CISA launches critical infrastructure cyber resilience initiative

The Cybersecurity and Infrastructure Security Agency has launched a new initiative, CI Fortify, aimed at helping critical infrastructure entities maintain continuity of key services during a cyberattack. CISA urged critical infrastructure organizations, such as healthcare organizations, to develop isolation and recovery capabilities immediately, if they have not already.

CISA described CI Fortify as "an allied initiative bolstering public health and safety, defense critical infrastructure, continuity of the economy, and national security by ensuring operators are prepared to sustain essential operations during a geopolitical conflict."

The initiative consists of a new CISA webpage that serves as the home base for the agency's guidance on strengthening critical infrastructure resilience. CISA said it plans to update the page with more detailed guidance on enabling recovery and isolating systems -- the key emergency planning objectives that can mitigate threats in the near term.

CISA also said it is committed to performing targeted assessments to identify barriers to isolation and recovery and support the development of these capabilities.

CISA defined isolation as "proactively disconnecting from third-party dependencies and operating without reliable telecommunications, internet vendors, service providers, and upstream dependencies."

Bolstering isolation capabilities involves identifying critical customers and setting a service delivery target, determining vital supporting infrastructure to meet the target in isolation and updating business continuity plans, CISA said. The agency also recommended tracking CISA and Sector Risk Management Agency guidance to know when to isolate.

HHS is the designated SRMA for the healthcare and public health sector. HHS' Administration for Strategic Preparedness executes SRMA duties for the sector through its Office of Critical Infrastructure Protection.

CISA's definition of recovery includes "documenting systems, backing up critical files, and practicing the replacement of systems or the transition to manual in case isolation fails and components are rendered inoperable," the agency stated.

Additionally, recovery includes addressing communication dependencies. It requires a collaborative approach in which operators discuss recovery plans and protocols with their vendors and managed service providers to understand their operational dependencies.

"Regardless of the source for any disruption, these emergency planning efforts will leave operators with more resilient infrastructure that is easier to defend and keep running," CISA stated, stressing that emergency planning can prevent further unauthorized access and reduce recovery time and costs.

In healthcare, cyber resilience is crucial to maintaining patient safety amid a cyberattack. Leaders are increasingly recognizing the value of proactive versus reactive security measures.

For example, Joint Commission and the American Hospital Association recently launched the Cyber Resilience Readiness program, which includes a free self-assessment tool that allows healthcare organizations to test their current ability to provide care during cyber-related technology outages.

These initiatives can help healthcare organizations and their critical partners handle cyberattacks while maintaining quality patient care.

Jill Hughes has covered health tech news since 2021.