How to Effectively Navigate the New HPH Cybersecurity Performance Goals (CPGs)

In December 2023, the U.S. Department of Health and Human Services (HHS) announced the publication of its new concept paper that builds on President Biden’s National Cybersecurity Strategy. Between 2018 and 2022, the HHS explained that the Office for Civil Rights (OCR), the branch tasked with managing Health Insurance Portability and Accountability Act (HIPAA) compliance, has seen a 93% increase in large breaches reported to it with a 287% increase in large breaches involving ransomware. 

Between the newly published concept paper and the HHS Cybersecurity Performance Goals, the regulatory agencies that oversee the healthcare and public health sectors continue to formalize their cybersecurity best practices. 

What is the purpose of the HHS concept paper?

The HHS concept paper builds on President Biden’s National Cybersecurity Strategy to align the agency’s strategy with the overarching objectives that the White House established. As the agency that oversees the healthcare and public health sector, HHS performs the following activities:

  • Sharing cyber threat information and intelligence with the sector
  • Providing technical assistance, guidance, and resources 
  • Issues cybersecurity guidance and threat alerts for medical devices
  • Publishing healthcare-specific cybersecurity best practices, resources, and guidance

To fulfill its responsibilities, HHS outlined the following steps it plans to take to drive a path forward on cybersecurity improvements:

  • Establish voluntary cybersecurity performance goals for the healthcare sector: reducing confusion with performance goals that set clear strategy with Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs)
  • Provide resources to incentivize and implement these cybersecurity practices: establishing an upfront investments program and an incentives program
  • Implement an HHS-wide strategy to support greater enforcement and accountability: proposing actions based on HPH CPGs and updating HIPAA Security Rule to include new cybersecurity requirements
  • Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity: enhancing HHS and Federal Government coordination to increase incident response capabilities and prove more resources, like technical assistance or vulnerability scanning
HPH CPGs: A Step Toward Formalizing 405(d)’s Health Industry Cybersecurity Practices (HICP)

The good news for healthcare delivery organizations (HDOs) is that the regulatory agencies aren’t creating entirely new cybersecurity performance goals from scratch. The less great news for HDOs is that the HPH CPGs act as a first step toward formalizing the HICP controls and risk mitigation strategies. For many HDOs, the three volumes of controls published in 2023 can feel overwhelming, especially when bringing the Internet of Medical Things (IoMT) and medical devices into the picture. 

The HPH CPGs identify Essential Goals that act as a foundation for cyber hygiene, and Enhanced Goals that enable HDOs to mature their cybersecurity capabilities. 

Essential Goals

HHS outlines ten Essential Goals to help HDOs address common vulnerabilities and build a baseline for cyberattack risk mitigation, response improvement, and residual risk minimization:

  • Mitigate Known Vulnerabilities: Mapped to HICP 7.M.A (Host/Server-Based Scanning), 7.M.B (Web Application Scanning), and 2.M.B (, this reduces the likelihood that threat actors can exploit known vulnerabilities on assets connected to the Internet.  These sections refer to Host/Server-Based Scanning (7.M.A), Web Application Scanning (7.M.B), and Basic Endpoint Protection (2.M.A)
  • Email Security: Mapped to HICP 1.M.A, 1.M.B, and 1.M.D, this reduces risks from common email-based threats, like spoofing, phishing, and fraud. 
  • Multifactor Authentication (MFA): Mapped to HICP 3.M.A, 3.M.C, and 3.M.D, this provides an additional security layer for assets and accounts connected to the Internet.
  • Basic Cybersecurity Training: Mapped to HICP 1.M.D and 10.M.C, this teaches users to learn and perform more secure behaviors.
  • Strong Encryption: Mapped to HICP 1.M.C, this helps maintain sensitive data confidentiality and traffic in motion integrity. 
  • Revoke Credentials for Departing Workforce Members: Mapped to HICP 3.M.B and 3.M.C, this mitigates unauthorized access risk by users and accounts formerly granted access.
  • Basic Incident Planning And Preparedness: Mapped to HICP 10.M.A, 8.M.B, and 4.M.D, this enables efficient and effective incident response, recovery, and restoration.
  • Unique credentials: Mapped to HICP 3.M.A, 3.M.B, 3.M.C, and 3.M.D, this makes detecting and monitoring abnormal activity easier, especially between IT and operational technology (OT) networks.
  • Separating User And Privileged Accounts: Mapped to HICP 3.M.A, 3.M.B, 3.M.C, 3.M.D, this limits threat actors’ ability to compromise privileged or administrative accounts.
  • Vendor/Supplier Cybersecurity Requirements: Mapped to HICP 10.M.B, this helps reduce third-party security risk.

