Outsmarting Advanced Attacks: What We Can Learn from the 2024 HHS Cybersecurity Goals

In January 2024, the U.S. Department of Health and Human Services (HHS) released its 2024 Cybersecurity Performance Goals (CPGs) for Healthcare and Private Health. The goals, organized into Essential and Enhanced categories, are “intended to help healthcare organizations, and healthcare delivery organizations, prioritize implementation of high-impact cybersecurity practices.” In this blog, I’ll analyze the recommendations, what they represent for the healthcare industry and HDOs, and where they may fall short in achieving true cybersecurity health and resilience.

The 20 HHS Cybersecurity Performance Goals

One important note about these industry-specific cybersecurity goals is that they are voluntary. They are meant to serve as guideposts and provide direction to hospitals and healthcare delivery organizations. It is notably not a mandatory reporting exercise. It is instead geared toward giving HDOs the resources and context necessary to self-assess their cybersecurity efficacy. The hope is that even though many issues are deep-rooted in the healthcare industry, healthcare organizations can begin to measure their systems against these goals and take proactive steps to bolster their defenses in advance of a mandatory directive potentially being implemented. The Essential category includes themes like email security best practices, basic training, unique credentials, and multi-factor authentication. The Enhanced category branches into asset inventory, third-party vulnerability disclosure, testing, network segmentation, and incident planning and preparedness.

For an industry that is constantly plagued by attacks such as ransomware and continues to be the target of many bad actors due to the criticality of their services, healthcare and private health organizations should take this opportunity to take a hard look at their current systems and how they measure up. The simplicity of a concise list of 20 goals may make a daunting task clearer and make it easier to align internal practices and get executive buy-in for any cybersecurity initiatives, rather than comparing against multiple different frameworks and guidelines.

Why Separate Into Two Categories?

One limitation of the CPGs, as I pointed out in a recent webinar with Critical Insight, is found in the structure itself–dividing the goals and advice into 10 Essential Goals and 10 Enhanced Goals. Healthcare is often a prime target for ransomware attacks, with the average attack costing $4.45 million in 2022 according to IBM. The landscape of digital risk in healthcare has also massively expanded with the recent surge in remote care offerings. HDOs are dealing with more than just difficulties with login credentials and basic training requirements of their staff about security best practices. They need to be aware of the realistic threat landscape, their true exposure risk via their myriad devices and assets, and have not only an accurate inventory but tried and tested plans for preventing and managing any future attacks.

In actuality, bad actors are not only exploiting failings in the Essential category. Classifying the Enhanced list as secondary security controls that can be actioned at a later date does not encapsulate the reality of the threats healthcare organizations, and every industry for that matter is facing in the current environment. Therefore, I would caution any Healthcare and Private Health organizations to take heed of both sets of goals if they truly wish to outsmart any attacks.

For more about the reality of cyber attacks in healthcare, check out this blog: https://www.armis.com/blog/attack-surface-management-healthcare-based-attacks-put-patients-at-risk/

Key Takeaways and the Armis Advice

The good news is that the CPGs put forth by the U.S. Department of Health and Human Services are voluntary and are intended to start a conversation. Hospitals and healthcare providers should use these as a framework to assess their current cybersecurity posture and continue the conversation about increasing their protection against bad actors. The bad news is the scope is too narrowly defined in some goals. We all know that attacks and breaches go far beyond the realm of the Essential goals and well into the Enhanced territory. However, this can be a great starting point for taking stock internally and getting executive approval for further cybersecurity initiatives. We recommend viewing the cybersecurity goals through the following lenses:

1. Visibility – While these goals provide good recommendations, the fundamental element needed to begin assessing your organization is visibility. For each CPG, consider how much you can see in your environment and what you need in order to achieve it. For example, how would complete visibility of vulnerabilities be achieved if you’re currently only seeing and managing approximately 30% of the devices on your network?
2. Work in Parallel – Do not wait to complete the essentials before beginning work on the enhanced goals. The CPGs, while providing a good highlight of some pressing needs, are not necessarily prioritized in the most optimal manner for every organization to follow prescriptively. Aim to have a maturity scale for each CPG–essential and enhanced–and work to continue to mature your cybersecurity program as a whole.
3. Wider Buy-in – Moving the needle on these goals will require buy-in from the greater organization. Cybersecurity teams now rely increasingly on other business units and staff members to ensure cybersecurity resilience. This must extend beyond yearly security awareness training. Effective partnership and collaboration is fundamental to getting visibility into, assessing, and reducing the risk of medical devices.
4. Prioritization – Vulnerability management continues to be a pillar of cybersecurity that teams are grappling with. The business and clinical contexts of devices is growing evermore crucial in focusing prioritization efforts, but may not be effectively captured by the CPGs or guidance provided.
5. Think Beyond Traditional IT – Anchoring goals to a cybersecurity framework remains fundamental in guiding security teams at a higher strategic level. However, several goals focus on enterprise assets such as laptops, computers, and servers. The healthcare device ecosystem now comprises a large variety of devices, often outnumbering enterprise assets. To make progress, teams must expand their scope and ensure holistic visibility and risk assessment from the ground to the cloud, from devices to users, and the outside in.

HDOs can and should continue to use the NIST cybersecurity framework to make informed decisions going forward and use the CPGs as a reminder of the work still to be done to protect essential healthcare activities and devices.