The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. Even though this advisory is based on HPH findings and activities, it provides mitigation strategies that are applicable to all organizations.
The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: asset management and security; identity management and device security; and vulnerability, patch, and configuration management.
Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.
This advisory builds on the CISA and Health and Human Services Healthcare and Public Health Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).
All HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, are encouraged to apply the recommended mitigations to harden networks against malicious activity and to reduce the likelihood of domain compromise.