Enhanced Goals

For HDOs that achieve essential goals, the following ten Enhanced Goals enable them to reach the next level of defense:

  • Asset Inventory: Mapped to HICP 5.M.A, 5.M.B, 5.M.C, and 7.M.C, this helps identify known, unknown, and unmanaged assets for faster detection and response.
  • Third-Party Vulnerability Disclosure: Mapped to HICP 10.M.B, this helps discover and respond to known threats and vulnerabilities.
  • Third-Party Incident Reporting: Mapped to HICP 10.M.B, 7.M.D, and 8.M.C, this helps reduce the impact of supply chain attacks. 
  • Cybersecurity Testing: Mapped to HICP 7.L.A, 7.L.C, and 8.M.C, this helps proactively mitigate risks through penetration testing and attack simulations.
  • Cybersecurity Mitigation: Mapped to HICP 8.M.C, 7.M.D, and 7.L.B, this helps prioritize remediation actions found during penetration testing and attack simulations.
  • How to Respond to Relevant Threats: Mapped to HICP 2.L.C, this helps mitigate risks by protecting endpoints that act as network entry and exits points.
  • Network Segmentation: Mapped to HICP 6.M.B, this helps mitigate risk that threat actors can move from low to high risk systems after initial access. 
  • Centralized Log Collection: Mapped to HICP 8.M.A and 8.M.B, this helps mitigate risk by correlating security log data across all systems and networks for faster detection, investigation, response, and recovery. 
  • Centralized Incident Planning and Preparedness: Mapped to HICP 8.M.A and 8.M.B, this proactive training helps improve incident response efficiency and effectiveness.
  • Configuration Management: Mapped to HICP 7.M.D, this helps maintain and document secure device and system settings.
Asimily: Accelerate Cybersecurity Initiatives with IoMT and Medical Device Monitoring

Based on these two publications, HHS sets the stage for using the HICP documents as the foundation for its future compliance requirements, including updates to HIPAA’s Security Rule that will levy fines and penalties for HDOs who violate these new terms. For HDOs that want to take a proactive approach to enhancing their security posture, implementing and monitoring security controls for IoMT and medical devices is critical.

Identify and Inventory Assets

To identify and remediate known vulnerabilities and vendor/supplier security risks under Essential Goals, HDOs need to know the devices that pose a risk, including IoMT and medical devices that connect to their networks. Although an asset inventory falls within the Enhanced Goal category, HDOs may not effectively achieve a comprehensive vulnerability management program without insight into all connected devices. 

HICP focuses on the following:

  • 5.M.A Inventory of endpoints and servers: focused on IT asset management which should include enterprise Internet of Things (IoT) devices, like printers or security cameras
  • 5.M.B Procurement: focused on incorporating ITAM processes into the supply chain management program 
  • 5.M.C Secure storage for inactive devices: focused on returning assets not in circulation to their appropriate IT department for secure storage
  • 7.M.C System placement and data classification: focused on identifying risks, ranking them, and prioritizing remediation for vulnerabilities discovered

With Asimily, HDOs can accelerate their security maturity journey by automating the IoMT and medical device asset inventory process. Further, with this asset inventory, they can move towards the Enhanced Goals of creating a focused program for:

  • Third-Party Vulnerability Disclosure
  • Third-Party Incident Reporting
  • Configuration Management

Asimily’s passive scanning monitoring solution regularly detects and fingerprints devices connected to the network, providing the following information:

  • Hardware: manufacturer, model, serial number
  • Software: operating system, version, firmware revisions
  • Device type and function
  • Security assessment: vulnerabilities and risks

With our built-in risk metrics, HDOs can set baselines for normal activity that help them achieve Enhanced Goals, including Configuration Management and How To Respond To Relevant Threats. 

Identify Vulnerabilities, Suggest and Prioritize Simple Remediation Actions

A robust vulnerability management program typically includes the following:

  • Vulnerability and risk categorization
  • Vulnerability disclosure programs
  • Software bill of materials (SBOM) and vulnerability lookups
  • Vulnerability scanning

Asimily’s platform enables HDOs to implement these processes and suggests actionable remediation strategies by:

  • Identifying where exploitable vulnerabilities are within the environment and for each specific device 
  • Prioritizing activities on real-time exploitability
  • Leveraging our clinically validated recommendations for vulnerabilities via digitized MDS2 information

Further, as HDOs find themselves facing even more compliance requirements, Asimily enables them to monitor HICP metrics, including:

  • Number of unmitigated high-risk vulnerabilities on network-connected medical devices measured monthly
  • Number of devices that have unknown risks due to lack of manufacturer-disclosed information, measured monthly. 

Incorporate IoMT and Medical Devices into Incident Response

As part of Basic Incident Planning and Preparedness under Essential Goals, HDOs should incorporate some IoMT and medical devices because their inherent lack of security makes them a primary threat actor target. 

With Asimily, HDOs can capture raw packets to or from deployed devices that reveal attacker tactics, techniques, and procedures (TTPs), enabling them to improve basic incident response and implement some fundamental Enhanced Goals by incorporating monitoring, detection, and response activities based on:

  • Baselining devices
  • Network behavior
  • Clinical context
  • Profiling and grouping devices
  • Deep packet inspection

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.

Reduce Vulnerabilities 10x Faster with Half the Resources

Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.