In today’s digital age, securing sensitive healthcare data is paramount. With the rise in cyber threats targeting healthcare organisations, the United States' Department of Health and Human Services (HHS) has taken proactive steps to enhance cybersecurity by implementing new performance goals. These goals focus on improving the security and resilience of healthcare systems and data by implementing measures such as improving threat detection and response capabilities, enhancing workforce training and awareness, ensuring secure access to patient information, and promoting collaboration and information sharing within the healthcare sector. By prioritising cybersecurity efforts, the HHS aims to safeguard sensitive healthcare data, mitigate cyber threats, and enhance the overall resilience of the healthcare ecosystem. The HHS's introduction of new cybersecurity performance goals underscores the importance of readiness and resilience in safeguarding sensitive healthcare data. As organisations strive to meet these goals, proactive breach preparation, such as information governance and tabletop simulation training exercises, emerge as a crucial component of cybersecurity preparedness. The HHS’s latest provisions emphasise how critical it is for healthcare organisations to have strong cyber incident response plans. 

How are the News HHS Performance Goals Different than HIPAA?

While the US' HIPAA (Health Insurance Portability and Accountability Act) rules remain intact, the new performance goals encompass broader aspects of cybersecurity, such as safeguarding against cyber threats beyond protected health information (PHI) breaches, protecting critical infrastructure, and ensuring the resilience of healthcare systems. Unlike HIPAA, the news goals emphasise a more proactive approach to cybersecurity risk management, including measures to identify and mitigate vulnerabilities before they can be exploited, rather than solely focusing on compliance with regulatory standards like HIPAA. The other focus of the goals not found in HIPAA is the need for increased collaboration among healthcare organisations, government agencies, cybersecurity experts, and other stakeholders to enhance collective cybersecurity resilience.

Why Healthcare is Unique

Unlike many other industries, the healthcare sector deals with sensitive patient information. Cyber incidents in healthcare can directly impact patient safety, leading to disruptions in care delivery, compromised medical devices, and even endangering patient lives. As a result, healthcare incident response plans prioritise rapid response and recovery to minimise the impact on patient care.

There is also heavy regulatory compliance as US healthcare organisations are subject to the HIPAA, which mandates the protection of patient data and requires prompt reporting of security incidents. Cyber incident response plans in healthcare must align with these regulatory standards and include protocols for notifying regulatory authorities, patients, and other stakeholders in the event of a data breach or cyberattack. In addition to notifying patients, response plans also account for providing them with services to prevent fraud, such as identity and credit monitoring, as well as monitoring specific to healthcare information such as medical records, health savings accounts, and health insurance information. 

Though most organisations have complex infrastructure, healthcare organisations have incredibly complex systems and networks as they have many interconnected systems, devices, and applications, including electronic health records (EHRs), medical devices, and telehealth platforms. Cyber incident response plans in healthcare must account for the unique challenges posed by these diverse technologies and ensure seamless coordination among IT, clinical, and administrative teams during a security incident.

Making things even more challenging is that many healthcare organisations operate under resource constraints, including limited IT budgets and shortages of cybersecurity expertise. Cyber incident response plans in healthcare must be tailored to accommodate these limitations, emphasising the efficient use of resources, leveraging external partnerships, and prioritising investments in technologies and training that enhance incident detection, response, and recovery capabilities.

Ensuring Compliance

To comply with the new HHS cybersecurity goals, increased investment in advanced employee training programmes and preparedness will be needed. Comprehensive cybersecurity awareness training, which includes tabletop simulation exercises for cyber readiness, can empower staff to identify and respond to security incidents effectively.

Tabletop exercises are simulated scenarios designed to test an organisation’s response to various cybersecurity incidents. These exercises involve key stakeholders coming together to walk through hypothetical scenarios, identify gaps in response protocols, and refine incident response strategies. By providing a controlled environment for decision-making and collaboration, tabletop exercises help organisations build readiness and enhance their ability to mitigate cyber threats effectively.

How tabletop exercise help organisations meet the new HHS cybersecurity goals:  

1. Alignment with strategic objectives -The HHS cybersecurity performance goals set clear expectations for healthcare organisations to enhance their cybersecurity posture. Tabletop exercises allow these organisations to align their incident response capabilities with the strategic objectives outlined in the HHS goals. By simulating scenarios relevant to the healthcare sector, organisations can tailor their exercises to address specific threats and vulnerabilities identified in the performance goals.
2. Identification of weaknesses and gaps - Through tabletop exercises, healthcare entities can identify weaknesses and gaps in their cybersecurity defences and incident response protocols. By simulating realistic scenarios, organisations can uncover areas for improvement in detection, containment, and remediation processes. This proactive approach enables organisations to address vulnerabilities before they are exploited by malicious actors, thereby enhancing overall resilience.
3. Validation of response plans - Tabletop exercises provide an opportunity to validate and refine incident response plans in a low-stakes environment. By testing the efficacy of response procedures and communication protocols, organisations can ensure that their teams are well-prepared to handle cybersecurity incidents effectively. Regular exercises enable continuous improvement and allow organisations to adapt to evolving threats and regulatory requirements.
4. Enhanced collaboration and coordination - The collaborative nature of tabletop exercises fosters cross-functional collaboration and coordination among internal teams, external partners, and regulatory agencies. By bringing together stakeholders from various departments, including IT, legal, compliance, and executive leadership, organisations can facilitate information sharing and decision-making during crisis situations. This collaborative approach strengthens relationships and ensures a unified response to cyber threats.
5. Compliance and Risk Management - In light of the HHS cybersecurity performance goals, tabletop exercises are vital in supporting compliance efforts and risk management initiatives. By demonstrating proactive measures to identify and mitigate cyber risks, organisations can align with regulatory requirements and industry best practices. Tabletop exercises also help organisations prioritise investments in cybersecurity controls and allocate resources effectively to address high-risk areas.

Conclusion

As healthcare organisations navigate the evolving threat landscape and strive to meet the new HHS cybersecurity performance goals, tabletop exercises emerge as a cornerstone of cybersecurity preparedness. These exercises enable organisations to enhance their resilience and effectively respond to cyber threats by simulating realistic scenarios, identifying weaknesses, and fostering collaboration. In an era where cybersecurity incidents are increasingly prevalent, investing in tabletop exercises is not just a best practice—it’s a strategic imperative for safeguarding sensitive healthcare data.