CISA Cross-Sector Cybersecurity Performance goals: What Healthcare Organization Needs to Know

The US Cybersecurity and Infrastructure Security Agency (CISA) recently released voluntary cross-sector Cybersecurity Performance Goals (CPGs) to help organizations protect themselves from cyber threats. What do healthcare organizations need to know about the new CPGs and how they can use them to reduce risk and increase security?

What is the CISA Cross-Sector Cybersecurity Performance Goals?

According to the CISA, the CPGs are “a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real- world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations but also to the American people.”

The CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across the critical infrastructure with known risk-reduction value
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation

The Cybersecurity and Infrastructure Security Agency (CISA) has pointedly stated that the adoption of the CPGs is optional. Though we can anticipate that these rules will be employed in upcoming cybersecurity regulations, for now, they are still purely voluntary.

The CISA has identified that the CPGs do not replace frameworks such as NIST Cybersecurity Framework (NIST CSF). These guidelines, however, offer a beginning point for companies to deploy essential security measures first and determine which sections require more urgent attention to prevent current attack schemes. The CPGs are linked with the NIST CSF and viewed by the CISA as “a kind of starter guide” when working with NIST CSF.

How Do the CPGs Impact Healthcare Organizations?

The CPGs make it easier for healthcare organizations and other essential sector entities to swiftly implement the most reliable security controls needed to prevent modern cyberattacks.

With cyberattacks on the rise throughout all essential infrastructure sectors, the potential danger posed to healthcare is particularly alarming. Not only do these attacks jeopardize our digital security and data, but they can also threaten the well-being of American citizens who rely heavily on technology for their medical care. The healthcare industry is constantly under cyberattack, and no organization can evade this stark reality. Although development in health information technology should be celebrated as it has the potential to address some of our most daunting issues – ranging from clinical care to population health – these advancements will only work if they are secure. As information systems play a key role within today’s healthcare system and its future, we must do all that we can to ensure their protection.

Disruptive cyber-attacks obstruct healthcare professionals from providing crucial medical services and treatments. Consequently, they prevent the smooth flow of patient data across multiple health care systems – something that was designed to improve with digitalization. For instance, a medical facility in Missouri consisting of less than 50 beds and focusing on trauma and stroke patients experienced a ransomware attack which forced them to divert ambulances out of caution. The entire Electronic Health Record system was compromised by the assault, leading the organization to take measures to ensure that their quality of care would not be impacted.

Cybersecurity is an ongoing struggle between people, processes and technology that works to protect our investments in digital data. Unfortunately, hackers are resourceful – finding inventive techniques to bypass defensive cyber measures. The health care industry has become more dependent on electronic transmission of information via mobile devices, the cloud, medical equipment and infrastructure systems… thus making them even more vulnerable targets for malicious attacks.

How do organizations implement the CISA Cross-Sector Cybersecurity Performance Goals?

The CPG publication offers helpful and practical resources to resolve the common “where do I start” quandary that many healthcare organizations struggle with when looking to incorporate security frameworks.

This list of CPGs is accompanied by a helpful worksheet to assist asset owners and operators in (1) assessing the importance of each CPG before implementation, (2) tracking progress throughout the implementations’ stages, and (3) easily conveying any priority changes or statuses to non-technical executives. Allowing for clarity between all parties involved.

The CPG Worksheet provides rough estimates of the cost, complexity, and potential outcomes associated with each goal. These approximations are intended to assist in formulating investment strategies for filling existing gaps in cybersecurity safeguards.

To implement the CPGS:

1. Companies should first evaluate their present safety protocols and controls. Likely some existing compliance procedures may already be in place. All CPGs are also mapped with corresponding measurements from these benchmarks for stress-free incorporation and monitor progress.
2. Organizations should determine and list their CPG implementation gaps in order of importance, considering cost, complexity, and the effect it will have.
The CPG Worksheet is a helpful tool to aid organizations in this process.
3. With that the gaps have identified and prioritized, organizations can begin to invest in and execute cybersecurity projects. Utilizing a worksheet may be beneficial when working with leadership teams to secure funding for such tasks.
4. For continuous evaluation of improved cybersecurity practices, organizations should review progress on a yearly basis. After 12 months have elapsed, the worksheet should be revisited to capture any changes that occurred and showcase results.

