Enhancing Cybersecurity in Healthcare: An Overview of the HPH CPGs 

by Lucas Baiocchi

As healthcare organizations increasingly rely on digital systems for patient care, they become attractive targets for cyber threats. Recognizing this crucial need, the U.S. Department of Health and Human Services (HHS) released the Healthcare and Public Health (HPH) Sector-Specific Cybersecurity Performance Goals, also known as HPH CPGs, on December 6, 2023.

The release of the HPH CPGs has significant implications for the healthcare industry. It underscores the importance of a proactive approach to cybersecurity, reminding healthcare organizations that safeguarding digital assets and patient data is about more than compliance. It is also about ensuring the resilience and continuity of healthcare services.

The Importance of Cybersecurity in Healthcare

Cybersecurity in healthcare is about more than protecting sensitive data. It is also about preserving the integrity of healthcare systems, ensuring the availability of critical services, and maintaining the trust of patients. Cyberattacks on healthcare systems can disrupt patient care, compromise patient safety, and result in significant financial losses.

The HPH CPGs provide a roadmap for healthcare providers to enhance their cybersecurity measures, reinforcing the need to prioritize key security practices. By adhering to these guidelines, healthcare providers can significantly mitigate their risk of cyber threats, ensuring they are well-equipped to protect their systems and continue delivering essential patient care.

Linking Cybersecurity and the HPH CPGs

As the predecessor of the HPH CPGs, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) introduced its Cross-Sector Critical Practice Guides (CPGs) in October of 2022. The CPGs act as a baseline for cybersecurity within the national critical infrastructure and is agnostic to all industries.

The HHS worked with CISA and industry partners to adapt these CPGs and create the HPH CPGs. The HPH CPGs are built off the chassis of CISA’s CPGs and more tailored to the Healthcare and Public Health sector.

The HPH CPGs directly tackle common attack vectors against domestic hospitals in the United States, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis of 2023.

With the HIPAA Security Rule slated to be updated in late 2024, there is speculation that the HPH CPGs will be basis of the Security Rule updates.

Understanding the HPH CPGs

These voluntary guidelines serve as a roadmap for healthcare organizations to prioritize and implement high-impact cybersecurity practices. The intentions are to bolster cybersecurity in the healthcare sector, enhance protection of sensitive patient health information, and refine response capabilities to potential cyber threats.

The HPH CPGs are organized into two categories: Essential Goals and Enhanced Goals.

Essential Goals establish a foundation, concentrating on prolific vulnerabilities and safeguarding healthcare organizations from prevailing cyberattacks. Essential Goals include strategies such as mitigating known vulnerabilities, strengthening email security, implementing multifactor authentication, providing basic cybersecurity training, deploying robust encryption, revoking credentials for ex-staff, and erecting incident planning and preparedness.

Figure 1: Essential Goals

Enhanced Goals, on the other hand, are designed to help healthcare organizations level up their cybersecurity capabilities and arm against more sophisticated attack vectors. Among the Enhanced goals are asset inventory management, third-party vulnerability disclosure, third-party incident reporting, cybersecurity testing, mitigation implementation, threat response, network segmentation, centralized log collection, comprehensive incident planning and preparedness, and configuration management.

Figure 2: Enhanced Goals

Implement HPH CPGs

The guidelines set forth by HHS advocate for the incorporation of enforceable cybersecurity standards into existing programs. This move indicates a shift towards a more robust and standardized approach to cybersecurity in healthcare, promoting a culture of continuous improvement and adaptation to evolving cyber threats.

The HPH CPGs align with industry standard cybersecurity frameworks and guidelines, such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) and the National Cybersecurity Strategy.

This alignment makes implementing the HPH CPGs fairly straightforward. You can download the Essential and Enhanced Goals off the HPH website here. Also, you can use the released mappings to the CISA CPGs, NIST CSF, HICP, or NIST 800-53.

As cyber threats continue to evolve, the healthcare sector must stay ahead by continually enhancing its cybersecurity measures. The HPH CPGs serve as a valuable resource for healthcare organizations, offering clear and actionable guidance on improving cybersecurity performance. By embracing these guidelines, healthcare providers can fortify their defenses, safeguard their systems and data, and ensure the continuity and quality of patient care.

As experts in cybersecurity and compliance for healthcare organizations, Meditology can assist with the alignment and implementation of HPH CPGs.

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.

Our service lines span cybersecurity certifications, security risk assessments, penetration testing, medical device security, incident response, staff augmentation, and more. Our team is run by former CISOs and privacy officers who have walked in our clients’ shoes, and our experienced consultants hold certifications spanning CISSP, CEH, CISA, HCISPP, CIPP, OSCP, HITRUST, and more. In addition, we maintain strong relationships with healthcare regulatory and standards bodies, including serving as HIPAA expert advisors to the Office for Civil Rights, providing us a uniquely thorough perspective on the healthcare cybersecurity landscape.

Lucas Baiocchi, HCISPP, CCSFP| Manager, IT Risk Management

Lucas is a seasoned information security, governance, and risk management leader at Meditology Services. While working as a Manager for Meditology, he has found a specialization in building and implementing risk management functions for entities from start-up to national enterprise. Working with Meditology for the past 6 years, he has found himself deeply involved in NIST CSF, NIST 800-53, HITRUST, HIPAA, Promoting Interoperability, and CEHRT attestation while currently holding a HealthCare Information Security and Privacy Practitioner (HCISPP) and Certified CSF Practitioner (CCSFP) certification. With a lifelong passion for artificial intelligence, cryptographic technologies, and advanced malware threats, he finds meaning in ensuring his clients have the most comprehensive yet feasible information security controls against the ever-changing threat landscape and regulatory environment.


Healthcare Sector Cybersecurity - ASPR -

HHS Announces Next Steps in Ongoing Work to Enhance ...

HHS Issues Cybersecurity Performance Goals Specific to ...

HHS Releases New Voluntary Performance Goals to ... - ASPR

HHS Unveils Healthcare Cybersecurity Performance Goals

Most Recent Posts
Global IT Outage Impacts Healthcare: What Happened? Read More
Why Cybersecurity Checks are a Must Before Acquiring or Merging with Another Hospital Read More
URGENT SECURITY ALERT: MOVEit Vulnerability Identified Read More