CISA Cyber Performance Goals: Third-Party & Supply Chain Requirements
By CORL Technologies | December 14, 2023
The healthcare industry is currently facing unprecedented challenges in the form of cyber threats and attacks. As the digital revolution continues in healthcare, it has become crucial for healthcare organizations to have strong cybersecurity measures. Yet cyber incidents that disrupt patient care services have steadily increased yearly since 2018. In an effort to stem the tide, and at the behest of the Biden administration’s National Cybersecurity Strategy released in March 2023, the Department of Health and Human Services (HHS) has released its introductory strategy for Healthcare Sector Cybersecurity. In this blog post, we will explore the importance of this announcement and why Covered Entities and Business Associates need to begin planning the work to meet these guidelines.
The HHS introductory strategy outlines four key steps to advance cyber resiliency in the healthcare sector.
We’ve been reading the tea leaves at CORL for all of 2023, and given all the different HHS and CISA activities around healthcare and critical infrastructure, we thought there might be some kind of Meaningful Use-style carrots-and-sticks program applied to cybersecurity. This HHS announcement looks like that’s exactly what’s coming. Here are the three biggest takeaways from this strategy document and our analysis of what to expect.
Takeaway 1) With input from the industry, HHS will establish and publish Healthcare & Public Health Sector-specific Cyber Performance Goals (HPH CPGs)
Just like the reasoning behind the CISA Cross-Sector CPGs, this effort aims to help the healthcare sector prioritize implementing the most critical cybersecurity practices. The number and size of the frameworks that apply to healthcare cybersecurity make it difficult for cyber risk professionals to prioritize where to start and what to cover, especially in smaller organizations. It’s not clear yet how much these HPH CPGs will differ from the CISA CPGs or the Health Industry Cybersecurity Practices (HICP). We assume that they will very closely mirror the cross-sector CPGs but cover some of the most critical areas from HICP that are not included in the CISA CPGs, while also narrowing the Operational Technology (OT) content down to the medical devices, IoT and IoMT that are more frequently found in the healthcare industry.
Takeaway 2) HHS will work with Congress to obtain funding to provide upfront investments to help “high-need” HDOs cover the cost of implementing the “essential” HPH CPGs and performance incentives for implementing the “enhanced” CPGs
This is exactly the Meaningful Use (MU) approach that has been discussed for a few years, but many were skeptical that it could come to pass. It’s a welcome announcement. It is no secret that cash-strapped health systems have difficulty prioritizing cybersecurity spending against patient care spending and critical operations spending. This approach will help them overcome that. And all systems will chase incentive dollars, just like they did with MU. It’s a win/win and one of the most powerful ways the federal government can support healthcare in raising its security game.
Takeaway 3) HHS will increase its enforcement for not meeting the CPGs through CMS and an update to the HIPAA Security Rule
Unfortunately, we can’t have our cake and eat it too. With increased incentives also comes increased enforcement, which is a good thing in the long run. That enforcement pressure reorients healthcare C-suites and boards towards prioritizing cybersecurity, which is still needed in many cases in our industry. The tenor of this announcement makes us think there could be some tie-in to meeting certain HPH CPGs as a condition of participating in Medicare and Medicaid, which will undoubtedly gain the attention of budget owners and business/clinical decision-makers. Additionally, the HIPAA Security Rule has been long overdue for an update. If the updates stay in sync with the HPH CPGs and the process flows from incentives first to enforcement second, this can potentially be a major win for all parties.
What should healthcare organizations do right now in reaction to this announcement?
While the announcement does not reveal much regarding the timeline (the only date mentioned is that the work to begin updating the HIPAA Security Rule will begin in the spring of 2024), it’s safe to say that healthcare organizations need to start planning how to react to this right now. Here are some steps we recommend:
Where do vendors in the healthcare space fit into this equation?
It’s safe to say that any organization classified as a Business Associate should expect to be obligated to meet these requirements. The final version of this plan will most likely continue the years-long trend of forcing Business Associates to comply with HIPAA in their own right so that Covered Entities aren’t left holding the bag for BAs not taking security seriously.
But even if you’re not classified as a BA, it’s hard to imagine you being able to find interested suitors for your products and services if you’re not meeting these CPGs. Healthcare entities will be judged on their ability to meet the CPGs, and one of these requirements includes verbiage stating that they must vet their vendors’ security posture to “evaluate in vendor selection if, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.”
If you’re a vendor unsure how to meet an appropriate security bar for your buyers, let CORL help. Our CORL Cleared program serves as the TSA PreCheck of the healthcare TPRM industry. It offers the methodology and technology that can make it possible for you to never answer a security questionnaire again.
Overall, the importance of this announcement cannot be overstated. When we start talking about overhauling HIPAA, promising incentive payments, and hinting at placing cybersecurity conditions on Medicare and Medicaid participation, we are talking about industry-changing topics. This announcement is yet another sign that cybersecurity is a critical component of healthcare, and organizations must take it seriously or risk damaging their business and reputation.
CORL Technologies
CORL transforms TPRM chaos into clarity
CORL is a leading provider of vendor risk management solutions for the healthcare industry. CORL gets results by scaling organizational and vendor risk programs through our healthcare vendor risk clearinghouse solution, dashboard reporting that business owners can understand, and proven workflows that drive measurable risk reduction. CORL accelerates the speed of vendor risk assessments and holds vendors accountable for remediating risk exposures.