CISA Announces Rescheduled CIRCIA Virtual Town Hall Meetings

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a revised schedule of virtual town hall meetings for its Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) rulemaking.

CISA was affected by the failure of lawmakers to agree on funding for the Department of Homeland Security (DHS), which resulted in a 76-day partial shutdown that ended on April 30, 2026. The shutdown significantly reduced CISA’s operational capacity, with only 38% of its staff remaining on the job over that period. While CISA’s core cyber defense operations were maintained during the partial shutdown, CISA’s outreach activities were a casualty. The CIRCIA virtual town hall meetings initially scheduled for March and April 2026 had to be delayed.

The aim of CIRCIA is to help the government respond quickly to cyber threats and disseminate key information to critical infrastructure sectors in response to those threats. When a final rule is issued, CIRCIA will require critical infrastructure entities to rapidly report significant cybersecurity incidents and ransomware payments to CISA. Covered critical infrastructure entities will be required to notify CISA of any ransom payment within 24 hours and certain cyber incidents within 72 hours.

The rapid reporting required under CIRCIA will allow CISA to quickly deploy resources and provide emergency assistance; build a comprehensive, coordinated, and centralized approach to understanding cyber risks across different critical infrastructure sectors; and identify cyber trends and rapidly share threat intelligence with network defenders and warn potential victims about threats.

Ahead of the publication of a final rule, CISA is seeking stakeholder feedback on the requirements of the CIRCIA Notice of Proposed Rulemaking (NPRM). The aim is to ensure that national cybersecurity is strengthened while minimizing the compliance burden on critical infrastructure entities.

The special topics of interest that were due to be covered in the town hall meetings have not been changed; however, the schedule differs from the original proposal. CISA will be hosting four four-hour virtual town hall meetings, starting on June 15, 2026.

A general session will be hosted on June 15, 2026, followed by a June 16, 2026, virtual meeting for Group A critical infrastructure sectors. These will be followed by a general session on June 17, 2026, and a virtual meeting for Group B critical infrastructure sectors.

  • The Group A session is for the communications, dams, emergency services, food and agriculture, government facilities, healthcare and public health, transportation systems, and water and wastewater sectors.
  • The Group B session is for the chemical, commercial facilities, critical manufacturing, defense industrial base, energy, financial services, information technology, and nuclear reactors, materials, and waste sectors.

While the sessions were initially tentatively scheduled for 13:30 a.m. to 3:30 p.m., they have since been moved to 4:30 p.m. to 8:30 p.m. Advance registration is required, and registration will close two business days before each meeting, although early registration is recommended. The sessions will be recorded, and transcripts will be published in the CISA docket for the CIRCIA rulemaking.

“CISA is working to maximize the impact of CIRCIA to significantly improve our Nation’s cybersecurity posture. At the same time, CISA values the interest and concern our stakeholders have that CIRCIA will be implemented with minimal unnecessary burden to entities in critical infrastructure sectors,” said Nick Andersen, acting director, CISA. “CISA appreciates our stakeholders’ patience with waiting for our rescheduled town hall meetings to provide their critical input as we finalize this rule. As an agency built on collaboration and coordination, CISA is committed to hearing from the American people, critical infrastructure owners and operators, and other community members.”

The post CISA Announces Rescheduled CIRCIA Virtual Town Hall Meetings appeared first on The HIPAA Journal.

HIPAA Security Rule Training Requirements

The HIPAA Security Rule training requirements mandate HIPAA-Covered Entities and HIPAA Business Associates to provide workforce security awareness training that teaches staff how to protect electronic Protected Health Information, follow security policies, use approved safeguards, recognize cyber threats, report security incidents, avoid prohibited conduct, and document completion for compliance review.

Scope of HIPAA Security Rule Training

The HIPAA Security Rule applies to electronic Protected Health Information. Training must therefore focus on the confidentiality, integrity, and availability of electronic Protected Health Information and the workforce conduct needed to support those protections. The training obligation is not limited to clinicians, billing personnel, or staff with direct electronic health record access. A workforce member with no routine access to patient records can still create risk through an email account, a shared workstation, a personal device, a messaging platform, an unsafe Wi-Fi connection, or an interaction with a malicious message.

HIPAA-Covered Entities and HIPAA Business Associates must train employees, trainees, volunteers, temporary workers, contractors, managers, executives, and other workforce members under the organization’s direct control. The course content should be adjusted when roles create different exposures, but every workforce member should receive baseline instruction on security awareness and incident reporting.

