
Taking a Look at CISA’s Cybersecurity Toolkit for Healthcare

The barrage of cyberattacks healthcare organizations face is partly a result of storing lots of valuable, sensitive personal and financial information, but it’s also down to other factors like the critical nature of healthcare services and the high dependence on digital technologies. To help better address cyber risks in the sector, CISA recently collaborated with the Department of Health and Human Services (HHS) to release a cybersecurity healthcare toolkit. This article provides a clear overview of what the CISA Cybersecurity Toolkit for Healthcare contains and why these resources are worth using. 

Basic Cyber Hygiene  

The toolkit consolidates links to resources in three main areas, the first of which addresses basic cyber hygiene. Here the core offering is CISA's free vulnerability scanning service, operated by the agency's information security staff.   

The service evaluates the security posture of a network’s externally facing infrastructure by scanning static IP addresses to identify potential weaknesses. Companies that sign up get weekly vulnerability reports and ad-hoc alerts. The basic cyber hygiene section also advises organizations to identify searchable online IT assets and reduce their exposure to attack (e.g., by closing unnecessary ports).  

CISA’s cybersecurity toolkit for healthcare clearly emphasizes that attack surface management is pivotal in maintaining basic cyber hygiene. By effectively managing the attack surface, healthcare companies reduce the number of vulnerabilities that attackers could potentially exploit.  

The importance of managing and monitoring external-facing assets is driven by healthcare organizations expanding their digital footprints. Telemedicine and remote collaboration see healthcare transforming into an increasingly digital, online service that depends on the cloud. Securing apps, endpoints and cloud services accessible via the internet is imperative in maintaining basic cyber hygiene, and CISA’s vulnerability scanning aims to help companies achieve that baseline security.  
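As an added illustration of the "close unnecessary ports" advice above (this is example code written for this article, not part of CISA's scanning service or the toolkit), the following Python script parses an nmap grepable-format (`-oG`) scan of an organization's public IP addresses and flags every open TCP port that is not on a per-host allowlist, plus any host that appears in the scan but not in the inventory at all. The scan output, the addresses and the allowlist are constructed for a fictitious clinic:

```python
"""Flag externally exposed services that are not on a per-host allowlist.

Added example for this article; not part of CISA's toolkit or its scanning
service. The scan result below is constructed in nmap "grepable" (-oG)
format, and the allowlist is a hypothetical policy for a fictitious clinic.
"""
import re
from dataclasses import dataclass

# Constructed nmap -oG output for two documentation-range IPs (not real hosts).
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 8443/filtered/tcp//https-alt///
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical policy: the TCP ports each public address is allowed to expose.
ALLOWED_PORTS = {
    "203.0.113.10": {443},        # patient portal: HTTPS only
    "203.0.113.11": {443, 8443},  # telehealth gateway
}

# One nmap port entry: port/state/protocol/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_open_ports(grepable: str) -> dict:
    """Return {host: {(port, service), ...}} for TCP ports nmap reported as open."""
    exposed = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs from "Ports:" up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                exposed.setdefault(host, set()).add((int(port), service or "unknown"))
    return exposed


def find_unnecessary_exposure(grepable: str, allowed: dict) -> list:
    """Compare observed open ports with the allowlist.

    A host missing from the allowlist is itself a finding: it is exposed but
    not in the asset inventory, which is the first thing attack surface
    management is meant to catch.
    """
    findings = []
    for host, ports in sorted(parse_open_ports(grepable).items()):
        if host not in allowed:
            for port, service in sorted(ports):
                findings.append(Finding(host, port, service, "host not in asset inventory"))
            continue
        for port, service in sorted(ports):
            if port not in allowed[host]:
                findings.append(Finding(host, port, service, "port not in allowlist"))
    return findings


if __name__ == "__main__":
    for f in find_unnecessary_exposure(SCAN_OUTPUT, ALLOWED_PORTS):
        print(f"{f.host}:{f.port} ({f.service}) -> {f.reason}")
```

Run against the constructed scan, the script reports SSH and RDP on the portal host and SMB on the telehealth gateway as exposure to remove, while the filtered 8443 port is ignored because it is not reachable. In practice the input comes from a scan run from outside the perimeter against the same static addresses enrolled in CISA's service; the useful part is the comparison with what each host is supposed to expose, which turns a raw port list into a short work queue of things to close.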

Maturing Cyber Resilience in Healthcare 

In a world of increasingly sophisticated threat actors and attack methods, getting the basics right is necessary but not sufficient. That’s why the second part of the toolkit revolves around maturing cyber resilience in healthcare. This increased resilience stems from knowing the top cybersecurity threats to the health industry and applying the best practices HHS recommends for each.

A 47-page document collates the material for this part of the toolkit, highlighting five top threats and the best practices for mitigating each one.  

  1. Social engineering. This captures everything from basic phishing to more sophisticated business email compromise (BEC) scams. It’s with good reason that social engineering is a key cyber threat in the sector; 2023 alone saw a 279% increase in BEC scams against healthcare companies.  

While social engineering encompasses a broad range of possible tactics, some general best practices for fending off many of these attacks include:  

  • Implementing multi-factor authentication for users and transactions.  
  • Training staff to recognize suspicious emails and other social engineering red flags, along with how to report these signs.  
  • Opting for advanced email security tools that can test emails for malicious links, attachments or other content. 

  2. Ransomware. From a threat actor’s perspective, healthcare is an ideal ransomware target because of the sector’s combination of highly valuable data and services for which any disruption can endanger human life. The data reflects the popularity of ransomware as an attack method: 60% of healthcare companies were attacked this way in 2022.  

For ransomware attacks, HHS’ recommended best practices include: 

  • Implementing a backup strategy and securing the backups away from the main network whose resources they’re backing up 
  • Using network segmentation and establishing distinct network zones to reduce the chances of lateral movement by hackers 
  • Developing a ransomware recovery playbook and testing it out regularly

  3. Loss or theft of equipment/data

With healthcare work more portable than ever, physicians and other practitioners increasingly use laptops, tablets and other devices to access data and workflows. One lost device can quickly spiral into a data breach that compromises patient privacy and leads to identity theft.  

The suggested advice for mitigating this threat includes: 

  • Encrypting sensitive data, both stored and transmitted on personal devices and USB drives 
  • Using data loss prevention tools that can block unauthorized transfers of specific data types 
  • Maintaining an accurate and up-to-date asset inventory   
  4. Insiders – accidental or malicious data loss

While this threat might seem to overlap with the previous point, this one is less about equipment loss and more about people. The threat refers to employees, contractors or other users, sometimes known as insiders. These individuals may use their access to infrastructure, networks or databases to accidentally or maliciously cause data leaks and losses. The example alluded to by HHS is an employee printing off copies of sensitive patient data and selling this info on the dark web.  

Some best practices worth adopting here are:  

  • Including legal safeguards in contracts or agreements with business partners and external contractors 
  • Limiting access to data to a need-to-know basis (the principle of least privilege) 
  • Revoking access to resources when employees no longer need it (such as when they change roles or leave the organization)  
  5. Attacks against network-connected medical devices

Last but not least, the toolkit addresses the growing threats posed by connected medical devices that use networking protocols like TCP/IP or Bluetooth to transmit or exchange data. This includes patient monitoring devices, smart infusion pumps, wearable glucose monitors and even radiology equipment.  

With the market forecast to grow 8.5% annually from 2023 to 2032, medical devices will continue to proliferate throughout healthcare IT environments. While these devices undoubtedly offer advances in diagnostics and patient care, considerable cybersecurity risks come with their increased use. One statistic cited in the document is that 53% of connected medical devices and other IoT devices in healthcare have at least one critical security vulnerability.  

When it comes to dealing with these threats, the offered advice includes practices like: 

  • Running cyber risk assessments on new devices and validating vendor security practices 
  • Maintaining regular communication with product security teams at the manufacturers of smart medical devices 
  • Implementing essential security operations on these devices, like patching on time, and appropriate detection/response capabilities

Implementing NIST’s Cybersecurity Framework in Healthcare 

The toolkit’s third part is a document offering healthcare-specific advice on adopting a comprehensive framework such as the NIST Cybersecurity Framework. A framework can bring cybersecurity into closer alignment with overall strategic business objectives by making it easier to communicate how cybersecurity investments lead to meaningful risk reduction.  

Frameworks achieve this by going beyond the technical details of threats, vulnerabilities and controls to provide a common language, structure and methodology for managing cyber risk. Far more detail is included in the implementation guide.

Improve Healthcare Cyber Security with Nuspire 

The publication of CISA’s cybersecurity toolkit for healthcare is an important step in helping healthcare organizations become aware of cyber threats and reduce their risk through a range of different resources. Nuspire also offers managed services for strengthening healthcare cybersecurity.

We go beyond mere HIPAA compliance to help you with managed detection and response, 24×7 endpoint visibility, micro-segmentation strategies and security evaluations of new devices.  
