HIPAA TIP: HHS HPH Cybersecurity Enhanced Goals

Last week’s HIPAA Tip reviewed the HPH Cybersecurity essential goals. It’s now time to go through the 10 enhanced goals.

The enhanced goals were put in place to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.

  • Asset Inventory: identify known, unknown (shadow) and unmanaged assets to more rapidly detect and respond to new vulnerabilities.
  • Third Party Vulnerability Disclosure: establish processes to promptly discover and respond to known threats and vulnerabilities in assets provided by vendors and service providers.
  • Third Party Incident Reporting: establish processes to promptly discover and respond to known security incidents or breaches across vendors and service providers.
  • Cybersecurity Testing: establish processes to promptly discover and responsibly share vulnerabilities in assets discovered through penetration testing and attack simulations.
  • Cybersecurity Mitigation: establish processes internally to act quickly on prioritized vulnerabilities discovered through penetration testing and attack simulations.
  • Detect and Respond to Relevant Threats and Tactics, Techniques and Procedures (TTPs): ensure organizational awareness of, and the ability to detect, relevant threats and TTPs at endpoints. Organizations need to be able to secure entry and exit points to their network with endpoint protection.
  • Network Segmentation: separate mission-critical assets into discrete network segments to minimize lateral movement by threat actors after an initial compromise.
  • Centralized Log Collection: collect the necessary telemetry from security log data sources in a way that maximizes visibility and cost effectiveness and enables faster response to incidents.
  • Centralized Incident Planning and Preparedness: ensure organizations consistently maintain, drill, and update cybersecurity incident response plans for relevant threat scenarios.
  • Configuration Management: define secure device and system settings in a consistent manner and maintain them according to established baselines.

