Governance

Ignore Uncle Sam’s cybersecurity goals? Careful about getting hurt!

Critical cybersecurity performance goal

If you are responsible for infosec at a US hospital or other healthcare organization, and you treat the government’s new “voluntary” cybersecurity performance goals (CPGs) as, well, voluntary, you’re ignoring the writing on the wall. “The benefit of the CPG is…

Context

If you are responsible for infosec at a US hospital or other healthcare organization, and you treat the government’s new “voluntary” cybersecurity performance goals (CPGs) as, well, voluntary, you’re ignoring the writing on the wall. “The benefit of the CPG is that it indicates where the ball is bouncing next, and what the standards and expectations are for what organizations should be working on.”

Evidence

Pending intelligence enrichment.

Analysis

“It may not be today, but what’s on the HHS document is likely to become actual final rulemaking or new regulatory requirements that become law,” said Taylor Lehmann. “If you think that being voluntary doesn’t mean you have to do something, you’re probably wrong. The voluntary goal becomes mandatory, which is often the case with other rulemaking in healthcare as it relates to safety.”

In early January, after a record 46 health networks (141 hospitals in total) were hit by ransomware infections and data theft in 2023, rumors spread that the White House would soon require U.S. hospitals to meet basic cybersecurity standards before receiving federal funding. During that period the criminals behind those intrusions used increasingly dangerous extortion methods to pressure hospitals into paying ransom demands. When asked about hospital regulations, the Centers for Medicare and Medicaid Services pointed to a concept paper released in December outlining the cybersecurity strategy of the U.S. Department of Health and Human Services (HHS).

Later in January, HHS issued voluntary, healthcare-specific CPGs. The goals fall into two tiers, essential (basic) and enhanced, and each tier lists ten specific practices that reduce an organization’s exposure to cyberattacks. The essential goals read like basic security hygiene, the kind of controls one hopes hospitals and clinics already have in place. But, according to Lehmann, every one of them is grounded in real-world attacks and compromises. “I would love to say these are all very obvious, but obviously they haven’t all materialised,” he said.

The ten essential goals are:
  • mitigating known vulnerabilities
  • email security
  • multi-factor authentication
  • training employees in safe behavior
  • encrypting sensitive data
  • revoking the credentials of employees, contractors, and volunteers when they leave the organization
  • basic incident response planning and preparedness
  • use of unique credentials
  • separation of user and privileged accounts
  • assessment of vendor and supplier cybersecurity risk

Key Points

  • The government’s new cybersecurity performance goals matter to anyone responsible for information security at a U.S. hospital or other healthcare organization: although labelled voluntary, they signal what regulators are likely to mandate next.
  • In January, the U.S. Department of Health and Human Services released voluntary, healthcare-specific CPGs. The goals come in two tiers, essential (basic) and enhanced, with ten goals in each.

Actions

Pending intelligence enrichment.

Author

Editorial author not yet assigned.