CISA Releases Health Sector Vulnerability Mitigation Guide
Agency Maps its Advice to Other Health Industry Cyber Best Practice Resources
A new guide from the Cybersecurity and Infrastructure Security Agency aims to help healthcare and public health sector entities get a tighter grip on the risks posed by the types of vulnerabilities that most often trouble the beleaguered industry.
CISA's new publication, The Mitigation Guide: Healthcare and Public Health, released on Thursday, maps previous CISA guidance materials - such as the Cross-Sector Cybersecurity Performance Goals guide for critical infrastructure sectors - to other healthcare-specific industry and government resources. These include the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients 2023 edition, a security best practices playbook co-developed and released earlier this year by the Health Sector Coordinating Council and the Department of Health and Human Services' 405(d) cybersecurity task group (see: Updated Best Practice Playbook for Healthcare Cyberthreats).
Guidance Details
In its new mitigation guide, CISA evaluates the most common vulnerabilities exposed in the healthcare and public health sector, providing "tailored recommendations and best practices" for organizations of all sizes, the Department of Homeland Security agency writes.
"Exposure of these vulnerabilities can result in detrimental cyber activity, such as ransomware, data breaches or denial-of-service. Each of these can compromise the availability, confidentiality and integrity of critical systems, functions and data," the guide says.
The top vulnerabilities CISA sees as posing significant risk to healthcare and public health sector entities include web application issues, encryption weaknesses, unsupported software and operating systems, known exploited vulnerabilities and vulnerable services, the agency said.
The mitigation strategies highlighted by CISA in the guide are designed to "improve organizational cybersecurity posture." Focus areas include asset management and security, identity management and device security, vulnerability and patch management, and configuration and change management.
"CISA recommends healthcare and public health entities follow the mitigation strategies and recommendations addressed in this guide to improve organizational cybersecurity posture," the guide says.
Healthcare and public health sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyberthreats, CISA said. "Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability."
Secure by Design
CISA's guidance also urges manufacturers of health technology and IT products to adopt a "secure by design" approach in their design and development efforts, and it recommends that healthcare delivery organizations give purchasing priority to vendors that do so.
"Historically, technology manufacturers and vendors have relied on one-off fixes for vulnerabilities after products have been deployed, requiring customers to apply patches at their own expense," the agency said.
CISA and its partners "aim to shift the balance for product development to secure-by-design, where the security of the customers is a core business requirement, not just a technical feature - and secure-by-default, for product security out of the box, with no configuration changes needed and security features available without additional cost," the guide says.
Resource Mapping
Greg Garcia is executive director of the HSCC cybersecurity working group, which collaborated with HHS' 405(d) cyber task group in developing the HICP 2023 guidance to which CISA maps its new vulnerability mitigation guide. He said the combined recommendations, if implemented, can help healthcare and public health sector entities substantially strengthen their security programs.
"We commend CISA for enhancing their consultations with us in the HSCC and with HHS over the past few months, as we have been working to consolidate a coherent package of recommendations for how healthcare providers and their supporting infrastructure can address evolving cybersecurity challenges impacting the health sector," Garcia told Information Security Media Group.
"CISA's mitigation guide appropriately references and maps to the HHS-HSCC joint HICP," he said. "It's important to recognize that HICP is applicable and scalable for all health subsectors, but we know the most vulnerable targets are healthcare providers large and small, rural and urban."
Garcia said smaller healthcare provider organizations are especially urged to implement the HICP practices, focusing on Volume 1. Volume 2 is geared to medium-sized and large organizations, he said.
"It may be just a matter of time before HICP - although voluntary - could be held up as a key reference by government and insurers for health sector accountability to fundamental cybersecurity practices that will measurably reduce vulnerabilities and increase preparedness and response capabilities," he said.
"Best to get ahead of that curve."