The CPGs are split into eight sections:

Account Security
Protecting login information and online accounts from any malicious use or access by third parties is the objective of account security. It is essential to ensure that an individual’s or organization’s data always remains secure. Good password policies include:
  • Separating user and privileged accounts makes it harder for hackers to access valuable administrative data, keeping your system secure.
  • Multi-Factor Authentication offers multiple obstacles of security, so even if you face a breach in your login information, accounts are still safeguarded.
  • Companies can safeguard their systems and data from former employees who could represent a security hazard by swiftly eradicating their credentials when they no longer work at the company.
  • Assigning a minimal password strength makes it more difficult for cybercriminals to crack an organization’s credentials.
Device security To help ensure success, taking the proper steps to deter unwelcome access to important systems and information is critical. Cyberattacks and data theft can be better avoided by utilizing appropriate security measures. Additionally, this CPG includes the additional features:
  • Establishing a clearance procedure for hardware and software can profoundly bolster technological transparency, thus decreasing the chances of security incidents caused by unauthorized installations.
  • By default, macros and other related scripts used by adversaries are far less threatening when disabled.
  • A comprehensive asset inventory will uncover which assets are managed, unidentified, and those not being monitored. By doing so, we can identify the latest security threats that need to be addressed right away for maximum protection.
  • By denying criminals the ability to connect their own devices, you demonstrate that your security measures are taken seriously.
Data Security Safeguarding confidential and sensitive data from any unwelcome viewers is the primary motive for emphasizing digital security. To reduce the risk of cyberattacks or other information breaches, this initiative should be looked at through these lenses:
    • To protect organizational security records, secure log storage is employed to prevent unauthorized access.
    • Detailed audit logs document events, account for the user responsible or service involved, record exactly when it happened and identify what was impacted.
    • By securely storing sensitive data, you can ensure that it is protected from any unwanted intrusions.
  Governance and Training
The purpose of good governance and training is to boost employees’ awareness of their roles in protecting an organization’s systems and data. This goal works as such:
  • With the proper foundation of cybersecurity knowledge, users and staff will be able to accurately identify and utilize security measures.
  • Leveraging a secure cyber framework holds leaders accountable and ensures the integrity of the company’s data.
  • To safeguard against and respond effectively to cyber threats occurring within Operational Technology (OT), it is essential to build stronger bridges between IT and OT cybersecurity teams.
  • To ensure the cyber security of an organization’s OT systems, one individual must take on the responsibility as a leader in OT cybersecurity.
Vulnerability Management
By achieving the CISA cybersecurity performance goal of effective vulnerability management, your organization will be able to detect, evaluate, remediate and report vulnerabilities found in its software and systems. As a result, you can anticipate the following positive outcomes:
  • The process of reporting and disclosing vulnerabilities is essential for businesses, as it supplies them with the key information necessary to identify their system’s weaknesses.
  • A way to protect OT devices from cyberattacks on the public internet is by limiting them to only a few who can access it. By doing so, you can reduce the risk of your system being compromised.
  • Regularly patching your network vulnerabilities is essential in decreasing the likelihood of a malicious attack and infiltration.
  • Verified cybersecurity controls are a reliable method of protecting vulnerable technologies, ensuring that they stay safe from potential threats.
Supply Chain/ Third Party
By monitoring the security of their vendors and third parties, businesses can reduce their risk of cyberattacks or data breaches due to weak infrastructure. Utilizing a secure, private, and accessible data system may help protect your internal systems and data from any unwanted guests. Ultimately, the desired outcome is as follows:
  • By regularly reporting and documenting incidents that happen in their supply chains, businesses can gain insight into the security of all their suppliers and partners as well as take corrective action.
  • Adhering to cybersecurity standards not only helps protect against potential threats, but also ensures secure services and products from vendors.
Response And Recovery
To ensure a smooth recovery in the event of a digital emergency, it is crucial to craft an actionable plan that covers data breaches, malicious viruses, and other cyber threats.
  • To properly respond to and recover from incidents, one must take the necessary steps of reporting them, creating incident response plans, backing up systems, and thoroughly documenting the network’s topology.
  • By monitoring their network architecture, organizations can quickly and effectively respond to threats while ensuring that operations run smoothly.
  • By making regular system backups, you minimize the amount of time and effort spent recovering from any potential data or operational losses.
Some other Cyber Security Performance Goals include:
  • Network Segmentation.
    Network segmentation is a vital security tactic that splits up the network into smaller, distinct parts to ensure maximum protection. Each sub-network can have its own specific security controls, making it easier and faster for network teams to apply all necessary safety measures.
  • Tactics, Techniques, and Procedures (TTP) and threat detection.
    Security teams can utilize TTP analysis to better identify and address threats by recognizing the methods that malicious actors use.
  • Email Security.
    Boost your understanding of email security and the potential risks associated with it, like Phishing or Social Engineering. Phishing is a crime that involves obtaining sensitive information such as passwords or financial data through deceptive emails. Similarly, social engineering is any deceitful manipulation which could lead people to open malicious links in their inboxes. With awareness comes safety!
Every one of the CPGs clarifies the risks the objective attempts to address, details what is expected in terms of security outcomes, and lists out recommended procedures for accomplishing those objectives.

