Health-ISAC Hacking Healthcare 2-1-2024

This week, Hacking Healthcare™ examines the publication of healthcare specific cybersecurity performance goals (CPGs). We breakdown where this initiative has come from, what the CPGs are, how they might eventually be used, and what Health-ISAC members may wish to consider doing with them in the meantime.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

PDF Version:
TLP WHITE - 2.1.2024 -- Hacking Healthcare™

 

Text Version:

Welcome back to Hacking Healthcare™.

HHS Publishes Healthcare Sector Cybersecurity Performance Goals

Last Wednesday, the U.S. Department of Health and Human Services (HHS)’s Administration for Strategic Preparedness and Responses (ASPR) announced the publication of “voluntary health care specific cybersecurity performance goals (CPGs).”[i] These healthcare and public health sector (HPH) specific CPGs were developed with the intention of improving the security and resiliency of healthcare sector entities and with an eye towards facilitating “new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”[ii] Let’s examine the newly released HPH CPGs and the concurrently released Healthcare and Public Health Sector Cybersecurity Gateway website to assess the impact this new product may have.

HPH CPGs: Origin

For those of you having trouble remembering why HHS has expended the resources to help create healthcare specific CPGs, a brief refresher is in order. As part of the Biden administration’s longstanding focus on elevating and maturing the government’s cybersecurity policy, the White House has continually developed executive orders and actions on the issue. One of these, published back in Late July of 2021, was the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.[iii]

That document identified the need for “baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.”[iv] Ultimately, the task of developing a consistent baseline of “cybersecurity goals” fell to the Department of Homeland Security (DHS) and their Cybersecurity and Infrastructure Security Agency (CISA).

Published in October of 2022, the Cross-Sector Cybersecurity Performance Goals were touted as “A common set of protections that all critical infrastructure entities – from large to small – should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.”[v] As a follow-on action, and in recognition that every critical infrastructure sector has its own unique risks, threats, and implementation challenges, CISA was tasked with building out sector-specific CPGs.

HPH CPGs: Content

So, what can you expect from this new document?

Thankfully, the organization and length of the HPH CPGs are comprehensible and reasonable, even if it is a bit of a departure from its parent Cross-Sector CPGs. At 13 pages, the document doesn’t overwhelm and stays high-level. After a quick introduction, the document breaks down into roughly 3 components.

The first component introduces ten “Essential” and ten “Enhanced” goals, with the former “setting a floor of safeguards,” while the later “[helping] healthcare organizations mature their cybersecurity capabilities.” Each goal is accompanied by a brief definition and are mapped to the Health Industry Cybersecurity Practices (HICP).

The goals themselves should largely be familiar to organizations that have used HICP or come across some of CISA’s cyber hygiene initiatives.[vi] Essential Goals include MFA implementation, the use of strong encryption, and basic incident planning and preparedness. The more mature Enhanced Goals add items like cybersecurity testing, third party vulnerability disclosure, and asset inventory.

The second component, making up the bulk of the document, is a more technical appendix that provides additional detail on each goal, the general types of threats mitigated by each, and how those goals map to the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), HICP, and NIST’s publication 800-53 Rev.5 Security and Privacy Controls for Information Systems and Organizations.

Lastly, the third component is a mapping of the HPH CPGs to the Cyber Defense Matrix in an attempt to illustrate how the HPH CPGs might be deployed and how they provide protection to an organization.

Health Sector Cybersecurity Gateway

Concurrently announced with the HPH CPGs was the Healthcare and Public Health Sector Cybersecurity Gateway website, which is hoped will “[Connect] the Healthcare and Public Health (HPH) Sector with specialized healthcare specific cybersecurity information & resources from across the U.S. Department of Health and Human Services and other federal agencies.”[vii] As of this writing, the Gateway appears to link to the HPH CPGs, and has a partially interactive “wheel” that links users to a variety of HHS departments and offices.

Action & Analysis
**Included with Health-ISAC Membership**

Additional Information

As a reminder for members, the Health-ISAC regularly puts out more timely announcements of topical policy developments than we are capable of with Hacking Healthcare’s weekly cadence. We would encourage you to keep an eye out for these as they are published on the Cyware platform.

For those interested in reading more, please see the Health-ISAC HPH CPG Announcement here: https://health-isac.cyware.com/webapp/user/myfeeds/e8891935

 

Congress

Tuesday, January 30

No relevant hearings

Wednesday, January 31

No relevant meetings

Thursday, February 1

No relevant meetings

 

International Hearings/Meetings

No relevant meetings

 

EU