Read Ordr Security Bulletin on Volt Typhoon Advisory Read more here!
Go back to blogs

CISA Mitigation Guide for Healthcare Organizations: Part One

Build your cybersecurity strategy on a solid foundation of asset visibility and segmentation

On November 20, 2023, the Cybersecurity Infrastructure and Security Agency (CISA) issued guidance for healthcare delivery organizations (HDOs) struggling to secure their data and systems against a growing and pernicious onslaught of attacks from threat actors across the globe. The purpose of CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector is to articulate “best practices to combat pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sector.”

The Mitigation Guide follows on the heels of CISA’s Cyber Risk Summary: Healthcare and Public Health (HPH) Sector Calendar Year 2022 in which the agency identified six common weaknesses in healthcare cybersecurity, including:

  • Web application vulnerabilities
  • Encryption weaknesses
  • Unsupported software
  • Unsupported Windows operating systems (OS)
  • Known exploited vulnerabilities (KEVs)
  • Vulnerable services

To help HDOs and other healthcare enterprises create and execute more effective cybersecurity strategies to address these weaknesses, the Mitigation Guide calls out strategies for improving security, with focus areas for each. We’ll be analyzing each of the guidelines provided by CISA in a series of blogs, starting with the first Mitigation Strategy: Asset Management and Security.

Mitigation Strategy #1: Asset Management and Security

Focus Area 1: Asset inventory

At the top of CISA’s list is an issue that is at the core of Ordr’s mission, namely gaining visibility across the enterprise for identifying, inventorying, and securing all of an organization’s assets. Without real-time visibility and complete, accurate details, of every asset on the network (including Internet of Medical Things (IoMT), operational technologies (OT), Internet of Things (IoT) devices, you are building your security program on a foundation of sand. The Mitigation Guide highlights the reason gaining visibility across the IT estate and compiling a thorough asset inventory is vital to improving cybersecurity when it says:

“Organizations that have not implemented or maintained an asset management policy risk exposing vulnerabilities or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, disrupt critical services, or deploy ransomware, causing significant harm to patients and the organization’s reputation.”

Establishing a complete and accurate asset inventory has been a major challenge for HDOs because of the highly varied nature of the technologies that connect to and operate within healthcare networks. HDOs not only have all the traditional systems and devices of other enterprises: servers, routers, desktop and laptop computers, tablets and handheld devices, and the like, but they also have a wide array of Internet of Medical Things (IoMT), operational technologies (OT), Internet of Things (IoT) devices that are critical to patient care services. These can include devices like patient monitors, respirators, imaging and surgical equipment, and therapeutic devices as well as HVAC, security, communications, environmental control, and other equipment.

CISA recommends utilizing active scans, passive processes, or both to discover these devices, but we believe organizations should use a passive approach in order to not impact the operations of sensitive medical devices, IoT and OT. This is consistent with the medical profession’s “do no harm” philosophy, as active scanning can be detrimental to the performance of some equipment. In fact, one organization I’m familiar with experienced a catastrophic failure of its telephone system after active scanning was applied that interfered with the telephony/IP interface.

Furthermore, many systems are either incompatible with active scanning, or may have prohibitions in place due to FDA rules. For these reasons it is best to avoid active scanning. Ordr’s passive scanning approach has proven effective at discovering and identifying all connected assets, has no negative effect on performance or communications, and enables real-time tracking and monitoring of all devices on the network.

Focus Area 2: Securing your assets

CISA recommends that, once a complete and accurate device inventory is compiled, healthcare organizations segment their networks to keep medical devices separate from other technologies.  This prevents attackers that succeed in compromising traditional IT from using IoMT to move laterally to their target destination.

I was happy to see that CISA ranked segmentation so high as a priority action. Too often organizations will try to tackle tasks like risk evaluation first, but for every minute the healthcare organization operates with a flat network, those critical devices are vulnerable to attack. By segmenting medical equipment as a second step after compiling a complete inventory, you’ve already increased network security and improved patient safety by disassociating those assets from traditional IT and OT.

Although network segmentation is a great best practice, the reason most organizations put it off–or avoid it completely–is that (as CISA’s schematic and description implies), it can be difficult to do using traditional approaches. Ordr simplifies segmentation. You can start off with macrosegmentation based on asset type, and then evolve to microsegmentation by enabling the creation and automation of Zero Trust segmentation policies to control what devices can connect and communicate with across the network. Segmentation policies created with Ordr can be enforced through integrations with NAC, switches and firewalls.

Stay Tuned for Part Two

In my next segment I’ll discuss CISA’s Mitigation Strategy #2: Identity Management and Device Security and offer some insights and approaches for achieving the goals of that portion of the Guide. The good news is, with the right tools, healthcare organizations can do what is needed with less trouble than they might think.

In the meantime, you might want to check out our new white paper, Mapping Ordr Capabilities to CISA Mitigation Guide: Healthcare and Public Health (HPH) Sector. It goes into much greater detail of how the Ordr platform can be used to quickly and easily do what the CISA Mitigation Guide suggests, while serving as a roadmap for formulating a strategy to align organization policy with CISA guidelines.

Wes Wright

Wes is responsible for driving Ordr’s engagements in healthcare. Previously he was the CTO for Imprivata, and prior to that VP and CTO at Sutter Health, a 26 hospital network in Northern California. Prior to Sutter, Wes was CTO and then CIO at Seattle Childrens’, which, to this day, he says was his most gratifying work experience.

Follow by Author

Get Your Devices in Ordr

Request a Demo

Let our product experts show you how Ordr addresses your critical use cases.

Get A Demo

Request an Assessment

Get a no-obligation, free assessment for your business. Identify assets and the risks they bring.

Get an Assessment