Quick Look at the New CISA Healthcare Mitigation Guide

It’s the small vines, not the large branches, that trip us up in the forest. Apparently, it’s no different in Healthcare.

In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Mitigation Guide aimed at the Healthcare and Public Health (HPH) sector. In the midst of current hybrid cloud security challenges, hyper-distributed environment considerations, an AI-empowered threat landscape, and immediate nation-state emerging threats, the focus of this brand-new guide was, surprisingly, on the little things.

Or, perhaps, not so surprisingly after all.

Mitigation Strategy #1 Asset Management and Security

It’s a race to find out your vulnerabilities first. Many times, attackers win. But, with so much on the line, CISA thinks their winning streak should come to an end. What’s the worst that could happen? It’s becoming a matter of life and death.

A 2022 Juniper Research study estimated that smart hospitals across the world would deploy over 7 million medical IoT devices by 2026, with China and the U.S. leading the pack. And while digitally connected pacemakers seem like a great thing, it doesn’t take much to imagine the impact should something go wrong. CISA’s suggestions?

Focus Area 1: Asset Inventory | Utilize active scans, passive processes, or both, but know what your assets are and which need protecting.

Focus Area 2: Securing Your Assets | CISA recommends that the HPH industry segment its networks, separating IT from OT in different segments. This prevents lateral movement by attackers, should one system be compromised and limits exposure to outside threats.

Recommended mitigations in this category include:

• Port and service exposure | Observe the Principle of Least Privilege when it comes to network access.
• Network and Security Monitoring | Update IDS signature sets regularly.
• Database Security | Sanitize your database inputs and revoke the “execute” function on generous SQL server functions.

Mitigation Strategy #2 Identity Management and Device Security

As more healthcare organizations move online – sometimes incentivized by law – more and more devices, services, and processes need to be secured there, too. HIPAA law requires PHI to be protected to the full extent technologically possible, and there are several ways to ensure that.

Focus Area 1: Email Security and Phishing | This includes turning a non-encrypted email platform into an encrypted one, “watermarking” your outgoing emails, and preventing unauthorized messages from reaching your inbox by implementing Domain-Based Message Authentication Reporting and Conformance (DMARC) to “reject” them.

Focus Area 2: Access Management | Like their physical counterparts, digital medical services need to unfailingly require a “badge at the door”. This includes:

• Utilizing multi-factor authentication (MFA) across the board.
• Giving employees their own distinct accounts (as opposed to sharing them).
• Revoking access and privilege rights as soon as an employee leaves the company.
• Being stringent about who gets to use elevated privilege accounts.

Focus Area 3: Password Policies | It’s a real return to basics as CISA pushes the Healthcare sector to observe a minimum 15-character length and switch out default passwords.

Focus Area 4: Data Protection and Loss Prevention | This is where the rubber meets the road. HPH organizations are advised to:

• Ensure sensitive data is secured in safe, non-public digital places.
• Maintain strong encryption protocols and algorithms: Up-to-date protocols like transport layer security (TLS) only.

Focus Area 5: Device Logs and Monitoring Solutions | CISA recommends implementing an endpoint detection and response (EDR) solution that incorporates user and entity behavior analytics (UEBA) and “closely monitor access logs to detect deviations outside of normal behavior.” A SIEM is also suggested as a way to store logs securely for the time required by compliance guidelines.

Mitigation Strategy #3: Vulnerability, Patch, and Configuration Management

Lastly, security needs to be ongoing if it is to be sustainable. And that is where vulnerability, patch, and configuration management come into play.

Focus Area 1: Vulnerability and Patch Management | Healthcare organizations need to be consistently proactive about “identifying, assessing, reporting on, managing, and remediating” any software or system vulnerabilities.

That is done in five basic steps:

1. Identify your assets with an inventory.
2. Prioritize which are the most at-risk. Fortra’s penetration testing services can help vet which CVEs present the most imminent threat.
3. Remediate (fully fix and patch) or mitigate (reduce the impact of) the problems.
4. Verify any fixes with another vulnerability scan, the guide suggests.
5. Improve continuously with a virtuous cycle of scans, verification, and repairs.

Focus Area 2: Configuration and Change Management | Configuration and change management (CCM) involves the following cyclical steps:

• Find out and document which configuration items (hardware, software, firmware) need management.
• Establish secure baselines. This may involve some work as out-of-the-box vendor default settings mean well but are rarely sufficient to tackle today’s most common threats.
• Implement and audit changes; consider leveraging automated tools to complete the configuration process, which could otherwise be error-prone.
• Assess and remediate on a continual basis to make sure changes stick.

All in all, CISA wants the Healthcare sector to start moving towards a security-by-design approach. They even recommend that HPH buyers look for manufacturers who do the same and form strategic partnerships with these like-minded IT suppliers.

Healthcare protects things too valuable to be left to chance. Although simple, these CISA rec guidelines can shut the door on a host of breaches due to human error and low-level threats. After all, an apple a day still keeps the doctor away.