CISA Mitigation Guide for Healthcare Organizations: Part Two

Whole hospital security means knowing every cyber asset in real-time detail

On November 20, 2023, the Cybersecurity Infrastructure and Security Agency (CISA) issued guidance for healthcare delivery organizations (HDOs) struggling to secure their data and systems against a growing and pernicious onslaught of attacks from threat actors across the globe. The purpose of CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector is to articulate “best practices to combat pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sector.”

We recently published our first blog that touched on Mitigation Strategy #1: Asset Management and Security, with important best practices around gaining visibility into what assets are actually on your network, and proactively implementing segmentation policies. In this installation of our three-part series, we look at CISA’s second Mitigation Strategy: Identity Management and Device Security and how Ordr helps healthcare organizations raise their security posture to meet the identified objectives.

Mitigation Strategy #2: Identity Management and Device Security

CISA observes that, “As the HPH Sector continues to transition more of its assets and systems online, CISA recommends entities secure their devices and digital accounts and manage their online access to protect sensitive data and PHI from compromise.” For many healthcare organizations that may seem like a daunting task. A typical mix of traditional IT, connected medical devices, building controls, and cloud-based services and applications can be difficult to inventory, manage, and secure–especially with traditional tools.

To protect the network–and patient health–means first, discovery and classification of every asset, identifying vulnerabilities and threats, and profiling behavior  and communications, and then securing every device. Ordr calls this the See, Know, Secure approach to “whole hospital” security . Let’s take a look at the focus areas CISA has identified in this section.

Focus Area 1: Email security and phishing prevention

CISA’s Mitigation Guide shifts focus from the importance of identifying and inventorying all of an enterprise’s assets, to executing against specific policies that in total, represent common attack vectors. CISA reports that more than 90% of all cyberattacks originate with email, so it makes sense that prioritizing email security would be at the top of this list. Whether a spray-and-pray approach to spamming an organization with messages containing weaponized links and attachments, or more targeted phishing campaigns, this is a first-line defense. Ordr can complement email security by identifying devices communicating to known malicious “phishing” sites, or identifying suspicious device behavior that may be an early indication of a compromised device.

Focus Area 2: Access management

Because users are one of the assets that Ordr tracks, we are able to help organizations with access management through robust tracking using AD/RADIUS and wireless integration, enabling security teams to monitor who is accessing what assets and when. That provides two key perspectives, including the time an asset was accessed and the session’s duration. This can help healthcare organizations recognize risks associated with poor cyber-hygiene such as password sharing, or leaving access to an asset open after a task is completed. The level of detail Ordr tracks and records can also prove invaluable during forensic investigations after an incident occurs.

Focus Area 3: Password policies

Too often assets are deployed with weak, default, or no passwords, leaving them vulnerable to threat actors. CISA recommends healthcare organizations observe a 15-character (minimum) password and to change factory defaults. Ordr customers benefit from our ability to identify and report assets operating with default or weak passwords so that security teams can change them in accordance with policy.

Focus Area 4: Data protection and loss prevention

Because Ordr provides granular details on every asset operating in the enterprise (make, model, serial number, operating system, and software version), we are able to help healthcare organizations identify–and apply appropriate policies–those assets that can store and/or transmit sensitive data like protected health information (PHI). What’s more, Ordr can track patching and disk encryption to maximize protection.

Focus Area 5: Device logs and monitoring solutions

Ordr Software Inventory Collector helps healthcare organizations comply with CISA recommendations on tracking assets and log data. By delivering granular asset details, including  EDR installation status, version number, and active/inactive state, Ordr helps teams identify assets with out of date, disabled or missing EDR software while confirming whether devices are patched and communicating with the appropriate servers. This helps healthcare security teams to identify and close security gaps,and  more quickly detect and respond to threats before they can succeed.

Stay Tuned for Part Three

In our next segment we’ll discuss CISA’s Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management, and offer insights and approaches for achieving the goals of that portion of the Guide. The good news is, with the right tools, healthcare organizations can do what is needed with less trouble, cost, and complexity than they might think.

In the meantime, check out our new white paper, Mapping Ordr Capabilities to CISA Mitigation Guide: Healthcare and Public Health (HPH) Sector. It goes into greater detail of how the Ordr platform can be used to quickly and easily do what the CISA Mitigation Guide suggests, while serving as a roadmap for formulating a strategy to align organization policy with CISA guidelines.

Wes Wright

Chief Healthcare Officer

Wes is responsible for driving Ordr’s engagements in healthcare. Previously he was the CTO for Imprivata, and prior to that VP and CTO at Sutter Health, a 26 hospital network in Northern California. Prior to Sutter, Wes was CTO and then CIO at Seattle Childrens’, which, to this day, he says was his most gratifying work experience.