As promised in the U.S. Department of Health and Human Services (HHS) concept paper of December 2023, the agency introduced voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) in January 2024, and more recently the HHS FY2025 budget proposed the following: establish certain HPH CPG compliance incentives and penalties for hospitals.
The HPH CPGs are split into “essential” goals, which are intended to serve as baseline requirements for organizations, and “enhanced” goals, which are intended to foster more sophisticated practices. HHS developed the HPH CPGs using the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector CPGs and other industry cybersecurity frameworks released in March 2023.
Essential goals:
Mitigate known vulnerabilities
Email security
Multifactor authentication
Basic cybersecurity training
Strong encryption
Revoke credentials for departing workforce members, including employees, contractors, affiliates, and volunteers
Basic incident planning and preparedness
Unique credentials
Separate user and privileged accounts
Vendor/supplier cybersecurity requirements
Enhanced goals:
Asset inventory
Third-party vulnerability disclosure
Third-party incident reporting
Cybersecurity testing
Cybersecurity mitigation
Detect and respond to relevant threats and tactics, techniques, and procedures (TTPs)
Network segmentation
Centralized log collection
Centralized incident planning and preparedness
Configuration management
FY2025 Budget Summary: Proposed Funding and Penalties
The HPH CPGs are a key part of the Biden administration’s fiscal year 2025 budget summary, released in March 2024, which proposed establishing an incentive structure around the “essential” and “enhanced” goals to encourage improvements in hospital cybersecurity practices. HHS also proposed penalties for certain hospitals that do not implement the “essential” and “enhanced” cybersecurity practice standards.
First, available in fiscal years 2027-2028, HHS will transfer $800 million from the Medicare Hospital Insurance Trust Fund to roughly 2,000 high-need hospitals, to be used to implement the “essential” cybersecurity practice standards. In connection with a hospital’s participation in the Promoting Interoperability Program, acute care hospitals that fail to implement the essential cybersecurity practices would be subject to penalties of up to 100% of the annual market basket increase, beginning in 2031, and an additional penalty of up to a 1% reduction in the base rate may be imposed. Critical access hospitals (CAHs) that are not compliant would receive payment reductions of up to 1% (a total of 1% if penalties are also imposed for noncompliance with other elements of the Promoting Interoperability Program).
Next, to be made available during fiscal years 2029-2030, HHS will transfer $500 million from the Medicare Hospital Insurance Trust Fund to all hospitals to implement the “enhanced” cybersecurity practices. CMS would have the option to transition the “enhanced” cybersecurity practices to standards required under the Promoting Interoperability Program beginning in FY 2031, and also the option not to adopt enhanced cybersecurity practices of its choosing. Acute care hospitals would be subject to penalties of up to 100% of the annual market basket increase, and beginning in 2031, an additional penalty of up to 1 percent off the base rate amount may be imposed. Critical access hospitals (CAHs) that are not compliant would receive payment reductions of up to 1% (or the full amount if penalties were also imposed for noncompliance with other elements of the Promoting Interoperability Program). These penalties are similar to HHS’s proposed framework to establish and administer “appropriate disincentives” for health care providers under the information blocking rules, according to the budget summary.
The American Hospital Association criticized this proposal in a letter dated March 13, 2024, to Senate Finance Committee leadership, noting that recent cyberattacks in the healthcare sector were the driving force behind the proposal. It stated in part: “This blames the hospital for the hacker’s crime, as if it were the hospital’s fault that the crime was committed. Many recent cyberattacks against hospitals and health systems, including the current Change Healthcare cyberattack, originate from third-party technologies and other vendors. No organization, including federal agencies, is immune to cyberattacks. Imposing fines or reducing Medicare payments would reduce the hospital resources needed to combat cybercrime and be counterproductive to the common goal of preventing cyberattacks. The government’s budget proposals for hospitals are wrong and will not improve the overall cybersecurity posture of the health sector.”
HIPAA Security Rule
Organizations considering how the HPH CPGs change their compliance posture should carefully consider the HPH CPGs in the context of the HIPAA Security Rule, with which hospitals, as covered entities, are already required to comply. On the surface, many of these goals are already deeply embedded in an organization’s HIPAA compliance program. In particular, hospitals should be mindful of HPH CPGs that are more specific than, or do not closely align with, the HIPAA Security Rule standards.
