likelihood of threat actors exploiting known vulnerabilities.

Improving email security: Protect against common email-based threats like phishing and spoofing.

Enhancing overall cyber resilience: Implement layered defenses to protect patient health information and safety.

Continue reading for a quick FAQ on the CPGs and learn more about how Cylera supports this important healthcare cybersecurity initiative.

Frequently Asked Questions about HHS CPGs

Who created the HHS CPGs?

The HHS Cybersecurity Performance Goals (CPGs) were developed by the U.S. Department of Health and Human Services (HHS), specifically through the Administration for Strategic Preparedness and Response (ASPR). These guidelines were developed to help healthcare organizations enhance their cybersecurity practices and protect patient health information.

Why were the HHS CPGs created?

HHS published the CPGs to help healthcare organizations, specifically healthcare delivery organizations, prioritize the implementation of high-impact cybersecurity practices. The HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur, and minimize residual risk.

Healthcare delivery organizations can use the CPGs to:

Strengthen cyber preparedness: By prioritizing high-impact cybersecurity practices, healthcare organizations can better prepare for potential cyber threats.

Improve cyber resiliency: Implementing these goals helps organizations build layered defenses, making it harder for cyberattacks to succeed and ensuring that there are backup measures in place if one line of defense is compromised.

Protect patient health information and safety: By addressing common vulnerabilities and improving response to cyber incidents, the guidelines help safeguard sensitive patient data and ensure the continuity of healthcare services

HPH CPGs include both Essential goals, which outline minimum foundational practices for cybersecurity performance, and Enhanced goals, which encourages the adoption of more advanced practices.

For additional details regarding the Essential and Enhanced goals, see HHS Cybersecurity Performance Goals.

When will hospitals have to start proving they are aligned with, or follow, the HHS CPGs?

Currently, the HHS CPGs are voluntary and not legally enforced. However, there are ongoing discussions about incorporating these goals into future regulations and policies, which could lead to enforceable standards.

How do the HHS CPGs relate to other healthcare cybersecurity standards?

The HHS CPGs relate to other healthcare cybersecurity standards as follows:

Alignment with CISA’s CPGs: The CPGs are adapted from the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals. This alignment ensures that the healthcare sector’s cybersecurity practices are consistent with national critical infrastructure standards.

Integration with Industry Frameworks: The CPGs are informed by common industry cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Health Industry Cybersecurity Practices (HICP). This integration helps healthcare organizations implement high-impact cybersecurity practices that are already recognized and respected in the industry2.

Layered Defense Approach: The CPGs emphasize a layered defense strategy, which is crucial for mitigating the impacts of cybersecurity incidents. This approach is consistent with best practices in cybersecurity, ensuring multiple lines of defense to protect against various attack vectors.

Focus on Healthcare-Specific Threats: The goals directly address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis. This focus ensures that the CPGs are tailored to the unique challenges faced by the healthcare sector.

How are the HHS CPGs related to HIPAA?

The HHS CPGs are designed to work alongside the Health Insurance Portability and Accountability Act (HIPAA) regulations, providing healthcare organizations with additional tools and practices to enhance their cybersecurity defenses:

Complementary Framework: The CPGs provide a set of voluntary cybersecurity practices consistent with HIPAA rules, enabling stronger and help promote compliance with HIPAA’s security measures.

Enhanced Security Measures: While HIPAA sets the baseline for protecting patient information, the CPGs go beyond the minimum requirements, addressing sophisticated and evolving cyber threats.

Alignment with HIPAA: The CPGs are aligned with the HIPAA Security Rule, ensuring that the recommended practices support and enhance HIPAA compliance efforts. This alignment helps healthcare organizations integrate the CPGs into their existing HIPAA compliance programs.

Future Regulatory Influence: The CPGs may influence future updates to the HIPAA Security Rule. HHS has indicated that these goals could serve as inputs for future regulatory requirements, potentially leading to more robust cybersecurity standards in healthcare.

How does Cylera help with HHS CPG alignment?

Every healthcare delivery organization responsible for ensuring secure care delivery should ensure they understand the HHS CPGs, as well as show how their healthcare IoT and connected medical device cybersecurity plans align with the CPGs.

The healthcare cybersecurity experts at Cylera have been closely monitoring the development of the CPGs, and the Cylera healthcare IoT and connected medical device cybersecurity platform today helps healthcare organizations align with both Essential and Enhanced CPG goals. Learn more.

As an AHA Preferred Cybersecurity Provider, Cylera also provides a discount for all AHA members who want to use the Cylera platform to help their organizations align with CPG goals.

Contact Cylera for additional details or request a demo to learn how your organization can enhance its cybersecurity posture and align with the HHS CPGs.

For more information on the Essential and Enhanced goals, visit the HHS Cybersecurity Gateway.

Maureen Sahualla

Maureen Sahualla started her cybersecurity career in the mid to late 1990s, right when most people and organizations began to fully embrace the Internet, but often without fully understanding all the associated risks. Since then, it has been a wild ride as the world has gone online, threats have diversified and multiplied, and the cybersecurity industry has continued to grow at the speed of light. Maureen has seen a lot and worn a lot of different hats during her years working for enterprise software companies focused on trying to protect organizations around the world from cyber threats. Currently Maureen serves as Senior Director, Product Marketing at Cylera, a leading healthcare IoT asset intelligence and security company.