HHS Health Care Cybersecurity Performance Goals: Proposed Incentives, Penalties and Compliance Standards Review
As promised in the U.S. Department of Health and Human Services (HHS) concept paper in December 2023, the agency published voluntary health care and public health cybersecurity performance goals (HPH CPGs) in January 2024 and then recently proposed in the FY 2025 Budget to establish certain HPH CPG compliance incentives and penalties for hospitals.
The HPH CPGs are divided into “essential” goals, which are intended to serve as baseline standards for organizations, and “enhanced” goals meant to promote more sophisticated practices. HHS used the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector CPGs released in March 2023 as well as other industry cybersecurity frameworks to develop the HPH CPGs:
Essential Goals:
- Mitigate Known Vulnerabilities;
- Email Security;
- Multifactor Authentication;
- Basic Cybersecurity Training;
- Strong Encryption;
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers;
- Basic Incident Planning and Preparedness;
- Unique Credentials;
- Separate User and Privileged Accounts; and
- Vendor/Supplier Cybersecurity Requirements.
Enhanced Goals:
- Asset Inventory;
- Third Party Vulnerability Disclosure;
- Third Party Incident Reporting;
- Cybersecurity Testing;
- Cybersecurity Mitigation;
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures (TTP);
- Network Segmentation;
- Centralized Log Collection;
- Centralized Incident Planning and Preparedness; and
- Configuration Management.
FY 2025 Budget in Brief: Proposed Funding and Penalties
The HPH CPGs are an important part of the Biden Administration’s FY 2025 Budget in Brief, released in March 2024, in which the administration proposed to establish “essential” and “enhanced” incentive structures to encourage hospitals, if applicable, to upgrade their cybersecurity practices. HHS also proposed penalties for certain hospitals that fail to implement “essential” and “enhanced” cybersecurity practice standards.
First, available during FY 2027 and FY 2028, HHS would transfer $800 million from the Medicare Hospital Insurance Trust Fund to approximately 2,000 high-needs hospitals that would be used to implement “essential” cybersecurity practice standards. In connection with hospitals’ participation in the Promoting Interoperability Program, acute care hospitals that do not adopt essential cybersecurity practices would be responsible for penalties of up to 100 percent of the annual market basket increase and beginning in FY 2031 potential additional penalties of up to 1 percent off the base payment; non-compliant Critical Access Hospitals (CAHs) would receive up to a 1 percent payment reduction (or a total of 1 percent if it is being penalized for non-compliance with other portions of the Promoting Interoperability Program).
Next, for availability during FY 2029 and FY 2030, HHS would transfer $500 million from the Medicare Hospital Insurance Trust Fund to all hospitals to implement “enhanced” cybersecurity practices. CMS has the opportunity to transition the “enhanced” cybersecurity practice standards to being required under the Promoting Interoperability Program as of FY 2031, and acute care hospitals that do not adopt CMS-chosen enhanced cybersecurity practices would be responsible for penalties of up to 100 percent of the annual market basket increase and beginning in FY 2031 potential additional penalties of up to 1 percent off the base payment. Non-compliant Critical Access Hospitals (CAHs) would receive up to a 1 percent payment reduction (or a total of 1 percent if it is being penalized for non-compliance with other portions of the Promoting Interoperability Program). According to the Budget in Brief, this proposal would be for $1.3 billion over 10 years. These penalties have some similarities to the HHS proposed framework to establish and manage “appropriate disincentives” for health care providers under the Information Blocking Rule.
Noting that recent cyberattacks in health care were a driving force behind the proposal, the American Hospital Association (AHA) criticized the proposal in a March 13, 2024 letter to Senate Finance Committee leaders, stating in part: “The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals and the health care system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks. The Administration’s budget proposal for hospitals is misguided, and it will not improve the overall cybersecurity posture of the health care sector.”
HIPAA Security Rule
Organizations reviewing how the HPH CPGs change their compliance posture should carefully review the HPH CPGs against the HIPAA Security Rule, with which hospitals, as Covered Entities, are already required to comply. Ostensibly, many of these goals are already deeply ingrained within organizations’ HIPAA compliance programs. Hospitals, in particular, should be aware of the instances in which the HPH CPGs either have more specificity than, or do not squarely fit into, HIPAA Security Rule standards.
