As promised in its December 2023 concept paper, the U.S. Department of Health and Human Services (HHS) announced voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) in January 2024, and the recently released HHS FY2025 budget proposes establishing certain HPH CPG compliance incentives and penalties for hospitals.
The HPH CPGs are divided into “Essential” goals, which are intended to serve as baseline standards for organizations, and “Enhanced” goals, which are intended to foster more sophisticated practices. HHS developed the HPH CPGs using the Cross-Sector CPGs from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and other industry cybersecurity frameworks released in March 2023.
Essential goals:
- Mitigate known vulnerabilities.
- Email security.
- Multi-factor authentication.
- Basic Cyber Security Training.
- Strong encryption.
- Revoke the credentials of departing employees, including employees, contractors, affiliates, and volunteers.
- Basic incident planning and preparation.
- Unique credentials.
- Separate user and privileged accounts.
- Vendor/Supplier Cybersecurity Requirements.
Enhanced goals:
- Asset inventory.
- Disclosure of vulnerabilities by third parties.
- Incident reporting by third parties.
- Cybersecurity testing.
- Cybersecurity mitigation.
- Detect and respond to relevant threats and tactics, techniques, and procedures (TTPs).
- Network segmentation.
- Centralized log collection.
- Centralized incident planning and preparation.
- Configuration management.
FY2025 Budget Summary: Proposed Funding and Penalties
The HPH CPGs are a key part of the Biden administration's fiscal year 2025 budget summary, released in March 2024, which proposes establishing an incentive structure to encourage hospitals to adopt what the administration calls “essential” and “enhanced” cybersecurity practices. HHS also proposed penalties for certain hospitals that do not implement the “essential” and “enhanced” cybersecurity practice standards.
First, in fiscal years 2027-2028, HHS would make $800 million available from the Medicare Hospital Insurance Trust Fund to approximately 2,000 high-need hospitals to implement the “essential” cybersecurity practice standards. Tied to a hospital's participation in the Promoting Interoperability Program, acute care hospitals that fail to implement the essential cybersecurity practices would be subject to penalties of up to 100% of the annual market basket increase and, beginning in 2031, an additional penalty of up to 1 percent off the base payment. Critical access hospitals (CAHs) that are not compliant would receive payment reductions of up to 1% (a total of 1% if penalties are also imposed for noncompliance with other parts of the Promoting Interoperability Program).
Next, HHS would make $500 million available from the Medicare Hospital Insurance Trust Fund during fiscal years 2029 and 2030 for all hospitals to implement the “enhanced” cybersecurity practices. Beginning in FY2031, CMS would have the option to transition the “enhanced” cybersecurity practices into required standards under the Promoting Interoperability Program, and acute care hospitals that fail to adopt the enhanced cybersecurity practices CMS selects would be subject to penalties of up to 100% of the annual market basket increase and, beginning in 2031, an additional penalty of up to 1 percent off the base payment amount. Critical access hospitals (CAHs) that are not compliant would receive payment reductions of up to 1% (or the total amount if penalties have already been imposed for noncompliance with other parts of the Promoting Interoperability Program). According to the budget summary, these penalties are similar to HHS's proposed framework for establishing and administering “appropriate disincentives” for health care providers under the information blocking rules.
The American Hospital Association criticized this proposal in a letter dated March 13, 2024, to Senate Finance Committee leadership, noting that recent cyberattacks in the healthcare sector were the driving force behind the proposal. The letter stated in part: “This blames hospitals for the hacker's crime, as if the hospital were at fault for the crime committed against it. Many recent cyberattacks against hospitals and health systems, including the current Change Healthcare cyberattack, originate from third-party technologies and other vendors. No organization, including federal agencies, is immune to cyberattacks. Imposing fines or reducing Medicare payments would reduce hospital resources needed to fight cybercrime and be counterproductive to the common goal of preventing cyberattacks. The government's budget proposals for hospitals are wrong and will not improve the overall cybersecurity posture of the health sector.”
HIPAA Security Rule
Organizations considering how the HPH CPGs change their compliance posture should carefully consider the HPH CPGs in the context of the HIPAA Security Rule, with which hospitals, as covered entities, are already required to comply. On the surface, many of these goals are already deeply embedded in an organization's HIPAA compliance program. Hospitals should pay particular attention to HPH CPGs that are more specific than, or do not closely align with, the HIPAA Security Rule standards.
