HHS Releases Cybersecurity Performance Goals to Enhance Cybersecurity for Health Care and Public Health Sectors

The Department of Health and Human Services ("HHS") has released voluntary cybersecurity performance goals for the health care and public health sectors, which outline an increasingly standardized regulatory approach and preview more intensive future enforcement efforts.

Following the HHS's 2023 concept paper outlining strategies to enhance cybersecurity for the health care and public health sectors, the HHS released its Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals ("CPGs"). These CPGs are categorized into "essential" and "enhanced" goals to address common cyber-related vulnerabilities in the health sector. According to HHS, the CPGs are built from and informed by common industry cybersecurity frameworks, guidelines, and best practices. Although compliance with CPGs is currently voluntary, HHS's concept paper reported its intention to implement enforceable cybersecurity standards informed by CPGs. 

Essential CPGs. The "essential" CPGs "outline minimum foundational practices for cybersecurity performance," setting a floor to facilitate better protection against cyberattacks, improve incident responsiveness, and minimize residual risk. The 10 essential CPGs direct health care organizations to:

  • Mitigate known vulnerabilities;
  • Improve email security against common threats (e.g., spoofing, phishing);
  • Implement multifactor authentication;
  • Establish basic cybersecurity training;
  • Use strong encryption in motion;
  • Revoke credentials for departing workforce members;
  • Facilitate cybersecurity incident planning and preparedness;
  • Use unique network credentials;
  • Separate common user and privileged accounts; and
  • Identify and mitigate risks associated with outside vendors.

Enhanced CPGs. The "enhanced" CPGs outline priorities to "mature [] cybersecurity capabilities" and propel organizations to "the next level of defense[.]" The 10 enhanced CPGs focus on:

  • Conducting asset inventories;
  • Processes for third-party vulnerability discovery and response;
  • Processes for third-party incident and breach reporting;
  • Cybersecurity testing;
  • Cybersecurity mitigation of vulnerabilities identified through testing;
  • Detection and response for relevant threats and tactics, techniques, and procedures;
  • Network segmentation to impede lateral movement by threat actors;
  • Centralized log collection to facilitate visibility, cost effectiveness, and efficient response;
  • Centralized cybersecurity incident planning and preparedness; and
  • Consistent baseline configuration management for devices and systems.

The CPGs are consistent with heightened scrutiny on cybersecurity practices in the health sector more generally. Whereas, historically, health data regulations allowed a flexible approach to implementation of cybersecurity practices, the CPGs presage standardized regulatory thresholds. Further, based on HHS's prior concept paper, health care entities may also expect concerted enforcement and steeper costs for noncompliance.

Industry stakeholders should consider:

  • Reviewing their cybersecurity practices relative to essential CPGs;
  • Reviewing enhanced CPGs and investments to implement advanced practices; 
  • Reviewing resources across federal departments, including HHS's Cybersecurity Gateway, for additional guidance and updates; and
  • Monitoring for proposed regulations to provide comment and facilitate compliance.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.