The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities

CISA has issued a decision tree methodology that can be adopted by healthcare organizations to help them develop an efficient and effective vulnerability management program.

The Importance of an Efficient Patch Management Program

When it comes to vulnerability management, the best practice is to patch promptly. When software updates and patches are released, they should be applied as soon as possible to prevent bad actors from exploiting the flaws. In practice, promptly patching all vulnerabilities can be a major challenge due to the sheer number of patches and software updates being released, nor is it wise, since vulnerabilities are not all equal. Some are much more likely to be exploited than others, and the impact of successful exploitation can vary considerably. IT teams therefore need to prioritize patching and deal with critical and actively exploited vulnerabilities first.

Healthcare organizations with mature vulnerability management programs are more likely to have efficient processes for vulnerability management. They assess the severity of each vulnerability, the impact its exploitation would have, and whether the vulnerability is being actively exploited or a proof-of-concept (PoC) exploit is in the public domain, and from that determine the likelihood of the vulnerability being exploited. After assessing each vulnerability, they can then effectively prioritize patching. Smaller healthcare organizations may struggle with assessing and prioritizing patching, and the consequences of getting things wrong can be severe: important updates may be missed, which leaves the door wide open for hackers.

A Decision Tree Method for Assessing and Remediating Software Vulnerabilities

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help organizations prioritize patching and shared a Stakeholder-Specific Vulnerability Categorization (SSVC) vulnerability management methodology that can be adopted to ensure vulnerabilities are accurately assessed, allowing remediation efforts to be prioritized.


CISA Executive Assistant Director (EAD) Eric Goldstein explained in a recent blog post that there are three key steps needed to advance the vulnerability management ecosystem. They are:

1) To introduce greater automation into vulnerability management.

2) To make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of the Vulnerability Exploitability eXchange (VEX).

3) To help organizations more effectively prioritize vulnerability management resources through the use of SSVC, including prioritizing vulnerabilities based on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The SSVC system was developed by CISA and the Software Engineering Institute (SEI) at Carnegie Mellon University, with CISA then developing its own custom version of the SSVC for assessing and addressing vulnerabilities that affect government and critical infrastructure organizations.

The SSVC can be used by organizations to assess vulnerabilities based on five values: the exploitation status (is it currently being exploited), the technical impact (how serious is the vulnerability), whether the vulnerability is automatable, the mission prevalence, and the public well-being impact. Vulnerabilities can then be categorized into one of four categories:

  • Track – No immediate action is required, but the vulnerability should be tracked and reassessed if further information becomes available, with the vulnerability remediated within standard timeframes.
  • Track* – No immediate action is required, but there are characteristics that require closer monitoring for changes. These vulnerabilities should be remediated within standard timeframes.
  • Attend – The vulnerability requires attention from the organization’s internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability and potentially publishing a notification internally and/or externally. The vulnerability needs to be remediated sooner than standard update timelines.
  • Act – The vulnerability requires attention from the organization’s internal, supervisory-level, and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability and publishing a notification either internally and/or externally. Internal groups would meet to determine the overall response and then execute agreed-upon actions, with the vulnerability remediated as soon as possible.
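The five decision points and four outcomes described above can be encoded as a lookup-driven decision tree so that every finding in a backlog is scored the same way. This is an added Python example, not code from the article or from CISA; the two tables are this example's own transcription of CISA's published SSVC tree and should be checked against the CISA SSVC guide, and the sample CVE identifiers are placeholders.

```python
from collections import namedtuple

# Both tables are this example's own transcription of CISA's published SSVC tree;
# verify against the CISA SSVC guide before relying on them.
# Mission prevalence x public well-being impact -> combined "mission & well-being".
MISSION_WELLBEING = {
    ("minimal", "minimal"): "low",    ("minimal", "material"): "medium", ("minimal", "irreversible"): "high",
    ("support", "minimal"): "medium", ("support", "material"): "medium", ("support", "irreversible"): "high",
    ("essential", "minimal"): "high", ("essential", "material"): "high", ("essential", "irreversible"): "high",
}
# Leaves keyed (exploitation, automatable, technical impact) -> decision for a
# combined mission & well-being of (low, medium, high) respectively.
LEAVES = {
    ("none", "no", "partial"): ("Track", "Track", "Track"),
    ("none", "no", "total"): ("Track", "Track", "Track*"),
    ("none", "yes", "partial"): ("Track", "Track", "Attend"),
    ("none", "yes", "total"): ("Track", "Track", "Attend"),
    ("poc", "no", "partial"): ("Track", "Track", "Track*"),
    ("poc", "no", "total"): ("Track", "Track*", "Attend"),
    ("poc", "yes", "partial"): ("Track", "Track", "Attend"),
    ("poc", "yes", "total"): ("Track", "Track*", "Attend"),
    ("active", "no", "partial"): ("Track", "Track", "Attend"),
    ("active", "no", "total"): ("Track", "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"): ("Attend", "Act", "Act"),
}
MW_INDEX = {"low": 0, "medium": 1, "high": 2}

# Field values: exploitation none|poc|active, automatable no|yes, technical_impact
# partial|total, mission_prevalence minimal|support|essential,
# well_being minimal|material|irreversible.
Vuln = namedtuple("Vuln", "cve exploitation automatable technical_impact mission_prevalence well_being")

def ssvc_decision(v):
    """Walk the tree; an unknown decision-point value raises KeyError instead of guessing."""
    mw = MISSION_WELLBEING[(v.mission_prevalence, v.well_being)]
    return LEAVES[(v.exploitation, v.automatable, v.technical_impact)][MW_INDEX[mw]]

def prioritize(vulns):
    """Order the patch backlog: Act first, then Attend, Track*, Track."""
    order = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    return sorted(vulns, key=lambda v: (order[ssvc_decision(v)], v.cve))

# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Vuln("CVE-0000-0001", "none", "no", "partial", "minimal", "minimal"),
    Vuln("CVE-0000-0002", "active", "yes", "total", "support", "material"),
    Vuln("CVE-0000-0003", "poc", "no", "total", "essential", "minimal"),
]
```

Feeding the KEV catalog into the `exploitation` field (KEV-listed means `active`) is what moves a finding from Track toward Act without anyone re-reading the advisory.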

CISA recommends using the SSVC alongside CISA’s Known Exploited Vulnerabilities (KEV) Catalog, the Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX). When these are all used together, the window of opportunity cyber threat actors have to exploit vulnerable networks will be significantly reduced.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
