Heads Up for Healthcare: Preparing for Incoming Regulatory Changes

Medical information is worth a lot of money these days. In fact, it’s up to 50 times more valuable than financial information — a figure that perhaps explains why the healthcare industry saw a 136% increase in data breaches between 2022 and 2023.

Although the health sector is subject to a great deal of regulation already, these stats are a pretty good indicator that there’s a need for a healthcare-specific cybersecurity standard. The cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services (HHS) are a step toward that end.

In this article, we outline what the CPGs are, who they affect, and how they might benefit your MSP.

What’s Happening in Healthcare?

The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) released the Cross-Sector Cybersecurity Performance Goals (CPGs) in March 2023. These CPGs serve as a baseline for cybersecurity practices across national critical-infrastructure entities and are the inspiration behind HHS’ development of healthcare-specific CPGs.

In addition to CISA’s CPGs, the Healthcare and Public Health (HPH) CPGs are built on the guidance of frameworks such as the Healthcare Industry Cybersecurity Practices, the National Cybersecurity Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Although the CPGs are currently voluntary, they could be setting the foundation for future regulatory requirements in the health sector (so pay attention).

Essential and Enhanced Goals

The HPH has divided the CPGs into two categories: essential and enhanced goals.

The essential goals encompass the most common vulnerabilities in the health sector. They define safeguards to protect against cyberattacks, minimize residual risk, and improve response plans when attacks do occur.

The enhanced goals are intended for organizations that have met the essential goals and wish to further improve their cybersecurity capabilities. These are the next level of defense, so to speak, and they protect against additional attack vectors.

Implementing the Essential Goals

The essential goals are exactly what they claim to be… essential. They’re the first step in implementing a cybersecurity program in the healthcare field, and the enhanced goals are what comes after the first set of controls are in place and functioning as they should.

With that understood, let’s start at the beginning. This is what’s listed under the essential goals:

Vulnerability management: Continuously identify, document, and manage asset vulnerabilities to reduce the risk of cyberattacks through organizational networks that are directly accessible from the Internet.
Email security: Implement user and device authentication and protection of communications and control networks to reduce common email threats, such as spoofing, phishing and fraud.
Multi-factor authentication (MFA): Protect assets and accounts directly accessible from the Internet by authenticating users, devices and other assets as well as managing identities and credentials.
Cybersecurity training: Inform and train users, privileged users and third-party stakeholders on more secure behaviors.
Encryption: Deploy encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion.
Credential revocation: Promptly revoke the credentials of former employees, contractors, affiliates and volunteers to prevent unauthorized access to organizational accounts and resources.
Incident response: Plan and prepare an effective response to cybersecurity incidents, including personnel training and coordination with stakeholders.
Unique passwords: Issue and manage unique identities and credentials in order to detect anomalous activity and prevent attackers from laterally penetrating a network.
Segregation of privileged accounts: Use secondary accounts to prevent attackers from accessing privileged accounts when common users are compromised.
Supply chain risk management: Identify, assess, and mitigate risks associated with third party partners and suppliers through the use of contracts.

Who is Impacted?

Healthcare organizations and healthcare delivery organizations are under no obligation, legal or regulatory, to adopt these practices. As of now, the HPH CPGs are completely voluntary.

With that said, we know that medical records are highly valued by would-be attackers and the threat to the health sector grows year-on-year. The CPGs address the most common methods used to attack healthcare organizations and provide a basic level of protection that benefits both the organization and their patients.

Without at least that basic level of protection, organizations risk finding themselves on the Office for Civil Rights (OCR) “Wall of Shame.” A very public list of the organizations under investigation for data breaches in the last 24 months, placement on the Wall of Shame can bring with it major reputational damage.

What’s more, it’s highly likely that these goals will become the basis for future mandates in healthcare. That probability was made very clear in the HPH CPG concept paper, which stated:

“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”

What it all Means for MSPs

If you’ve read our latest guide to selling CaaS, you’ll know that we recommend including the following in any CaaS protect offering :

Multi-factor authentication
Backups
Security awareness training
Policies and procedures
Antivirus
Assessments

You’ll notice that this product offering covers most of the HPH CPG’s essential goals. Multifactor authentication and cybersecurity awareness training are part of your CaaS service offering, so no need to address that further. Vulnerability management and supply chain risk management are accomplished through antivirus and assessments, incident response plans are supported by backups, and encryption is either something you’re already doing, or are capable of doing.

Every other goal outlined by the HPH (as well as all of the above), are supported and enforced by the policies and procedures component of a CaaS package.

Why Policies and Procedures?

While you may already be offering most of the products listed in the product offering, what’s generally missing for most MSPs is the policies and procedures part. In our view, policies and procedures are the missing link in any compliance offering.

Creating a culture of compliance

Policies provide guidelines and define expectations, while procedures outline the steps to achieve those expectations. Together, they shape how business is conducted on the day to day.

Policies and procedures tell employees how to behave and set consequences for not complying. They define the roles, rules and boundaries that ensure consistency and accountability. In other words, policies and procedures operationalize compliance by making it part of company culture and an integrated component of how business is conducted.

(Reading tip: Compliance Coaching: Can You Tell Policies, Standards, and Procedures Apart?)

Shifting left of boom

Policies and procedures also enable you to build defensibility, shifting from being reactive to compliance risks, to proactively mitigating them. Having a vulnerability management policy enables you to identify potential risks in advance and establish preventive measures to address them. Having a policy that outlines a review cadence allows organizations to stay ahead of regulatory changes and industry best practices.

When you operate left of boom, you take ownership of compliance, ultimately reducing the likelihood of costly violations and reputational damage. But, in order to do that, you need policies that outline why things are done in a certain way, and procedures that define how they’re done.

Compliance Scorecard for Policies and Procedures

If policies and procedures are the missing link in your CaaS package, Compliance Scorecard is the tool to fill the gap. It’s built for policy and procedure management and offers everything an MSP needs to build and sell a CaaS package for healthcare clients.

Templates galore

Need an ethics template? A security template? A privacy template? Find all those and then some in Compliance Scorecard. Better yet, check out our HIPAA Policy Pack, which includes healthcare-specific policy templates for employee training, business associate agreements, access controls and incident response policies.

Enhanced efficiency

With Compliance Scorecard, you only need to write a policy once, and you can deploy it as many times as you need. That means that all the heavy lifting is done the first time around, and with each subsequent client, you save precious time and resources. The same can be said for our assessments, by the way. Do it once and duplicate it every time after that.

Supporting authorization and adoption

Policies and procedures mean nothing if they’re not authorized and adopted by the client. Compliance Scorecard facilitates these essential aspects of implementing CPGs across an organization. It enables MSPs to have their clients read, understand and acknowledge every policy and procedure created, and send reminders until they’ve been signed off.

Start Selling CaaS to Your Healthcare Clients

The HPH CPGs are voluntary — for now. But the HHS has hinted that these are likely to become required of all healthcare organizations and healthcare delivery organizations in the very near future.

Start your shift from a reactive stance to a proactive one by jumping on this opportunity to sell CaaS to your healthcare clients. You’re likely already providing a number of the products required to meet the goals, all that’s needed is a tool to create and manage the policies and procedures that operationalize compliance.

Compliance Scorecard is that tool. Contact Compliance Scorecard to learn more about how we help you sell CaaS to healthcare clients, or book a demo to see for yourself how it works.