HHS releases voluntary cybersecurity performance goals to beef up healthcare's digital defenses

The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals tailored for healthcare organizations, the first move in the administration’s strategic plan to enhance industrywide cybersecurity.

The goals (PDF), released through HHS’ Administration for Strategic Preparedness and Response, are hosted on a new gateway website that the department has launched to centralize the cybersecurity resources it and other government groups have on offer.

They are broken into two categories, “Essential Goals” and “Enhanced Goals,” that each reflect cybersecurity frameworks, best practices and strategies that have been developed by the healthcare industry, the department said.

Additionally, they address several of the common attack vectors against U.S. hospitals that HHS spotted when putting together the 2023 Hospital Cyber Resiliency Landscape Analysis, which was published last spring.

“We have a responsibility to help our healthcare system weather cyberthreats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Deputy Secretary Andrea Palm said in a statement. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

The new voluntary goals span initial protection, response and mitigation of residual risk. They also lay out a prioritization roadmap for layers of protection across various points of weakness—redundancies that the department said can prevent a potential breach should any single line of defense be compromised.

For example, to address identity-based attacks that, per the 2023 analysis, make up 80% of the hospital industry’s cyberattacks, HHS’ list of voluntary goals includes “relatively lower cost, high yield” measures such as implementing basic cybersecurity training and email security and revoking the credentials of departing employees. Following those, healthcare organizations can implement the enhanced goals listed in the resource, such as network segmentation.

“The actions announced today make it easier for health care organizations to protect patients by prioritizing those key cybersecurity practices upon which they should focus their efforts,” Assistant Secretary for Preparedness and Response Dawn O’Connell said in a statement.

The voluntary performance goals have earned quick backing from the hospital industry. In a statement, American Hospital Association President and CEO Rick Pollack recommended that not just providers but “all components of the healthcare sector … including third-party technology providers and business associates” implement the practices released Wednesday.

“The AHA has worked closely with federal agencies and the hospital field to build trusted relationships and channels for the mutual exchange of cyber threat information, risk mitigation practices and resources to implement these practices,” Pollack said. “The AHA will continue to work collaboratively with HHS and other federal partners to enhance cybersecurity efforts for the entire healthcare field, including hospitals and health systems, technology providers and other vendors, to ensure we are protected against the primary source of cyber risk—criminal and nation state-supported cyber adversaries.”

Chip Kahn, President and CEO of the Federation of American Hospitals, said protecting against cyberattacks is "a key priority" for his organization's members and that his organization appreciates initiatives like the voluntary goals "that advance our shared efforts to defend our patients against these criminal actors."

The volume of large healthcare data breaches has risen 93% from 2018 to 2022, according to HHS, and is accompanied by a 278% increase in the number of attacks involving ransomware.

AHA's Pollack had already signaled support for government-developed voluntary cybersecurity guidelines back in December but had balked at HHS’ plan to follow today’s release with additional financial consequences or requirements for hospitals through Medicare or HIPAA.

"Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks,” he said last month.

Carter Groome, founder and CEO of digital health risk assurance firm First Health Advisory, told Fierce Healthcare that HHS' cybersecurity strategy is "a bold and long overdue stance on healthcare cybersecurity practice guidance." Today's new online resource and voluntary goals are "a major step in health-specific coordination" that, thanks to input from those on the front lines, "are prescriptive while taking care not to put undue burden on health entities that may eventually be required to comply."

That said, the voluntary goals "are clearly setting the foundation for future cyber baselines in the health sector," he said.

"Every health entity should pay close attention to this guidance as officers will eventually become accountable for adherence and simply accepting the risk will carry even greater financial and patient safety consequences in the future," he said.

Ty Greenhalgh, HHS 405(d) ambassador and industry principal for healthcare at cybersecurity firm Claroty, told Fierce Healthcare that HHS' voluntary goals and promises of security funding won't be enough to drive sector-wide changes. Upcoming moves to incorporate the practices into existing regulations and reimbursement programs will likely face industry pushback "since this framework makes it almost impossible for smaller hospitals to afford and implement these solutions," he said.

"The White House’s National Cybersecurity Strategy (NCS) pillars are more in line with the broader long-term approach needed to solve hospitals' cybersecurity challenges," he said. "By applying these wider concepts—Preparedness & Support, Information Sharing, Financial Support and Incentives, Incident Response and Recovery, Workforce Development and Regulatory Reform—hospitals will have a much better chance at fending off attacks.”

The Biden administration has not outlined a concrete timeline for when the monetary penalties or other financial incentives it pitched in December, such as an upfront investment program for low-resourced hospitals, could be unveiled. Several of the potential strategies would require HHS to collaborate with lawmakers to obtain the necessary statutory authority.