HHS has adapted CISA’s Cybersecurity Performance Goals, released in March 2023, for healthcare entities to better protect those in the healthcare sector from cyberattacks. These voluntary goals aim to strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety. In this episode, we will review the HPH CPGs as they will be the basis of the proposed HIPAA Security Rule changes slated to be released later this year.
In this episode:
HPH Sector Cyber Performance Goals Released – Ep 444
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
Podcast Sidebar
Check out episode 141 of DarkNet Diaries about business email compromise. If you think you know what that is and how it works, you probably don’t. Even Donna and David were surprised by the turn this one took.
HPH Sector Cyber Performance Goals Released
[08:49] HHS has a new website connecting you with all of the different cybersecurity resources within HHS. This is exactly what was covered in their concept paper we reviewed recently. There will be many more things coming out, but the most important one is what was just released Jan 25.
Healthcare and Public Health Sector-Special: Cybersecurity Performance Goals
HPH Cybersecurity Performance Goals website lets you download the document and get an online tour.
This is the guide that explains how our sector should apply the CISA CPGs. Another episode discusses those. The changes to the Security Rule that are currently being worked on are supposed to be based on these CPGs. Of course, they map them to the HICP Practices and Sub-Practices. This is yet another thing you have already taken care of if you adopted Recognized Security Practices using the Healthcare Industry Cybersecurity Practices released by the 405(d) Working Group. There is your 405(d) Tip of the Week!
Here is the opening:
These goals are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.
We can’t cover every single one of these in detail on one show but we can review the requirements and how it is structured.
Most important to note is it is broken down into Essential vs Enhanced Goals. Something we have discussed before is that there are minimums and then there are better than the minimums. Clearly, the Essentials in this list are not required by HIPAA today but look for that to be coming soon. Enhanced may be the bonus under RecSec.
Essential Goals
[18:25] To help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.
- Mitigate Known Vulnerabilities
- Email Security
- Multi-factor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- [32:51] Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separate User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Enhanced Goals
[47:36] To help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
- Asset Inventory
- Third Party Vulnerability Disclosure
- Third Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures
- [55:10] Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
We’d recommend that you aim to address all 20 of these goals. Don’t stop at just the essentials. Document what you are doing today and how you are addressing them in some manner.
Here are a few other podcast episodes where we’ve discussed CPGs and
New HHS Cyber Plan Announced – Ep 438
Decoding CISA’s HPH Mitigation Guide – Ep 437
What the heck is a CPGs? – Ep 414
If you are already following the HICP guides for small, medium, or large organizations, you will be well on your way to incorporating the HPH CPGs, since HHS has mapped them to the HICP practices and sub-practices. Plus, HHS says that the changes to the HIPAA Security Rule are being mapped to these HPH CPGs. So get on board, folks. Things are a changin’. But there are more resources to help you sort through it all and implement these security measures.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.