The Cybersecurity and Infrastructure Security Agency has issued an advisory to guide public health organizations and other healthcare entities in building a resilient IT defense infrastructure.
CISA announced Friday that the cybersecurity advisory is based on findings from a risk and vulnerability assessment conducted within the health and public healthcare, or HPH, sector in January.
The assessment found 16 vulnerabilities that can be addressed through the strict management and security of assets, identity and devices. CISA also recommended strategies for vulnerability, patch and configuration management. HPH organizations’ cyber weaknesses ranged from guessable credentials and passwords to active but unnecessary network services.
The agency reiterated the importance of secure-by-design principles to software manufacturers. It also recommended that HPH entities regularly test their cybersecurity infrastructure using MITRE’s ATT&CK Framework.
“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” CISA Deputy Director Nitin Natarajan said.