The Department of Health and Human Services (HHS), working in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), has rolled out the new Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs). This framework is designed to strengthen cyber resilience across the healthcare sector, setting a clear baseline for organizations of all sizes.
While adoption is currently voluntary, these standards are likely to become mandatory before long, so healthcare stakeholders should get ahead of the curve now. Here are five important things that MSPs and IT leaders at SMBs need to know about the new HPH CPGs, plus a handy FAQ that offers clarity about implementation.
1. Why are HPH CPGs important?
With new technologies transforming patient care and cybercrime alike, the healthcare cyberthreat landscape is evolving rapidly. Cybercriminals relentlessly target providers, leaving them under constant pressure to defend sensitive data. In 2024, 94% of U.S. healthcare organizations experienced a cyberattack. Organizations must adopt a forward-looking mindset to address today’s concerns and prepare for what’s next. The HPH CPG framework offers a clear roadmap to tackle major challenges like these.
Healthcare remains a top cybercrime target
Healthcare continues to be one of the most targeted industries for cybercrime, with ransomware leading the way. In 2024, 67% of healthcare organizations reported being impacted by ransomware attacks. That’s a jump from 60% in 2023 and nearly double the 34% reported in 2021.
Successful attacks have expensive consequences
The cost of falling victim to a cyberattack has never been higher for healthcare organizations. According to IBM’s Cost of a Data Breach 2025 Report, healthcare recorded the highest average breach cost among industries for the 14th consecutive year, clocking in at $7.42 million. Investing in cyber resilience to avoid crushing bills like these makes good business sense.
- A ransomware attack on DaVita in early 2025 cost the dialysis provider about $13.5 million in Q2 alone, including $12.5 million in administrative costs and $1 million in patient care disruption.
- Even attacks on healthcare-related entities can devastate providers. In February 2024, a ransomware attack on UnitedHealth Group’s Change Healthcare unit left providers unable to file claims for eight months, financially crippling many smaller practices.
Patient care must be at the core of any security strategy
The HPH CPGs highlight a fundamental shift in cybersecurity philosophy for healthcare organizations. Instead of focusing solely on IT defenses to minimize operational disruptions, healthcare organizations are prioritizing moves that help them foster patient safety and continuity of care even during a cyber incident. This new direction also acknowledges patients’ growing concerns about data handling.
Regulatory changes are on the horizon
While currently voluntary, the HPH CPGs are expected to form the basis for enforceable requirements in the near future. These regulations could be tied to HIPAA, Medicare or Medicaid eligibility, and providers may also face new local rules governing data handling. Organizations that prepare now will be better positioned to remain compliant and maintain a competitive edge.
Preventing dangerous disruptions in patient care is critical
A cyberattack on a healthcare organization doesn’t just shut down the business office. It disrupts care itself. Today’s medical care relies on extensive technology, and healthcare providers, especially critical care centers, can’t afford downtime. In fact, an estimated 69% of providers hit by cyber incidents in the last year have reported patient care impacts, ranging from delayed treatments and increased complications to higher mortality rates.
2. The structure of HPH CPGs
The new HPH CPGs are designed to be practical and accessible for healthcare organizations of all sizes, from small clinics to large hospital systems. They follow a two-tiered structure — Essential Goals and Enhanced Goals — allowing organizations to prioritize actions based on risk, resources and maturity level.
Essential Goals: These baseline, lower-cost controls represent the foundation of a strong cybersecurity program. They focus on high-impact, achievable measures that every healthcare organization should implement immediately. By addressing these essentials first, organizations can significantly reduce risk without requiring large budgets or complex infrastructure.
Enhanced Goals: Once the foundational measures are in place, Enhanced Goals offer more advanced practices to further strengthen an organization’s cybersecurity posture. Adopting these advanced measures helps healthcare organizations proactively defend against sophisticated threats, better manage third-party risks and align with emerging regulatory expectations.
