HHS releases new voluntary cybersecurity performance goals

Last week, HHS released several voluntary cybersecurity goals for healthcare organizations.

What happened

In 2023, healthcare organizations saw a massive increase in data breaches. These cyberattacks have had costly and harmful impacts on patients and organizations alike, but with constantly evolving attack tactics, they can be difficult to prevent. 

The HHS is stepping in to provide goals and safeguards that could help prevent attacks, improve incident response, and minimize remaining risks. Last week, they released a new guidance outlining cybersecurity goals for healthcare organizations.  

The release of the goals follows an HHS concept paper from December, where the HHS acknowledged a 93% increase in large breaches between 2018 and 2022. The concept paper outlined a plan of action for the HHS, including establishing voluntary cybersecurity performance goals. 

Read more: HHS releases new healthcare cybersecurity strategy

Going deeper

The voluntary goals are divided into two categories: essential goals and enhanced goals. Essential goals are designed to help healthcare organizations resolve common vulnerabilities with proper safeguards. Enhanced goals are designed to help companies reach “the next level of defense needed” in their cybersecurity capabilities. 

The document outlines steps every healthcare company should take. Their essential goals, or goals that every organization should prioritize, are as follows: 

• Mitigate known vulnerabilities
• Email security
• Multifactor authentication 
• Basic cybersecurity training
• Strong encryption
• Revoke credentials for departing workforce members, such as employees, contractors, affiliates, and volunteers
• Basic incident planning and preparedness
• Unique credentials
• Separate user and privileged accounts
• Vendor/supplier cybersecurity requirements

The document also outlines several enhanced goals, or goals that companies should strive for to obtain top security measures. The goals are as follows: 

• Asset inventory
• Third-party vulnerability disclosure
• Third-party incident reporting
• Cybersecurity testing
• Cybersecurity mitigation
• Detect and respond to relevant threats and tactics, techniques, and procedures (TTP)
• Network segmentation
• Centralized log collection
• Centralized incident planning and preparedness
• Configuration management

According to the HHS, these goals were developed from common industry cybersecurity frameworks, guidelines, best practices, and strategies.

What was said

According to the document, “These resiliency-based goals complement HHS’ ongoing work to improve cybersecurity in medical devices through the Food and Drug Administration’s establishment of pre-market cybersecurity requirements and recommendations for medical devices.”

The authors further added they hoped the goals would “promote cybersecurity through the Office for Civil Rights’ continuous administration and enforcement of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach notification rules.” 

Why it matters 

The HHS is aiming to create a more united front against attacks, with clearer industry standards and expectations.

Moreover, their list of goals is significantly more measurable than prior overarching concept papers we’ve seen. The HHS is taking steps to provide actionable items for organizations to take, which could result in more compliance. 

Ultimately, protecting against security vulnerabilities must become a priority for healthcare organizations. Without taking the proper steps, it’s easy to become a target. By using a list like the one from the HHS, organizations can ensure they are up to par with the latest security innovations and standards. 

The big picture

While this list of goals is helpful, it’s part of a larger plan from the HHS. We can soon expect them to release incentives for healthcare organizations to encourage compliance, as well as an HHS-wide strategy to improve accountability. 

One of the essential goals of the HHS is email security. Many healthcare organizations are vulnerable to phishing attacks, often partially the result of ill-trained employees, human error, or faulty technology.

Read more: HIPAA Compliant Email: The Definitive Guide

Paubox makes it simple to secure email; emails are always encrypted, taking out all guesswork and room for error. Furthermore, Paubox has never experienced a breach; our technology is reliable and HITRUST certified. To help your company meet the essential goals proposed by HHS, try Paubox today.