• The government’s new cybersecurity performance goals matter to whoever is responsible for information security at a U.S. hospital or other healthcare organization.
• In January, the U.S. Department of Health and Human Services released voluntary, healthcare-specific CPGs. There are two tiers of these goals, essential and enhanced.

Critical cybersecurity performance goal

If you are responsible for infosec at a U.S. hospital or other healthcare organization, and you treat the government’s new “voluntary” cybersecurity performance goals (CPGs) as, well, voluntary, you’re ignoring the writing on the wall.

“The benefit of the CPG is that it indicates where the ball is bouncing next, and what the standards and expectations are for what organizations should be working on.”

Taylor Lehmann, a director in Google Cloud’s Office of the Chief Information Security Officer

“It may not be today, but what’s on the HHS document is likely to become actual final rulemaking or new regulatory requirements that become law,” said Taylor Lehmann. “If you think that being voluntary doesn’t mean you have to do something, you’re probably wrong. The voluntary goal becomes mandatory, which is often the case with other rulemaking in healthcare as it relates to safety.”

Information security is still being challenged

In early January, after a record 46 health networks (141 hospitals in total) were hit by ransomware infections and data theft in 2023, rumors spread that the White House would soon require U.S. hospitals to meet basic cybersecurity standards before receiving federal funding.

Meanwhile, the criminals behind these intrusions used increasingly aggressive extortion tactics to pressure hospitals into paying ransom demands. When asked about hospital regulations, the Centers for Medicare and Medicaid Services pointed to a concept paper released in December outlining the cybersecurity strategy of the U.S. Department of Health and Human Services (HHS).

Two goals

Later in January, the Department of Health and Human Services issued voluntary, healthcare-specific CPGs. These goals fall into two tiers, essential and enhanced, and each tier lists ten specific measures an organization can take to better protect itself from cyberattacks.


The essential goals sound like basic security hygiene – things one hopes hospitals and clinics already have in place. But, according to Taylor Lehmann, they are all based on real-world attacks and compromises. “I would love to say these are all very obvious, but obviously they haven’t all materialised,” he said. They include mitigating known vulnerabilities, using multi-factor authentication, implementing email security, training employees in safe behavior, encrypting sensitive data, and revoking the credentials of employees, contractors, and volunteers when they leave the organization.

Basic incident response planning, use of unique credentials, separation of user and privileged accounts, and assessment of vendor and supplier risk round out the essential goals.

Another important goal – revoking an employee’s credentials when they leave the organization – is also not as easy as it sounds. “If you’re an academic health system and you have five or more academic institutions, you don’t know when those students are graduating and when they’re leaving,” Lehmann said.

Data confidentiality and the protection of patient PII and health information have long been treated as the primary security goal in healthcare, because failing to protect that information exposes hospitals to regulatory action. “Availability is as important, if not more important, than confidentiality,” Lehmann said. He added that many healthcare institutions have not evolved enough to think about security in this way. “I care if my data is compromised, but I care more if I die because of it.”
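The credential-revocation gap Lehmann describes – accounts whose owners have left, but with no departure date in any HR or registrar feed – is usually handled with a periodic stale-account sweep that falls back on dormancy when no end date is known. The following is an added illustration written for this page, not code from HHS or Google Cloud; the account records, the 90-day and 30-day dormancy thresholds, and the `revoke_list` helper are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data): one row per account.
# affiliation_end is None when the HR/registrar feed gives no departure date,
# which is the academic-health-system gap described in the article.
ACCOUNTS = [
    {"user": "jdoe", "role": "nurse", "affiliation_end": date(2023, 12, 31),
     "last_login": date(2024, 1, 3), "privileged": False},
    {"user": "astudent", "role": "student", "affiliation_end": None,
     "last_login": date(2023, 9, 15), "privileged": False},
    {"user": "bstudent", "role": "student", "affiliation_end": None,
     "last_login": date(2024, 1, 20), "privileged": False},
    {"user": "cvendor", "role": "contractor", "affiliation_end": date(2024, 3, 1),
     "last_login": date(2024, 1, 25), "privileged": False},
    {"user": "admin-ops", "role": "staff", "affiliation_end": None,
     "last_login": date(2023, 6, 1), "privileged": True},
]

# Assumed policy thresholds for the example; tune to your own risk appetite.
DORMANT_DAYS = 90             # ordinary accounts
PRIVILEGED_DORMANT_DAYS = 30  # privileged accounts get a tighter window


def accounts_to_revoke(accounts, today, dormant_days=DORMANT_DAYS,
                       privileged_dormant_days=PRIVILEGED_DORMANT_DAYS):
    """Return (user, reason) pairs for accounts that should be disabled.

    Rule 1: a known affiliation end date that has already passed -> revoke.
    Rule 2: otherwise, fall back on dormancy: no login within the allowed
            window (tighter for privileged accounts) -> revoke. Rule 2 is
            what catches people whose departure never generated an HR event.
    """
    findings = []
    for acct in accounts:
        end = acct.get("affiliation_end")
        if end is not None and end < today:
            findings.append((acct["user"], f"affiliation ended {end.isoformat()}"))
            continue
        limit = privileged_dormant_days if acct.get("privileged") else dormant_days
        if today - acct["last_login"] > timedelta(days=limit):
            findings.append((acct["user"], f"no login for more than {limit} days"))
    return findings


def revoke_list(today_iso="2024-02-01"):
    """Convenience wrapper: run the sweep against the sample data for a
    given date (ISO string) and return just the usernames to disable."""
    today = date.fromisoformat(today_iso)
    return [user for user, _ in accounts_to_revoke(ACCOUNTS, today)]


if __name__ == "__main__":
    for user, reason in accounts_to_revoke(ACCOUNTS, date(2024, 2, 1)):
        print(f"disable {user}: {reason}")
```

Run against the sample data on 2024-02-01 this flags `jdoe` (contract ended), `astudent` (no end date on file, dormant for 139 days) and `admin-ops` (privileged and dormant well past 30 days), while leaving the active student and the contractor whose engagement is still open alone. The point is that the dormancy rule, not the end-date rule, is what catches the student account nobody told IT about.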