CISA Releases Healthcare Cybersecurity Vulnerability Mitigation Guide

November 22, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity vulnerability mitigation guide for the healthcare sector, stressing the importance of remediating known vulnerabilities and reducing risk across the sector.

CISA identified web application vulnerabilities, encryption weaknesses, and unsupported software as the top vulnerabilities exposed by the healthcare sector in 2022.

“Exposure of these vulnerabilities can result in detrimental cyber activity, such as ransomware, data breaches, or denial-of-service. Each of these can compromise the availability, confidentiality, and integrity of criticial HPH systems, functions, and data,” the guide stated.

To combat these risks, CISA released this guide to tailor recommendations and best practices specifically to the top vulnerabilities, aligning them to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and the Health Sector Coordinating Council's (HSCC) 405(d) Health Industry Cybersecurity Practices (HICP) joint publication.

For example, the guide’s first mitigation strategy centered around asset management and security, in an attempt to address threats such as outdated and unsupported software, loss or theft of data, and ransomware attacks.

“Due to the high value of protected health information (PHI) and the criticality of patient-focused services, threat actors continuously look for new ways to exploit vulnerabilities within the HPH Sector,” CISA stated.

“Organizations that have not implemented or maintained an asset management policy risk exposing vulnerabilities or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, disrupt critical services, or deploy ransomware, causing significant harm to patients and the organization’s reputation.”

In this section, CISA recommended that healthcare organizations focus on maintaining an asset inventory and implementing network segmentation to isolate IT and OT devices. The guide provided a detailed roadmap for implementing an asset inventory and pointed to specific vulnerable services to address.

Other focus areas in the guidance included identity management and device security, phishing prevention, and access management safeguards. CISA also emphasized the importance of vulnerability, patch, and configuration management.

Specific recommended actions included changing default passwords, implementing multifactor authentication (MFA), and maintaining strong encryption protocols.

In addition, CISA highlighted the idea of “secure by design” and recommended that manufacturers of healthcare products take steps to design these products with security at the forefront.

Organizations can leverage this guide to strengthen their security programs and mitigate risk via tried-and-true methods.