CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations

New CISA guidance details cyber threats and risks to healthcare and public health organizations and recommends mitigations.

The US cybersecurity agency CISA has published new guidance to help healthcare and public health organizations understand the cyber threats and risks to their sector and apply mitigations.

Titled Mitigation Guide: Healthcare and Public Health (HPH) Sector (PDF), the document was released as a supplemental companion to a Cyber Risk Summary distributed in July, and comes roughly one month after CISA and HHS announced cybersecurity resources for the HPH sector.

Using data collected from the organizations enrolled in CISA’s vulnerability scanning and web application scanning programs, the new guide incorporates the agency’s Known Exploited Vulnerabilities (KEV) catalog, information from other sources, and the MITRE ATT&CK framework, to contextualize vulnerability trends.

It also recommends mitigations in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), and provides additional guidance and support for HPH organizations.

CISA’s recommendations start with asset management and security, a sensitive issue given the high value of protected health information (PHI) and other types of information that HPH organizations work with, and which represents an attractive target for threat actors.

Next, the guidance covers identity management and device security, providing recommendations on email security, phishing prevention, passwords, access management and monitoring, and data protection practices.

Vulnerabilities, patching, and managing configurations are also covered. Organizations are advised to create asset inventories to identify flaws, to ensure on-time patching of all servers and applications, and to implement security configuration management to identify and address misconfigurations.

The guidance also recommends that secure-by-design principles be adopted by the manufacturers of HPH products: “With internet-facing systems connected to critical health systems and functions, it is crucial that manufacturers of technology products used by HPH entities employ secure by design practices.”

Advertisement. Scroll to continue reading.

Finally, the document provides vulnerability remediation guidance, to help HPH organizations prioritize the patching of vulnerabilities based on their internal network architecture and risk posture.

CISA draws attention to five vulnerabilities known to be used in attacks, namely CVE-2021-44228 (the infamous Log4Shell bug impacting Apache Log4j2), CVE-2019-11043 and CVE-2012-1823 (RCE flaws in PHP), CVE-2021-34473 (a Microsoft Exchange issue known as ProxyShell), and CVE-2017-12617 (RCE in Apache Tomcat).

“As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk,” CISA concludes.

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: US Government Releases Anti-Phishing Guidance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Artificial Intelligence

Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.