HIPAA TIP: HHS HPH Cybersecurity Essential Goals

In a previous HIPAA Tip we discussed the HHS Cybersecurity Performance Goals (CPG) released for Health Care and Public Health (HPH) – essential and enhanced goals.

The essential goals need to be put into place for all healthcare organizations and their Business Associates – think Change Healthcare Breach!

  • Mitigate Known Vulnerabilities: reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks directly accessible from the internet.
  • Email Security: reduce risk from common email-based threats, such as spoofing, phishing and fraud.
  • Multifactor Authentication: add an additional layer of security to protect assets and accounts directly accessible from the internet.
  • Basic Cybersecurity Training: ensure all staff within the organization learn and perform more secure behaviors.
  • Strong Encryption: deploy encryption to maintain confidentiality of sensitive data and integrity of Information and Operational Technology (IT/OT) traffic in motion.
  • Revoke Credentials for Departing Workforce Members, Contractors, Affiliates and Volunteers: prevent unauthorized access by removing access promptly once staff, vendors, contractors and volunteers are terminated or resign.
  • Basic Incident Planning and Preparedness: ensure effective organizational responses to, restoration of, and recovery from significant cybersecurity incidents.
  • Unique Credentials: use unique credentials inside organizations’ networks to detect anomalous activity and prevent attackers from moving laterally across the organization.
  • Separate User and Privileged Accounts: establish secondary accounts to prevent threat actors from accessing privileged or administrative accounts when common user accounts are compromised.
  • Vendor/Supplier Cybersecurity Requirements: identify, assess and mitigate risks associated with third-party products and services.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.