CISA's Latest Guidance for Healthcare Organizations: Protecting Against Cyber Threats and Mitigating Vulnerabilities

CISA’s New Cybersecurity Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has released new cybersecurity guidance advising healthcare and public health organizations on how to strengthen their digital protection measures. By offering comprehensive, sector-specific guidance, the agency aims to safeguard increasingly digital healthcare services from cyber threats.

Supplement to July’s Cyber Risk Summary

As a supplement to the Cyber Risk Summary released in July, the guidance gives healthcare organizations an updated, succinct overview of recent cyber threats and vulnerabilities. The overview is curated to inform decision-makers and prompt timely responses to potential cyber risks.

Use of Data from Organizations in CISA’s Vulnerability Scanning Programs

The guidance utilizes data derived from healthcare organizations participating in CISA's vulnerability scanning programs. By monitoring these organizations' security postures, CISA ensures that the guidance stays relevant and effective in addressing the ever-evolving cybersecurity landscape.

Assistance with Contextualizing Vulnerability Trends

Helping healthcare organizations understand and navigate vulnerability trends is one of the main benefits of CISA's cybersecurity guidance. By providing trend contextualization, the agency empowers these organizations to better anticipate, prevent, and address potential cyber threats.

CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)

Additionally, CISA's cybersecurity guidance incorporates the Cross-Sector Cybersecurity Performance Goals (CPGs). These are designed to encourage adoption of best-practice strategies and capabilities across sectors, with the aim of improving security performance and strengthening resilience against cyber attacks.

Support for Healthcare and Public Health (HPH) Organizations

With a specific focus on Healthcare and Public Health organizations, the guidance offers a significant pillar of support to a sector that is increasingly becoming a target of cyber threats. By providing industry-specific cybersecurity advice, the guidance helps these organizations improve their digital defenses in a practical and effective way.

Areas of Focus in the Guidance

The new CISA guidance targets key areas within the healthcare and public health sector that could be vulnerable to cyber threats. It provides detailed recommendations and best practices that enable organizations to enhance their cybersecurity, appropriately manage digital assets, and address vulnerabilities in a timely and effective manner.

Asset Management and Security for Protected Health Information

With the healthcare sector handling sensitive and private health information daily, asset management and security are vital. The guidance provides robust strategies for protecting these valuable assets from unauthorized access and breaches, thus preserving patient confidentiality and trust.

Identity Management and Device Security Recommendations

Given the proliferation of digital devices in the healthcare industry, CISA's guidance offers practical recommendations for effective identity management and device security. These measures are crucial in mitigating the risk of unauthorized access and data breaches.

Recommendations on Email Security, Phishing Prevention, Passwords, Access Management and Monitoring, Data Protection Practices

Additional key elements of the guidance include recommendations on increasing email security, preventing phishing attempts, enhancing password protection, regulating access management and monitoring, and implementing optimal data protection practices. By focusing on these practical areas, organizations can reinforce their defense mechanisms and reduce the risk of cyber attacks.

Vulnerabilities, Patching, and Configuration Management

The guidance also proactively addresses potential vulnerabilities by suggesting timely patching and configuration management strategies. By ensuring that digital infrastructures are regularly updated and appropriately configured, healthcare organizations can stay ahead of evolving cyber threats.

Secure-by-design Principles for HPH Product Manufacturers

Finally, the guidance underlines the importance of secure-by-design principles for Healthcare and Public Health product manufacturers. By incorporating these principles, manufacturers can ensure that security is an integral part of product design, minimizing potential vulnerabilities from the outset.

Identification of Notable Vulnerabilities

The CISA cybersecurity guidance has identified several notable vulnerabilities frequently used in cyber attacks on healthcare and public health organizations. It highlights the necessity of continuous vigilance and proactive strategies in vulnerability mitigation practices.

Recognition of Five Vulnerabilities Used in Attacks

CISA has specifically pinpointed five major vulnerabilities that have been commonly exploited in cyber attacks against healthcare organizations. Recognizing these threats is an important first step in ensuring adequate protections are in place.

CVE-2021-44228, CVE-2019-11043, CVE-2012-1823, CVE-2021-34473, and CVE-2017-12617

The identified vulnerabilities include CVE-2021-44228, CVE-2019-11043, CVE-2012-1823, CVE-2021-34473, and CVE-2017-12617. These vulnerabilities, if not properly addressed, could potentially lead to significant breaches of security and data protection.

Importance of Vigilance in Vulnerability Mitigation Practices

The guidance strongly emphasizes the need for vigilance in vulnerability mitigation practices, as cyber threats continue to evolve rapidly. Regular monitoring, assessment, and upgrading of defense mechanisms are fundamental for maintaining a strong cybersecurity posture.

Relevance of Internal Network Architecture and Risk Posture in Prioritizing Patching of Vulnerabilities

The guidance also stresses the importance of considering internal network architecture and risk posture when prioritizing the patching of vulnerabilities. By doing so, organizations can ensure that resources are allocated to the most critical vulnerabilities first.
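One way to turn that prioritization advice into a repeatable process is to score each asset by where it sits in the network, whether it handles protected health information, and how many of the advisory-listed CVEs are still open on it. The script below is an added illustration, not CISA's method or a tool from the guidance: the five CVE identifiers are the ones the guidance names, while the asset inventory, zone weights, sensitivity multiplier and tier thresholds are constructed assumptions for this example.

```python
"""Risk-based patch prioritization over a constructed asset inventory.

Added example: asset names, zones and CVE exposures below are made up for
illustration. Only the five CVE identifiers come from the guidance itself.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# The five CVEs the guidance names as commonly exploited against HPH organizations.
ADVISORY_CVES = {
    "CVE-2021-44228",
    "CVE-2019-11043",
    "CVE-2012-1823",
    "CVE-2021-34473",
    "CVE-2017-12617",
}

# Exposure weights by network zone. These values are this example's assumption,
# not figures from the guidance; tune them to your own architecture.
ZONE_WEIGHT = {"internet": 3.0, "dmz": 2.0, "clinical": 1.5, "internal": 1.0}


@dataclass
class Asset:
    name: str
    zone: str                  # where the asset sits in the network architecture
    handles_phi: bool          # stores or processes protected health information
    open_cves: List[str] = field(default_factory=list)


def score(asset: Asset) -> float:
    """Higher score means patch sooner. Combines network exposure, data
    sensitivity and the number of advisory-listed CVEs still open."""
    advisory_hits = [c for c in asset.open_cves if c in ADVISORY_CVES]
    if not advisory_hits:
        return 0.0
    exposure = ZONE_WEIGHT.get(asset.zone, 1.0)      # unknown zones default to internal
    sensitivity = 2.0 if asset.handles_phi else 1.0  # PHI doubles the weight (assumption)
    return len(advisory_hits) * exposure * sensitivity


def tier(s: float) -> str:
    """Map a score to a remediation tier (thresholds are this example's assumption)."""
    if s >= 6.0:
        return "immediate"
    if s >= 3.0:
        return "this week"
    if s > 0:
        return "next cycle"
    return "no advisory exposure"


def prioritize(assets: List[Asset]) -> List[Tuple[str, float, str]]:
    """Return (name, score, tier) for every asset, highest score first.
    sorted() is stable, so equal scores keep inventory order."""
    ranked = sorted(assets, key=score, reverse=True)
    return [(a.name, score(a), tier(score(a))) for a in ranked]


# Constructed inventory for demonstration.
INVENTORY = [
    Asset("patient-portal", "internet", True, ["CVE-2021-44228"]),
    Asset("mail-gateway", "dmz", False, ["CVE-2021-34473"]),
    Asset("lab-webapp", "clinical", True, ["CVE-2019-11043", "CVE-2012-1823"]),
    Asset("intranet-wiki", "internal", False, ["CVE-2017-12617"]),
    # Placeholder identifier, not a real CVE: shows an asset with no advisory exposure.
    Asset("hvac-controller", "internal", False, ["CVE-0000-0000"]),
]

if __name__ == "__main__":
    for name, s, t in prioritize(INVENTORY):
        print(f"{name:16} score={s:4.1f}  {t}")
```

Running it ranks the internet-facing PHI system and the clinical web application with two open advisory CVEs ahead of the DMZ mail gateway and the internal wiki, which is the kind of architecture-aware ordering the guidance asks for; an asset with no advisory-listed CVE drops to the bottom rather than competing for the same patch window.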

CISA’s Final Conclusion

In its conclusion, CISA reiterates the importance of vulnerability mitigation for healthcare and public health organizations. Notably, it highlights the need to treat identified vulnerabilities as imminent risks that require immediate action.

Obligation for Organizations to Treat Identified Vulnerabilities as Risks

CISA underscores the obligation of organizations to treat identified vulnerabilities as serious risks, not simply potential threats. This proactive mindset can significantly improve an organization's ability to promptly detect, address, and prevent cyber threats.

Call for HPH Entities to Implement CISA’s Guidance to Reduce Cybersecurity Risk

In its final message, CISA calls upon all Healthcare and Public Health entities to utilize and implement its detailed cybersecurity guidance as part of a comprehensive strategy to reduce cybersecurity risk in an increasingly digital health sector.

Reactionary Times News Desk
