The U.S. Department of Health and Human Services (“HHS”) has expanded upon its recent Healthcare Sector Cybersecurity Concept Paper (which we covered in a prior blog post), issuing cybersecurity performance goals (“CPGs”) for the healthcare and public health (“HPH”) sector. These CPGs aim to help healthcare organizations protect against cyberattacks and improve responses when attacks on critical healthcare infrastructure occur. HHS worked closely with the Department of Homeland Security’s Cybersecurity and Infrastructure Agency to develop these nationwide CPGs for the healthcare industry.

The new HPH-focused CPGs are taxonomized into two categories: essential goals, which outline minimum practices for cybersecurity performance, and enhanced goals, which provide the foundation for more advanced cybersecurity measures. The goals align with the healthcare industry cybersecurity practices and sub-practices outlined in the latest edition of Cybersecurity Practices for Medium and Large Healthcare Organizations published by the Healthcare & Public Health Sector Coordinating Council. HHS has also linked these practices and sub-practices with NIST 800-53 Rev. 5 controls to further aid healthcare organizations with implementation and compliance efforts.

Essential goals aim to assist healthcare organizations in implementing foundational safeguards that improve protections against cyberattacks. HHS has identified 10 essential goals, which include, in part, bolstering email security, implementing multifactor authentication and encryption across electronic systems, and identifying and mitigating cybersecurity risks associated with third‑party products and services.

Enhanced goals are designed to assist healthcare organizations with defending against cyberattacks from multiple attack vectors. HHS has identified 10 enhanced goals, which include, in part, cybersecurity testing, cybersecurity mitigation, network segmentation, and configuration management. Similar to the essential goals, HHS has linked the enhanced goals to 21 health industry cybersecurity practices and sub-practices.

The release of these HPH-focused CPGs follows the recent release of the HHS HPH Cybersecurity Gateway, a new online portal that allows healthcare industry stakeholders to track additional HHS guidance in the cybersecurity space.

Proskauer will continue to provide updates about HHS’s cybersecurity strategy for the healthcare sector, as additional guidance is expected in the near future.

Matthew J. Westbrook

Matt Westbrook is a senior counsel in the Corporate Department and a member of the Health Care Group. His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others. Matt specifically provides advice on fraud and abuse matters arising under the Federal False Claims Act (FCA), Civil Monetary Penalties Law, Federal Anti-Kickback Statute (AKS), and Physician Self-Referral Law (Stark Law), as well as on the regulations promulgated by the Drug Enforcement Administration (DEA) and the Department of Health and Human Services, including the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), and Food and Drug Administration (FDA).

Before joining the Firm, Matt served as senior counsel in OIG’s Administrative and Civil Remedies Branch. At OIG, Matt was responsible for determining whether to impose administrative sanctions, including civil money penalties and Federal health care program exclusions, against health care providers and suppliers, and whether to impose civil money penalties on hospitals and physicians in connection with matters referred to CMS under the Emergency Medical Treatment and Labor Act (EMTALA). During his tenure, Matt also litigated exclusion appeals before administrative law judges and appellate panels of the Departmental Appeals Board; advised United States Attorney’s Offices on exclusions appealed to Federal district courts; resolved voluntary self-disclosures submitted by providers and grant and contract recipients; and participated in the negotiations and settlements of FCA matters by the Department of Justice involving the AKS, Stark Law, CMS reimbursement issues, and DEA and FDA compliance issues. In connection with certain FCA resolutions, Matt also negotiated and monitored corporate integrity agreements.

On the Florida junior circuit and in college, Matt was a competitive tennis player. Matt played on the varsity team and was captain his senior year at Rhodes College, earning ITA Division III and SCAC All-Academic Honor Roll awards his sophomore, junior, and senior years. Matt is an active member of the American Health Law Association (AHLA) and currently serves as a Vice Chair of AHLA’s Fraud and Abuse Practice Group.

Articles:

Matthew J. Westbrook and David M. Blank, “Using OIG’s Cross-Component Audit and Enforcement Data to Strengthen Your Compliance Program,” Compliance Today (February 2024).

Ed Kornreich, Matthew Westbrook, and Angela Gichinga, “Bracing for the Impact of the No Surprises Act,” Westlaw Today (June 16, 2022).

Presentations:

Bill Mathias and Matt Westbrook, “‘Lightning Round’: A Fraud & Abuse Due Diligence Game Show,” American Health Law Association (Health Care Transactions Conference, May 5–6, 2025).

Matthew J. Westbrook and David M. Blank, “Recent Trends in CMPL Enforcement,” American Health Law Association (Webinar, May 24, 2023).

Michael Menconi

Michael Menconi is an associate in the Corporate Department and a member of the Health Care Group.