
HHS Cybersecurity Performance Goals (CPGs) Achieved by Only 1 in 4 Health Systems

Only 25% of U.S. health systems meet HHS cybersecurity standards, exposing millions of patients to risks. Explore the barriers and solutions.

Post Summary

Only 25% of U.S. healthcare systems meet cybersecurity standards set by HHS. This puts millions of patients at risk of data breaches, ransomware attacks, and disruptions to care. The Department of Health and Human Services (HHS) developed Cybersecurity Performance Goals (CPGs) to improve healthcare security, but compliance remains low due to tight budgets, outdated systems, and vendor risks.

Key Takeaways:

  • What are CPGs? A roadmap for healthcare cybersecurity, aligned with NIST and HIPAA frameworks, focusing on protecting patient data and ensuring operational stability.
  • Why it matters: Non-compliance leads to data theft, service interruptions, and loss of patient trust.
  • Challenges: Limited budgets, staffing shortages, legacy systems, and supply chain vulnerabilities.
  • Solutions: Automation tools like Censinet RiskOps™, standard frameworks, and real-time monitoring can help healthcare systems improve compliance.

With only 1 in 4 health systems meeting these standards, addressing these gaps is critical for protecting patients and ensuring reliable care.

Main Barriers to CPG Compliance

Healthcare organizations face tough challenges when trying to meet the HHS Cybersecurity Performance Goals (CPGs). These hurdles not only make compliance difficult but also leave systems more exposed to potential cyber threats.

Budget and Staffing Limitations

For many health systems, patient care takes precedence over cybersecurity investments, especially when budgets are tight. Adding to the problem is the ongoing shortage of cybersecurity professionals. This leaves overstretched IT teams to manage security, often without the expertise or resources needed for the advanced measures required by the CPGs. Smaller organizations, in particular, struggle to allocate funds and staff for these critical tasks.

Outdated Systems and Integration Problems

Legacy systems and older medical devices are another major roadblock. Many of these systems lack modern encryption capabilities, making it harder to secure electronic protected health information (ePHI) both at rest and in transit. This is especially problematic given the December 2024 HIPAA update, which makes encryption a required safeguard under the CPGs[1]. Compounding the issue, many medical devices aren’t designed to receive regular security updates, leaving them vulnerable to attacks. On top of that, fragmented data systems - spanning billing, electronic health records (EHRs), lab results, and imaging - create disjointed security environments. These outdated infrastructures also make vendor management a greater challenge.

Third-Party and Supply Chain Risks

Relying on multiple vendors and suppliers adds another layer of risk. The CPGs include specific requirements for vendor cybersecurity measures, such as vulnerability disclosure and incident reporting[2]. However, many health systems, especially smaller ones, find it difficult to monitor and enforce these standards with their external partners. Without the clout to demand stronger security practices, smaller organizations face significant supply chain vulnerabilities, which further complicate their ability to achieve and sustain compliance.

Solutions to Improve CPG Compliance

Addressing compliance gaps against the HHS Cybersecurity Performance Goals (CPGs) requires strategies that simplify processes and reduce risk.

Automated Risk Management with Censinet RiskOps


Relying on manual risk assessments can slow things down and leave room for errors, making CPG compliance harder to achieve. Automated solutions like Censinet RiskOps™ change the game by streamlining risk management tasks.

Censinet RiskOps™ automates critical processes like third-party and enterprise risk assessments. This includes handling annual enterprise assessments for frameworks like HHS CPGs and NIST. With AI-powered tools, the platform reduces the time it takes to complete security questionnaires from weeks to mere seconds. It also auto-summarizes evidence, cutting down on tedious administrative tasks.

What’s more, the platform incorporates a human-in-the-loop approach, ensuring that key decision-making stays in the hands of experts. Configurable rules and review processes allow risk teams to maintain control while scaling operations efficiently. This approach not only enhances visibility into supply chain risks but also addresses exposures from fourth-party vendors. By automating these tasks, organizations can focus on strengthening their overall cybersecurity strategies.

Using Standard Frameworks and Checklists

Automation works best when paired with structured frameworks. Established systems like the NIST Cybersecurity Framework offer a clear path for aligning controls and safeguards with CPG requirements. These frameworks provide organizations with a consistent checklist to address challenges like staff shortages and outdated systems, making compliance efforts smoother and more effective.

Best Practices for Long-Term Cybersecurity Compliance

Reaching compliance with the HHS Cybersecurity Performance Goals (CPGs) is a milestone, but it’s far from the finish line. Healthcare organizations need strategies that can keep pace with evolving threats and ever-changing regulatory demands. A strong cybersecurity program hinges on ongoing monitoring, shared intelligence, and centralized management.

Regular Monitoring and Performance Tracking

Cybersecurity isn’t a "set it and forget it" deal - it requires constant attention. Healthcare organizations should go beyond annual audits by implementing quarterly risk reviews and monthly evaluations of security metrics. Key indicators to track include mean time to detect threats, patch management completion rates, and incident response times.

The best-performing systems rely on automated dashboards that provide real-time visibility into their security posture. These tools can flag potential compliance gaps early, giving teams a chance to act before minor issues snowball into major problems. Routine scanning and testing also play a crucial role in staying ahead of new threats while maintaining compliance.

Detailed records are another cornerstone of effective monitoring. Documenting risk assessments, remediation efforts, and policy updates not only simplifies audits but also helps refine security programs over time. This continuous evaluation creates a strong foundation for sharing threat intelligence with others.

Shared Risk Networks and Threat Information

Cybersecurity in healthcare is a team sport. No organization operates in a vacuum, and collaboration is key to staying ahead of increasingly sophisticated attacks. Sharing threat intelligence with other organizations helps healthcare systems gain valuable insights into emerging risks and effective defenses.

