New guidance released by the Cybersecurity and Infrastructure Security Agency (CISA) offers best practices that organizations in the healthcare and public health sector can adopt to combat rising cyber threats.

The guidance, published by CISA on Friday, is voluntary and meant to be a companion to information the agency distributed to healthcare organizations in July.

The guidance includes mitigation strategies for:

  • Asset management and security;
  • Identity management and device security; and
  • Vulnerability, patch, and configuration management.

Regarding asset management, CISA recommended healthcare organizations start by implementing and maintaining an inventory of assets. The second focus area should be implementing network segmentation to isolate information technology and operational technology devices on separate network segments.

For identity management and device security, CISA offered best practices on email security and phishing prevention, access management and monitoring, password policies, data protection and loss prevention, and device logs and monitoring solutions. It is important that organizations establish and maintain annual cybersecurity training for their workforce, the agency said, recommending that new employees receive initial training within the first 10 days of onboarding.

On vulnerability and patch management, CISA advised that organizations follow the multistep cycle of:

  1. Identify;
  2. Assess and prioritize;
  3. Act;
  4. Verify; and
  5. Improve.

Meanwhile, steps for configuration and change management included:

  1. Identify configuration items;
  2. Establish secure baselines;
  3. Implement and audit changes; and
  4. Assess and remediate.

CISA further recommended manufacturers of healthcare products “take steps to build their products in a secure-by-design manner, and that [healthcare] entities prioritize the importance of purchasing secure-by-design products.”