Governance & Risk Management , Healthcare , Industry Specific

CISA Urges Health Sector to Apply Critical Cyber Measures

Advice Is Based on Agency's 2-Week Security Assessment of a Large Entity
CISA Urges Health Sector to Apply Critical Cyber Measures
Image: CISA

The U.S. Cybersecurity and Infrastructure and Security Agency is urging healthcare sector entities to take critical steps in fortifying their environments based on findings from a two-week risk and vulnerability assessment performed by the federal agency on a medical organization earlier this year.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

In a Friday advisory, CISA said it had performed the assessment in January at the request of a "large organization deploying on-premise software" that the agency did not identify.

The risk and vulnerability assessment is a two-week penetration test of an entire organization. The first week is spent on external testing, and the second week focuses on assessing the internal network. The CISA team identified default credentials for multiple web interfaces and used default printer credentials while penetration testing. Other internal assessment testing found several other weaknesses.

Based on its findings, the agency recommends healthcare and public health sector organizations ensure measures such as enhancing their internal environments to mitigate follow-on activity after initial access, using phishing-resistant multifactor authentication for all administrative access, and segregating networks. It also recommends verifying the implementation of those hardening measures, including changing, removing or deactivating all default credentials.

CISA said its recommendations can apply to all critical infrastructure organizations as well as to software manufacturers.

The agency said that as part of its assessment, its team had conducted web application, phishing, penetration, database and wireless assessments.

The assessments resulted in positive and negative findings. In its one-week external assessment of the organization, the CISA team did not identify any significant or exploitable conditions in externally available systems that could allow a malicious actor to easily obtain initial access to the organization’s network.

The assessment team also was unable to gain initial access to the assessed organization through phishing.

But during internal penetration testing, the CISA team exploited misconfigurations, weak passwords and other issues through multiple attack paths to compromise the organization's domain.

CISA used the MITRE ATT&CK for Enterprise framework, version 14 for mapping its findings, which are detailed in the agency report.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.