CISA publishes Mitigation Guide to assist HPH entities in reducing cybersecurity risks, preventing intrusions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published last week a Mitigation Guide that offers recommendations and best practices to combat pervasive cyber threats affecting the healthcare and public health (HPH) sector. By identifying the vulnerabilities present in their own environments, HPH organizations can proactively mitigate risks and prevent intrusions. Failing to address those vulnerabilities increases the chance that attackers will successfully employ malicious tactics, techniques, and procedures (TTPs) against HPH organizations.

The vulnerability mitigation guidance maps CISA’s cross-sector cybersecurity performance goals (CPGs) to Health and Human Services (HHS) and the Health Sector Coordinating Council’s (HSCC) joint publication: 405(d) ‘Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,’ which is detailed in the CPG HICP Crosswalk guide. 

The Mitigation Guide laid down three mitigation strategies that the HPH sector can adopt. These include asset management and security, identity management and device security, and vulnerability, patch, and configuration management. It evaluates common vulnerabilities exposed in the HPH sector and provides tailored recommendations and best practices for HPH organizations of all sizes. 

In addition to the CPGs, HICPs, and the HPH sector cybersecurity framework implementation guide, CISA recommends that manufacturers of HPH technology products take actions in line with CISA's secure-by-design and secure-by-default principles and approaches to reduce the burden of cybersecurity on their customers.

The HPH Cyber Risk Summary and Mitigation Guide evaluates and analyzes vulnerability data from internet-accessible assets of HPH sector entities enrolled in CISA’s Cyber Hygiene (CyHy) Vulnerability Scanning (VS) and Web Application Scanning (WAS) services. 

“To contextualize vulnerability trends and to help HPH entities further understand the threats and risks to their sector, this guide incorporates CISA’s KEV catalog, open-source information, commercial threat intelligence feeds, and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework,” the CISA Mitigation Guide detailed. “Additionally, this guide provides recommended mitigation guidance with baseline mitigations mapped to CISA’s CPGs. Using similar sourcing, this guide provides additional guidance and support to HPH entities by leveraging and expanding on data presented by the Cyber Risk Summary for the HPH Sector.”

Due to the high value of protected health information (PHI) and the criticality of patient-focused services, hackers continuously look for new ways to exploit vulnerabilities within the HPH sector. Organizations that have not implemented or maintained an asset management policy risk exposing vulnerabilities or services that could be exploited by hackers to gain unauthorized access, steal sensitive data, disrupt critical services, or deploy ransomware, causing significant harm to patients and the organization’s reputation. 

As an initial and priority mitigation strategy, CISA recommends implementing and maintaining an inventory of assets for your environment. Knowing which assets are on the organization’s network is fundamental to cybersecurity: ‘You can’t secure what you can’t see.’ 

“Cybersecurity professionals within the HPH sector should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to make sure every organization protects electronic PHI (ePHI) and enables Health Insurance Portability and Accountability Act (HIPAA) compliance,” according to CISA’s Mitigation Guide. “Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.”

Additionally, CISA recommends tasking designated personnel within your organization with maintaining the inventory by updating, tracking, and adding or removing assets—especially during procurement or decommissioning stages. The agency also encourages HPH entities to codify the procurement and decommission of assets and technology into a standard operating procedure (SOP), assigning roles and responsibilities for each function. 
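The reconciliation step the preceding paragraphs describe (an inventory that designated personnel keep current, checked against what active or passive discovery actually sees) can be automated. The script below is an added illustration, not code from CISA's guide: the declared inventory and the dnsmasq-style DHCP lease lines are constructed sample data, and the field layout of the inventory is an assumption. It reports the discrepancies an asset owner would have to act on: devices on the wire that nobody declared, decommissioned devices still leasing addresses, stale IP records, active assets that discovery cannot see, and records with no owner.

```python
"""Reconcile a declared asset inventory against what discovery actually sees.

Added illustration, not code from CISA's guide. The inventory and the DHCP lease
lines are constructed sample data; the lease format mimics dnsmasq's leases file
(expiry, MAC, IP, hostname, client-id). In practice the discovery side would be
fed from your DHCP/NAC exports (passive) or a scanner export (active)."""
from dataclasses import dataclass
import re


@dataclass
class Asset:
    ip: str
    mac: str
    hostname: str
    owner: str      # designated person or team responsible for the asset
    segment: str    # network segment it belongs in ("it", "ot", "medical", ...)
    status: str     # "active" or "decommissioned"


# Constructed declared inventory (what the SOP says should be on the network).
INVENTORY = [
    Asset("10.10.1.20", "00:11:22:33:44:01", "ehr-app01", "it-ops", "it", "active"),
    Asset("10.10.1.21", "00:11:22:33:44:02", "ehr-db01", "", "it", "active"),
    Asset("10.30.5.10", "00:11:22:33:44:10", "infusion-pump-07", "biomed", "medical", "active"),
    Asset("10.10.1.99", "00:11:22:33:44:99", "old-fax-gw", "", "it", "decommissioned"),
]

# Constructed passive-discovery input: dnsmasq-style lease lines.
DHCP_LEASES = """\
1700000000 00:11:22:33:44:01 10.10.1.25 ehr-app01 *
1700000000 00:11:22:33:44:10 10.30.5.10 infusion-pump-07 *
1700000000 aa:bb:cc:dd:ee:ff 10.30.5.44 * *
1700000000 00:11:22:33:44:99 10.10.1.99 old-fax-gw *
"""

LEASE_RE = re.compile(r"^\d+\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)")


def parse_leases(text):
    """Return {mac: (ip, hostname)} from lease lines; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if m:
            mac, ip, host = m.groups()
            seen[mac] = (ip, host)
    return seen


def reconcile(inventory, discovered):
    """Compare inventory with discovery and return the discrepancies a designated
    owner would have to act on (unknown devices, zombies, drift, gaps in ownership)."""
    findings = {
        "unknown": [],                    # on the wire, not in the inventory
        "decommissioned_still_live": [],  # SOP says retired, still leasing an address
        "moved_ip": [],                   # inventory record is stale
        "missing": [],                    # active in inventory, not seen by discovery
        "no_owner": [],                   # nobody assigned to maintain the record
    }
    by_mac = {a.mac.lower(): a for a in inventory}
    for mac, (ip, host) in discovered.items():
        asset = by_mac.get(mac)
        if asset is None:
            findings["unknown"].append((mac, ip, host))
        elif asset.status == "decommissioned":
            findings["decommissioned_still_live"].append(asset.hostname)
        elif asset.ip != ip:
            findings["moved_ip"].append((asset.hostname, asset.ip, ip))
    for asset in inventory:
        if asset.status != "active":
            continue
        if asset.mac.lower() not in discovered:
            findings["missing"].append(asset.hostname)
        if not asset.owner:
            findings["no_owner"].append(asset.hostname)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, parse_leases(DHCP_LEASES)).items():
        print(f"{kind}: {items}")
```

Matching on MAC rather than IP is deliberate: addresses move, and an IP-keyed comparison would report the relocated server as both missing and unknown instead of as a stale record.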

Upon the creation of the asset inventory, CISA recommends implementing network segmentation to isolate IT and OT devices into different segments. Network segmentation divides a network into smaller parts, enabling control over cross-segment network communication. An important component of network security is controlling which assets can access OT networks, which assets can access the internet from an internal network, and which assets should be siloed into their own compartment.
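Whether the segmentation policy holds in practice is something you can check against flow data rather than take on trust. The check below is an added example, not CISA's code and not tied to any firewall product; the segment ranges, the allowed-flow matrix (including the ports it permits) and the flow records are all constructed assumptions. It maps each observed flow to source and destination segments and reports every cross-segment flow the allow-list does not permit, which is exactly the "who may reach OT, who may reach the internet" question the paragraph above raises.

```python
"""Check observed cross-segment traffic against a segmentation allow-list.

Added illustration, not from CISA's guide and not tied to any firewall product.
Segment ranges, the allowed-flow matrix and the flow records are all constructed;
the same check can be run over real NetFlow/IPFIX or firewall log exports."""
import ipaddress

# Constructed segment map. Anything outside these ranges is treated as "internet".
SEGMENTS = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.20.0.0/16"),       # building automation, HVAC, etc.
    "medical": ipaddress.ip_network("10.30.0.0/16"),  # network-connected medical devices
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

# Allowed (source segment, destination segment, destination port).
# Traffic inside a segment is allowed; every other cross-segment flow is a violation.
# Ports are illustrative assumptions about what an integration might need.
ALLOWED = {
    ("it", "medical", 443),      # device management console from IT
    ("medical", "it", 2575),     # HL7 results back to an integration server
    ("it", "internet", 443),
    ("it", "internet", 53),
    ("guest", "internet", 443),
    ("guest", "internet", 80),
}


def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def check_flows(flows):
    """flows: 'src,dst,dport' records. Returns (record, src_segment, dst_segment)
    for every flow the allow-list does not permit."""
    violations = []
    for rec in flows:
        src, dst, port = rec.split(",")
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue
        if (s, d, int(port)) not in ALLOWED:
            violations.append((rec, s, d))
    return violations


# Constructed flow records (TEST-NET addresses stand in for internet hosts).
FLOWS = [
    "10.10.1.20,10.30.2.5,443",        # IT -> medical on 443: permitted
    "192.168.50.7,10.20.4.2,502",      # guest Wi-Fi -> OT Modbus: violation
    "10.30.2.5,203.0.113.53,53",       # medical device talking to the internet: violation
    "10.20.4.2,10.20.4.9,502",         # OT -> OT: intra-segment, not checked
    "10.10.1.21,203.0.113.5,443",      # IT -> internet HTTPS: permitted
]

if __name__ == "__main__":
    for rec, s, d in check_flows(FLOWS):
        print(f"VIOLATION {s} -> {d}: {rec}")
```

The allow-list is deny-by-default: a flow is permitted only if its (source segment, destination segment, port) triple is listed, so a new device that starts talking across a boundary shows up as a violation until someone consciously adds the rule.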

As the HPH sector continues to transition more of its assets and systems online, CISA recommends entities secure their devices and digital accounts and manage their online access to protect sensitive data and PHI from compromise, the Mitigation Guide outlined. “Several key areas discussed in this section include email security and phishing prevention, access management and monitoring, password policies, and data protection practices.”

With the continued threat of phishing emails and business email compromise (BEC) attacks, it is essential for organizations to properly configure and secure their email systems, the document said. “Additionally, to remain in compliance, organizations must apply the appropriate email safeguards to meet the HIPAA Security Rule requirements, which protect ePHI. Organizations should ensure modern anti-malware software is installed and signatures are automatically updated where possible,” it added. 

It also suggested that organizations should establish and maintain a cybersecurity training program for the workforce covering basic cybersecurity concepts, such as phishing awareness, business email compromise, basic operational security, and password security. At a minimum, the training should occur annually, and new employees should receive initial cybersecurity training within the first 10 days of onboarding. 

CISA’s Mitigation Guide also addressed the creation of strong and unique credentials and passwords, which are vital to account and device security. Hackers have leveraged weak and shared credentials to gain initial network access and carry out various attacks. Organizations should change all default passwords before placing any hardware, software, or firmware on their network, and immediately change any vendor-supplied default passwords they find already in use. To make passwords harder for threat actors to guess or crack, organizations should require a minimum password length of 15 or more characters where technically feasible.

For data protection and loss prevention, organizations should ensure proper storage and access management for all sensitive information, including credentials, and maintain strong and updated encryption protocols and algorithms. “To protect devices and prevent threat actors from moving laterally through your organization’s network, consider implementing an endpoint detection and response (EDR) solution. An EDR is an endpoint security solution that continuously monitors end-user devices to detect suspicious behavior, provide contextual information, and respond with remediation suggestions. When selecting an EDR solution, ensure it incorporates user and entity behavior analytics (UEBA) and closely monitor access logs to detect deviations outside of normal behavior,” the Mitigation Guide added.
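The "deviations outside of normal behavior" the guide asks you to watch for in access logs can be illustrated with a small baseline-and-compare detector. The code below is an added example of that idea, not CISA's code and not a description of how any particular EDR or UEBA product works. The log lines are constructed in a simple key=value format, and the baseline window and failure threshold are assumptions. It learns each account's usual source addresses and login hours from the first week, then flags later successful logins from an unseen source or at an unseen hour, and successes that follow a run of failures.

```python
"""Flag authentication events that deviate from each account's baseline.

Added illustration of the kind of deviation check described above; it is not
CISA's code and not how any particular EDR/UEBA product works. The log lines
are constructed in a simple key=value format; a baseline is learned from the
first week and later events are compared against it."""
from collections import defaultdict
from datetime import datetime
import re

LOG_RE = re.compile(r"^(\S+ \S+) user=(\S+) src=(\S+) result=(success|failure)$")

# Constructed sample log. Days 2-5 establish normal behaviour; days 8-9 are evaluated.
LOG_LINES = """\
2024-01-02 07:05:11 user=nurse.jlee src=10.10.2.15 result=success
2024-01-03 08:41:02 user=nurse.jlee src=10.10.2.15 result=success
2024-01-04 07:12:45 user=nurse.jlee src=10.10.2.16 result=success
2024-01-02 02:00:03 user=svc_backup src=10.10.1.50 result=success
2024-01-05 02:00:04 user=svc_backup src=10.10.1.50 result=success
2024-01-03 08:30:00 user=dr.ahmed src=10.10.2.30 result=success
2024-01-08 08:30:17 user=dr.ahmed src=10.10.2.30 result=success
2024-01-08 03:12:40 user=nurse.jlee src=203.0.113.77 result=success
2024-01-09 01:58:01 user=svc_backup src=10.10.1.50 result=failure
2024-01-09 01:58:02 user=svc_backup src=10.10.1.50 result=failure
2024-01-09 01:58:03 user=svc_backup src=10.10.1.50 result=failure
2024-01-09 01:58:04 user=svc_backup src=10.10.1.50 result=failure
2024-01-09 01:58:05 user=svc_backup src=10.10.1.50 result=failure
2024-01-09 02:00:09 user=svc_backup src=10.10.1.50 result=success
""".splitlines()

BASELINE_END = datetime(2024, 1, 8)   # events before this train the baseline (assumed window)


def parse(lines):
    """Return (timestamp, user, src, result) tuples; lines that don't match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, src, result))
    return events


def build_baseline(events, until):
    """Per user: source addresses and hours of day seen in successful logins before `until`."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ts, user, src, result in events:
        if ts < until and result == "success":
            base[user]["srcs"].add(src)
            base[user]["hours"].add(ts.hour)
    return base


def detect(events, baseline, since, fail_threshold=5):
    """Alert on successful logins from an unseen source or at an unseen hour, and on
    a success preceded by `fail_threshold` or more failures (guessing or spraying)."""
    alerts = []
    failures = defaultdict(int)
    for ts, user, src, result in events:
        if ts < since:
            continue
        if result == "failure":
            failures[user] += 1
            continue
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if src not in profile["srcs"]:
                reasons.append(f"new source {src}")
            if ts.hour not in profile["hours"]:
                reasons.append(f"unusual hour {ts.hour:02d}")
        if failures[user] >= fail_threshold:
            reasons.append(f"success after {failures[user]} failures")
        failures[user] = 0
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


def run_demo():
    """Train on the sample log's first week and evaluate the rest."""
    events = parse(LOG_LINES)
    return detect(events, build_baseline(events, BASELINE_END), BASELINE_END)


if __name__ == "__main__":
    for when, user, reasons in run_demo():
        print(f"{when} {user}: {'; '.join(reasons)}")
```

Note that the service account's 02:00 login is not flagged on its own, because 02:00 is normal for it; it is the five failures immediately before the success that make it worth a look. A baseline keyed only on "office hours" would have alerted on every nightly backup and missed the point.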

The document also addressed vulnerability management as an ongoing process of identifying, assessing, reporting on, managing, and remediating cyber vulnerabilities in software and systems. The process involves proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit. 

Although the two terms are often used interchangeably, patch management is one component of vulnerability management rather than a synonym for it. Patch management involves applying updates to servers, applications, and software to address security flaws. Vulnerability and patch management are key components in planning for and determining the appropriate implementation of controls and the management of risk.
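Scanning produces far more findings than a small HPH entity can patch at once, and the guide's own contextualisation of vulnerability trends with the KEV catalog (quoted earlier) points at the practical answer: rank exploited-in-the-wild flaws on exposed, ePHI-handling systems ahead of high-CVSS findings nobody is exploiting. The script below is an added example of that triage, not CISA's code. The KEV extract is a constructed two-entry sample that only borrows the field names of the public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the CVE numbers are fictitious placeholders, not claims about any real product, and the scan findings and scoring weights are assumptions for the example.

```python
"""Triage scan findings with CISA's KEV catalog before raw CVSS.

Added illustration, not CISA's code. The KEV extract below is a constructed
two-entry sample using the field names of the public KEV JSON feed (cveID,
dateAdded, dueDate, knownRansomwareCampaignUse); the CVE numbers are
fictitious placeholders, not claims about real products. The scan findings
and the scoring weights are likewise assumptions for the example."""
import json
from datetime import date

KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2099-0001", "dateAdded": "2023-10-01", "dueDate": "2023-10-22",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2099-0002", "dateAdded": "2023-11-05", "dueDate": "2023-11-26",
   "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner output joined with asset context from the inventory.
FINDINGS = [
    {"host": "ehr-web01", "cve": "CVE-2099-0001", "cvss": 7.5, "internet_facing": True,  "ephi": True},
    {"host": "kiosk-03",  "cve": "CVE-2099-0003", "cvss": 9.8, "internet_facing": False, "ephi": False},
    {"host": "pacs-gw",   "cve": "CVE-2099-0002", "cvss": 6.5, "internet_facing": True,  "ephi": True},
    {"host": "hr-app",    "cve": "CVE-2099-0004", "cvss": 5.3, "internet_facing": True,  "ephi": False},
]


def load_kev(text):
    """Index a KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def priority(finding, kev):
    """Illustrative weighting: exploited-in-the-wild dominates, then exposure
    and ePHI impact, with CVSS only as a tie-breaker within those bands."""
    score = 0.0
    entry = kev.get(finding["cve"])
    if entry is not None:
        score += 100
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 20
    if finding["internet_facing"]:
        score += 10
    if finding["ephi"]:
        score += 10
    return score + finding["cvss"]


def triage(findings, kev, today_iso):
    """Return findings ordered by priority, with KEV due date and overdue flag."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = entry["dueDate"] if entry else None
        rows.append({
            "host": f["host"], "cve": f["cve"], "score": priority(f, kev),
            "kev": entry is not None, "due": due,
            "overdue": due is not None and date.fromisoformat(due) < today,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_JSON), "2023-11-20"):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["kev"] else "")
        print(f"{r['score']:6.1f} {r['host']:10} {r['cve']} {flag}")
```

With these weights the internal kiosk's 9.8 finding drops to the bottom of the list while the two KEV entries on internet-facing, ePHI-handling hosts come first, one of them already past its KEV due date. The point is the ordering logic, not the particular numbers: tune the weights to your environment, but keep known exploitation above theoretical severity.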

Alongside established vulnerability and patch management solutions, HPH entities should implement security configuration management (SecCM) to identify and address misconfigurations in default system settings, according to CISA’s Mitigation Guide. This process involves identifying, controlling, accounting for, and auditing changes made to pre-established baselines, to move beyond the original design of a system, to a hardened, operationally sound version.

With internet-connected systems linked to vital health systems, it is essential that manufacturers of the technology HPH entities rely on prioritize secure-by-design practices. CISA, in collaboration with 17 U.S. and international partners, updated its ‘Secure by Design’ joint guide in October to include expanded principles and guidance for technology providers to increase the safety of their products. Manufacturers must also enhance their design and development processes to create products with built-in security and secure default configurations.

In its Mitigation Guide, CISA recommends that manufacturers of HPH products take steps to build their products in a secure-by-design manner and that HPH entities prioritize the importance of purchasing secure-by-design products. 

To do this, organizations should develop purchasing criteria that emphasize secure-by-design practices, establish policies and procedures requiring that technology procurements, including medical devices, undergo security evaluations, and forge strategic partnerships with key IT suppliers. They must also collaborate with industry peers and, when leveraging cloud systems, ensure they understand the supplier’s security responsibilities.

In its conclusion, the CISA Mitigation Guide supports HPH entities by formulating recommendations based on pertinent malicious TTPs and vulnerability exposure data. As highlighted, HPH sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability. 

CISA recommends that HPH entities implement this guidance to reduce their cybersecurity risk. The agency also encourages HPH entities to use the threat intelligence information to address and remediate their vulnerability exposure. They must also work on protecting their organizations from potential ransomware attacks, data breaches, loss or theft of equipment or data, and attacks against network-connected medical devices.
