November 20, 2023 at 10:09AM
The US cybersecurity agency CISA has published a guidance document to help healthcare and public health organizations understand cyber threats and risks in their sector. The document incorporates vulnerability trends and provides recommendations on asset management, identity management, device security, patching, and vulnerability remediation. The agency emphasizes the need for mitigations to reduce cybersecurity risk in the healthcare sector.
The US cybersecurity agency, CISA, has recently published a new guide titled “Mitigation Guide: Healthcare and Public Health (HPH) Sector.” This guide aims to assist healthcare and public health organizations in understanding cyber threats and risks specific to their sector and implementing appropriate mitigations.
The guide incorporates data collected from organizations participating in CISA’s vulnerability scanning and web application scanning programs. It also includes information from other sources and utilizes the MITRE ATT&CK framework to provide context to vulnerability trends.
CISA’s recommendations in the guide align with its Cross-Sector Cybersecurity Performance Goals (CPGs) and cover various aspects of cybersecurity in the HPH sector. Key areas of focus include asset management and security, identity management and device security, email security and phishing prevention, passwords, access management and monitoring, data protection practices, vulnerability management, patching, and configuration management.
Furthermore, the guide emphasizes the importance of secure-by-design principles for manufacturers of HPH products, especially those connected to critical health systems and functions.
CISA also highlights five vulnerabilities that have been exploited in attacks, namely CVE-2021-44228 (Log4Shell bug), CVE-2019-11043 and CVE-2012-1823 (PHP flaws), CVE-2021-34473 (ProxyShell issue in Microsoft Exchange), and CVE-2017-12617 (Apache Tomcat flaw).
The guide concludes by urging HPH organizations to be vigilant in their vulnerability mitigation practices and to implement the recommendations outlined in the guide to significantly reduce their cybersecurity risk.
Related resources released by the US government include security guidance for open source software in operational technology (OT) and industrial control systems (ICS), guidance on hardening baseboard management controllers, and anti-phishing guidance.