On November 17, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) released a supplemental mitigation guide for the healthcare and public health sector to the Cyber Risk Summary for those sectors published on July 19, 2023.

“This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur.”

The Guide lists the top vulnerabilities to the health care and public health sectors from highest to lowest as:

• Web application vulnerability (89%)
• Encryption weakness (89%)
• Unsupported software (41%)
• Unsupported Windows OS (36%)
• KEV (known exploited vulnerabilities) (35%)
• Vulnerable services (34%)

The Guide provides three mitigation strategies to employ to address the vulnerabilities and threats posed and the associated MITRE ATT&CK techniques used, including areas of focus for organizations to prioritize. This is a must-read for organizations in the healthcare and public health sector.