
Cybersecurity standards raised for healthcare

Healthcare Cybersecurity

Cyber attacks can be particularly damaging in the healthcare field, given the sensitive patient data that must be protected in electronic health records (EHRs) and other digital files. Healthcare, along with water and emergency communications, has been identified as a critical infrastructure area designated for increased cybersecurity standards.

Healthcare facilities that experience cyber attacks such as ransomware may find that they have to halt operations completely. At the very least, the threat can cause disruptions not only in their business operations but, more importantly, in the safety of the patients involved. In larger facilities such as hospitals and medical centers, patient mortality has seen an increase after ransomware or other major cyber attacks.

The White House has identified healthcare, water, and emergency communications as “soft spots” in critical infrastructure resiliency for the US. These are all areas that could directly affect individuals’ safety if their digital information were compromised.

Elation Health offers EHR developers an ONC-certified solution that enables independent physicians to improve patient outcomes at scale with a forward-thinking partner that drives results. Learn more here.

At the end of October 2022, the Department of Homeland Security (DHS) released its Cybersecurity Performance Goals (CPGs), voluntary practices outlining the highest-priority baseline measures that healthcare technology developers and users can take to protect themselves against cyber threats. These CPGs were developed through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House.

These 37 voluntary cybersecurity performance goals are designed to raise security baselines, serving as a broadly digestible roadmap to minimum operational security. Spanning the tactical and the technical, the goals weigh the cost, complexity, and impact of the security initiatives. CISA says that the goals “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.” In establishing the goals, CISA has placed a premium on high-impact, low-cost security efforts, which account for over 40% of the list.

In addition, CISA emphasizes that the CPGs are intended to be:

  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Distinct from other control frameworks, in that they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

The CPGs are:

  • Voluntary: The National Security Memorandum does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.
  • Not comprehensive: They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.

Criteria used to develop the CPGs include the fact that they:

  • Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs.
  • Are clear, actionable, and easily definable.
  • Are reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement.

For example, the CPG of “ensuring that none of an organization’s internet-facing systems have any Known Exploited Vulnerabilities (KEV)” is definable, achievable, and directly reduces the risk from a known threat — that nation-state adversaries actively exploit those weaknesses in the wild. However, a practice such as “Implement Zero Trust (ZT)” would not be a suitable CPG, as this practice is vague, insufficiently defined, hard to measure, and can be overly burdensome for small organizations.
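One way to make that KEV goal measurable, as an added example that is not part of the original post or of CISA's publication: cross-check a scanner-produced inventory of internet-facing hosts against the KEV catalog and report any host still carrying a listed CVE. The catalog and inventory below are constructed samples; the `vulnerabilities`/`cveID` field names are assumed to follow the shape of CISA's published KEV JSON feed, and the host names and CVE identifiers are placeholders.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of CISA's KEV catalog JSON feed (only the
# fields this check needs); the CVE identifiers are placeholders, not real entries.
KEV_CATALOG_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail"}
]}
"""

# Constructed asset inventory: each host carries the CVEs a vulnerability scanner
# reported on it, plus whether the host is reachable from the internet.
ASSET_INVENTORY = [
    {"host": "vpn.example.test", "internet_facing": True,
     "cves": ["CVE-0000-0001", "CVE-0000-0099"]},
    {"host": "mail.example.test", "internet_facing": True, "cves": []},
    {"host": "intranet.example.test", "internet_facing": False,
     "cves": ["CVE-0000-0002"]},
]


def load_kev_ids(catalog_json: str) -> Set[str]:
    """Return the set of CVE IDs listed in a KEV-style catalog document."""
    return {v["cveID"] for v in json.loads(catalog_json)["vulnerabilities"]}


def kev_exposures(assets: List[dict], kev_ids: Set[str]) -> Dict[str, List[str]]:
    """Map each internet-facing host to the KEV-listed CVEs still present on it."""
    findings: Dict[str, List[str]] = {}
    for asset in assets:
        # Hosts that are not internet-facing are outside this CPG's scope, so they
        # are skipped here even when they carry KEV-listed CVEs (still patch them).
        if not asset.get("internet_facing"):
            continue
        hits = sorted(set(asset.get("cves", [])) & kev_ids)
        if hits:
            findings[asset["host"]] = hits
    return findings

def goal_met(assets: List[dict], kev_ids: Set[str]) -> bool:
    """True only when no internet-facing host has any KEV-listed CVE."""
    return not kev_exposures(assets, kev_ids)

if __name__ == "__main__":
    kev = load_kev_ids(KEV_CATALOG_JSON)
    for host, cves in kev_exposures(ASSET_INVENTORY, kev).items():
        print(f"{host}: KEV-listed {', '.join(cves)}")
    print("CPG met:", goal_met(ASSET_INVENTORY, kev))
```

Run against a real inventory, the same check can be re-run after each patch cycle to show whether the goal holds, which is exactly the "definable, achievable" property the text attributes to this CPG.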

The CISA publication, Cross-Sector Cybersecurity Performance Goals 2022, lists the specific CPGs. For each goal it gives:

  • The outcome.
  • Tactics, techniques, and procedures (TTP) or risk assessed.
  • The scope of involved assets.
  • The recommended action for each.