Compliance with the administrative safeguards, technical safeguards, and organizational requirements that the HIPAA Security Rule imposes on regulated entities serves as one form of baseline from which organizations can verify compliance with the HPH CPGs. For example, one essential goal is email security, which an organization may already have in place through its implementation of the access control (45 CFR § 164.312(a)) and transmission security (45 CFR § 164.312(e)) standards. By contrast, one example of an essential HPH CPG that is not explicitly required by the HIPAA Security Rule is “multi-factor authentication” (although it is generally understood to be an industry-wide best practice). An example of an enhanced goal is “cybersecurity mitigation,” which HIPAA-compliant organizations may already address through the security incident procedures standard and their obligation under the HIPAA Security Rule to mitigate, to the extent practicable, the harmful effects of security incidents (45 CFR § 164.308(6)). Nevertheless, hospitals will need to evaluate all “enhanced” HPH CPGs against their current controls based on HIPAA Security Rule compliance. HHS also mentioned the possibility of amending the HIPAA Security Rule in its December 2023 concept paper, but has not provided any additional information since then.
NIST CSF V1.1 Mapping: Mitigating Known Vulnerabilities
As discussed in a previous post, in addition to the mandates of the HIPAA Security Rule, hospitals have a large set of cybersecurity standards to choose from, and these standards overlap with each other and with the HPH CPGs. For hospitals wishing to compare their current cybersecurity programs with the HPH CPGs, HHS has mapped the HPH CPGs to the desired outcomes of the National Institute of Standards and Technology Cybersecurity Framework Version 1.1 (NIST CSF V1.1) and to the controls of NIST 800-53 Rev 5.
To provide an example of an HPH CPG mapped to NIST standards and controls, the NIST CSF V1.1 desired outcomes that HHS mapped to the “Mitigate Known Vulnerabilities” HPH CPG are shown below.
- Asset vulnerabilities are identified and documented (ID.RA-1)
- A vulnerability management plan is developed and implemented (PR.IP-12)
- A vulnerability scan is performed (DE.CM-8)
- Newly identified vulnerabilities are mitigated or documented as accepted risks (RS.MI-3)
- A process is established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, security researchers) (RS.AN-5)
- Risk responses are identified and prioritized (ID.RA-6)
- Remote access is managed (PR.AC-3)
In addition, the following are the NIST 800-53 Rev 5 controls (NIST's catalog of security and privacy controls for information systems and organizations) that HHS has mapped to the Mitigate Known Vulnerabilities HPH CPG.
- Control Assessments (CA-2)
- Plan of Action and Milestones (CA-5)
- Continuous Monitoring (CA-7)
- Penetration Testing (CA-8)
- Plan of Action and Milestones Process (PM-4)
- Security and Privacy Groups and Associations (PM-15)
- Risk Assessment (RA-3)
- Vulnerability Monitoring and Scanning (RA-5)
- System Documentation (SA-5)
- Developer Testing and Evaluation (SA-11)
- Flaw Remediation (SI-2)
- System Monitoring (SI-4)
- Security Alerts, Advisories, and Directives (SI-5)
- Policy and Procedures (RA-1)
- Risk Management Strategy (PM-9)
- Risk Framing (PM-28)
- Risk Response (RA-7)
- Policy and Procedures (CA-1)
- Supplier Assessments and Reviews (SR-6)
- Policy and Procedures (AC-1)
- Remote Access (AC-17)
- Access Control for Mobile Devices (AC-19)
- Use of External Systems (AC-20)
- Collaborative Computing Devices and Applications (SC-15)
These standards provide additional control-level specificity for organizations that want to ensure they meet HHS's intended requirements for the HPH CPGs.
Next Steps
Given the proposed incentives and penalties outlined above, in addition to reviewing their HIPAA compliance programs, organizations should use the additional resources HHS has provided, such as the mappings to NIST CSF V1.1 and NIST 800-53 Rev 5, to compare their current controls against those listed in these standards and see where they stand. Organizations should also note that NIST released NIST CSF 2.0 in February 2024, which may also be useful for HPH CPG compliance reviews.