The US cybersecurity agency CISA and the Department of Health and Human Services (HHS) on Wednesday released cybersecurity resources for healthcare and public health (HPH) organizations.
These entities rely heavily on digital technologies to store personal and medical information, perform medical procedures, and communicate with patients, which increases their attack surface, yet they often face challenges in finding the necessary resources to invest in cybersecurity.
The newly released cybersecurity healthcare toolkit is meant to help organizations at every level build their cybersecurity foundation and implement more advanced tools to improve their defenses.
The toolkit details cyber hygiene steps that both organizations and individuals should take, provides an overview of the threat landscape, documents cybersecurity best practices, and provides a cybersecurity framework implementation guide.
Furthermore, it provides organizations with risk assessment tools and information on recommended tools, such as vulnerability scanning services and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The toolkit also recommends resources to help organizations strengthen their security stance, prevent ransomware attacks, access free cybersecurity services and tools, and implement incident response plans.
For organizations constrained by resources, the toolkit recommends accessing the State and Local Cybersecurity Grant Program (SLCGP) as well as free and low-cost services for near-term improvements. It also details what organizations in the health sector should expect from technology providers.
“Because cybersecurity is one of many areas where the healthcare and public health sector is facing persistent challenges, CISA and HHS are providing this toolkit filled with remedies to give sector stakeholders a greater ability to proactively assess vulnerabilities and implement solutions,” CISA and HHS note.
The toolkit was released on the same day that CISA and HHS co-hosted a roundtable discussion on the cybersecurity challenges the health sector faces and on how collaboration between the government and the industry can help reduce risks.
“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary,” CISA deputy director Nitin Natarajan said.