Industry-specific intelligence feeds provide real-time updates on threats like new malware strains, phishing tactics, and vulnerabilities targeting healthcare systems. By tapping into this collective knowledge, organizations can reinforce their defenses before attackers strike.

Participation in cybersecurity consortiums offers even more benefits. These groups enable security professionals to exchange best practices, address shared challenges, and coordinate responses to large-scale threats. Many healthcare organizations report that active involvement in these networks significantly boosts their ability to detect and respond to incidents.

Supply chain risk management also benefits from collaboration. Sharing information about vendor security practices and incidents helps organizations make informed decisions about third-party relationships. This collective approach strengthens defenses across the entire network.

Centralized Management and Oversight

Collaboration is powerful, but it needs to be paired with strong internal oversight. Centralized management ensures that insights from external intelligence are integrated into cohesive security policies. For long-term compliance, healthcare systems should adopt unified governance structures that oversee cybersecurity efforts across all locations and departments.

Centralized security operations centers (SOCs) are a great example of this approach in action. These centers streamline risk management, standardize incident response, and keep vendor oversight consistent. By maintaining uniform compliance standards across the board, healthcare organizations can focus on safeguarding patient data and meeting regulatory requirements.

Cross-functional committees are another piece of the puzzle. These groups bring together representatives from IT, clinical operations, legal, compliance, and leadership to ensure that cybersecurity decisions align with broader organizational goals. Regular committee reviews can assess the effectiveness of security measures, analyze incident responses, and update policies to address new challenges.

Finally, risk-based decision-making becomes far more effective when supported by centralized data and analytics. Platforms that aggregate security data across the organization give leadership a clear view of their overall risk and compliance status. This comprehensive approach not only helps healthcare systems adapt to new threats but also reinforces their alignment with HHS CPGs.

Conclusion: Closing the CPG Compliance Gap in Healthcare

The fact that only 25% of health systems meet HHS Cybersecurity Performance Goals highlights the pressing need for cybersecurity reform. With 364 hacking incidents impacting over 33 million individuals as of October 2025, the stakes couldn’t be higher [3] [4].

Healthcare organizations face significant hurdles - tight budgets, outdated legacy systems, and complex third-party risks. Overcoming these challenges requires strategic investments and industry-wide collaboration. Scalable solutions, such as automated risk management, play a key role in addressing these issues.

Censinet RiskOps™ is one such solution, simplifying third-party assessments, offering real-time risk insights, and enabling collaborative risk management. These capabilities help organizations manage resource limitations while maintaining strong security oversight.

Building an integrated cybersecurity strategy is equally critical. This includes adopting standardized frameworks, enhancing staff training, and implementing robust incident response programs. Such measures prepare healthcare organizations to adapt as cybersecurity standards evolve, potentially becoming mandatory.

"Cyber safety is patient safety, and that focused investment and accountability are vital to protect our data, systems, and patients against the rising epidemic of cyber-attacks on the sector." - Health Sector Coordinating Council [6]

Regulatory changes, like the FY 2025 Budget’s incentives and penalties, further emphasize the urgency for swift and decisive action [5]. Healthcare leaders who prioritize strengthening their cybersecurity posture now will be better equipped for the future, while those who delay risk facing regulatory penalties and operational vulnerabilities.

FAQs

What are the main challenges healthcare systems face in meeting the HHS Cybersecurity Performance Goals (CPGs)?

Healthcare systems frequently encounter obstacles in meeting the HHS Cybersecurity Performance Goals (CPGs). Common shortcomings include failing to address known vulnerabilities, inconsistent use of multi-factor authentication (MFA), and inadequate protection for email systems. These issues leave organizations exposed to potential threats.

Other recurring challenges involve providing regular and effective cybersecurity training, enforcing encryption standards, and properly managing credentials - such as promptly revoking access for former employees.

On top of that, many healthcare organizations struggle to maintain incident response plans, keep user and privileged accounts separate, and ensure vendors and suppliers meet cybersecurity requirements. These gaps underscore the importance of prioritizing basic cybersecurity measures to enhance compliance and minimize risks.

What steps can smaller healthcare organizations take to improve cybersecurity compliance with limited budgets and staff?

Smaller healthcare organizations can strengthen their cybersecurity efforts by adopting practical and budget-friendly measures. A good starting point is conducting regular risk assessments to pinpoint weaknesses and decide which areas need immediate attention. Educating staff on basic cybersecurity practices - like spotting phishing scams and creating secure passwords - can also go a long way in minimizing mistakes.

Affordable solutions, such as encryption software and secure firewalls, offer reliable ways to safeguard sensitive information. Even simple steps, like making sure employees log off their computers after use, can have a noticeable impact. For organizations with limited resources, outsourcing certain cybersecurity tasks to reliable providers can fill critical gaps without breaking the bank. Staying on top of security requires continuous monitoring and steady, small-scale improvements.

How does managing third-party and supply chain risks help healthcare systems meet HHS Cybersecurity Performance Goals (CPGs), and what steps can they take to address these risks effectively?

Managing third-party and supply chain risks plays a crucial role in achieving the HHS Cybersecurity Performance Goals (CPGs), particularly the one centered on Vendor/Supplier Cybersecurity Requirements. For healthcare organizations, ensuring that external vendors and suppliers don't create vulnerabilities in their systems is a top priority.

To tackle these risks, healthcare systems need a strong vendor risk management program. This involves assessing the cybersecurity practices of vendors, clearly defining security expectations within contracts, and continuously monitoring compliance. Taking these steps helps organizations stay ahead of potential threats and strengthens their overall cybersecurity defenses.
