CISA Publishes Mitigation Guide for the Healthcare and Public Health Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new mitigation guide for the Healthcare and Public Health (HPH) Sector for combating pervasive cyber threats affecting the sector. The guidance is a supplemental companion to the HPH Cyber Risk Summary, published by CISA on July 19, 2023, and maps CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) to the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients guidance that was jointly published by the Department of Health and Human Services (HHS) and the Health Sector Coordinating Council (HSCC).

CISA has identified vulnerabilities and insecure configurations across the HPH sector that present opportunities for mitigating risks before they can be exploited by threat actors. The top vulnerabilities in the HPH sector are web application vulnerabilities, encryption weaknesses, unsupported software and Windows operating systems, known exploited vulnerabilities, and vulnerable services. These vulnerabilities are commonly exploited in phishing, ransomware, and denial-of-service attacks, and often lead to data breaches. The 25-page guidance document outlines three mitigation strategies for improving defenses against the most common attack vectors and includes recommendations and cybersecurity best practices for asset management and security, identity management and device security, and vulnerability, patch, and configuration management.

Knowing what assets are on the organization’s network is fundamental to cybersecurity. All assets must be known, as well as their relationships and interdependencies, the function of each asset, what each exposes, and the software/firmware that each is running. Organizations that have not implemented and maintained a complete inventory of all assets risk exposing vulnerabilities and services that can be exploited by threat actors. Once the asset inventory has been created, healthcare organizations can focus on securing all assets, segmenting networks to limit the potential for lateral movement, and using demilitarized zones (DMZs) and firewalls to shield assets from unauthorized access. The guidance includes recommendations for network segmentation, securing vulnerable and exploitable services, and asset security mitigations.

As the HPH sector continues to transition from on-premises to online systems, it is vital that devices and digital accounts are properly secured through effective identity management and device security controls. The guidance suggests several focus areas, including email security and phishing prevention, access management, password policies, data protection and data loss prevention strategies, and logging and monitoring for unauthorized access.

Vulnerabilities and weak configurations are commonly exploited by cyber actors to gain initial access to internal systems and data. CISA stresses the importance of proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit, and engaging in a continuous process of identifying vulnerabilities, assessing and prioritizing threats, mitigating vulnerabilities, verifying vulnerabilities have been addressed, and improving defenses. In addition to vulnerability management, HPH entities should implement security configuration management (SecCM) to identify and address misconfigurations in default system settings.

In addition to the recommendations for healthcare organizations, CISA has urged technology manufacturers to employ secure-by-design principles, to ensure their products have the necessary security measures built in for the entire product lifecycle, and to ensure that their default configurations are secure.

The post CISA Publishes Mitigation Guide for the Healthcare and Public Health Sector appeared first on HIPAA Journal.