The US cybersecurity agency CISA has published new guidance to help healthcare and public health organizations understand the cyber threats and risks to their sector and apply mitigations.
Titled Mitigation Guide: Healthcare and Public Health (HPH) Sector (PDF), the document was released as a supplemental companion to a Cyber Risk Summary distributed in July, and comes roughly one month after CISA and HHS announced cybersecurity resources for the HPH sector.
Using data collected from the organizations enrolled in CISA’s vulnerability scanning and web application scanning programs, the new guide incorporates the agency’s Known Exploited Vulnerabilities (KEV) catalog, information from other sources, and the MITRE ATT&CK framework, to contextualize vulnerability trends.
It also recommends mitigations in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), and provides additional guidance and support for HPH organizations.
CISA’s recommendations start with asset management and security, a sensitive issue given the high value of protected health information (PHI) and other types of information that HPH organizations work with, and which represents an attractive target for threat actors.
Next, the guidance covers identity management and device security, providing recommendations on email security, phishing prevention, passwords, access management and monitoring, and data protection practices.
Vulnerabilities, patching, and managing configurations are also covered. Organizations are advised to create asset inventories to identify flaws, to ensure on-time patching of all servers and applications, and to implement security configuration management to identify and address misconfigurations.
The guidance also recommends that secure-by-design principles be adopted by the manufacturers of HPH products: “With internet-facing systems connected to critical health systems and functions, it is crucial that manufacturers of technology products used by HPH entities employ secure by design practices.”
Finally, the document provides vulnerability remediation guidance, to help HPH organizations prioritize the patching of vulnerabilities based on their internal network architecture and risk posture.
CISA draws attention to five vulnerabilities known to be used in attacks, namely CVE-2021-44228 (the infamous Log4Shell bug impacting Apache Log4j2), CVE-2019-11043 and CVE-2012-1823 (RCE flaws in PHP), CVE-2021-34473 (a Microsoft Exchange issue known as ProxyShell), and CVE-2017-12617 (RCE in Apache Tomcat).
“As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk,” CISA concludes.