High-Impact Cyber Practices Proposed by HHS for Health and Public Health Sector

The Department of Health and Human Services released its highly anticipated cyber performance goals through the Administration for Strategic Preparedness and Response (ASPR).

The move follows the release of the healthcare sector cybersecurity strategy and concept paper, issued in December as part of the agency’s plan to adhere to the Administration’s National Cyber Strategy to secure the nation’s critical infrastructure. The newly proposed essential and enhanced goals from HHS will support the safe and reliable operation of critical infrastructure in healthcare and help network defenders meet these objectives to improve the industry’s overall cyber posture and resiliency.

The 10 essential goals are tailored to entities looking to prioritize safeguards critical to improving response times, minimizing risk, and improving protection from cyberattacks. The 10 enhanced goals are directed to entities looking to mature their overall cyber capabilities and “reach the next level of defense.”

“These CPGs are a clear indicator of where the regulatory/compliance ‘puck’ is headed,” said First Health Advisory Strategic Advisory Board Member Drex DeFord. “So, don’t delay: Healthcare CXOs should map current gaps, identify and communicate resource shortfalls, and regularly communicate progress and challenges to their executives and board (and HHS).”

The proposed voluntary framework controls (or CPGs) aim to bolster security and resilient operations of critical infrastructure in healthcare with prescriptive practices that address the areas where organizations are most exposed. These goals may eventually serve as a model for incentivizing healthcare organizations with their cybersecurity investments.

First Health Advisory would like to acknowledge the dedication and collaboration that went into this important effort and strategy document, which could effectively support the provider organizations that need it the most. The threats against healthcare no longer pose a threat only to patient data and privacy. Unmitigated risk in the care setting is a serious risk to patient safety and care morbidity.

HHS leaders’ concerted effort will prove beneficial for every entity operating in the healthcare environment. It’s First Health’s hope that as the policy and goals evolve to meet the needs of the majority, provider entities will be better equipped – in both resources and education – to invest in security measures able to address systemic vulnerabilities and the ever-changing threat landscape.

First Health will provide feedback as the CPG controls are evaluated, and we encourage other companies who support this critical industry to do the same. Securing healthcare takes an all-hands approach, unifying our vast viewpoints into a concise plan of action to support low-resourced providers, their patients, and all of us as an industry.

Read more about the specific expectations and cyber performance goals from HHS ASPR.