Healthcare and Public Health Sector: Address Resource Constraints
Recognizing that the nation’s healthcare systems and providers have been under severe resource constraints—especially since the start of COVID-19—members of the Healthcare and Public Health (HPH) sector should actively take steps to address their constraints.
Use free or low-cost services to make near-term improvements when resources are scarce
The tools and resources offered by CISA in this toolkit are available at no cost. In addition, HHS hosts Knowledge on Demand (KOD), a free cybersecurity education platform that includes multiple delivery methodologies to reach health care facilities of all sizes across the country.
Public health entities should work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP)
The SLCGP provides $1 billion over 4 years for a first-of-its-kind grant program specifically for state, local, and territorial (SLT) governments funding to support efforts addressing cyber risk to their information systems. The two major first year requirements for this program include the establishment of a Statewide Cybersecurity Planning Committee and the development, by this committee, of a Statewide Cybersecurity Plan. Public health is a required member of the Planning Committee, therefore ensuring the cybersecurity needs of public health organizations are accounted for. While the funding is granted directly to the State Administrative Agency, publicly funded healthcare entities are eligible to receive sub-award money.
Expect more from technology providers
HPH organizations should expect the technology used for essential services and life-saving support to have strong security controls enabled by default—at no additional charge.
During the technology procurement and renewal process:
Ensure that vendors do not charge more for security features like MFA and logs. Be aware of the “Single Sign On (SSO) tax”. As you deploy products be sure to review the product’s “hardening guide”, a set of steps to make the product less dangerous.
As you become aware of upcharges for security features, or unsafe defaults:
Start a dialog with other healthcare sector and Health-ISAC members to assess a strategy for working with the vendor to remediate. CISA is an advocate for the HPH community in advancing technology products equipped to support our nation’s HPH system.
Consider cloud migration to lessen the burden of on-site cybersecurity
Many HPH entities operate their own IT systems, requiring them to take time to patch, monitor, and respond to potential security events. Consider which on-premise IT services could be migrated to the cloud. While it is not possible to categorically state that “the cloud is more secure,” migration to the cloud will be a more secure and resilient option for many healthcare organizations. Certain offerings in the cloud are more mature. For example, consider migrating your user identity and mail systems to the cloud first. Depending on business needs or requirements, certain items may need to remain on-premise. Talk to your CISA regional representative for guidance on secure cloud migration.