Insights from CISA HPH Sector Risk and Vulnerability Assessment
In an ever-evolving digital landscape, the healthcare and public health (HPH) sector faces increasing cybersecurity challenges. The United States Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a Risk and Vulnerability Assessment (RVA) of the cybersecurity posture of an unnamed HPH organization that runs on-premises software. This article aims to provide insights into the assessment’s findings, shed light on potential vulnerabilities, and offer practical strategies for bolstering cybersecurity in the healthcare sector.
CISA carefully investigated every aspect of the target entity’s cybersecurity defenses over the course of two weeks. The assessment included penetration testing, scrutinizing web applications, phishing susceptibility evaluations, resilience to simulated adversary attacks, and a thorough review of databases, network configurations, and connected devices for vulnerabilities.
The firm successfully blocked malware payloads, demonstrating notable resilience against phishing attempts, according to CISA’s review. Although employees were tricked by phishing emails, multi-factor authentication on cloud accounts and restricted access limited what could be done with the compromised credentials.
However, internal penetration testing exposed misconfigurations, weak passwords, and other critical issues that could potentially compromise the organization’s domains. Noteworthy findings included default credentials protecting multiple web interfaces, the use of default printer credentials, and successful compromise of the organization’s domain through various attack paths.
CISA highlighted four high-severity issues and one medium-severity issue demanding immediate attention. These were weak passwords, a web server template lacking user permission restrictions, the deployment of unnecessary network services, a service account with elevated privileges, and systems lacking SMB signing enforcement.
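The last finding above, missing SMB signing enforcement, is one that an administrator can verify and correct host by host. The following PowerShell script is an added example written for this article; it is not part of CISA’s assessment or the SecurityWeek story. It assumes a Windows host with the built-in SmbShare module (Windows 8 / Server 2012 or later) and an elevated session; the function names `Get-SmbSigningStatus` and `Enable-SmbSigningEnforcement` are hypothetical wrappers around the real `Get-/Set-SmbServerConfiguration` and `Get-/Set-SmbClientConfiguration` cmdlets.

```powershell
# Added example, not from the CISA assessment or the article: audit and enforce SMB signing on one Windows host.
# Requires an elevated PowerShell session and the SmbShare module (Windows 8 / Server 2012 or later).

# Report whether signing is merely enabled (negotiated if the peer supports it) or required
# (the connection is refused without it) on both the server (inbound) and client (outbound) sides.
function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
        Smb1Enabled           = $server.EnableSMB1Protocol   # SMBv1 should also be off; it is listed here for context
    }
}

# Require signing on both sides. -Force suppresses the confirmation prompt.
function Enable-SmbSigningEnforcement {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
}

# Audit first; only change the configuration if signing is not already required on both sides.
$before = Get-SmbSigningStatus
if (-not ($before.ServerRequiresSigning -and $before.ClientRequiresSigning)) {
    Write-Warning "SMB signing is not enforced on $($before.ComputerName); enforcing now."
    Enable-SmbSigningEnforcement
}
Get-SmbSigningStatus | Format-List
```

Two practical notes. In a domain, the Group Policy settings "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" set the same values fleet-wide and override local changes, so the policy is the place to enforce this at scale; the script is useful for spot-checking individual servers and for standalone hosts. Requiring signing on the client side means the host will refuse to talk to file servers, NAS appliances or printers that cannot sign, so run the audit across the estate and fix those devices before turning on the client-side requirement.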
CISA advises organizations in the Health and Public Health (HPH) sector to implement key strategies for mitigating cyber threats. These strategies include:
Asset Management and Security:
- Develop and maintain an asset management policy to minimize the risk of exposing vulnerabilities.
- Address asset inventory, procurement, decommissioning, and network segmentation for hardware, software, and data assets.
Identity Management and Device Security:
- Secure devices and digital accounts to protect sensitive data and personally identifiable information (PII)/protected health information (PHI).
- Focus on email security, phishing prevention, access management, password policies, data protection, loss prevention, and device logs and monitoring solutions.
Vulnerability, Patch, and Configuration Management:
- Mitigate known vulnerabilities and establish secure configuration baselines.
- Emphasize vulnerability and patch management, as well as configuration and change management to reduce the risk of threat actors exploiting organizational networks.
CISA’s cybersecurity assessment serves as a valuable resource for the broader healthcare community, offering a roadmap to enhance defenses against evolving cyber threats. Healthcare businesses can strengthen their cybersecurity posture, protect sensitive data, and add to the sector’s overall resilience in the face of cyber risks by addressing the vulnerabilities that have been found and putting the suggested strategies into practice.
The sources for this article include a story from SecurityWeek.