CISA releases guidance for high-risk nonprofits

The Cybersecurity and Infrastructure Security Agency announced this new guidance for at-risk nonprofits and other community-based organizations with limited resources to improve their understanding and efforts to mitigate cyber threats.

But the upcoming 2024 elections could have a huge impact on CISA’s broader efforts, including recently completed national data protection cyber exercises, to address security deficiencies in several critical sectors, director Jen Easterly told the Senate last week.

WHY IT MATTERS

Because civil society organizations, including certain healthcare organizations, are “ill prepared for and vulnerable to” social engineering attempts and other common cyber threats, CISA co-authored Mitigating Cyber ​​Threats with Limited Resources: Guidance for Civil Society, published at May 14.

With the collection of best practices, CISA and its national and international law enforcement and security agencies co-authors hope to help civil society organizations that tend to rely on insecure communications channels and have low defense capabilities.

“These organizations lack internal IT support and essential cyber hygiene to prevent the possibility of malicious activity (e.g. lifecycle management, patch management, multi-factor authentication, password management),” they say.

Recommended actions and solutions for these vulnerable organizations are linked to CISA courses and other resources, such as those from Access Now Digital security helplinewhich offers civil society organizations 24/7 support in nine languages ​​and responds within two hours, according to the grassroots-to-global organization’s website.

However, to further protect vulnerable and at-risk communities from cyberattacks, the agencies also recommend that suppliers publicly commit to Secure by Design practices.

“This commitment includes embracing the Secure by Design principles, including (1) taking responsibility for customer security outcomes, (2) embracing radical transparency and unwavering accountability, and (3) leading the top and implementing top-down leadership to drive transformative changes focused on prioritizing security at every stage of software development and deployment,” CISA and its co-authors said in the new guide.

They recommend that software vendors eliminate product vulnerabilities, enable multi-factor authentication by default, report suspicious network behavior to their customers, and set alerts for insecure configurations.

In addition to strengthening vulnerable, under-resourced organizations, CISA has been busy focusing on better-resourced organizations in critical sectors.

Last month, the Cyber ​​Storm IX agency held national cyber preparedness exercises that gave more than 2,200 participants the opportunity to test their responses to cyber attacks on cloud resources. The periodic national cyber exercise brings together the public and private sectors to simulate and report on the response to a cyber crisis impacting the country’s critical infrastructure.

Participants inside previous exercises in 2020 and 2022 included providers such as Cleveland Clinic, HCA Healthcare and the University of Kansas Health System, health IT vendors such as Nuance, Siemens and Cisco, security companies such as CrowdStrike and coordinating entities such as HHS and the Health Information Sharing and Analysis Center.

This year’s exercise “centers on adversarial exploitation of common misconfigurations of cloud environments to have various impacts on data confidentiality, integrity and availability,” Easterly said in her May 16 report. summary of the event.

While the healthcare industry is currently under siege by several ransomware groups looking to take advantage of major system outages, such as a debilitating ALPHV cyberattack that required parent company UnitedHealth Group to rebuild Change Healthcare’s systems with cloud-based security and a suspected Black Basta ransomware attack on non- Profit Ascension, 2024 presents an additional cybersecurity hurdle for the agency to overcome.

Easterly told the Senate Intelligence Committee during a May 15 hearing on foreign threats to the upcoming elections that while U.S. election network environments are more secure than ever, “the current threat environment is more complex than ever.”

“We cannot be complacent,” she said in her pick up linenoting that “CISA is providing more services in more jurisdictions than ever before.”

THE BIG TREND

Years of major breaches have led to long-term disruptions to care and diversions that put patients at risk, forcing the government to take action.

Following the release of a national cybersecurity strategy last year, the U.S. Department of Health and Human Services laid out its healthcare cybersecurity strategy, with some pushback from the American Hospital Association and other groups.

In addition to new voluntary cybersecurity performance goals, HHS said it would work with Congress to create incentives to improve the cybersecurity performance of domestic hospitals and would require greater accountability and coordination with the health care industry.

In a letter to HHS Secretary Xavier Becerra on Thursday, the Working Group on Electronic Data Interchange called on the federal government to create an Office of National Cybersecurity Policy, led by a new “Cyber ​​Policy Czar,” and made several other recommendations to help coordinate and lead the national cyber response

WEDI asked HHS and other federal agencies to do more to help health care systems maintain operations and mitigate the impact of successful cyberattacks by ensuring information-sharing capabilities.

In addition to CISA and HHS efforts, Anne Neuberger, Deputy National Security Advisor for Cyber ​​and Emerging Technologies, has focused on healthcare cybersecurity through multiple federal agencies.

Earlier this month, the Healthcare Leadership Council met with the Deputy National Security Advisor for an off-the-record cybersecurity discussion.

“We appreciate Ms. Neuberger’s candor and willingness to work with healthcare leaders on this critical priority, and look forward to working with the government to strengthen the healthcare sector’s resilience and improve patient safety promote,” the council said in a statement. online statement.

ON THE RECORD

“This guide, together with the (HHS) Cybersecurity Performance Goals, can help hospitals with limited resources prioritize cybersecurity practices and develop a roadmap for implementation,” said John Riggi, AHA’s national advisor on cybersecurity and risk, in a rack.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Related Post