HPH Cybersecurity Performance Goals
Purpose
The Department of Health and Human Services (HHS) helps the Healthcare and Public Health (HPH) critical infrastructure sector prepare for and respond to cyber threats, adapt to the evolving threat landscape, and build a more resilient sector. As outlined in the HHS Healthcare Sector Cybersecurity concept paper, HHS is publishing these voluntary, healthcare-specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.
These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. They were built on the chassis of CISA’s CPGs and informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies (e.g., Health Industry Cybersecurity Practices (HICP), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide). The HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
Essential Goals
To help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk.
To aid in further understanding the alignment to HICP, we have included links to the HICP sub-practices page for each CPG.
Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the Internet.
HICP Practices
- Vulnerability Management
- Endpoint Protection
NIST Controls
AC-1, AC-17, AC-19, AC-20, CA-1, CA-2, CA-5, CA-7, CA-8, PM-4, PM-9, PM-15, PM-28, RA-1, RA-3, RA-5, RA-7, SA-5, SA-11, SC-15, SI-2, SI-4, SI-5, SR-6
CISA CPG IDs
- Mitigating Known Vulnerabilities (1.E)
- No Exploitable Services on the Internet (2.W)
Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
HICP Practices
- Email Protection Systems
NIST Controls
AC-4, AC-5, AC-6, AC-12, AC-14, AC-17, AC-18, AU-13, CP-8, IA-1, IA-2, IA-3, IA-5, IA-8, IA-9, IA-10, IA-11, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, PE-19, PS-6, SC-5, SC-7, SC-8, SC-10, SC-11, SC-20, SC-21, SC-22, SC-23, SC-28, SC-31, SC-37, SC-38, SC-47, SI-4
CISA CPG IDs
- Email Security (2.M)
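The spoofing part of this goal is where most hospitals can be checked from the outside: a sending domain with no SPF record, an SPF record that ends in a neutral `?all`, or a DMARC policy of `p=none` lets forged mail claiming to be from the organization reach recipients. The following is an added example, not part of the HHS page or the CISA CPG text, that grades that posture from DNS TXT records. The domain names and records are constructed for the example; in practice the records come from a DNS lookup of the domain and of `_dmarc.<domain>`.

```python
"""Grade a domain's anti-spoofing posture (SPF + DMARC) from its TXT records.

Added example. The domains and records below are constructed; a real check
would resolve TXT records for <domain> and _dmarc.<domain> first.
"""
import re

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_TXT = {
    "hospital.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.hospital.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital.example; pct=100"],
    "clinic.example": ["v=spf1 a mx ?all"],
    "_dmarc.clinic.example": ["v=DMARC1; p=none"],
    "lab.example": [],
    "_dmarc.lab.example": [],
}


def parse_spf(records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None if no SPF.

    Zero SPF records means no SPF; more than one is a permerror under RFC 7208,
    which we treat the same way because receivers will not enforce it.
    """
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    # No 'all' mechanism: RFC 7208 yields Neutral, i.e. the same as '?all'.
    return "?"


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is not exactly one DMARC record."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return ('strong' | 'partial' | 'weak', [findings]) for the given domain."""
    findings = []
    spf_all = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))

    if spf_all is None:
        findings.append("no SPF record")
    elif spf_all in ("?", "+"):
        findings.append(f"SPF ends in '{spf_all}all' (neutral/pass): does not restrict senders")

    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports to act on")

    if spf_all is None or dmarc is None:
        grade = "weak"
    elif findings:
        grade = "partial"
    else:
        grade = "strong"
    return grade, findings


if __name__ == "__main__":
    for name in ("hospital.example", "clinic.example", "lab.example"):
        grade, notes = assess_domain(name)
        print(f"{name}: {grade}" + ("".join(f"\n  - {n}" for n in notes)))
```

The check deliberately stops short of DKIM: a DMARC `p=reject` only blocks forged mail when the domain's legitimate senders pass SPF or DKIM with an aligned domain, so a domain that grades "strong" here still needs its outbound mail gateways and SaaS senders validated before the policy is enforced.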
Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.
HICP Practices
- Identity & Access Management
NIST Controls
AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
CISA CPG IDs
- Phishing-Resistant Multifactor Authentication (MFA) (2.H)
Ensure organizational users learn and perform more secure behaviors.
HICP Practices
- Email Protection Systems
- Cybersecurity Oversight & Governance
NIST Controls
AT-2, AT-3, PM-13, PM-14
CISA CPG IDs
- Basic Cybersecurity Training (2.I)
Deploy encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion.
HICP Practices
- Email Protection Systems
- Endpoint Protection Systems
- Data Protection & Loss Prevention
NIST Controls
SC-8, SC-11
CISA CPG IDs
- Strong and Agile Encryption (2.K)
Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers, by removing their access promptly.
HICP Practices
- Identity & Access Management
NIST Controls
IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9, SA-21
CISA CPG IDs
- Revoking Credentials for Departing Employees (2.D)
Ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.
HICP Practices
- Cybersecurity Oversight & Governance
NIST Controls
CP-2, CP-3, CP-10, IR-3, IR-4, IR-8, PM-15, SI-5
CISA CPG IDs
- Incident Planning and Preparedness (5.A)
Use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.
HICP Practices
- Identity & Access Management
NIST Controls
IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
CISA CPG IDs
- Unique Credentials (2.C)
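The detection half of this goal is straightforward once credentials are unique per system: a single account that successfully authenticates to several hosts in a short window, and especially one that lands on both IT and OT hosts, is either a shared local administrator password or a stolen credential being replayed. The following is an added example, not part of the HHS page or any product's logic, that runs that check over constructed logon events. The key=value log format, the host names and the host-to-segment map are assumptions made for the example.

```python
"""Flag one credential being used across many hosts within a short window.

Added example. The log lines, host names and the IT/OT segment map are all
constructed for illustration; adapt parse_line() to your SIEM's event schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical segment map: which network zone each host belongs to.
SEGMENT = {
    "ws-01": "IT", "ws-02": "IT", "fileserver": "IT",
    "infusion-gw": "OT", "imaging-01": "OT",
}

# Constructed sample logon events, one per line, as "<timestamp> key=value ...".
SAMPLE_LOG = """\
2024-03-01T02:10:05Z host=ws-01 event=logon user=nurse.kim src=10.0.1.5 result=success
2024-03-01T02:11:40Z host=ws-02 event=logon user=localadmin src=10.0.1.5 result=success
2024-03-01T02:12:02Z host=fileserver event=logon user=localadmin src=10.0.1.5 result=success
2024-03-01T02:14:30Z host=imaging-01 event=logon user=localadmin src=10.0.1.5 result=success
2024-03-01T02:15:10Z host=infusion-gw event=logon user=localadmin src=10.0.1.5 result=failure
2024-03-01T03:40:00Z host=ws-01 event=logon user=nurse.kim src=10.0.1.5 result=success
2024-03-01T09:00:00Z host=fileserver event=logon user=nurse.kim src=10.0.1.7 result=success
"""


def parse_line(line):
    """Parse '<ISO-8601 UTC timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_credential_sprawl(log_text, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: {"hosts": [...], "crosses_segment": bool}} for every account that
    successfully logged on to at least `min_hosts` distinct hosts inside `window`.

    Only successes count: failed logons are noise here and belong to a separate
    brute-force/spray detection. The sliding window starts at each success in turn.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "logon" and rec.get("result") == "success":
            by_user[rec["user"]].append((rec["ts"], rec["host"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {host for t, host in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                zones = {SEGMENT.get(h, "unknown") for h in hosts}
                alerts[user] = {"hosts": sorted(hosts), "crosses_segment": len(zones) > 1}
                break
    return alerts


if __name__ == "__main__":
    for user, info in find_credential_sprawl(SAMPLE_LOG).items():
        flag = " (crosses IT/OT boundary)" if info["crosses_segment"] else ""
        print(f"{user}: {len(info['hosts'])} hosts in window {info['hosts']}{flag}")
```

On the sample data only `localadmin` fires: it reaches three hosts in under three minutes and one of them is in the OT zone. `nurse.kim` touches two hosts hours apart and stays quiet, which is the point of the window: the rule is tuned for the speed of lateral movement, not for how many systems a person legitimately uses in a day. Thresholds of three hosts in ten minutes are an assumption for the example and should be tuned against your own baseline of service accounts and jump hosts.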
Establish separate accounts so that threat actors cannot reach privileged or administrative accounts when common user accounts are compromised.
HICP Practices
- Identity & Access Management
NIST Controls
AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
CISA CPG IDs
- Separating User and Privileged Accounts (2.E)
Identify, assess, and mitigate risks associated with third party products and services.
HICP Practices
- Cybersecurity Oversight & Governance
HICP Sub-Practices
- Cybersecurity Risk Assessment & Management (10.M.B)
NIST Controls
SA-4, SA-9, SR-2, SR-3, SR-5
CISA CPG IDs
- Vendor / Supplier Cybersecurity Requirements (1.I)
Enhanced Goals
To help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
To aid in further understanding the alignment to HICP, we have included links to the HICP sub-practices page for each CPG.
Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to new vulnerabilities.
HICP Practices
- IT Asset Management
NIST Controls
AC-20, AU-12, CA-7, CM-3, CM-8, PM-5, SA-9, SC-5, SC-7, SI-4
CISA CPG IDs
- Asset Inventory (1.A)
Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.
HICP Practices
- Cybersecurity Oversight & Governance
HICP Sub-Practices
- Cybersecurity Risk Assessment and Management (10.M.B)
NIST Controls
PM-9, PM-30, RA-3, SA-9, SA-15, SR-1, SR-2, SR-3, SR-5, SR-6
CISA CPG IDs
- Supply Chain Vulnerability Disclosure (1.H)
Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
HICP Practices
- Cybersecurity Oversight & Governance
- Vulnerability Management
- Security Operations Center and Incident Response
NIST Controls
PM-9, RA-3, SA-4, SA-9, SA-15, SR-2, SR-3, SR-5, SR-6
CISA CPG IDs
- Supply Chain Incident Reporting (1.G)
Establish processes to promptly discover, and responsibly share, vulnerabilities in assets discovered through penetration testing and attack simulations.
HICP Practices
- Vulnerability Management
- Security Operations Center and Incident Response
NIST Controls
CA-2, CA-7, PM-16, PM-28, RA-2, RA-3
CISA CPG IDs
- Vulnerability Disclosure / Reporting (4.B)
Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
HICP Practices
- Security Operations Center and Incident Response
NIST Controls
CA-2, CA-7, PM-16, PM-28, RA-2, RA-3
CISA CPG IDs
- Third Party Validation of Cybersecurity Control Effectiveness (1.F)
Ensure organizational awareness of, and the ability to detect, relevant threats and TTPs at endpoints. Ensure organizations are able to secure the entry and exit points of their networks with endpoint protection.
HICP Practices
- Endpoint Protection Systems
HICP Sub-Practices
- Endpoint Detection and Response (2.L.C)
NIST Controls
AU-12, CA-7, CM-3, PM-12, PM-15, PM-16, RA-3, RA-10, SC-5, SC-7, SI-4, SI-5
CISA CPG IDs
- Detecting Relevant Threats and TTPs (3.A)
Separate mission-critical assets into discrete network segments to minimize lateral movement by threat actors after initial compromise.
HICP Practices
- Network Management
HICP Sub-Practices
- Network Segmentation (6.M.B)
NIST Controls
AC-4, AC-10, AC-12, AC-17, AC-18, CP-8, SC-5, SC-7, SC-10, SC-11, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-38, SC-47
CISA CPG IDs
- Network Segmentation (2.F)
Collect the telemetry from security log data sources within the organization’s network that is needed to maximize visibility and cost effectiveness and to speed incident response.
HICP Practices
- Security Operations Center and Incident Response
NIST Controls
AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16
CISA CPG IDs
- Log Collection (2.T)
Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
HICP Practices
- Security Operations Center and Incident Response
NIST Controls
CM-3, CM-4, SA-10
CISA CPG IDs
- Incident Response (IR) Plans (2.S)
Define secure device and system settings in a consistent manner and maintain them according to established baselines.
HICP Practices
- Vulnerability Management
HICP Sub-Practices
- Patch Management, Configuration Management (7.M.D)
NIST Controls
CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
CISA CPG IDs
- Document Device Configurations (2.O)