
Decoding CISA’s HPH Mitigation Guide – Ep 437 

December 15, 2023

By Donna Grindle

CISA has released a mitigation guide to combat the critical and complex cyber threats affecting the Healthcare and Public Health Sector. It provides best practices, essential strategies and insights for safeguarding our healthcare infrastructure against ever-evolving cyber threats. Join us as we navigate through this important document, breaking down its complexities and highlighting its significance in the ongoing battle against cyber threats in the healthcare sector.

A 5 star review is all we ask from our listeners.

In this episode:

Decoding CISA’s HPH Mitigation Guide – Ep 437

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



HIPAA Briefs

[05:19] Why does HIPAA require an asset inventory?

Because if you don’t know what you got, you can’t protect it. Start first with identifying where all your data is and then you can evaluate what physical, administrative and technical safeguards you should utilize to protect it. Start at the beginning.

David had a great analogy: You can put all kinds of locks on the doors and windows of your house, but if you don’t know where your family is, you can’t protect them. You need to know how many family members there are to protect, how old they are, how they move around, how you communicate with them, etc.

Insights from CISA’s HPH Mitigation Guide

[07:47] Everyone is offering up the same messages in response to all of these attacks happening now – make sure you are doing all you can possibly do to prevent these attacks or mitigate their damage. Actually, we have all said that for years. But, more people are saying it and saying it louder.

CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations – SecurityWeek

CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector

This guide is another way to present the same concepts we have covered in many ways. It takes a new approach that says there are 3 important mitigation strategies you should employ. Each strategy includes focus areas that specifically define what should be done.

There is a specific “Data Note” right at the top of the document.

The HPH Cyber Risk Summary and this Mitigation Guide evaluates and analyzes vulnerability data from internet-accessible assets of HPH Sector entities enrolled in CISA’s Cyber Hygiene (CyHy) Vulnerability Scanning (VS) and Web Application Scanning (WAS) services. To contextualize vulnerability trends and to help HPH entities further understand the threats and risks to their sector, this guide incorporates CISA’s KEV catalog, open-source information, commercial threat intelligence feeds, and the MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) framework.

If it can connect, it can infect.

What are the strategies?

[14:46] Mitigation Strategy #1 Asset Management and Security

Here’s the point. If you don’t know what you have and where it is, you have no chance of protecting it or controlling what it can do. Remember, as Donna says, if it can connect, it can infect. With the high stakes involved in protecting patient information, bad actors are always looking for new ways to sneak into healthcare systems. If an organization doesn’t stay on top of managing its assets, it leaves open doors for these cyber crooks. They could access sensitive information, disrupt vital patient services, or even lock down systems with ransomware, causing massive damage to both patients and the organization’s good name. We’ll explore the nuts and bolts of asset management and security, covering everything from keeping track of what’s in your tech arsenal to safely phasing out old gear, and the importance of organizing your network in a way that keeps your hardware, software, and data secure.

You have to keep up with everything – hardware, software AND your data. These are all assets. Hardware includes way more than just your list of computers and servers being monitored. What about firewalls, printers, scanners, access points, medical devices, etc.? They are all important to keep up with.

Once you know what you have, where it is and what it does, now you have to figure out how to secure it in a reasonable and appropriate manner. Network segmentation is where it starts, but then it goes through specific categories of mitigations and some recommended outcomes.
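The inventory point above is easy to state and hard to keep true: the list on paper drifts from what is actually plugged in. As an added illustration (not code from the episode or from CISA), the script below reconciles a constructed asset inventory, which deliberately includes a firewall, a printer and a medical device rather than only servers, against constructed network observations (the kind of data you would pull from DHCP leases or an ARP sweep). It flags three things a defender wants to know: devices on the network that nobody inventoried, inventory entries that have not been seen (candidates for retirement), and assets sitting on a segment other than the one they were approved for, which is where the segmentation discussion starts. All MAC addresses, names and segments are made up.

```python
"""Reconcile an asset inventory against what is actually seen on the network.

Added example for the Asset Management strategy. Every record below is
constructed sample data; nothing here comes from the podcast page or CISA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    category: str   # e.g. "server", "printer", "medical_device", "firewall"
    segment: str    # VLAN/segment the asset is approved to live on
    owner: str      # who answers for this device


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    segment: str    # segment where the device was actually seen


# Constructed inventory: note that it goes well beyond servers and workstations.
INVENTORY = [
    Asset("00:11:22:aa:bb:01", "edge-fw-1", "firewall", "mgmt", "IT"),
    Asset("00:11:22:aa:bb:02", "ehr-db-1", "server", "servers", "IT"),
    Asset("00:11:22:aa:bb:03", "lobby-printer", "printer", "office", "Facilities"),
    Asset("00:11:22:aa:bb:04", "infusion-pump-7", "medical_device", "clinical", "Biomed"),
    Asset("00:11:22:aa:bb:05", "old-fax-server", "server", "servers", "IT"),  # still in use?
]

# Constructed observations, as a DHCP lease export or ARP sweep might yield.
OBSERVED = [
    Observation("00:11:22:aa:bb:01", "10.0.0.1", "mgmt"),
    Observation("00:11:22:aa:bb:02", "10.0.10.5", "servers"),
    Observation("00:11:22:aa:bb:03", "10.0.20.9", "office"),
    Observation("00:11:22:aa:bb:04", "10.0.20.31", "office"),   # pump on the wrong VLAN
    Observation("00:11:22:aa:bb:99", "10.0.20.77", "office"),   # nobody knows this one
]


def reconcile(inventory, observed):
    """Return the three gaps between the inventory and the live network.

    unknown   -> MACs seen on the network but absent from the inventory
    missing   -> inventory entries never observed (retire or investigate)
    misplaced -> (name, approved segment, observed segment) for assets that
                 are on a segment other than the one they were approved for
    """
    by_mac = {a.mac.lower(): a for a in inventory}
    seen = {o.mac.lower(): o for o in observed}

    unknown = sorted(o.mac for o in observed if o.mac.lower() not in by_mac)
    missing = sorted(a.name for a in inventory if a.mac.lower() not in seen)
    misplaced = sorted(
        (a.name, a.segment, seen[a.mac.lower()].segment)
        for a in inventory
        if a.mac.lower() in seen and seen[a.mac.lower()].segment != a.segment
    )
    return {"unknown": unknown, "missing": missing, "misplaced": misplaced}


if __name__ == "__main__":
    for key, items in reconcile(INVENTORY, OBSERVED).items():
        print(f"{key}: {items}")
```

Run regularly, the "unknown" list is the practical answer to "if it can connect, it can infect": anything that shows up there needs an owner and a category before it gets to stay. The "misplaced" list is the segmentation check; a medical device that turns up on the office VLAN is exactly the kind of open door the strategy is about.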

Then the section ends with some resources from 405d, NIST, HHS, CISA and even SANS.

[30:50] Mitigation Strategy #2 Identity Management and Device Security

As healthcare entities increasingly digitize their assets and systems, CISA advises these organizations to fortify their devices and digital accounts. Effective management of online access is crucial for safeguarding sensitive information and Protected Health Information (PHI) against unauthorized access. This section of the guide emphasizes the importance of several critical areas, notably the security of email systems and the prevention of phishing attacks, as well as the vigilant management and monitoring of access to these digital resources.

This is where you get into the specific issues we discuss often. It is also the section with the most focus areas, five in all.

Focus Area 1: Email Security and Phishing Prevention

Focus Area 2: Access Management

Focus Area 3: Password Policies

Focus Area 4: Data Protection and Loss Prevention

Focus Area 5: Device Logs and Monitoring Solutions

[44:37] Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management

Focus Area 1: Vulnerability and Patch Management

Focus Area 2: Configuration and Change Management

Secure by Design

A section that is kind of stuck off by itself is titled Shifting Towards a More Secure Future: Secure by Design. It ties back to the shift we spent a big moment on back in March: moving responsibility from the user to the developer. Making things secure by design means going back to the old way in some respects. It is all about making things secure when you get them, not through updates and patches.

Gotta have the geeky part

[49:46] The last section gives you the CVEs and some details about mitigations. The intent is to show how you should evaluate and prioritize vulnerabilities that have been identified sector-wide, based on vulnerability scanning, high exploitation probability, top prevalence within the sector, and commercial risk rating categorizations.
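Those four prioritization inputs (is it being exploited, how likely is exploitation, how widespread is it, what does the vendor rating say) are easy to turn into a repeatable ranking rather than a gut call. The following is an added example, not CISA's method or anything from the guide: it tiers constructed scanner findings so that anything in the KEV catalog is treated first, then weighs likelihood against exposure within a tier. The CVE identifiers are obvious placeholders, the probability and prevalence numbers are invented, and the thresholds (0.10 and 0.25) are assumptions you would tune to your own environment.

```python
"""Rank scanner findings by the criteria the guide's CVE section describes:
known exploitation (KEV), exploitation probability, prevalence, and a
commercial risk rating.

Added example. The findings are constructed and the CVE ids are
placeholders, not real identifiers; the thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_prob: float   # 0..1 likelihood of exploitation (an EPSS-style score)
    prevalence: float     # 0..1 fraction of scanned hosts affected
    risk_rating: str      # vendor/commercial rating: critical, high, medium, low


# Assumed weights for the commercial rating; unknown ratings fall back to "low".
RATING_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}

KEV_TIER, URGENT_TIER, SCHEDULED_TIER = 1, 2, 3
PROB_THRESHOLD = 0.10        # assumed: above this, treat as urgent even if not in KEV
PREVALENCE_THRESHOLD = 0.25  # assumed: a critical flaw this widespread is urgent


def tier(f):
    """1 = remediate now, 2 = next patch cycle, 3 = schedule and track."""
    if f.in_kev:
        return KEV_TIER
    if f.exploit_prob >= PROB_THRESHOLD or (
        f.risk_rating == "critical" and f.prevalence >= PREVALENCE_THRESHOLD
    ):
        return URGENT_TIER
    return SCHEDULED_TIER


def score(f):
    """Within a tier, weight likelihood by how widely the flaw is exposed."""
    return f.exploit_prob * (0.5 + f.prevalence) * RATING_WEIGHT.get(f.risk_rating, 0.25)


def prioritize(findings):
    """Return findings ordered tier first, then descending score, then id."""
    return sorted(findings, key=lambda f: (tier(f), -score(f), f.cve))


# Constructed findings (placeholder ids, invented numbers).
FINDINGS = [
    Finding("CVE-EXAMPLE-A", in_kev=False, exploit_prob=0.02, prevalence=0.60, risk_rating="critical"),
    Finding("CVE-EXAMPLE-B", in_kev=True, exploit_prob=0.50, prevalence=0.10, risk_rating="high"),
    Finding("CVE-EXAMPLE-C", in_kev=False, exploit_prob=0.30, prevalence=0.05, risk_rating="medium"),
    Finding("CVE-EXAMPLE-D", in_kev=False, exploit_prob=0.01, prevalence=0.80, risk_rating="low"),
    Finding("CVE-EXAMPLE-E", in_kev=True, exploit_prob=0.20, prevalence=0.40, risk_rating="critical"),
]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"tier {tier(f)}  score {score(f):.3f}  {f.cve}")
```

Note the ordering this produces: the widespread-but-rarely-exploited critical (A) lands behind a narrowly deployed medium-rated flaw with a real exploitation signal (C), and the very common low-rated one (D) goes to the back. That is the point of combining the signals instead of sorting by CVSS alone, and it maps to the guide's closing line: once you deem a vulnerability a risk, you have to treat it, and the tier is the evidence of why it got the date it got.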

The conclusion section does make an interesting comment:

This guide supports HPH entities by formulating recommendations based on pertinent malicious TTPs and vulnerability exposure data. As highlighted within this guide, HPH Sector entities should be vigilant in their vulnerability mitigation practices to prevent and minimize the risk from cyber threats. Once an organization assesses and deems a vulnerability a risk, it must treat the vulnerability.

CISA recommends HPH entities implement this guidance to significantly reduce their cybersecurity risk. CISA also strongly encourages HPH entities to use the threat intelligence information mentioned in the Cyber Risk Summary report1 to effectively address and remediate their vulnerability exposure, and to protect their organizations from:

  • Potential ransomware attacks,
  • Data breaches,
  • Loss or theft of equipment or data, and
  • Attacks against network connected medical devices.

CISA also recommends HPH entities follow the mitigation strategies and recommendations addressed in this guide to improve organizational cybersecurity posture.

Sounds like a list we have seen before:

  1. Phishing and Social Engineering
  2. Ransomware
  3. Lost or stolen devices
  4. Insider issues
  5. Attacks against connected devices

They merged them to some extent but everything is still in there.

There is also a toolkit CISA and HSCC published for CSAM specifically for HPH.

Healthcare and Public Health Cybersecurity | CISA

To help improve cybersecurity within the HPH sector, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and Health Sector Coordinating Council (HSCC) Cybersecurity Working Group are working together to deliver tools, resources, training, and information that can help organizations within this sector. Together, CISA brings technical expertise as the nation’s cyber defense agency, HHS offers extensive expertise in healthcare and public health, and the HSCC Cybersecurity Working Group offers the practical expertise of industry experts working on cybersecurity issues in HPH every day.

We also have the crosswalk that maps those CPGs directly to HICP. Yes, another thing to document. The CPG-HICP Crosswalk guide is a spreadsheet you can download. We mentioned CPGs in a previous episode.

The toolkit gives you links to all kinds of resources, but one I really liked is Secure Our World which is a CISA resource for us all. A section for personal, business, and products. Guess what – the message is basically the same, just put out in different ways.

Cybersecurity plays a critical role in the healthcare sector. CISA’s HPH Mitigation Guide is a roadmap to fortify our defenses against the sophisticated and relentless nature of cyber threats. By embracing these strategies, from asset management to threat mitigation, healthcare organizations can significantly enhance their resilience against cyber attacks. Remember, cybersecurity in healthcare is not a one-time effort but a continuous commitment to protect not just data, but ultimately, the well-being of patients.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
