    Healthcare and Public Health Cybersecurity Performance Goals

    HHS's sector-specific list of essential and enhanced cybersecurity goals for healthcare, derived from HICP and the NIST CSF.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    The Healthcare and Public Health Cybersecurity Performance Goals are a voluntary set of cybersecurity goals published by HHS (in coordination with CISA) for the Healthcare and Public Health (HPH) critical infrastructure sector. They are organized into Essential Goals (baseline practices every HPH organization should meet) and Enhanced Goals (advanced practices for mature organizations). The CPGs are aligned to the NIST Cybersecurity Framework and derived from HICP 2023, so they form a layered model: NIST CSF → HICP → HPH-CPG, with the CPGs being the most prescriptive and outcome-oriented.

    What the regulation says

    Published by HHS in January 2024 as voluntary goals, with explicit signal that they will inform future HIPAA Security Rule rulemaking. CISA includes HPH-CPGs in its Cross-Sector Cybersecurity Performance Goals program for critical infrastructure.

    What this means in practice

    HPH-CPGs are quickly becoming the primary measuring stick for healthcare cybersecurity maturity. HHS has signaled that future rulemaking under the HIPAA Security Rule and conditions of participation for Medicare may incorporate CPG-style requirements. Medical device manufacturers should expect hospital RFPs and procurement reviews to ask explicitly which CPGs your product helps the hospital achieve, particularly around asset inventory, vulnerability management, MFA, and incident response.

    Common pitfalls

    • Treating Essential CPGs as the ceiling; they are the floor. Enhanced Goals reflect what mature health systems are already doing.
    • Mapping device features to CPGs in marketing without evidence; hospitals will ask for technical artifacts (MDS2, SBOM, configuration guides) tied to specific CPGs.
    • Ignoring the supply-chain CPGs that flow down to device manufacturers via Business Associate Agreements.

    Primary references

    1. CISA, Cross-Sector Cybersecurity Performance Goals (cisa.gov)
    2. MDCG, MDCG Cybersecurity Guidance (health.ec.europa.eu)
    3. HSCC, Health Sector Coordinating Council (healthsectorcouncil.org)