Healthcare: Time to Review Your Cybersecurity Plan

Introduction
2024 was one of the worst years for breaches of health records. According to HHS 184,108,767 records were breached at 701 organizations. HHS has taken actions to help the industry improve security. One step was the introduction of the HHS CPG’s (Cybersecurity Performance Goals), developed in collaboration with CISA. A second is the proposed rewrite of the HIPAA Security Rule, now in progress. This note looks at the applicability and implementation of the CPG’s.

The CPG’s
The HHS CPG’s were introduced in December 2023, again in response to record breaches in the health sector. They offer a set of 10-20 cybersecurity goals that are manageable by small-medium medical practices. These goals differ from the HIPAA Security Rule in that they are voluntary. They also facilitate a continuous improvement program since they are divided into 10 essential practices and 10 more enhanced goals. Adding a continuous PDCA (Plan Do Check Act) process can strengthen any security program.
A big advantage of the CPG’s is that they were set up to thwart today’s attacks. A second is that they are compact enough to be immediately useful to small businesses. A third is continuous improvement is baked into the CPG’s. In contrast, the HIPAA Security Rule is a one size fits all document; it was issued in 2003 and was updated in 2013. HHS is currently revising this Rule; you can submit comments up to March 7, 2025. The HIPAA Security Rule contains 27 “Implementation Specifications”. The revised version does reference the HHS CPG’s.

The list of CPGs has been divided into “Essential Goals” and “Enhanced Goals,” with 10 goals for each category.

Let’s look at the biggest breaches of 2024 to see which CPG Control Objective would address that breach. Here is the top 6 list from the HHS Breach Portal. I list the top breaches for which causes have been reported.

For these six breaches we can report that the HHS CPG’s are aligned to help prevent that breach. All the CPG controls have been designed to protect against specific common breach types as of 2023-2024. The table also shows that you will need to implement both the essential and enhanced goals to be protected.

Implementation Guidelines
Smaller organizations or those just implementing new security programs may choose to use the HHS CPG’s directly. You could use the 10 essential goals or all 20 essential and enhanced goals. You can develop a plan to implement new controls and to improve those you have already implemented. Other organizations may choose to use the CPG’s as KRI (Key Risk Indicator) and KPI (Key Performance Indicator) metrics to track their program’s progress and status. The CPG’s map directly into the NIST CSF (Cybersecurity Framework). For each metric both the status and rate of change should be reported. Rate of change metrics can indicate the success of a security program or its impending demise. The concept—continuous improvement–is an inherent part of the CSF and ISO 27001. It is also suggested by HHS CPG with the concept of Essential and Enhanced Goals. One missing element in the CPG’s is the concept of one person being responsible for cybersecurity. This has been built into the HIPAA Security Rule, so it would be necessary for any health organization. It specifically asks for “Assigned security responsibility,” although I would think more than one person would usually provide this. The NIST CSF doesn’t require a single person to lead cybersecurity.
The other point about the HHS CPG’s is that they address only downside risks and not business benefits from the 20 goals. You should look for ways these goals will facilitate business operations. Alix Partners has a good taxonomy to analyze cybersecurity contributions to overall business success. This highlights areas such as: building trust with customers; improvements in business agility; improving business processes.

The Future
In December 2024 four U.S. Senators proposed new legislation entitled “Healthcare Cybersecurity Act of 2024”. The legislation seems to have died and may not be revived in the 119th Congress. There were two provisions included: mandating more collaboration between HHS and CISA; providing more cybersecurity training for hospitals. Both seem like good ideas. HHS and CISA have joint ownership of the Health Critical Infrastructure Sector. For sure, awareness training is the most economical method of improving security, if done right.
The biggest potential trend to watch is the use of AI to improve cybersecurity; the flip-side wild card is use of AI to generate new threats. Security vendors have been using AI for years to help detect anomalies in network traffic and eliminate spam from email. Google claims to eliminate 99.9% of spam from Gmail users. For the future, we can visualize generative AI helping with incident response tactics and helping to provide more focused “awareness” training. At the same time the volume and sophistication of cyberattacks will continue to increase in all sectors.