The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a healthcare cybersecurity mitigation guide that outlines defensive mitigation strategies for combatting healthcare-specific cyber threats. The guidance document – The Mitigation Guide: Healthcare and Public Health (HPH) Sector – serves as a companion to previously issued guidance – The HPH Cyber Risk Summary – which was published by CISA in July 2023.
Through its own efforts and those of its partner organizations, CISA has identified several common vulnerabilities and misconfigurations that are often exploited by malicious actors to gain initial access to healthcare networks. Focusing on addressing these vulnerabilities allows HPH sector organizations to improve their security postures by reducing risks before intrusions occur.
To manage and reduce vulnerabilities, HPH sector organizations need a complete inventory of all of their assets, the importance of which is stressed in CISA’s first mitigation strategy – Asset Management and Security. “As an initial and priority mitigation strategy, CISA recommends implementing and maintaining an inventory of assets for your environment. Knowing which assets are on your organization’s network is fundamental to cybersecurity: ‘you can’t secure what you can’t see.’” The asset inventory must be maintained, with assets added and removed as part of procurement and decommissioning processes. Once assets have been identified, they can then be secured. CISA makes several recommendations and suggests asset management and security best practices in the healthcare cybersecurity mitigation guide.
The second mitigation strategy covers Identity Management and Device Security. This mitigation strategy makes recommendations and suggests cybersecurity best practices for email security and phishing prevention, access management and monitoring, password policies, and data protection practices to improve defenses against the most common initial access vectors.
The third mitigation strategy concerns vulnerability, patch, and configuration management. Vulnerability, patch, and configuration management is a continuous cycle across 5 functional areas: identify, assess & prioritize, act, verify, and improve. These processes depend on having a complete and up-to-date asset inventory and conducting vulnerability scans of all assets. It is also important to ensure security configuration management processes are in place to identify misconfigurations in default system settings.
CISA also highlights the importance of manufacturers of technology products shifting to a more secure future by ensuring that their products are developed according to secure-by-design principles. Cybersecurity must be incorporated at the design stage of products, and protections and processes must be implemented that cover the entire life cycle of the products. Products should only be brought to market if they are secure by default, straight out of the box, with no configuration changes or additional purchases required to make them secure.