Compliance with the administrative safeguards, technical safeguards, and organizational requirements of the HIPAA Security Rule for regulated entities serves as one form of baseline from which organizations can verify compliance with the HPH CPGs. For example, one essential goal is email security, which an organization may already have in place by implementing the access control (45 CFR § 164.312(a)) and transmission security (45 CFR § 164.312(e)) standards. However, one example of an essential HPH CPG that is not explicitly required by the HIPAA Security Rule is “multifactor authentication” (though this is generally understood to be an industry-wide best practice). An example of an enhanced goal is “cybersecurity mitigation,” which a HIPAA-compliant organization may already satisfy by operating in accordance with the Security Incident Procedures standard and its obligation under the HIPAA Security Rule to mitigate, to the extent practicable, the harmful effects of security incidents (45 CFR § 164.308(6)). Nevertheless, hospitals will want to consider all “enhanced” HPH CPGs against their existing controls built on HIPAA Security Rule compliance. HHS also mentioned the possibility of amending the HIPAA Security Rule in its December 2023 concept paper, but has not provided any further information since then.
NIST CSF V1.1 Mapping: Mitigating Known Vulnerabilities
As we discussed in our earlier post, in addition to the mandates of the HIPAA Security Rule, hospitals have a large set of cybersecurity standards from which to choose, those standards overlap across the HPH CPGs, and we discussed how those different standards are expected to interact. For hospitals wishing to compare their existing cybersecurity programs with the HPH CPGs, HHS has mapped the HPH CPGs to the desired outcomes of the National Institute of Standards and Technology Cybersecurity Framework Version 1.1 (NIST CSF V1.1) and to the controls of NIST SP 800-53 Rev 5.
To give an example of an HPH CPG mapped to NIST standards and controls, the NIST CSF V1.1 outcomes that apply to the “Mitigate Known Vulnerabilities” HPH CPG are shown below.
Asset vulnerabilities are identified and documented (ID.RA-1)
A vulnerability management plan is developed and implemented (PR.IP-12)
Vulnerability scans are performed (DE.CM-8)
Newly identified vulnerabilities are mitigated or documented as accepted risks (RS.MI-3)
Processes are established to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers) (RS.AN-5)
Risk responses are identified and prioritized (ID.RA-6)
Remote access is managed (PR.AC-3)
In addition, the following are the NIST 800-53 Rev 5 controls, from the catalog of security and privacy controls for information systems and organizations, that HHS has directly mapped to the “Mitigate Known Vulnerabilities” HPH CPG.
Control Assessments (CA-2)
Plan of Action and Milestones (CA-5)
Continuous Monitoring (CA-7)
Penetration Testing (CA-8)
Plan of Action and Milestones Process (PM-4)
Security and Privacy Groups and Associations (PM-15)
Risk Assessment (RA-3)
Vulnerability Monitoring and Scanning (RA-5)
System Documentation (SA-5)
Developer Testing and Evaluation (SA-11)
Flaw Remediation (SI-2)
System Monitoring (SI-4)
Security Alerts, Advisories, and Directives (SI-5)
Policy and Procedures (RA-1)
Risk Management Strategy (PM-9)
Risk Framing (PM-28)
Risk Response (RA-7)
Policy and Procedures (CA-1)
Supplier Assessments and Reviews (SR-6)
Policy and Procedures (AC-1)
Remote Access (AC-17)
Access Control for Mobile Devices (AC-19)
Use of External Systems (AC-20)
Collaborative Computing Devices and Applications (SC-15)
These standards provide additional control-level specificity for organizations that want to ensure they meet HHS’s intended requirements for the HPH CPGs.
Next Steps
Given the proposed incentives and penalties outlined above, in addition to reviewing their HIPAA compliance programs, organizations should use the additional resources provided by HHS, such as the mappings to NIST CSF V1.1 and NIST 800-53 Rev 5, to see how they are doing by comparing their current controls to those listed in those standards. Organizations should also consider that NIST released NIST CSF 2.0 in February 2024, which may also be useful for HPH CPG compliance reviews.