HAP's Latest News

HHS Unveils New Health Care Cybersecurity Goals

January 25, 2024

The Biden administration this week published voluntary cybersecurity performance goals for hospitals and other health care organizations as well as a new website for key cyber resources.

The goals are part of a broader initiative from the U.S. Department of Health and Human Services (HHS) to set new industry standards that protect the health care system from ransomware and other digital threats that can jeopardize patient safety and interrupt facility operations. The goals are split into two tiers: essential goals, which set a floor of baseline safeguards, and enhanced goals, which add next-level practices to defend against a broader set of attack vectors.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm.

Here’s what you need to know:

  • Background:  The voluntary goals are one of the initial steps from HHS as it develops its approach to improving cybersecurity in health care.
    • In a paper published last month, the federal agency said it plans to create incentives to help organizations implement these goals.
    • Future steps will evaluate HHS's enforcement role and the creation of a "one-stop shop" for cybersecurity.
  • The issue:  From 2018 to 2022, there was a 93 percent increase in large breaches reported to the federal government, including a 278 percent increase in large breaches involving ransomware.
  • Essential goals:  The essential goals cover steps to mitigate known vulnerabilities; email security; multi-factor authentication; basic training; encryption; revoking credentials for departing workforce members; and basic incident planning and preparedness.
  • Enhanced goals:  Enhanced goals outline more advanced measures related to asset inventory, third-party vulnerability disclosure and incident reporting, cybersecurity testing and mitigation, and other initiatives.
  • Quotable:  “These cybersecurity performance goals are targeted at defending against the most common tactics used by cyber adversaries to attack health care and related third parties, such as exploitation of known technical vulnerabilities, phishing emails and stolen credentials,” American Hospital Association President and CEO Rick Pollack said in a statement this week. “We recommend that all components of the health care sector implement these practices including third-party technology providers and business associates.”

The new federal website and voluntary performance goals are available online. HHS also has published an overview of the new initiative.

HAP will continue to monitor federal regulatory activity and other health care cybersecurity trends and provide updates to members. For questions about the new voluntary goals, contact Jason Tomashunas, MS, CHEP, manager, emergency management.