The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Mitigation Guide aimed at assisting healthcare and public health (HPH) organizations in understanding and addressing cyber threats and risks. This guide is a supplementary resource to a Cyber Risk Summary released earlier and is part of an ongoing effort to provide cybersecurity resources to the HPH sector.
The guide utilizes data from organizations participating in CISA's vulnerability and web application scanning programs, as well as information from the agency's Known Exploited Vulnerabilities (KEV) catalog and other sources. It also employs the MITRE ATT&CK framework to provide context to vulnerability trends. The guide further offers mitigation strategies aligned with CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) and additional advice and support for HPH organizations.
The guide opens with asset management and security, emphasizing the protection of health information and other data that HPH organizations handle and that cybercriminals often target. It then moves on to identity management and device security, offering advice on email security, phishing prevention, password management, access monitoring, and data protection practices. It also covers the identification and management of vulnerabilities and configurations.
HPH organizations are urged to create asset inventories to detect flaws, ensure timely patching of all servers and applications, and implement security configuration management to identify and rectify misconfigurations. The guide also recommends that manufacturers of HPH products adhere to secure-by-design principles, given the critical nature of health systems and functions connected to internet-facing systems.
The document concludes with guidance on vulnerability remediation, helping HPH organizations prioritize patching vulnerabilities based on their internal network architecture and risk posture. CISA highlights five vulnerabilities known to be exploited in attacks: CVE-2021-44228 (Log4Shell bug impacting Apache Log4j2), CVE-2019-11043 and CVE-2012-1823 (RCE flaws in PHP), CVE-2021-34473 (a Microsoft Exchange issue known as ProxyShell), and CVE-2017-12617 (RCE in Apache Tomcat).
The guide closes by stressing that a vulnerability an organization has assessed as a risk must be acted on: "As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk," CISA concludes.