CISA’s Healthcare Risk and Vulnerability Assessment Reveals Sector-Wide Improvement Areas

CISA urged the healthcare sector to use phishing-resistant MFA, implement network segmentation, and verify the implementation of appropriate hardening measures to mitigate cyber risk.

By Jill McKeon

The Cybersecurity and Infrastructure Security Agency (CISA) published a cybersecurity advisory based on key findings that the agency uncovered during a risk and vulnerability assessment (RVA) conducted at a healthcare organization in early 2023. The results of the RVA revealed improvement areas that CISA says can be applied to the entire sector, from asset management to identity and vulnerability management.

CISA conducted the RVA at the request of a large healthcare organization that was in the process of deploying on-premises software. The RVA consisted of a two-week penetration test of the entire organization, including one week of external testing and one week of internal network assessments.

“During the one-week external assessment, the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network,” CISA stated.

“Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.”

With the permission of the assessed organization, CISA issued the advisory to help other network defenders improve their cyber posture and reduce the impact of follow-on activity after initial access. The advisory consists of several suggested mitigations mapped to 16 specific cybersecurity weaknesses that the CISA assessments team identified during the RVA.

For example, to address poor credential hygiene, CISA’s advisory pointed to several mitigation tactics that healthcare organizations of all sizes can use, such as following National Institute of Standards and Technology (NIST) guidelines when creating password policies and using phishing-resistant multi-factor authentication (MFA).

In addition to the highly detailed explanations of common threats and vulnerabilities, CISA highlighted three mitigation strategies that all organizations should implement immediately: asset management and security, identity management and device security, and vulnerability, patch, and configuration management.

To harden internal environments further, CISA urged healthcare organizations to use phishing-resistant MFA, verify the implementation of appropriate hardening measures, and implement network segmentation controls.

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan.

“Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper.”

The advisory showcased CISA’s assessment capabilities while providing actionable tips for healthcare defenders to follow, building on CISA and HHS’ recently released Healthcare Cybersecurity Toolkit and CISA’s new vulnerability mitigation guide for the healthcare sector. The influx of new guidance will ideally help healthcare organizations better defend against emerging threats.