In January 2024, the Department of Health and Human Services (HHS) published voluntary health care specific Cybersecurity Performance Goals to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. These goals are voluntary cybersecurity practices that organizations can prioritize to strengthen cyber preparedness, improve resiliency, and protect patient health information and safety.

The HHS cybersecurity performance goals are split into two categories: essential goals to outline minimum foundational practices for cybersecurity performance and enhanced goals to encourage adoption of more advanced practices. Essential goals include activities such as basic cybersecurity training. Enhanced goals include activities such as cybersecurity testing.

Although these cybersecurity performance goals are not currently mandatory, the HHS has indicated that they may change eventually. The HHS has noted that that with additional authorities and resources that it will request from Congress, HHS will propose incorporation of the cybersecurity performance goals into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards. HHS has also noted that it may encourage the implementation of its cybersecurity performance goals via financial consequences and incentives on hospitals.

HHS is working towards and expects to seek comment on the following proposed actions:

• The Centers for Medicare &Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid
• HHS Office for Civil Rights (OCR) will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in the Spring 2024, to include new cybersecurity requirements.

The CAP is assessing the effects that these cybersecurity performance goals would have on pathologists and laboratories if they became mandatory in the future.