Regulated entities’ compliance with the administrative safeguard, technical safeguard, and organizational requirements under the HIPAA Security Rule will serve as one baseline for organizations when reviewing their compliance with the HPH CPGs. For example, one Essential Goal is Email Security, which organizations may already have in place pursuant to implementation of the access controls (45 C.F.R. § 164.312(a)) and transmission security standards (45 C.F.R. § 164.312(e)). However, one example of an essential HPH CPG that is not expressly required by the HIPAA Security Rule is “Multifactor Authentication” (though it is generally understood as an industry-wide best practice). An example of an enhanced goal is “Cybersecurity Mitigation”, which HIPAA-compliant organizations are likely to have addressed pursuant to the security incident procedures standard and their duty to mitigate, to the extent practicable, harmful effects of security incidents under the HIPAA Security Rule (45 C.F.R. § 164.308(6)). However, hospitals will want to review all “enhanced” HPH CPGs against their current controls based on HIPAA Security Rule compliance. In its December 2023 concept paper, HHS also mentioned the possibility of amending the HIPAA Security Rule, but has not since provided any additional information.
NIST CSF and NIST 800-53 Mapping: Mitigating Known Vulnerabilities
In addition to HIPAA Security Rule obligations, hospitals have many sets of cybersecurity standards to choose from, as we discussed in our prior post, and overlap across the HPH CPGs and those various standards was expected. For hospitals looking to see how their current cybersecurity program compares to the HPH CPGs, HHS mapped the HPH CPGs against the National Institute of Standards and Technology Common Security Framework Version 1.1 (NIST CSF V1.1) desired outcomes and NIST 800-53 Revision 5 (REV5) controls.
To illustrate one example of an HPH CPG mapped against NIST standards and controls, the following are the NIST CSF V1.1 desired outcomes that apply to the “Mitigate Known Vulnerabilities” HPH CPG:
- Asset vulnerabilities are identified and documented (ID.RA-1)
- A vulnerability management plan is developed and implemented (PR.IP-12)
- Vulnerability scans are performed (DE.CM-8)
- Newly identified vulnerabilities are mitigated or documented as accepted risks (RS.MI-3)
- Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) (RS.AN-5)
- Risk responses are identified and prioritized (ID.RA-6)
- Remote access is managed (PR.AC-3)
Additionally, below are the NIST 800-53 REV5 controls (NIST 800-53 is a catalog of security and privacy controls for information systems and organizations) that HHS mapped directly against the “Mitigate Known Vulnerabilities” HPH CPG:
- Control Assessments (CA-2)
- Plan of Action and Milestones (CA-5)
- Continuous Monitoring (CA-7)
- Penetration Testing (CA-8)
- Plan of Action and Milestone Process (PM-4)
- Security and Privacy Groups and Associations (PM-15)
- Risk Assessment (RA-3)
- Vulnerability Monitoring and Scanning (RA-5)
- System Documentation (SA-5)
- Developer Testing and Automation (SA-11)
- Flaw Remediation (SI-2)
- System Monitoring (SI-4)
- Security Alerts, Advisories, and Directives (SI-5)
- Policies and Procedures (RA-1)
- Risk Management Strategy (PM-9)
- Risk Framing (PM-28)
- Risk Response (RA-7)
- Policies and Procedures (CA-1)
- Supplier Assessments and Reviews (SR-6)
- Policies and Procedures (AC-1)
- Remote Access (AC-17)
- Access Control for Mobile Devices (AC-19)
- Use of External Systems (AC-20)
- Collaborative Computing Devices and Applications (SC-15)
These standards feature some additional specificity around controls for organizations looking to confirm that they are meeting HHS's intended requirements for HPH CPGs.
Next Steps
Given the proposed incentives and penalties outlined above, in addition to reviewing against their HIPAA compliance program, organizations will want to use the additional resources provided by HHS, such as the NIST CSF V1.1 and NIST 800-53 Rev 5 mappings, to see how their current controls compare to the controls enumerated by those standards. Organizations will also want to consider that NIST released NIST CSF 2.0 in February 2024, which may also be a useful tool for HPH CPG compliance review.