Workforce Wide Security Awareness Training

The HIPAA Security Rule requires a security awareness and training program for all workforce members. The program should explain why the organization provides training, how the HIPAA Security Rule applies to workplace conduct, and how staff actions can prevent or create security incidents. The training should state that healthcare organizations are targeted because medical records can be used for medical identity theft, tax fraud, Medicare fraud, ransom demands, and resale. Staff should understand that attackers do not always need direct access to clinical systems at the start of an attack. A compromised email account, a stolen password, or malware installed through an unsafe device can create a path into systems that contain or connect to electronic Protected Health Information.

HIPAA Context for Security Training

HIPAA Security Rule training should include enough HIPAA Privacy Rule context for staff to understand what information is being protected and why certain safeguards exist. The HIPAA Privacy Rule governs permitted uses and disclosures of Protected Health Information. The HIPAA Security Rule requires safeguards for electronic Protected Health Information. The HIPAA Breach Notification Rule governs notification duties when a breach of unsecured Protected Health Information occurs.

Protected Health Information and Electronic Protected Health Information

Training should give staff a working understanding of Protected Health Information and electronic Protected Health Information. Protected Health Information includes information about an individual’s health condition, treatment, or payment for healthcare when it is linked to information that identifies the individual or could identify the individual. Electronic Protected Health Information is Protected Health Information in electronic form.

A precise explanation matters because staff can overprotect information that is not Protected Health Information in ways that disrupt operations, or underprotect Protected Health Information in ways that create impermissible disclosures. Identifiers alone do not always qualify as Protected Health Information. A name and email address can be outside HIPAA protection when maintained separately from health, treatment, or payment information. The same information becomes Protected Health Information when maintained in a designated record set with clinical or payment data.

Training should address common mistakes involving email subject lines, document names, file names, contact lists, shared folders, calendar entries, and other fields that staff may assume are protected in the same way as a document body or record system. Staff should know when a data field is not approved for Protected Health Information and when an approved naming convention must be used.

HIPAA Violations and Data Breaches

Training should explain the distinction between a HIPAA violation and a data breach. A HIPAA violation occurs when a HIPAA standard or a security policy implemented for HIPAA compliance is violated. A data breach involves an impermissible acquisition, access, use, or disclosure of Protected Health Information that compromises the privacy or security of the information.

The distinction affects reporting, investigation, sanctions, and remediation. A staff member who connects an unauthorized personal device to a workplace network may violate a security policy even if no Protected Health Information is accessed. An employee who sends Protected Health Information to the wrong recipient may cause a breach through carelessness rather than through intentional misconduct.

Training should make clear that staff are not responsible for deciding whether an event is legally reportable. Their responsibility is to report suspected violations, unauthorized access, misdirected communications, malware activity, stolen devices, lost media, and other events through the organization’s approved reporting channel.

Physical Safeguards and Workstation Security

HIPAA Security Rule training should address physical safeguards that affect staff conduct. Some physical safeguards are managed by the organization through building controls, access cards, surveillance, visitor controls, locked areas, workstation placement, and device inventories. Workforce conduct still determines whether those controls work as designed. Staff should be trained to use assigned access cards, avoid sharing access credentials, prevent tailgating where policy requires controlled access, secure workstations in public or semi-public areas, and position screens to reduce unauthorized viewing. A workstation on wheels, shared printer, scanner, fax machine, copier, or other system accessory can expose information if left unattended or used without proper safeguards. The training should explain that system accessories can retain copies of scanned, printed, or transmitted files. Removing paper from a printer is not the only control. Staff must also follow approved procedures for shared devices and avoid unauthorized access to accessories that may store electronic Protected Health Information.

Application Security and Approved Systems

Staff should understand that applications used to create, receive, maintain, or transmit Protected Health Information are configured to support compliance. Access permissions, timeout settings, logging, alerts, encryption settings, and user roles can be weakened when staff bypass configuration controls or use unapproved tools. Training should prohibit attempts to change application settings without authorization. Staff should not install unapproved applications, browser extensions, plug-ins, file transfer tools, or communication services for work involving Protected Health Information. A convenient workaround can defeat access permissions, introduce malware, or transfer information into systems that have not been assessed for HIPAA compliance. Training should also address security pop-ups, authentication prompts, and system warnings. Staff should not ignore alerts, approve prompts they did not initiate, or continue using a system after a warning indicates possible compromise.

