Review proposed incentives, penalties, and compliance standards for HHS cybersecurity goals

TLDR:

Key Points:

  • HHS published voluntary health care and public health cybersecurity performance goals in January 2024.
  • The goals are divided into essential and enhanced categories, with proposed incentives and penalties for hospitals.

Article Summary:

The U.S. Department of Health and Human Services (HHS) published voluntary health care and public health cybersecurity performance goals (HPH CPGs) in January 2024. These goals are divided into essential and enhanced categories. The essential goals serve as baseline standards, while the enhanced goals promote more sophisticated cybersecurity practices. The goals were developed using industry cybersecurity frameworks like the Department of Homeland Security’s CISA Cross-Sector CPGs. HHS has proposed incentives and penalties for hospitals to comply with these goals.

In the FY 2025 Budget in Brief, HHS proposed funding and penalties related to the HPH CPGs. The budget includes transferring funds from the Medicare Hospital Insurance Trust Fund to hospitals for implementing essential and enhanced cybersecurity practices. Penalties would be imposed on hospitals that do not comply with the standards. Critics, including the American Hospital Association, have raised concerns about the proposed penalties, arguing that hospitals are not solely at fault for cyberattacks.

Organizations are advised to review the HPH CPGs against the HIPAA Security Rule, which hospitals are already required to comply with. Additionally, HHS mapped the HPH CPGs against the NIST CSF V1.1 and NIST 800-53 Revision 5 controls to help organizations assess their cybersecurity programs. It is important for organizations to align their existing controls with the standards to ensure compliance.

Given the proposed incentives and penalties, organizations should utilize resources like the NIST frameworks to evaluate their cybersecurity controls. The industry is evolving, with new tools and frameworks like NIST CSF 2.0 being released. Compliance with the HPH CPGs and other cybersecurity standards is crucial for maintaining a strong cybersecurity posture in the health care sector.
