The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced a new initiative aimed at improving critical infrastructure cyber resilience during geopolitical conflicts, and is urging critical infrastructure operators to improve their defenses against disruptive and destructive cyberattacks through proactive isolation and recovery planning. CISA warns that adversaries have already embedded themselves in critical systems and are positioning themselves to cripple operational technology in the event of a wider geopolitical conflict.

During geopolitical conflicts, critical infrastructure entities face an increased risk of cyberattacks, where nation-state actors may attempt to disrupt and destroy the operational technology running the United States. Attacks may target healthcare providers to disrupt patient care, telecommunications infrastructure to damage phone and internet services, food production facilities, and energy and wastewater entities. At all times, critical infrastructure entities must continue to deliver crucial services to Americans. They must therefore isolate vital systems from harm, continue operating them in an isolated state, and be able to rapidly recover any systems that are successfully compromised.

The initiative, dubbed CI Fortify, is aimed at boosting public health and safety, critical defense infrastructure, national security, and ensuring the continuity of the economy. CISA explains that critical infrastructure operators must assume that, in the event of a conflict scenario, third-party connections such as telecommunications, vendors, service providers, upstream dependencies, and the internet are likely to be unreliable, and threat actors will have access to certain parts of the operational technology network.

Operators must plan for such scenarios and improve resilience through isolation and incident recovery practices. Isolation involves proactively disconnecting operational technology systems from third-party business networks to prevent operational technology cyber impacts and sustain essential operations in a degraded communications environment. Processes need to continue to ensure service delivery in the event of an incident, rather than being forced to completely shut down.

Critical infrastructure operators should identify critical customers and set a service delivery target based on their needs, determine vital operational technology and supporting infrastructure to meet their targets in isolation, and update business continuity plans and engineering processes to ensure safe operations while isolated, which could be weeks or even months. They should track CISA and Sector Risk Management Agency (SRMA) guidance to know when to isolate. For healthcare and public health organizations, the Department of Health and Human Services is the designated Sector Risk Management Agency (SRMA), with those duties handled by the Administration for Strategic Preparedness through the Office of Critical Infrastructure Protection.

For recovery, it is essential to ensure that systems are documented, critical files are backed up, and procedures are practiced for replacing critical systems and transitioning to manual processes in the event of systems or components being rendered inoperable. It is also vital to address communications dependencies for recovery, such as licensing servers or business network connections.  “Regardless of the source for any disruption, these emergency planning efforts will leave operators with more resilient infrastructure that is easier to defend and keep running,” explained CISA. CISA has set up a webpage with further information and resources to help critical infrastructure entities isolate systems and enable recovery.

This week, the Joint Commission and AHA announced a new Cyber Resilience Readiness Program for hospitals and health systems to ensure they can sustain clinical operations during cyberattacks that disrupt critical information technology systems. The program dovetails with CISA’s CI Fortify initiative, according to John Riggi, AHA national advisor for cybersecurity and risk.

The post CISA Launches Initiative to Improve Critical Infrastructure Resilience During Geopolitical Conflicts appeared first on The HIPAA Journal.

Healthcare organizations are exposing a vast amount of patient data by failing to implement even basic security measures for DICOM servers, according to a recent Trend Micro TrendAI analysis. TrendAI identified thousands of internet-facing DICOM servers belonging to hundreds of entities. The lack of security protections puts patient privacy at risk and gives hackers the opening they need for lateral movement and ransomware attacks.

Medical images generated from X-rays, MRI, CT, and ultrasound scans are captured, stored, processed, transmitted, and viewed using the Digital Imaging and Communications in Medicine (DICOM) standard. Work on a standard for communicating medical imaging information started in the early 80s and culminated in the DICOM standard. DICOM defines a file format for medical images and a network protocol for communicating those images between different devices and systems, including equipment such as scanners, workstations, and printers, software, network hardware, and Picture Archiving and Communication Systems (PACS). DICOM enables interoperability across devices and systems, regardless of manufacturer.

DICOM files contain medical imaging data; however, the metadata includes a substantial volume of protected health information, such as full names, dates of birth, and medical record numbers, and sometimes other sensitive data such as Social Security numbers and other patient identifiers. The metadata may also include information such as the referring physician’s name, the reading radiologist, why the test was ordered, diagnosis codes, and procedure information, while the images themselves can reveal sensitive health conditions.

The purpose of the DICOM standard is to allow easy viewing, storage, exchange, and transmission of medical images; however, there are also security features to protect against unauthorized access. The problem is that those security features are not being fully utilized, and in many cases, are not being used at all. Using Shodan.io scanning data, the TrendAI team identified 3,627 DICOM medical imaging servers in more than 100 countries that were directly accessible via the public internet, the largest percentage of which (33%) were in the United States (1,189 servers). While the exposed servers were often PACS or workstations, the TrendAI team points out that they often serve as gateways to medical imaging modalities such as MRI systems, X-Ray equipment, CT and PET-CT scanners, and mammography units. While the analysis did not identify any of those medical devices, it is reasonable to assume that the exposed servers communicate with those devices.

The analysis was conducted using Shodan scanning data from November to December 2025, which revealed that many DICOM servers have minimal or no security controls. TrendAI found that only 0.14% of exposed DICOM servers use TLS encryption, which prevents eavesdropping and man-in-the-middle attacks. DICOM servers should only accept connections from known, trusted sources; however, 99.56% of exposed servers accepted connections without AE Title validation, suggesting AE Title validation was not being enforced. Across the exposed servers, 334 organizations could be identified. They included 231 healthcare organizations such as hospitals, clinics, laboratories, and imaging and radiology centers.

The best practice is to ensure that DICOM servers are on isolated networks with firewalls restricting access; however, the fact that 3,627 servers were exposed to the internet shows that even this basic security control is not being implemented. Further, an analysis of software versions found that many had significant patch deficiencies, including unpatched critical vulnerabilities such as CVE-2019-1010228, CVE-2022-2119, CVE-2022-2120, and CVE-2025-0896. The TrendAI team also found that 44% of servers cluster into groups running identical software, which means that one vulnerability can be exploited on hundreds of targets. The scant protections put patient privacy at risk, potentially allowing extensive data theft, image manipulation, lateral movement, and ransomware attacks.

“Security must be treated as a fundamental requirement rather than an optional enhancement. The tools exist; they simply need to be used,” suggests TrendAI. “Healthcare organizations, cloud providers, and DICOM software vendors all share responsibility for addressing this exposure. Until they do, patient data remains at risk, clinical systems remain vulnerable, and the healthcare sector remains an attractive target for malicious actors.”

The post Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers appeared first on The HIPAA Journal.