Checklists are important for many people who deal with cybersecurity. David and Donna explain that this new checklist is not just for healthcare, but for all businesses. We talk about Cybersecurity Performance Goals (CPGs) recently published by CISA, and how they can help strengthen your cybersecurity.
In this episode:
What the heck is a CPG? – Ep 414
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[01:49] Our new feature, which we are calling HIPAA Briefs, is all about getting quick answers. We have slowly been working on a feature on our YouTube channel that includes small snippets of episodes, and this will be our extension of it as a YouTube Short. They are just quick snippets of information to answer your burning HIPAA questions. Subscribe to our channel and get notifications when we publish over there.
[05:30] Encryption at rest and in transit are addressable. That does not mean optional. In today’s world you need to be certain that your data is as protected as possible. Addressable means you took care of it in some other manner than direct encryption. Protecting data in transit without encryption is virtually impossible, and the “at rest” protections require far too many limitations without encryption. Just do it! Encrypt it at rest and in transit at all times.
HIPAA Say What!?!
[07:31] What is the difference between TLS, SSL, and HTTPS?
- SSL (Secure Sockets Layer) – the OG. The third and latest version of the SSL protocol was released in 1996.
- TLS (Transport Layer Security) – the descendant of SSL. TLS 1.2 was introduced in 2008 and is still current.
- NIST has set a date of January 1, 2024 for government agency use to support the new version, TLS 1.3.
- HTTPS (Hypertext Transfer Protocol Secure) mostly uses TLS now, but it started with SSL and is still used with it.
SSL and TLS are security layers for transmissions between systems on the Internet. Email servers use TLS to send to and receive from each other. These security layers protect the conversations you are having. A VPN adds another layer of security protocols around ALL the conversations, not just one at a time.
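As an added example (not from the show or its guests), here is a small Python audit helper for the version question above: it enforces a TLS 1.2 floor on the client side, reports what a server actually negotiates, and checks whether one of your own servers still completes a legacy TLS 1.0/1.1 handshake. Host names and ports are whatever you pass in; nothing here is tied to a specific site.

```python
import socket
import ssl

# The versions the notes walk through: SSL 3.0 (1996) and TLS 1.0/1.1 are legacy,
# TLS 1.2 (2008) is the current floor, and TLS 1.3 is what NIST wants by 2024.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def version_is_acceptable(negotiated: str) -> bool:
    """True if the name reported by SSLSocket.version() meets the TLS 1.2 floor."""
    return negotiated in ACCEPTABLE_VERSIONS


def strict_client_context() -> ssl.SSLContext:
    """Client context that verifies the certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the strict context and return the protocol negotiated, e.g. 'TLSv1.3'."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Audit check for a server you operate: does it still finish a TLS 1.0/1.1 handshake?

    Returns False when the server (or this machine's OpenSSL, which may refuse to
    offer TLS 1.0/1.1 at all) will not complete the legacy handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake outcome matters for this probe
    try:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1  # cap the offer at the legacy versions
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() in LEGACY_VERSIONS
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(target, "negotiates", negotiated_version(target))
    print(target, "still accepts legacy TLS:", accepts_legacy_tls(target))
```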
————————————-
[15:48] What’s the deal with Amazon Clinic and PHI? Senators Seek Answers From Amazon Over Collection of Patient Data
Amazon Clinic doesn’t accept health insurance at this time. Instead, you pay a flat fee for the care you receive. You can pay with your FSA or HSA debit card.
At this time, Amazon Clinic isn’t intended for beneficiaries of government payer programs, including Medicare and Medicaid.
https://clinic.amazon.com/privacy
What the heck are CPGs?
[19:19] CPGs are voluntary cross-sector Cybersecurity Performance Goals, or CPGs because we need to use TLAs. The intent of these goals is to help establish a baseline set of basic cybersecurity practices for critical infrastructure, and “especially help small- and medium-sized organizations kickstart their cybersecurity efforts”.
Cross-Sector Cybersecurity Performance Goals
All those folks who claim they want to do the minimum possible work may find these helpful in implementing their cybersecurity program. At least it will show them the minimums are not the minimums they think they will be. However, CISA makes it very clear that this list is not comprehensive, so don’t think you are all set if you only do these.
CISA does stress that these goals are more specific than most frameworks, which is why they encourage the Critical Infrastructure Sectors to review them and address how they should be used in their sector. CPGs map to the NIST CSF and use the IPDRR functions (Identify, Protect, Detect, Respond, Recover) to organize the practices.
The 2023 version of HICP has been mapped to these CPGs. The landscape analysis paper included that mapping in their recommendations. For example:
HICP Practice: Email Protection Systems => CISA Common Performance Goals Mapping: 2.M, 2.N
The associated CPG checklist makes it easy to see what is recommended and compare where you stand. The same document lets you do your first assessment and the second year assessment right on that page.
[24:18]The really nice part is it adds a line showing cost, impact, and complexity. Making decisions just got a lot easier when you can share that info at the top for those who only care about the most basic info needed to make a decision.
So here’s an example of one item that is low cost, high impact, and low complexity. So you would think everyone should just get that one done first thing. Right? Yeah. Just get it done. So here is the recommended action that you should take:
A named role position title is identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources or leading strategy development to inform future positioning.
This is where you have people saying they were “volun-told” to do it. It isn’t something you can outsource completely. Accountability is what this is talking about, and while it is not expensive, has high impact, and shouldn’t be complex, it is often overlooked completely.
That’s just one of the items in your checklist but it does make it very clear what needs to be done and why.
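To show how the cost/impact/complexity line and the two assessment columns can drive decisions, here is an added Python example (not CISA’s tool and not from the show): it loads a checklist in that layout, ranks the still-open goals as quick wins, and compares the first- and second-year assessments. The CSV rows and their IDs are constructed placeholders, not real CPG numbers.

```python
import csv
import io

# Constructed sample in the layout the notes describe: each goal carries cost, impact,
# complexity, and a first- and second-year assessment. IDs are placeholders.
SAMPLE_CHECKLIST = """\
id,goal,cost,impact,complexity,year1,year2
CPG-A,Named role accountable for cybersecurity,low,high,low,no,yes
CPG-B,Email protection (anti-phishing),medium,high,medium,no,no
CPG-C,Asset inventory,low,medium,low,yes,yes
CPG-D,Network segmentation,high,high,high,no,no
"""

RANK = {"low": 0, "medium": 1, "high": 2}


def load_checklist(text: str) -> list[dict]:
    """Parse the CSV checklist; 'yes' in year1/year2 means the goal was met in that assessment."""
    return list(csv.DictReader(io.StringIO(text)))


def quick_wins(rows: list[dict]) -> list[str]:
    """IDs of goals still open after the latest assessment, cheapest / highest impact / simplest first."""
    open_rows = [r for r in rows if r["year2"] != "yes"]
    open_rows.sort(key=lambda r: (RANK[r["cost"]], -RANK[r["impact"]], RANK[r["complexity"]]))
    return [r["id"] for r in open_rows]


def progress(rows: list[dict]) -> dict:
    """Compare the two assessments: goals closed, goals still open, and goals that regressed."""
    closed = [r["id"] for r in rows if r["year1"] != "yes" and r["year2"] == "yes"]
    still_open = [r["id"] for r in rows if r["year1"] != "yes" and r["year2"] != "yes"]
    regressed = [r["id"] for r in rows if r["year1"] == "yes" and r["year2"] != "yes"]
    return {"closed": closed, "still_open": still_open, "regressed": regressed}


if __name__ == "__main__":
    rows = load_checklist(SAMPLE_CHECKLIST)
    print("Do these next:", quick_wins(rows))
    print("Year-over-year:", progress(rows))
```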
CPGs are helpful for small and medium-sized organizations that want to start improving their cybersecurity. The mapping of the 2023 HICP to these CPGs in the landscape analysis paper shows how important they are even in healthcare. They provide a basic set of practices, but it’s important to remember that they’re not complete. The CPG checklist makes it easy for organizations to assess their progress and compare recommendations. It considers factors like cost, impact, and complexity to help with decision-making. The comprehensive checklist provided by CISA’s CPGs is a useful guide that clearly explains what actions to take and why, helping organizations improve their cybersecurity.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.