The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory detailing key findings from a Risk and Vulnerability Assessment (RVA) conducted in the healthcare and public health (HPH) sector. The advisory emphasizes potential exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for organizations of all sizes within the HPH sector and critical infrastructure, the advisory provides recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA.
CISA’s assessments team identified common vulnerabilities and insecure configurations that could lead to detrimental cyber activities, such as ransomware, data breaches, or denial-of-service. The advisory aims to assist organizations in maintaining the availability, confidentiality, and integrity of critical healthcare and public health systems, functions, and data. The CISA Deputy Director, Nitin Natarajan, stresses the importance of implementing recommended actions, especially for manufacturers of HPH technology products, aligning with Principles and Approaches for Secure by Design Software.
The advisory builds upon existing resources like the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and Mitigation Guide for HPH Sector. It provides network defenders with recommended actions mapped to Cross-Sector Cybersecurity Performance Goals and offers guidance for software manufacturers aligned with the Principles and Approaches for Secure by Design Software. CISA encourages healthcare entities and all organizations to review the advisory, implement mitigations, and enroll in their vulnerability scanning service to further reduce cyber risk.
For more information and resources, HPH entities are directed to visit CISA’s Healthcare and Public Health Cybersecurity Toolkit and Healthcare and Public Health Sector webpages. The advisory underscores CISA’s role as the nation’s cyber defense agency and its commitment to understanding, managing, and reducing risk to critical infrastructure security in the digital and physical realms.
