In recent years, healthcare facilities have been subject to many cyberattacks, leading to leaked private information and delayed care. In cooperation with health-related federal agencies, CISA has released a free cybersecurity toolkit for the healthcare and public health sector.
During the COVID-19 pandemic, health centers and hospitals were prime targets for cyber criminals, and the industry continues to be vulnerable. The attacks these medical centers weathered often had serious consequences for patients, with hospitals being forced to shut down some facilities because their computer systems were not functioning.
In a recent roundtable discussion on cybersecurity challenges in the healthcare industry, Nitin Natarajan, the Deputy Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that because “healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary”. CISA recently released a cybersecurity toolkit specifically for the Healthcare and Public Health (HPH) sector to combat this issue.
The toolkit is a reflection of CISA’s continual efforts to help improve the cybersecurity of regions that are “target rich, resource poor”, a concern they raised in the strategic plan they released earlier this year. The Department of Health and Human Services (HHS) and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group collaborated with CISA to produce a set of online resources that can be used by “HPH organizations at every level”. The coordination between agencies involved here is another sign that CISA is making progress in its goal to “Address Immediate Threats”.
The resources are organized into three main sections: cyber hygiene, improving cybersecurity defenses, and resource constraints. The page, “Know the Risks, Use Cyber Hygiene”, includes industry-specific documents on cyber threat management, planning for emergencies, a detailed adaptation of the NIST Cybersecurity Framework, and a Resiliency Analysis, a study of the specific methods threat actors are using against hospitals.
There are also directions to more general tools, like CISA’s cybersecurity awareness program “Secure Our World”, their Known Exploited Vulnerabilities Catalog, and Cyber Hygiene Services. The section “Strengthen your Defenses and Mature your Cybersecurity Efforts” pairs less specific cybersecurity information (a cyber incident plan, communications and cyber resiliency toolkit, cybersecurity training exercises). The final section “Address Resource Constraints” offers recommendations on affordable means of reducing cyber risk, along with what to expect from technology providers.
Hopefully, all healthcare sector professionals will explore the wealth of resources provided by CISA's toolkit and integrate them into their cybersecurity strategy. By understanding the risks, adopting best practices, and building a strong culture of cyber-awareness within healthcare organizations, everyone will contribute to creating a more secure and resilient industry. Ultimately, improving cybersecurity will not only safeguard sensitive information and networks but also protect patients' lives.