Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment

**Executive summary:** CISA conducted a two-week Risk and Vulnerability Assessment of a large on-premises HPH organization; while external testing and phishing did not yield initial access, internal testing exploited weak credential hygiene, default credentials, misconfigured ADCS templates, disabled SMB signing, and an EternalBlue-vulnerable server to achieve domain compromise across multiple attack paths, leading to discovery of high-severity issues and recommended mitigations aligned to MITRE ATT&CK and CISA/NIST guidance.