CISA's new ransomware vulnerability notification program

The cybersecurity agency proactively identifies critical infrastructure information systems that contain known ransomware vulnerabilities and provides owners with mitigation guidance to take immediate action.
By Andrea Fox
11:04 AM

The Cybersecurity and Infrastructure Security Agency leverages multiple open-source and internal tools to proactively research and detect vulnerabilities within U.S. critical infrastructure as part of its new Ransomware Vulnerability Warning Pilot, which started on January 30.

WHY IT MATTERS

On Monday, CISA announced the creation of its RVWP program required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

CISA says it can accomplish ransomware-vulnerability warning by leveraging its existing services, data sources, technologies and authorities, including the agency's Cyber Hygiene Vulnerability Scanning service and its Administrative Subpoena Authority granted under Section 2209 of the Homeland Security Act of 2002, according to the FAQ on its website.

"Organizations across all sectors and of all sizes are too frequently impacted by damaging ransomware incidents," CISA said in the new FAQ.

Most organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network. But damaging intrusions could be avoided by warning critical infrastructure entities, like hospitals and healthcare systems, of detected security vulnerabilities.

Once CISA identifies affected systems, regional cybersecurity personnel notify system owners.

CISA also offers no-cost cybersecurity resources and tools. It recommends that organizations sign up for its no-cost Cyber Hygiene Vulnerability Scanning service and take a self-assessment to determine progress in implementing cybersecurity performance goals. 

By building a relationship with a regional CISA cybersecurity advisor, healthcare organizations can participate in additional services, the agency added.

THE LARGER TREND

To improve the cybersecurity posture of healthcare, the Department of Health and Human Services has recommended enterprise-wide risk analyses and a series of best practices, including vulnerability scans of all systems and devices to reduce the risks of common cyberattacks.

Vulnerability management has been the most important part of cybersecurity for the past 20 years, according to Darren Lacey, vice president and CISO for Johns Hopkins University and Johns Hopkins Medicine.

"We chase down vulnerabilities and, in fact, if you had to say what was the biggest change in cybersecurity over the last 10 years along with the ransomware spike would be the number of publicized vulnerabilities," he told Healthcare IT News in September.

Ransomware attacks doubled between 2020 and 2022, and with cyberattacks getting more innovative in their approaches over time, it behooves all healthcare organizations to make use of all the cybersecurity services CISA, HHS and industry resources offer.

ON THE RECORD

"Many of these incidents are perpetrated by ransomware threat actors using known vulnerabilities," CISA says in its new RVWP program FAQ. "By urgently fixing these vulnerabilities, organizations can significantly reduce their likelihood of experiencing a ransomware event."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
