Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations

New CISA guidance details cyber threats and risks to healthcare and public health organizations and recommends mitigations.

The US cybersecurity agency CISA has published new guidance to help healthcare and public health organizations understand the cyber threats and risks to their sector and apply mitigations.

Titled Mitigation Guide: Healthcare and Public Health (HPH) Sector (PDF), the document was released as a supplemental companion to a Cyber Risk Summary distributed in July, and comes roughly one month after CISA and HHS announced cybersecurity resources for the HPH sector.

Using data collected from the organizations enrolled in CISA’s vulnerability scanning and web application scanning programs, the new guide incorporates the agency’s Known Exploited Vulnerabilities (KEV) catalog, information from other sources, and the MITRE ATT&CK framework, to contextualize vulnerability trends.

It also recommends mitigations in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), and provides additional guidance and support for HPH organizations.

CISA’s recommendations start with asset management and security, a sensitive issue given the high value of protected health information (PHI) and other types of information that HPH organizations work with, and which represents an attractive target for threat actors.

Next, the guidance covers identity management and device security, providing recommendations on email security, phishing prevention, passwords, access management and monitoring, and data protection practices.

Vulnerabilities, patching, and managing configurations are also covered. Organizations are advised to create asset inventories to identify flaws, to ensure on-time patching of all servers and applications, and to implement security configuration management to identify and address misconfigurations.

The guidance also recommends that secure-by-design principles be adopted by the manufacturers of HPH products: “With internet-facing systems connected to critical health systems and functions, it is crucial that manufacturers of technology products used by HPH entities employ secure by design practices.”

Advertisement. Scroll to continue reading.

Finally, the document provides vulnerability remediation guidance, to help HPH organizations prioritize the patching of vulnerabilities based on their internal network architecture and risk posture.

CISA draws attention to five vulnerabilities known to be used in attacks, namely CVE-2021-44228 (the infamous Log4Shell bug impacting Apache Log4j2), CVE-2019-11043 and CVE-2012-1823 (RCE flaws in PHP), CVE-2021-34473 (a Microsoft Exchange issue known as ProxyShell), and CVE-2017-12617 (RCE in Apache Tomcat).

“As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk,” CISA concludes.

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: US Government Releases Anti-Phishing Guidance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.