
Essential and Enhanced Cyber Performance Goals Your Healthcare Org Should Be Meeting

Bob Satyal

June 12, 2024

Recent cyberattacks against healthcare companies in the United States have caused huge disruptions to patient care and business continuity.

Some of the recent cyberattacks against healthcare organizations include:

  • Ascension (2024): A cyberattack in May caused system outages at Ascension hospitals nationwide, disrupting operations and impacting patient care. The outages affected access to the company’s EHR (Electronic Health Records) system.

Ascension expects EHR restoration across its network by June 14 | Healthcare Finance News

  • Prospect Medical Holdings (2023): A ransomware attack shut down hospital operations in multiple states.
  • CommonSpirit Health (2022): A ransomware attack caused missed appointments and prevented prescriptions from being refilled.

While the specific details of the Ascension attack and some of the other highly publicized cyberattacks are still under investigation, they are part of a growing list of targeted attacks by cybercriminals. BlackCat, Black Basta, and Rhysida are some of the well-known cybercriminal organizations that use ransomware as a service (RaaS) to target organizations in healthcare. These are criminal enterprises that provide a platform for these cyberattacks: they create and maintain the ransomware tools, then lend the tools out to other criminals who launch the attacks themselves.

The tactics of cybercriminal groups such as BlackCat, Black Basta, and Rhysida include gaining access through compromised credentials and then moving laterally within the target’s network. They then encrypt a victim’s data, steal it, and threaten to release the data in order to extort the victim into paying a ransom. The level of sophistication of these groups has grown more alarming and makes any organization with vulnerabilities and weak cybersecurity practices a potential target.

The catastrophic nature and increased frequency of these attacks have caused the US Department of Health and Human Services (HHS) to issue an advisory in response to some of these recent large cyberattacks in the healthcare sector. The HHS advisory concludes by saying that the entire healthcare industry must double down on “cybersecurity.” It advises all healthcare organizations to adopt what HHS calls CPGs, or Cybersecurity Performance Goals. These are voluntary practices that HHS has deemed to have the highest impact in helping healthcare organizations stay protected from cyberattacks.

HHS has divided the goals into two categories: Essential Goals and Enhanced Goals. Essential goals address common vulnerabilities, while enhanced goals mature a healthcare organization’s cybersecurity to prepare for additional attack vectors.


The ten essential goals include:
  • Mitigate Known Vulnerabilities
  • Email Security
  • Multifactor Authentication
  • Basic Cybersecurity Training
  • Strong Encryption
  • Revoking Credentials for Terminated Employees
  • Basic Incident Planning and Preparedness
  • Unique Credentials
  • Separate User and Privileged Accounts
  • Vendor/Supplier Cybersecurity Requirements


The ten enhanced goals include:
  • Asset Inventory
  • Third Party Vulnerability Disclosure
  • Third Party Incident Reporting
  • Cybersecurity Testing
  • Cybersecurity Mitigation
  • Detect and Respond to Relevant Threats and Tactics
  • Network Segmentation
  • Centralized Log Collection
  • Centralized Incident Planning and Preparedness
  • Configuration Management

Cyberattacks targeting healthcare organizations in the United States continue and show no signs of leveling off. The US Department of Health and Human Services (HHS) Cybersecurity Performance Goals (CPGs) provide a valuable framework for improving cybersecurity in the healthcare industry. By implementing these measures, healthcare organizations of any size can strengthen their cybersecurity posture and reduce the risk of catastrophic cyberattacks.

Contact MTS today and learn how we can help improve your cyber readiness.