Personal Devices and Wi-Fi Use

Personal device training should state that staff may create, store, send, receive, or discuss Protected Health Information on personal devices only when authorized by the organization. Authorization should depend on policy, device controls, permitted use cases, security review, and applicable agreements with service providers. The training should cover personal phones, tablets, laptops, voice applications, messaging applications, cloud storage, camera use, home computers, and personal email accounts. Staff should not assume that a familiar tool is permitted for healthcare communication. A consumer service may lack the required administrative controls, retention features, access controls, audit functions, or contractual support for HIPAA compliance. Training should also address Wi-Fi risks. Staff should not connect personal devices to organizational Wi-Fi without permission, and approved devices used for work should avoid unsafe external networks. Home networks, public networks, hotel networks, and shared networks can expose credentials or traffic when they are poorly configured or attacked through man-in-the-middle techniques.

Removable Media and Device Disposal

Removable media training should cover USB drives, external hard drives, memory cards, peripheral devices, mobile phones, and any storage device that can retain Protected Health Information or introduce malicious software. Staff should never connect an abandoned USB drive to a workplace computer. They should not use personal USB drives for work without authorization, scanning, and security controls required by policy. They should not move Protected Health Information to removable media unless the workflow is approved and the required safeguards are in place. The training should explain that deleting a file from a USB drive does not reliably remove the underlying content. Media containing Protected Health Information must be sanitized, destroyed, returned, encrypted, or disposed of through approved procedures. The same concept applies to phones, scanners, printers, and other devices with internal storage.

Password Security and User Accountability

Password security training should connect password rules to user accountability. Unique usernames and passwords allow systems to identify users, track activity, maintain audit trails, and investigate access to electronic Protected Health Information. Staff should be trained to use only assigned credentials, keep passwords confidential, avoid password sharing, avoid use of another person’s account, and log out when a session ends. Waiting for automatic logout can leave systems exposed. Sharing a password can cause another person’s activity to be attributed to the wrong user and can obstruct incident investigations. Training should address password managers where the organization permits them. Staff should use only approved password management tools and should not place Protected Health Information in notes fields. Browser password storage should be prohibited where it does not meet organizational security requirements.

Staff should also know how to respond to suspected compromise. If passwords are assigned by the organization, the responsible department should be notified so the password can be changed and access attempts can be monitored. If staff reuse or adapt work passwords for personal accounts, those accounts may also require password changes after compromise.

Malicious Software and Ransomware

Training should explain how malicious software reaches healthcare systems. Malware can arrive through email attachments, phishing links, infected websites, unapproved applications, unsafe USB drives, compromised personal devices, and fraudulent software updates.

Staff should be trained to recognize suspicious attachments, unexpected downloads, altered login screens, unusual system behavior, browser warnings, repeated crashes, file encryption messages, and requests to enable macros or disable security controls. They should know how to stop work safely, report the event, and avoid investigative actions outside their assigned role.

Ransomware deserves specific attention because it can make health information unavailable during patient care. Training should explain that the risk is not limited to privacy. A ransomware attack can delay treatment, disrupt scheduling, limit access to medication information, interfere with diagnostics, and require downtime procedures.

Phishing and Social Engineering

HIPAA Security Rule training should cover phishing because email remains a common route for credential theft, malware delivery, payment diversion, and unauthorized system access. Healthcare phishing examples should reflect actual work patterns rather than generic consumer scams. Staff should be trained to recognize broad phishing campaigns, targeted spear phishing, credential reset scams, fake document sharing notices, vendor invoice fraud, patient themed messages, delivery notifications, and business email compromise. They should verify unusual requests through approved channels and report suspicious messages promptly. Social engineering training should extend beyond email. Attackers may use phone calls, text messages, social media, in-person contact, or messaging platforms. They may impersonate IT personnel, managers, vendors, patients, or other trusted contacts. Training should provide a verification process rather than relying on staff intuition.

Email Messaging and Social Media

Training should address safe use of email, messaging services, and social media. Staff should use only approved email systems for work communications and should follow encryption procedures when sending Protected Health Information. Recipient names, addresses, attachments, and distribution lists should be checked before sending. Email subject lines require separate instruction because they may be visible in logs, notifications, previews, filters, and inbox screens. Staff should not place Protected Health Information in subject lines unless the organization has approved a specific controlled workflow. The same caution applies to document names, file names, shared folder names, and contact list notes.

Messaging services require authorization before they are used for Protected Health Information. A platform that advertises HIPAA support is not automatically approved for staff use. The organization must assess the service, configure it properly, address contractual requirements, and set use limitations. Social media training should prohibit posting Protected Health Information, confirming patient status, responding publicly with treatment information, sharing workplace images that contain patient information, or posting details that could identify a patient without using a name. A rare diagnosis, appointment date, room number, image background, or comment on a patient’s public post can create an impermissible disclosure.

