On Jan. 24, the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released voluntary Cybersecurity Performance Goals (CPGs) to better protect the health care sector from cyberattacks, improve response when events occur, and minimize residual risk.
“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Deputy Secretary Andrea Palm said in a statement. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”
The CPGs include 10 essential goals to outline minimum foundational practices for cybersecurity performance and 10 enhanced goals to encourage adoption of more advanced practices. ASPR designed the goals in response to common attack vectors against U.S. hospitals identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
The agency used common industry cybersecurity frameworks, best practices, and strategies, including Health Industry Cybersecurity Practices, the National Institute of Standards and Technology Cybersecurity Framework, and the National Cybersecurity Strategy and Implementation Plan, to design the goals.
Contact Director of Policy Rob Nelb, MPH, at rnelb@essentialhospitals.org or 202.585.0127 with questions.