This tiered approach ensures that organizations can start with the essentials and gradually scale up, making the HPH CPGs a flexible and actionable roadmap for improving cybersecurity across the healthcare sector.
3. The Essential Goals
The HPH CPG Essential Goals are an excellent example of the “must-have” cybersecurity standards and practices that any healthcare organization should have in place:
- Regularly patching systems to mitigate known vulnerabilities
- Strong email protections (filters, authentication)
- Multifactor authentication (MFA) for all remote and privileged access
- Basic cybersecurity awareness training for all staff
- Encryption of sensitive data in transit
- Immediate revocation of credentials for departing employees
- Incident response planning and preparedness
- Unique user IDs for all accounts
- Separation of standard and privileged accounts
- Cybersecurity requirements for vendors and suppliers
4. The Enhanced Goals
Organizations ready to take the next step can work toward these HPH CPG Enhanced Goals to strengthen their cyber resilience and achieve security maturity:
- Comprehensive asset inventory
- Processes for third-party vulnerability disclosure and incident reporting
- Routine cybersecurity testing and exercises
- Network segmentation to limit lateral movement
- Centralized log collection for visibility
- Strong configuration management practices
- Improved detection and response to threats
5. The benefits of implementing HPH CPGs
Adopting the HPH CPG framework gives healthcare organizations a clear, actionable path to stronger cybersecurity and operational resilience. Key benefits include:
- Reduced risk of disruption: Protects patient care by minimizing downtime during cyber incidents.
- Stronger financial safeguards: Lowers the likelihood of costly breaches and ransomware payouts.
- Regulatory readiness: Aligns with existing compliance requirements and positions organizations for future mandates.
- Improved vendor oversight: Ensures third-party services meet security standards, reducing supply-chain risk.
- Increased patient trust: Demonstrates a commitment to safeguarding sensitive health data, strengthening reputation.
The HPH CPGs provide practical guidance that helps organizations build a cybersecurity posture that protects patients, staff and business operations alike.
Real questions asked by MSPs and SMBs, answered
The rollout of the HPH CPGs has raised important questions. These insights can provide clarity about common concerns.
Are these standards mandatory or voluntary for now?
As of 2025, the HPH CPGs are voluntary, but they are widely seen as the foundation for upcoming regulations.
How do the CPGs align with existing frameworks like HIPAA, NIST and HICP?
HPH CPGs align closely with the Health Insurance Portability and Accountability Act (HIPAA) and the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Many HPH CPG controls also correspond directly to Healthcare Industry Cybersecurity Practices (HICP) recommendations, offering a healthcare-specific, actionable roadmap that helps organizations turn broad guidance into concrete, practical measures.
How should SMBs and MSPs prioritize implementation?
Start with the Essential Goals, which are affordable, impactful and in many cases already overlap with HIPAA compliance.
Will there be funding or incentives for compliance?
HHS has signaled plans to provide incentives for compliance and potentially tie penalties to reimbursement eligibility.
What are the legal and liability implications if the CPGs are not followed?
Although voluntary, ignoring CPGs could create liability issues if a breach occurs. Regulators or courts may view non-implementation as negligence.
How do I measure an organization’s maturity or progress?
HHS recommends self-assessments. The guidance suggests categorizing each goal as “not implemented”, “partially implemented”, “largely implemented” or “fully implemented”.
Do MSPs need to flow these requirements down to their clients?
Yes. MSPs serving healthcare must ensure their services and vendor partners align with CPGs, especially around essentials like MFA, credential management and incident response.
A roadmap to future-ready cybersecurity in healthcare
While the HPH CPGs are voluntary today, they offer a clear view of where healthcare cybersecurity standards are headed. For MSPs and SMBs, this is an opportunity to get ahead of future regulations and future cyberthreats. By starting with the Essential Goals and progressing toward the Enhanced Goals, healthcare organizations can strengthen compliance readiness while making cybersecurity an integral part of patient care.