On January 24, 2024, the U.S. Department of Health and Human Services (HHS) published voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. As of mid-2026, these goals have evolved into a critical benchmark for regulatory readiness, especially as federal agencies shift from recommending voluntary compliance to establishing mandatory minimum standards for providers.
“These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”
“The HPH CPGs directly address common attack vectors against U.S. domestic hospitals as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.”
There is speculation, and increasingly legislative evidence, that Medicare or Medicaid funding, as well as HIPAA safe harbor protections, could be tied to the implementation of these goals. Whatever strategy is used to encourage healthcare providers to follow the guidelines, it is worth examining them to understand their goals and what they could mean for the ASC market.
The Urgency for ASCs: Why 2026 is a Turning Point
Many ASCs are not directly associated with hospital systems, but there are still many lessons an ASC can learn from the HHS CPGs. After all, 2023 was a record year for healthcare-related cybersecurity breaches in the U.S.: 734 known healthcare breaches were reported, resulting in the theft of records belonging to over 135 million unique patients, the equivalent of 40% of the U.S. population.
The trend has only grown more complex. Recent healthcare data breach statistics indicate that while total breach volume stabilized in 2025, the severity and “information gain” per attack have skyrocketed due to the use of generative AI in phishing and vulnerability discovery.
At the core of the CPGs is the principle that the goals should be relatively achievable while having the greatest impact on reducing a healthcare provider's cybersecurity risk. From an ASC's perspective, these goals can easily look like a distraction from the primary focus of providing the best patient care and outcomes. Unfortunately, cybercriminals continue to develop an ever-evolving array of tools and techniques to steal valuable healthcare information that they can sell. One of the most alarming shifts is the rise of triple-extortion ransomware, where criminals bypass the organization entirely and harass patients directly.
Breaking Down the CPGs: Essential vs. Enhanced
The CPGs are split into two categories: Essential Goals & Enhanced Goals. The Essential Goals set the minimum cybersecurity standard expected of healthcare providers. The Enhanced Goals help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense needed to protect against additional attack vectors.
The Essential Goals: Your Baseline Defense
The Essential Goals are as follows:
- Mitigate Known Vulnerabilities: (Operating Systems, Applications, Firmware)
- Email Security: (Malware Detection and Quarantining, DMARC)
- Multifactor Authentication (MFA): By 2026, the focus has shifted toward phishing-resistant MFA, such as FIDO2 security keys, to combat sophisticated session-hijacking.
- Basic Cybersecurity Training: (Employees are often considered the weakest link in cybersecurity)
- Strong Encryption: (Makes stolen data harder to use) — This is a cornerstone of protecting data integrity in healthcare, ensuring that patient records remain accurate and untampered during a breach.
- Revoke Credentials for Departing Workforce Members: (Including employees, contractors, affiliates, and volunteers in a timely manner)
- Basic Incident Planning and Preparedness: (Plan for loss of service)
- Unique Credentials: (Every employee uses different credentials to compartmentalize the risk)
- Separate User and Privileged Accounts: (Reduce the number of employees with admin access)
- Vendor/Supplier Cybersecurity Requirements: (What are our IT vendors doing to protect our data?)
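The Email Security goal names DMARC specifically, and a quick way to see whether a domain actually meets it is to read the SPF and DMARC records it publishes in DNS and rate them. The script below is an added example, not code from the original post or from HHS: it parses those records and flags the weak settings an ASC (or its email vendor) would need to fix, such as a `p=none` DMARC policy, partial `pct` coverage, a missing `rua` reporting address, or a permissive SPF `+all`. The domain names and DNS answers are constructed sample data embedded inline so it runs offline; a live check would fetch the TXT records for the domain and for `_dmarc.<domain>` with a DNS resolver instead of reading `SAMPLE_DNS`.

```python
"""Rate a domain's published SPF and DMARC records against the Email Security goal.

Added example; the DNS answers below are constructed, not real domains.
"""
from dataclasses import dataclass, field

# Constructed sample DNS TXT answers for three hypothetical ASC domains.
SAMPLE_DNS = {
    "weak-asc.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.weak-asc.test": ["v=DMARC1; p=none; pct=50"],
    "strong-asc.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.strong-asc.test": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong-asc.test; adkim=s; aspf=s"
    ],
    "nodmarc-asc.test": ["v=spf1 +all"],
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT query; returns the records published under `name`."""
    return dns.get(name, [])


def parse_tags(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a dict with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class EmailAuthReport:
    domain: str
    findings: list = field(default_factory=list)

    @property
    def passes(self):
        """True when no weakness was found."""
        return not self.findings


def assess_domain(domain, dns=SAMPLE_DNS):
    """Return an EmailAuthReport listing every weak SPF/DMARC setting found."""
    report = EmailAuthReport(domain)

    # SPF: the final mechanism decides what happens to senders not listed.
    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not spf:
        report.findings.append("no SPF record")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all"):
            report.findings.append("SPF ends with +all (any sender passes)")
        elif last == "~all":
            report.findings.append("SPF uses softfail ~all; prefer -all once DMARC is enforced")

    # DMARC: only p=reject at pct=100 actually blocks spoofed mail.
    dmarc = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        report.findings.append("no DMARC record")
        return report
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy != "reject":
        report.findings.append(f"DMARC policy is '{policy or 'missing'}'; spoofed mail is not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        report.findings.append(f"DMARC applies to only {pct}% of mail")
    if "rua" not in tags:
        report.findings.append("no rua= aggregate report address; spoofing attempts go unseen")
    return report


if __name__ == "__main__":
    for name in ("weak-asc.test", "strong-asc.test", "nodmarc-asc.test"):
        rep = assess_domain(name)
        print(name, "PASS" if rep.passes else "FAIL")
        for finding in rep.findings:
            print("  -", finding)
```

The same report format works as a vendor questionnaire check: ask each email or marketing vendor that sends mail on the ASC's behalf to show a `p=reject` DMARC record with aggregate reporting enabled, which is the state the `strong-asc.test` sample represents.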
The Critical Role of Third-Party Risk
Readers of the HST Cybersecurity blog should be aware of most, if not all, of these items, as they have been discussed previously. An MSSP (a Managed Security Service Provider) can help with some of them. Others can be built into plans for delivering patient care when IT services are unavailable.
The last one, vendor management, deserves particular attention.
Vendor management is not usually the most glamorous subject, but several recent breaches have affected healthcare providers (including ASCs) not because their own networks were attacked but because their third-party service providers were compromised. This has led to the theft of tens of millions of patient records across multiple healthcare providers. In these cases, not only the business associate but also the covered entity had to report the breach to HHS.
In the current landscape, supply chain attacks are a primary entry point. ASCs must verify that their partners are not just compliant, but resilient. For practical implementation, following specific ASC cybersecurity tips can help administrators audit their vendors effectively.
If an ASC does not ensure that its third-party service providers have robust security practices validated by independent audits, it is exposed to risk through the negligence of others.
The Enhanced Goals
The Enhanced Goals are for organizations with an existing security program that want to improve their maturity. These are no longer “optional extras” but are becoming necessary as ASCs adopt more connected medical devices (IoMT) and shift toward cloud-based surgical management.
As with the Essential Goals, an ASC that depends on third-party service providers can apply these goals to its vendors: they give the ASC a way to judge the maturity of a provider's security program and decide whether that vendor can be trusted. The Enhanced Goals are as follows:
- Asset Inventory: Maintaining a dynamic, real-time list of every device on your network, from surgical robots to smart thermostats, is the first step in Zero Trust. You cannot protect what you cannot see.
- Third-Party Vulnerability Disclosure: ASCs should require vendors to have a formal process for discovering and communicating security flaws before they are exploited by bad actors.
- Third-Party Incident Reporting: Contracts must mandate that vendors notify the ASC of any breach within a specific timeframe (often 24-72 hours) to ensure patient data remains protected.
- Cybersecurity Testing: Regular penetration testing and “red teaming” simulate real-world attacks to find cracks in your perimeter before a hacker does.
- Cybersecurity Mitigation: Testing is useless without a documented, rapid-response plan to patch or “harden” the vulnerabilities discovered during assessments.
- Detect and Respond to Relevant Threats and TTPs: Using advanced monitoring to identify the specific “Tactics, Techniques, and Procedures” (TTPs) used by healthcare-focused ransomware groups allows for proactive defense.
- Network Segmentation: By isolating surgical systems and medical devices from the general office Wi-Fi, you prevent a single infected laptop from shutting down the entire operating suite.
- Centralized Log Collection: Consolidating “digital fingerprints” from all systems into one secure location makes it possible to spot early warning signs of an intruder moving through your network.
- Centralized Incident Planning and Preparedness: This ensures that every department, from clinical to billing, knows exactly how to maintain patient safety when IT systems go dark.
- Configuration Management: Standardizing the “security baseline” for every device ensures that no equipment is ever deployed with “default” or “weak” settings that are easy for hackers to guess.
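Several of the Enhanced Goals only pay off when they are combined: an asset inventory is what lets centralized logs distinguish a known device from an unknown one, and centralized logs are what make a ransomware group's TTPs (one account hopping across many machines) visible at all. The script below is an added example, not code from the original post, that runs two such detections over a small set of constructed syslog-style logon records from several hosts. The host names, account names, addresses and timestamps are hypothetical; `ASSET_INVENTORY` stands in for the ASC's real inventory and `SAMPLE_LOGS` for the records a log collector would have gathered.

```python
"""Two detections over centrally collected logon events, cross-checked against an asset inventory.

Added example with constructed sample data; not code from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory: every host that is supposed to be on the network.
ASSET_INVENTORY = {"OR-WS-01", "OR-WS-02", "BILL-WS-03", "PACS-SRV-01", "DC-01"}

# Constructed sample log lines, as a log collector might store them (one event per line).
SAMPLE_LOGS = """\
2026-03-02T08:01:10Z host=OR-WS-01 user=nurse.kim event=logon result=success src=10.20.1.15
2026-03-02T08:03:44Z host=BILL-WS-03 user=billing.ray event=logon result=success src=10.20.3.7
2026-03-02T08:10:02Z host=BILL-WS-03 user=svc-backup event=logon result=success src=10.20.3.7
2026-03-02T08:12:30Z host=OR-WS-02 user=svc-backup event=logon result=success src=10.20.3.7
2026-03-02T08:14:05Z host=PACS-SRV-01 user=svc-backup event=logon result=success src=10.20.3.7
2026-03-02T08:20:51Z host=DC-01 user=admin.jones event=logon result=success src=10.20.9.200
2026-03-02T08:21:13Z host=LAPTOP-7Q2 user=admin.jones event=logon result=success src=10.20.9.200
"""


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def parse_logs(text):
    """Parse every non-empty line of the collected log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_unknown_hosts(events, inventory=ASSET_INVENTORY):
    """Asset-inventory check: hosts that emitted events but are not in the inventory."""
    return sorted({e["host"] for e in events if e["host"] not in inventory})


def detect_host_hopping(events, max_hosts=3, window=timedelta(minutes=10)):
    """TTP check: one account succeeding on >= max_hosts distinct hosts within `window`.

    Returns a list of (user, hosts) tuples, one per offending account.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon" and e["result"] == "success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # Events are time-sorted, so evs[i:] holds everything at or after `start`.
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= max_hosts:
                alerts.append((user, tuple(sorted(hosts))))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("Hosts not in inventory:", detect_unknown_hosts(evs))
    for user, hosts in detect_host_hopping(evs):
        print(f"Account {user} reached {len(hosts)} hosts in under 10 minutes: {', '.join(hosts)}")
```

In the sample data the `svc-backup` account reaches three different machines in four minutes and `LAPTOP-7Q2` appears in the logs without appearing in the inventory; neither signal is visible from any single host's local log, which is the point of the Centralized Log Collection goal. In production the thresholds and the window belong in configuration, and a service account that legitimately touches many hosts would be given its own allow-list rather than a higher global threshold.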
What to Consider in the Event of a Cybersecurity Breach
Despite the most robust defenses, no system is impenetrable. When a breach occurs, the focus shifts from prevention to damage control and accountability. Managing the aftermath of a cyber incident requires asking hard questions about your facility’s resilience and its duty to its patients.
- Who will be responsible for informing their patients that their confidential information has been stolen?
- What reputational damage will be incurred by the affected ASC?
- What financial cost will the ASC incur through interruptions in care, resolution of IT issues, and repair of the aforementioned reputational damage?
- What is the financial cost to patients of having their data stolen and sold on the dark web?
- Who will the patient hold accountable?
Answering these questions ahead of time is the difference between a managed recovery and a permanent loss of patient trust. By integrating these considerations into your preparedness planning, you ensure that the human side of healthcare remains protected even when the digital side fails.
Bridging the Gap Between Security and Surgery
In fairness to all IT vendors, it should be stated that meeting these goals is no guarantee that cybercriminals, especially with the advent of generative AI, will never succeed in breaching an organization, in much the same way that there is no guarantee a surgical procedure will always have a perfect outcome. Meeting them does, however, significantly decrease the odds of a cybercriminal succeeding, which helps the ASC and its patients.
For more information on the HHS Cybersecurity Goals and to access the latest toolkits for 2026, visit the official HHS CPG resource portal. Additionally, stay informed on specific threats by reviewing recent CISA advisories on ransomware tactics that target healthcare infrastructure.
Stay vigilant.