HHS Cybersecurity Performance Goals: A Mixed Bag of Necessity and Redundancy

In the wake of escalating cyber threats, the healthcare sector's cybersecurity landscape is evolving. The recent release of the Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals marks a significant step. But is this the same old complacency story?

The spotlight on healthcare cybersecurity is timely and crucial. With the sector facing an alarming rate of breaches, there’s an undeniable need for robust security measures. The idea of performance goals is commendable, providing a structured path for healthcare entities to bolster their defenses. The inclusion of a cyber defense matrix serves as a practical guide, aiding organizations in identifying and mitigating various cyber threats.

However, despite these positives, the performance goals raise some concerns. They seem to echo existing guidance like CISA CPGs and the NIST Cybersecurity Framework, bringing into question their uniqueness. The approach, while foundational, might be too basic for today’s complex healthcare cybersecurity needs. It risks encouraging a 'business as usual' mindset, potentially overlooking advanced threats.

A glaring omission is the lack of emphasis on privacy. With privacy being a cornerstone in the cyber industry and considering the substantial fines for non-compliance, its exclusion is notable. A more modern cybersecurity industry integrates privacy controls (e.g., NIST's Cybersecurity and Privacy controls), a practice that these new goals could benefit from.

There's an underlying message in these goals that might undermine the rigor of HIPAA Security and Privacy rules. By outlining strategies without mandating comprehensive adoption, it may inadvertently suggest that not all measures are critical. This could dilute the intent of HIPAA.

While the new cybersecurity performance goals for the healthcare sector are a step in the right direction, they fall short in certain areas. There is a fine line between providing guidance and fostering complacency. The healthcare sector needs a dynamic, forward-thinking approach that not only addresses current threats but is also agile enough to adapt to emerging ones. Integrating privacy into the cybersecurity narrative and advancing beyond the basics are crucial steps towards a more secure and resilient healthcare sector.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com