Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
The Department of Health and Human Services (HHS) helps the Healthcare and Public Health (HPH) critical infrastructure sector prepare for and respond to cyber threats, adapt to the evolving threat landscape, and build a more resilient sector. As outlined in the HHS Healthcare Sector Cybersecurity concept paper, HHS is publishing these voluntary healthcare specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.
These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety. They were built off the chassis of CISA’s CPGs and informed by common industry cybersecurity frameworks, guidelines, best practices, and strategies (e.g., Healthcare Industry Cybersecurity Practices, National Institute of Standards and Technology (NIST) Cybersecurity Framework,Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide, and the National Cybersecurity Strategy). The HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
To help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk.
To aid in further understanding the alignment to HICP we have included the links to the HICP sub-practices page for each CPG.
Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks that are directly accessible from the Internet.
CA-2, CA-5, CA-7, CA-8, PM-4, PM-15, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5, RA-1, RA-3, RA-5, SI-2, CA-5, PM-4, PM-9, PM-28, RA-7, CA-1, CA-2, RA-1, PM-4, PM-15, RA-7, SI-5, SR-6 AC-1, AC-17, AC-19, AC-20, SC-15
Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, SC-8, SC-11, AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4, AC-12, AC-17, AC-18, CP-8, SC-5, SC-7, SC-10, SC-11, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-38, SC-47, AC-14, IA-1, IA-2, IA-3, IA-5, IA-8, IA-9, IA-10, IA-11
Add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.
AC-14, IA-1, IA-2, IA-3, IA-5, IA-8, IA-9, IA-10, IA-11, IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
Ensure organizational users learn and perform more secure behaviors.
AT-2, PM-13, PM-14, AT-3, PM-13
Deploy encryption to maintain confidentiality of sensitive data and integrity of Information Technology (IT) and Operational Technology (OT) traffic in motion.
Prevent unauthorized access to organizational accounts or resources by former workforce members, including employees, contractors, affiliates, and volunteers by removing access promptly.
IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9, SA-21
Ensure safe and effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.
CP-10, IR-4, IR-8, CP-2, CP-3, IR-3, IR-8, CP-2, IR-4, IR-8, SI-5, PM-15
Use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization, particularly between IT and OT networks.
IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
Establish secondary accounts to prevent threat actor’s from accessing privileged or administrative accounts when common user accounts are compromised.
AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
Identify, assess, and mitigate risks associated with third party products and services.
SA-4, SA-9, SR-2, SR-3, SR-5
To help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
To aid in further understanding the alignment to HICP we have included the links to the HICP sub-practices page for each CPG.
Identify known, unknown (shadow), and unmanaged assets to more rapidly detect and respond to new vulnerabilities.
CM-8, PM-5, CM-8, AC-20, PM-5, SA-9, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
Establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.
PM-30, SA-9, SR-1, SR-2, SR-3, SR-5, PM-9, RA-3, SA-15, SR-2, SR-3, SR-5, SR-6
Establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
SA-4, SA-9, SR-2, SR-3, SR-5, PM-9, RA-3, SA-15, SR-2, SR-3, SR-5, SR-6
Establish processes to promptly discover and responsibly share vulnerabilities in assets discovered through penetration testing and attack simulations
CA-2, CA-7, PM-16, PM-28, RA-2, RA-3
Establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
CA-2, CA-7, PM-16, PM-28, RA-2, RA-3
Ensure organizational awareness of and ability to detect relevant threats and TTPs at endpoints. Ensure organizations are able to secure entry and exit points to its network with endpoint protection.
PM-15, PM-16, RA-10, SI-5, PM-12, PM-16, RA-3, RA-10, SI-5, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
Mission critical assets are separated into discrete network segments to minimize lateral movement by threat actors after initial compromise.
AC-4, AC-10, SC-7, SC-10, SC-20, AC-12, AC-17, AC-18, CP-8, SC-5, SC-7, SC-10, SC-11, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-38, SC-47
Collection of necessary telemetry from security log data sources within an organization’s network that maximizes visibility, cost effectiveness, and faster response to incidents.
Ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
Define secure device and system settings in a consistent manner and maintain them according to established baselines.
CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10