Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

CISA releases results from risk and vulnerability assessment

Written by Abby Grifno | December 19, 2023

The Cybersecurity & Infrastructure Security Agency (CISA) recently released its findings from a risk and vulnerability assessment of a Healthcare and Public Health Sector organization.


What happened

At the beginning of the year, an organization in the Healthcare and Public Health (HPH) sector asked CISA to conduct a Risk and Vulnerability Assessment (RVA). The assessment is designed to identify vulnerabilities and areas for security improvement. It is a two-week engagement: the first week is spent on external testing, and the second on testing from inside the network.

CISA assessed a large organization running on-premises software on its own hardware infrastructure rather than in the cloud. According to CISA's report, the team was unable to exploit the organization's external systems but was able to exploit its internal systems.


Going deeper

During the external phase, the team attempted to compromise public-facing systems through phishing, web application testing, and external penetration testing.

In this phase, the team was unable to exploit the organization through penetration testing or its web applications. In the phishing test, the CISA team received 12 responses to a malicious form, but the harvested information did not grant access to any external-facing resources because multi-factor authentication blocked further progress.

During the internal phase, the team attempted to breach the environment as an actor with internal access. They completed database, web application, and wireless testing. They were unable to identify exploitable conditions from the database or wireless testing. 

They were, however, able to complete an internal penetration test starting from a connection to the organization's network but no valid domain account. From that position, the team attempted to gain initial access and then escalate privileges until it could compromise high-value assets. Four attack paths failed; the fifth succeeded.

The team determined that one of the organization's weakest points was its password requirements, which were lax enough that passwords could be defeated by the assessment team.


Why it matters

CISA's attempts to infiltrate the organization illustrate how organizations get breached and where vulnerabilities lie across the HPH sector.

Following the assessment, CISA provided a variety of strategies HPH organizations can adopt to reduce their exposure. Mitigation strategies included:

  • Asset Management and Security: The CISA recommends that organizations implement and maintain an asset management policy to reduce the risk of exposing vulnerabilities that could be exploited. Organizations should assess their “asset inventory, procurement, decommissioning, and network segmentation as they relate to hardware, software, and data assets.” 
  • Identity Management and Device Security: The CISA recommends that entities secure devices and accounts to protect sensitive data. Organizations should focus on email security, phishing prevention, password policies, device logs, access management, and data protection and loss prevention. 
  • Vulnerability, Patch, and Configuration Management: The CISA recommends entities mitigate known vulnerabilities and establish secure configuration baselines.  
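The weak-password finding above and the password-policy item in this list are both easier to reason about with a concrete check. The following Python is an added example written for this article, not code from CISA, the assessment, or the assessed organization. The two policies, the list of common passwords, and the assumed guess rate are all constructed for illustration; it shows how to estimate the worst case a policy permits (the shortest compliant password drawn from the smallest allowed alphabet) and which compliant passwords a wordlist attacker would still get for free.

```python
"""Estimate how well a password policy holds up against offline guessing."""
import math
import re
from dataclasses import dataclass

# Constructed sample of common passwords. A real audit would use a breach corpus
# such as a downloaded HIBP hash list; these strings are for illustration only.
COMMON_PASSWORDS = {
    "password1", "welcome1", "summer2023!", "hospital1",
    "p@ssw0rd", "changeme", "qwerty123",
}

# Assumed offline guess rate for a fast unsalted hash on commodity GPUs.
# This figure is an illustration, not a benchmark.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Alphabet sizes ordered smallest-first: digits, lowercase, uppercase, symbols.
CLASS_SIZES = (10, 26, 26, 33)
CLASS_PATTERNS = (r"[0-9]", r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_classes: int   # how many of digit/lower/upper/symbol must appear
    block_common: bool     # reject passwords found in the common list


def char_classes(pw: str) -> int:
    """Count the distinct character classes present in pw."""
    return sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)


def passes(policy: Policy, pw: str) -> bool:
    """True if pw satisfies every rule of the policy."""
    if len(pw) < policy.min_length:
        return False
    if char_classes(pw) < policy.require_classes:
        return False
    if policy.block_common and pw.lower() in COMMON_PASSWORDS:
        return False
    return True


def minimum_keyspace(policy: Policy) -> int:
    """Keyspace of a minimally compliant password: shortest allowed length,
    using only the smallest alphabet that still meets the class requirement.
    This is what a user who does the bare minimum hands the attacker."""
    classes = max(policy.require_classes, 1)
    alphabet = sum(CLASS_SIZES[:classes])
    return alphabet ** policy.min_length


def hours_to_exhaust(policy: Policy, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Hours needed to try every minimally compliant password at the given rate."""
    return minimum_keyspace(policy) / rate / 3600


def policy_gap(policy: Policy, candidates: list[str]) -> list[str]:
    """Passwords that satisfy the policy yet sit in the common list: complexity
    rules alone do not stop these, only a blocklist does."""
    return sorted(pw for pw in candidates
                  if passes(policy, pw) and pw.lower() in COMMON_PASSWORDS)


# Constructed policies: a legacy "8 chars, 3 classes" rule beside a longer,
# blocklist-backed rule.
WEAK = Policy("legacy-8-complex", min_length=8, require_classes=3, block_common=False)
STRONG = Policy("long-blocklisted", min_length=14, require_classes=2, block_common=True)

# Constructed candidate passwords of the kind an internal attacker would guess first.
CANDIDATES = ["Hospital1", "Summer2023!", "P@ssw0rd", "correct horse battery staple", "1234567"]

if __name__ == "__main__":
    for policy in (WEAK, STRONG):
        bits = math.log2(minimum_keyspace(policy))
        print(f"{policy.name}: worst case {bits:.1f} bits, "
              f"exhausted in {hours_to_exhaust(policy):,.0f} h, "
              f"compliant-but-common: {policy_gap(policy, CANDIDATES)}")
```

The two numbers worth comparing are the worst-case keyspace and the gap list. A policy that demands complexity but allows eight characters lets a minimally compliant password be exhausted in hours at the assumed rate, and it still accepts dictionary words with a capital letter and a digit appended; the longer blocklist-backed policy closes both holes. The alphabet sizes and the guess rate are the assumptions to adjust for a real environment.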

The big picture

Through assessments like this, organizations can better understand the range of breaches that are possible and evaluate their current security controls. While the assessed organization likely differs from others in the HPH sector, every HPH organization should consider which of these steps or strategies it can implement to better protect data.
