CISA Releases Healthcare Mitigation Guide

Healthcare continues to be under attack from cyber threats. According to the Institute for Security and Technology, at least 299 hospitals have suffered ransomware attacks in 2023. These ransomware attacks have a ripple effect throughout the healthcare infrastructure and can have a potentially fatal impact on patient care. Sadly, most healthcare institutions remain under-protected and exposed to even simple attacks. To help mitigate the risk, the Cybersecurity and Infrastructure Security Agency (CISA) released its Healthcare Mitigation Guide.

This latest guidance from CISA comes as the healthcare industry continues to deal with a disturbing trend of cyber-attacks. Below are just some of the incidents that have made headlines in recent weeks:

• Proliance, a Seattle-based surgical group, notified more than 400,000 people that their personal information, including social security numbers, financial account numbers, and treatment history, may have been compromised after a ransomware attack. The company is already facing a class action lawsuit.
• Ardent Health Services was hit with a ransomware attack that impacted 30 hospitals and over 200 outpatient locations over 6 states. Ardent had to close emergency rooms, divert patients, and cancel appointments and procedures. Over a week after the attack, Ardent had still not been able to fully restore their Information System services.
• Medical transcription firm Perry Johnson and Associates was the victim of a cyber attack that compromised the personal information of nearly 9 million people. The company is already facing multiple class action lawsuits.

The costs of a ransomware attack go far beyond the average ransom payment of $1 million. The 2023 Sophos report “The State of Ransomware in Health 2023” noted that the average recovery cost was an additional $1.82 million.

CISA has offered recommendations and best practices to defend against cyber threats affecting the Healthcare and Public Health (HPH) Sector. CISA identified the following common vulnerabilities that increase the likelihood of threat actors targeting an organization:

• Web application vulnerabilities
• Encryption weaknesses
• Unsupported software
• Unsupported Windows operating systems
• Known exploited vulnerabilities
• Vulnerable services

The Healthcare Mitigation Guide maps CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) to Health and Human Services (HHS) and the Health Sector Coordinating Council’s (HSCC) joint publication: Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients which is detailed in the CPG HICP Crosswalk guide.

The guidance recommends healthcare organizations utilize the following strategies to better protect their data.

Asset Management and Security

CISA emphasizes knowing which assets are on the organization’s network is fundamental to cybersecurity. Methods for completing asset inventory include:

• Active scans, which can be done using network monitoring tools with automated discovery functionality that scan the network with a variety of different packet types to identify all assets connected.
• Passive discovery techniques, including reviewing logs from switches, routers, active directories, and elsewhere to identify network assets.

After completing the asset inventory, CISA recommends implementing network segmentation to isolate IT and operational technology (OT) devices into different segments. Dividing a network into smaller parts enables control over cross-segment network communication. An important component of network security is controlling which assets can access OT networks, which assets can access the internet from an internal network, and which assets should be siloed into their own compartment.

Identity Management and Device Security

CISA recommends organizations secure their devices and digital accounts and manage their online access with the following strategies.

Email Security and Phishing Prevention

Organizations should ensure modern anti-malware software is installed and signatures are automatically updated where possible.

For optimal email security, CISA recommends these security controls:

• Enable StartTLS
• Implement Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
• Set Domain-Based Message Authentication Reporting and Conformance (DMARC) to “reject”

Organizations should require employees to go through thorough training so they can identify these common phishing techniques and indicators:

• Spoofed hyperlinks
• Suspicious “from” addresses
• Misspellings and grammar mistakes
• “Urgent” messages

Access Management

The Healthcare Mitigation Guide recommends the following access management controls:

• Phishing-resistant multi-factor authentication
• Maintain unique and separate accounts for each user in your organization
• Terminate access as soon as a user leaves your organization
• Restrict the use of elevated privileged accounts

Password Policies

CISA recommends organizations implement these password policies:

• Change all default passwords
• 15-character minimum for passwords

Data Protection and Loss Prevention

CISA recommends the following strategies to effectively protect data:

• Sensitive data, such as credentials, should not be sorted in plaintext, and should only be accessed by authenticated and authorized users. Consider privileged account management solutions, such as a credential/password manager, to ensure all credentials are securely stored.
• Organizations should ensure properly configured and up-to-date encryption protocols, such as transport layer security (TLS), are utilized to protect data, both at rest and in transit. Organizations should also plan to identify the use of outdated or weak encryption ciphers and update these to sufficiently strong algorithms.

Device Logs and Monitoring Solutions

To protect devices and prevent attackers from moving laterally through your organization’s network, consider implementing an endpoint detection and response (EDR) solution. An EDR is an endpoint security solution that continuously monitors end-user devices to detect suspicious behavior, provide contextual information, and respond with remediation suggestions.

Vulnerability, Patch, and Configuration Management

Vulnerability and Patch Management

Vulnerability and patch management involve proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit. Often used interchangeably with vulnerability management, patch management involves applying updates to servers, applications, and software to address security flaws.

CISA recommends this multi-step process for vulnerability management:

1. Identify all vulnerabilities that may exist in your organization’s environment.
2. Assess and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy.
3. Act to remediate, mitigate or accept the risks
4. Verify that remediation of mitigation efforts were effective

Configuration and Change Management

This process involves identifying, controlling, accounting for, and auditing changes made to pre-established baselines, to improve the security of the original design of a system. Like vulnerability management, configuration and change management follows several cyclical steps:

1. Identify the configuration items (hardware, software, firmware, etc.) within your organization’s environment that require management. Maintain documentation of basic attributes, such as make/model, serial number, operating system, location, and owner.
2. Establish secure baselines by using benchmarks from trusted institutions like NIST.
3. Implement and audit changes
4. Assess and remediate the changes that have been made to evaluate effectiveness and identify any additional changes needed.

Your Next Steps

Looking at the CISA Report you may feel overwhelmed at the cost and effort involved in implementing all of these recommendations. CompliancePoint recommends that a good first step is to perform a comprehensive risk assessment to determine where your organization is in implementation of cybersecurity practices and prioritize your risk mitigation efforts.

CompliancePoint has a team of experienced cybersecurity and healthcare professionals. We can help your organization design and implement an effective cybersecurity program, achieve HIPAA compliance, and obtain a HITRUST certification. Contact us at connect@compliancepoint.com to learn more.