Workforce Responsibility and Prohibited Conduct

Training should address conduct that causes recurring HIPAA Security Rule problems. Staff may create risk through over-eagerness, carelessness, negligence, curiosity, convenience, or improper attempts to help a patient or coworker. Unauthorized access to patient records should be covered plainly. Staff may not access records for coworkers, family members, neighbors, public figures, or any person unless the access is permitted by their role and work assignment. Snooping is a security and privacy violation even when the information is not disclosed further. Training should also address unsafe workarounds. Sending Protected Health Information to a personal email account, photographing a screen, storing files on a personal device, using an unapproved messaging app, sharing credentials to speed up a task, or bypassing a configured workflow can violate security policies and expose electronic Protected Health Information.

Security Incident Recognition and Reporting

A compliant training program should explain how staff recognize and report security incidents. A security incident can involve attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with information systems. Training should cover brute-force password attempts, account lockouts, suspicious login notifications, malicious emails, malware indicators, lost devices, stolen devices, missing media, misdirected emails, unauthorized access, suspicious calls, and unexpected system behavior. The reporting process should be specific to the organization. Staff need to know the channel, the expected timing, the information to provide, and the actions to avoid. They should not attempt forensic investigation, delete evidence, contact an attacker, conceal an error, or delay reporting while trying to determine whether harm occurred.

Internal Workplace Sanctions and Consequences

HIPAA Security Rule training should explain that regulated organizations apply sanctions when workforce members fail to comply with security policies and procedures. Sanctions can apply even when no data breach occurs. Training should address conduct that may lead to discipline, including password sharing, unauthorized record access, use of unapproved devices, failure to report incidents, improper disposal of media, unauthorized disclosure, use of unapproved applications, and repeated failure to follow procedures. The consequences can affect patients, organizations, and staff. Patients can experience treatment delays, medical identity theft, corrupted records, financial harm, and privacy loss. Organizations can face operational disruption, investigation costs, notification duties, remediation costs, system downtime, and enforcement exposure. Staff can face retraining, written warnings, termination, licensing consequences, exclusion risks, criminal referral, or other action depending on the facts.

HIPAA Security Rule Training Frequency and Retraining

The HIPAA Security Rule does not set one fixed annual training interval that applies to every organization in every circumstance. Training should occur when workforce members join the organization, when their duties change, when they receive access to systems containing electronic Protected Health Information, when policies change, when systems change, when incident patterns show a training gap, and when risk analysis identifies workforce behavior as a risk factor.

Annual refresher training is a common compliance practice because it creates a predictable cycle and supports workforce accountability. Higher-risk roles may need more frequent or more detailed training. Remote workers, managers, billing teams, clinical staff, IT personnel, and employees with broad system access may need training matched to their duties.

Retraining should follow preventable errors, audit findings, repeated policy violations, phishing simulation failures, or incidents involving staff conduct. Remedial training should be documented in the same manner as initial and refresher training.

Training Documentation and OCR Audit Readiness

HIPAA Security Rule training should be documented in a retrievable format. Records should identify who received training, when training occurred, what content was assigned, what version of the content was used, whether the workforce member completed the training, and whether any acknowledgement or assessment was required. Training documentation should also capture refresher training, remedial training, role-based training, security reminders, and policy acknowledgements where those items form part of the security awareness program. Records should be retained under the organization’s HIPAA documentation retention policy. Documentation should support compliance review without requiring reconstruction from memory. A training administrator should be able to produce completion records, course descriptions, assignment criteria, completion dates, and relevant reports for the workforce members being reviewed.

CyberSecurity Training for Healthcare Employees

Healthcare organizations that do not have an internal training team should consider using online training from The HIPAA Journal when they need consistent, healthcare-specific cybersecurity training for workforce members. The HIPAA Journal Cybersecurity Training for Healthcare Employees course is a suitable training option for both HIPAA-Covered Entities and HIPAA Business Associates that need staff to understand HIPAA Security Rule workforce responsibilities in the context of real healthcare risks.

The course addresses the subject areas a healthcare workforce needs for security awareness, including HIPAA basics, the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, Protected Health Information, physical safeguards, personal devices, removable media, password security, phishing, social engineering, email, messaging, social media, unencrypted data fields, technical safeguards, security responsibility, incident reporting, sanctions, consequences, and case studies.