What Are Some Best Practices for Healthcare Organizations?

Drawing on data from CISA, the government, and industry partners regarding hostile actors’ tactics, techniques and procedures (TTPs), the CPGs have been developed to reflect real-world threats. Some of the things you can do now in your organization to prevent cyberattacks are:

Role-based access control
Access to restricted information like health records and other confidential data should be controlled carefully, granting access only on an “as needed” basis for those authorized based upon their occupation titles. By using Role Based Access Control (RBAC), administrators can assign roles to each user that provide appropriate levels of access tailored specifically towards their role in the organization – such as clinical prescribing data, dispensing medication, administering medications, ordering expensive investigations etc. Access control is essential for bolstering the safety of a system and preventing internal malicious attacks. Healthcare organizations seeking to fortify their cybersecurity should take this measure into serious consideration, as it can be instrumental in achieving an added layer of protection.
Educating healthcare workers to avoid potential security breaches.
Healthcare professionals need to be equipped with the proper training and knowledge in order to properly handle and report security breaches. They should have an understanding of practices such as not clicking on suspicious links, avoiding emails from unknown senders, refraining from downloading or installing unverified software, etc. With this proactive approach amongst healthcare staff members, cybercriminals will find it increasingly difficult to penetrate any potential openings for attack.

Vulnerability Assessment and Penetration Testing
Cybercriminals actively search for unaddressed system vulnerabilities, as they provide an easy route of attack. Therefore, to prevent such attacks all security patches must be kept up-to-date and checked regularly. To guarantee your organization’s IT infrastructure remains secure from potential weaknesses or breaches, regular Vulnerability Assessments and Penetration Testing should be conducted.


Papaya Technologies, recommends that healthcare organizations of all shapes and sizes review the CPGs and leverage them to support and mature their cybersecurity programs. Papaya offers a plethora of guidance content covering all major sections that CISA recommends implementing, with no previous security or technical experience required to understand. Papaya also offers several solutions such as a Learning Management System (LMS) that can train your staff on leading best practices for HIPAA Security and Privacy.

Using a proven risk management approach, Papaya evaluates all potential threats and risks to your business, including their probability and impact so you can make well informed decisions. With Papaya as part of your team, you can be confident your company is guarded against cyber-attacks. Request a demo today!