CISA releases guidance for high-risk nonprofits

The Cybersecurity and Infrastructure Security Agency released new guidance for high-risk nonprofits and other resource-constrained community organizations to improve their understanding of cyberthreats and their efforts to mitigate them.

But the upcoming 2024 election could have a huge impact on CISA's broader efforts to address security deficiencies across several critical sectors, which include recently completed national cyber exercises on data protection, Director Jen Easterly reported to the Senate last week.

WHY IT MATTERS

Because civil society organizations, which include certain healthcare organizations, are “ill-prepared for and vulnerable to” social engineering attempts and other common cyber threats, CISA coauthored “Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society” published on May 14.

With this compilation of best practices, CISA and its coauthors, national and international law enforcement and security agencies, hope to help civil society organizations, which tend to rely on insecure communication channels and have low defensive capacity.

“These organizations lack internal IT support and essential cyber hygiene to prevent the possibility of malicious activity (e.g., lifecycle management, patch management, multifactor authentication, password management),” they said.

Recommended actions and mitigations for these vulnerable organizations link to CISA courses and other resources, like Access Now’s Digital Security Helpline, which offers civil organizations 24/7 support in nine languages. It responds in two hours, according to the “grassroots-to-global” organization’s website.

To further protect vulnerable and high-risk communities from cyberattacks, the agencies also recommend that vendors publicly commit to Secure by Design practices.

“This commitment entails embracing Secure by Design principles, including (1) assuming accountability for customer security outcomes, (2) embrace radical transparency and unwavering accountability and (3) lead from the top and implement top-down leadership to drive transformative changes aimed at prioritizing security at every stage of software development and deployment,” CISA and its coauthors said in the new guide.

They recommend software vendors work to eliminate product vulnerabilities, enable multifactor authentication by default, report suspicious network behaviors to their customers and set up alerts for unsafe configurations.

In addition to bolstering low-resourced vulnerable organizations, CISA has been busy focusing on better-resourced organizations across critical sectors. 

Last month, the agency held Cyber Storm IX national cyber preparedness exercises that gave more than 2,200 participants a chance to test their response to cyberattacks on cloud resources. The periodic national capstone cyber exercise brings together the public and private sectors to simulate and report on the response to a cyber crisis impacting the nation’s critical infrastructure. 

Participants in previous exercises in 2020 and 2022 included providers like Cleveland Clinic, HCA Healthcare and the University of Kansas Health System; health IT vendors like Nuance, Siemens and Cisco; security companies like CrowdStrike; and coordinating entities like HHS and the Health Information Sharing and Analysis Center.

This year’s exercise “centered on adversary exploitation of common misconfigurations of cloud environments to cause various impacts to data confidentiality, integrity and availability,” Easterly said in her May 16 recap of the event.

The healthcare sector is currently under siege from ransomware groups looking to profit from major system outages. A debilitating ALPHV cyberattack on Change Healthcare forced parent company UnitedHealth Group to rebuild its systems with cloud-based security, and a presumed Black Basta ransomware attack has disrupted the nonprofit health system Ascension. On top of that, 2024 presents an additional cybersecurity hurdle for the agency to clear.

Easterly told the Senate Select Committee on Intelligence at a May 15 hearing on foreign threats to the upcoming elections that, while U.S. election network environments are more secure than ever, “Today’s threat environment is more complex than ever.” 

“We cannot be complacent,” she said in her opening statement, noting that “CISA is providing more services in more jurisdictions than ever before.”

THE LARGER TREND

Years of major breaches have caused lengthy care disruptions and diversions that put patients at risk, pushing the government to act. 

Following the release of a National Cybersecurity Strategy last year, the U.S. Department of Health and Human Services outlined its healthcare cybersecurity strategy, with some pushback from the American Hospital Association and other groups.

In addition to new voluntary cybersecurity performance goals, HHS said it would collaborate with Congress to create incentives to improve cybersecurity performance for domestic hospitals and would require more accountability and coordination with the healthcare sector.

In a letter to HHS Secretary Xavier Becerra on Thursday, the Workgroup for Electronic Data Interchange called on the federal government to create an Office of National Cybersecurity Policy led by a new “Cyber Policy Czar,” and offered several other recommendations to help coordinate and lead the national cyber response.

WEDI asked HHS, and other federal agencies, to do more to help health systems maintain operations and mitigate the consequences of successful cyberattacks by ensuring information exchange capabilities.

In addition to CISA’s and HHS’ efforts, Anne Neuberger, deputy national security adviser for cyber and emerging technologies, has focused on healthcare cybersecurity through multiple federal agencies.

Earlier this month, the Healthcare Leadership Council met with the deputy national security adviser for an off-the-record cybersecurity discussion.

“We appreciate Ms. Neuberger’s candor and willingness to collaborate with healthcare leaders on this critical priority, and look forward to working with the administration to strengthen the healthcare industry’s resilience and promote patient safety,” the council said in an online statement.

ON THE RECORD

“This guide, along with the [HHS] Cybersecurity Performance Goals, can help resource-challenged hospitals prioritize cybersecurity practices and develop a roadmap for implementation,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in a statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.