In an era marked by persistent cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) has released a cyber attack Mitigation Guide specifically tailored for the Healthcare and Public Health (HPH) Sector.
This guide not only identifies vulnerabilities but also provides recommendations and best practices to preemptively counteract cyber threats, ensuring the integrity and security of critical healthcare infrastructure.
The guide leverages vulnerability data collected through CISA’s Cyber Hygiene Vulnerability Scanning and Web Application Scanning services.
By scrutinizing internet-accessible assets, the guide offers a nuanced understanding of vulnerability trends within the HPH Sector.
It incorporates data from various sources, including CISA’s KEV catalog, open-source information, commercial threat intelligence feeds, and the MITRE ATT&CK framework, to contextualize threats and risks.
Mitigation Strategy #1: Asset Management and Security:
Recognizing the high value of protected health information (PHI) and the critical nature of patient-focused services, the guide emphasizes the implementation of robust asset management policies.
It underscores the importance of maintaining an updated inventory of assets, encompassing hardware, software, and data.
Active and passive discovery techniques, coupled with network segmentation, are advocated to fortify cybersecurity defenses.
Mitigation Strategy #2: Identity Management and Device Security:
As the HPH Sector transitions more assets online, securing devices and managing digital identities becomes paramount.
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
The guide delves into email security, phishing prevention, access management, password policies, and data protection practices.
It highlights the necessity of multifactor authentication (MFA), unique user accounts, timely termination of access, and stringent password policies to mitigate risks effectively.
Mitigation Strategy #3: Vulnerability, Patch, and Configuration Management:
The guide underscores vulnerability management’s continuous and evolving nature, encompassing identification, assessment, prioritization, and remediation.
It advocates for regular vulnerability assessments, utilizing threat intelligence, and implementing robust patch management.
Configuration and change management are also emphasized to address misconfigurations and maintain secure baselines.
CISA recommends that manufacturers of Healthcare and Public Health (HPH) products undertake measures to imbue their creations with secure design principles.
Simultaneously, HPH entities are advised to prioritize the procurement of products adhering to security by design standards. Key recommendations include:
Development of Purchasing Criteria:
Integration of cybersecurity criteria into procurement processes via vendor Requests for Information (RFIs).
Emphasis on secure-by-design principles, such as adherence to CISA’s guidelines, publication of secure-by-design and memory safety roadmaps, provision of Software Bill of Materials (SBOM), implementation of a vulnerability disclosure policy, and alignment with NIST’s Secure Software Development Framework (SSDF) and CISA’s Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Practices (CPGs).
Implementation of Security Evaluations:
Establishment of policies necessitating security evaluations for all technology procurements.
Insistence on receiving a Manufacturer Disclosure Statement (MDS) to glean insights into crucial security aspects.
Strategic Partnerships:
Formation of strategic alliances with key IT suppliers, embedding secure by-design practices in formal contracts and agreements.
The expectation of transparency from technology suppliers, requiring service level agreements (SLAs) aligned with secure offerings and risk-informed disclosure of security vulnerabilities.
Collaboration with Industry Peers:
Cultivation of collaborative relationships with industry peers to discern products and services embodying security by design principles.
Cloud System Considerations:
Scrutiny of cloud providers’ security responsibilities, prioritizing those demonstrating transparency in their security posture.
In conclusion, the CISA Mitigation Guide serves as a comprehensive roadmap for fortifying cybersecurity in the HPH Sector.
By proactively addressing vulnerabilities, implementing sound asset and identity management practices, and embracing effective vulnerability and configuration management, healthcare entities can significantly enhance their cyber resilience.
As the healthcare landscape becomes increasingly digitized, a proactive approach to cybersecurity is not just a best practice but a crucial imperative to safeguard patient data and ensure the uninterrupted delivery of critical healthcare services.
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.