Healthcare Orgs Lack Confidence in Ability to Defend Against an AI-incited Identity Breach

Healthcare organizations have embraced AI and are using AI agents to perform a range of functions, including handling IT support desk tickets, automating software workloads, authenticating data exchanges, and performing various security tasks. While there are clear benefits to be gained from using AI agents in healthcare, each new AI agent is a potential entry point for attackers, and a successful compromise could result in a devastating attack.

Each AI agent is given permissions to carry out its functions, and when AI agents are used to perform security functions, those permissions can be significant. Any attack that succeeds in compromising an AI agent will see the attacker gain those same permissions. For instance, an AI identity on a local machine may have access to the password manager, browser sessions, Secure Shell, and encryption keys. An AI agent could disclose admin credentials to an attacker, leading to a crippling attack with significant data theft.

To learn about AI deployments and integrations and how they are affecting identity security, the cybersecurity firm Semperis commissioned Censuswide to conduct a survey of 1,100 IT and IT security professionals across several industries, including healthcare. The survey confirmed that AI agents are being extensively deployed, which poses significant risks to identity infrastructure. Three-quarters of healthcare respondents believe that there will be AI-driven attacks on identity infrastructure, and 69% believe that AI attackers will use identity systems to target their infrastructure, but only one-quarter of respondents think that they would be able to fully recover if an AI agent exposed administrative credentials.

On average, more than one-third of the healthcare workforce has at least one AI agent installed on a local machine that has permissions to access Secure Shell and encryption keys, and one in three healthcare respondents said they are using AI agents to handle security-related tasks, with 60% of respondents anticipating deploying AI agents for security tasks in the next 12 months.

According to Semperis, AI agents should be treated as non-human identities (NHIs) in the identity fabric; however, only 66% of respondents said AI identities were registered, authenticated, and authorized within the organization, and of those that do, almost half (48%) register, authenticate, and authorize them separately from human identities. While organizations may be applying security best practices such as the principle of least privilege for human identities, that is not always the case with AI identities, which are often overpermissioned.

“AI support agents are often overpermissioned in ways that may have unintended consequences — such as ‘helpfully’ reconfiguring security settings or granting access that can lock entire teams out of their identity systems or punch holes in corporate VPNs,” explained Semperis. As deployment of AI agents increases, so does the risk. Since AI agents are often granted broad permissions, it is vital to implement disciplined controls. While sufficient controls may not yet have been implemented, 90% of respondents said AI identity governance is a top security priority for their organization.

Semperis stresses that security controls need to be implemented to reduce risk, such as applying the principle of least privilege to AI identities, designating identity infrastructure, implementing backup and recovery controls, and segregating agent and human trust boundaries where appropriate. Organizations need to work on the assumption that AI identities will eventually be compromised, and must therefore plan for that eventuality and ensure that they have the policies and procedures in place to respond rapidly and make a quick and full recovery.

“What’s striking isn’t just how quickly AI is being integrated into identity systems but how unprepared many organizations are to recover when things go wrong,” explained Grace Cassy, Partner, Ten Eleven Ventures. “Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability, and recovery readiness. It’s a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption?”

The Semperis State of Identity Security in the AI Era Report can be downloaded here.


Lakeview Health Systems Settles Class Action Data Breach Lawsuit

A settlement has been negotiated to resolve a class action lawsuit against Lakeview Health Systems LLC. The lawsuit stemmed from a January 2024 cyberattack that exposed the personal and protected health information of 10,772 individuals. Hackers breached its network and accessed and potentially obtained files containing names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, patient IDs, diagnoses, treatment information, prescription information, and health insurance information.

Shortly after being notified about the breach, some of the affected individuals filed lawsuits against Lakeview Health, alleging negligence for failing to adequately protect sensitive data stored on its network. The plaintiffs claimed the data breach could have been and should have been prevented. Lakeview Health maintains that there was no wrongdoing and that it has no liability.

The lawsuits made similar claims and were consolidated – Skov et al., v. Lakeview Health Systems, L.L.C – in the Circuit Court of Duval County, Florida. The lawsuit is pending; however, the defendants and the plaintiffs agreed to settle the lawsuit to avoid the costs, risks, disruptions, and uncertainties from continuing with the litigation.

The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $2,000 per class member and reimbursement of up to $5,000 in extraordinary losses. A claim may also be submitted for up to 4 hours of lost time at $20 per hour, and one year of credit monitoring services. If none of those options are claimed, class members may claim a one-time cash payment of $50.

The deadline for objection and exclusion is July 23, 2026. Claims must be submitted by August 24, 2026, and the final fairness hearing has been scheduled for October 8, 2026.
