HHS has set out cybersecurity expectations for healthcare in its Healthcare and Public Health Cybersecurity Performance Goals — a set of Essential and Enhanced goals that increasingly define what “good enough” security looks like for hospitals and health systems. They are voluntary today, but the direction of travel is toward mandatory minimums with potential Medicare implications, which makes getting ahead of them a smart move now. Taction Software helps you implement the technical controls behind the CPGs and produce the assessment, roadmap, and documentation to demonstrate where you stand.
We provide the security engineering and assessment; the regulatory determination of what applies to your organization rests with your compliance and security leadership, with whom we work. For broader assessment work, see our healthcare security audit and HIPAA risk assessment practices.
Schedule a CPG Compliance Assessment (Free 60-Min) → (NDA-protected)
Healthcare cybersecurity specialists · NIST CSF expertise · HIPAA Security Rule program experience · ISO 27001-certified
What HHS CPGs Require
Essential Goals
A baseline set of practices every healthcare organization is expected to have — the fundamentals that block the most common attacks.
Enhanced Goals
A more advanced tier for organizations maturing beyond the baseline toward stronger resilience.
Voluntary vs. Mandatory Pathway
The CPGs are currently voluntary guidance. HHS has signaled intent to move toward mandatory minimum requirements, and has proposed strengthening the HIPAA Security Rule, so treating the CPGs as a preview of future obligations is prudent. Your compliance team confirms what currently binds you.
Medicare Reimbursement Implications
There have been proposals to tie healthcare cybersecurity requirements to Medicare participation. These are evolving rather than settled, so we help you prepare for the trajectory without overstating what is in force today.
Essential Goals We Implement
Mitigate Known Vulnerabilities
Patch management and vulnerability scanning so known weaknesses are found and closed on a cadence — complementing our penetration testing work.
Implement Phishing Defense
Email security controls and support for user training, since phishing remains the top entry point.
Strong Authentication
MFA implementation and privileged access management so credentials alone do not open the door.
Asset Inventory & Network Segmentation
Asset management and network-segmentation architecture so you know what you have and a breach cannot move freely — drawing on our data security practice.
Enhanced Goals We Implement
For organizations going further: advanced identity management, cyber resilience and recovery (backup, recovery, and tested incident response), third-party risk management, and building a cybersecurity mindset and skills across the organization.
Our CPG Compliance Methodology
Current-State Assessment
We assess your existing security posture against the CPG practices.
Gap Analysis Against CPGs
We identify exactly where you fall short of the Essential and Enhanced goals.
Implementation Roadmap
We build a prioritized roadmap, sequencing the highest-risk gaps first.
Engineering Work to Close Gaps
We do the technical work — segmentation, MFA/PAM, patching and scanning programs, logging, recovery — to close the gaps, drawing on our software modernization and security practices.
Documentation & Reporting
We produce the documentation that demonstrates your posture for leadership, boards, and any future attestation.
Combined CPG + Other Compliance
The CPGs overlap with frameworks you may already maintain, and we map controls across them to avoid duplicate work: CPGs + the HIPAA Security Rule (see our HIPAA consulting and HIPAA-compliant development practices) and CPGs + NIST CSF, plus any other frameworks your organization holds.
Medicare & Funding Implications
We help you weigh the hospital reimbursement impact as requirements evolve, the benefits of voluntary adoption now (real risk reduction and readiness for whatever becomes mandatory), and the enforcement trajectory — without treating proposals as settled law. The honest summary: the bar is rising, and early movers carry less risk.
Frequently Asked Questions
Are CPGs mandatory yet?
As of now they are voluntary guidance. HHS has signaled a move toward mandatory minimum requirements and has proposed strengthening the HIPAA Security Rule, with potential ties to Medicare under discussion. So they are not universally mandatory today, but the trajectory points toward enforcement — which is why preparing now is the low-risk choice. Confirm your current obligations with your compliance team.
Cost of compliance?
It depends entirely on your current maturity. An organization with solid security may have modest gaps; one starting further back has more to do. We assess first and give a roadmap with scoped cost, so you invest against real gaps rather than a generic checklist.
HIPAA Security Rule sufficiency?
Meeting the HIPAA Security Rule does not automatically satisfy all the CPGs. The Security Rule is risk-based and flexible, while the CPGs are more specific and prescriptive, and the proposed Security Rule update would raise the bar further. We map where your HIPAA program already covers CPGs and where additional work is needed.
Reporting requirements?
Formal reporting expectations are still taking shape as the requirements evolve. We build the documentation and evidence now so that whatever attestation or reporting is ultimately required, you can produce it without scrambling.
Reviewed by Taction Software’s healthcare security engineering team. ISO 27001-certified information security management. We provide security engineering and assessment; regulatory determinations rest with your compliance leadership. PHI is handled under a signed BAA.
