HHS announces voluntary cybersecurity goals for healthcare

October 05, 2025
Reported by AI

The U.S. Department of Health and Human Services has released a set of voluntary cybersecurity performance goals aimed at bolstering protections in the healthcare sector. These goals address the rising tide of cyberattacks targeting patient data and critical infrastructure. Developed in collaboration with federal partners, they provide a framework for organizations to enhance their defenses.

On October 4, 2023, the U.S. Department of Health and Human Services (HHS) unveiled a new set of voluntary Cybersecurity Performance Goals (CPGs) specifically tailored for the healthcare and public health sector. This initiative responds to the increasing frequency and severity of ransomware attacks and other cyber threats that have disrupted healthcare operations and compromised sensitive patient information in recent years.

The CPGs consist of 10 specific goals, categorized into three tiers: Tier 1 (essential), Tier 2 (enhanced), and Tier 3 (advanced). Essential goals include basic measures such as developing a cybersecurity incident response plan, implementing multi-factor authentication, and establishing a risk management program. Enhanced goals build on these with requirements like vulnerability management and email security protocols, while advanced goals incorporate more sophisticated practices such as zero trust architecture and supply chain risk management.

HHS Secretary Xavier Becerra emphasized the urgency of these measures, stating, 'Cyberattacks on our healthcare system are not just a threat to data—they are a threat to lives. These goals provide a clear roadmap for healthcare organizations to protect patients and strengthen our nation's health infrastructure.' The framework was developed through a collaborative effort involving the Health Sector Coordinating Council Cybersecurity Working Group, the Cybersecurity and Infrastructure Security Agency (CISA), and other federal entities.

The release comes against a backdrop of heightened vulnerability in the healthcare sector. According to HHS, cyberattacks have surged, with notable incidents like the 2023 Change Healthcare ransomware attack affecting millions of patients and causing widespread billing disruptions. The CPGs are designed to be scalable, allowing small practices and large hospitals alike to adopt measures appropriate to their resources.

While voluntary, HHS encourages adoption by integrating these goals into broader regulatory expectations and providing technical assistance. No immediate mandates were announced, but the release underscores a proactive stance amid ongoing threats. Healthcare leaders have welcomed the guidance, with one association representative noting, 'This is a vital step toward a more resilient sector.' Implications include potential reductions in breach costs, estimated at billions annually, and improved continuity of care during cyber incidents.

The goals are available on the HHS website for immediate implementation, with ongoing support promised through resources and training.
