Author Archives: Steve Alder

Healthcare Cyberattacks Costing $200K+ Rise 400% in a Year

Posted by Steve Alder

Over the 12 months from March 2024 to March 2025, almost half of healthcare organizations experienced at least one data incident, such as a ransomware attack, hacking incident, or phishing attack, according to the cybersecurity firm Netwrix. For its 2025 Cybersecurity Trends Report, Netwrix surveyed 2,150 IT professionals from 121 countries in March 2025 and compared the findings to previous surveys conducted in 2024, 2023, and 2020.

Healthcare has long been targeted by threat actors due to the high value of patient records, and the fact that healthcare organizations cannot tolerate disruption, as it puts patient safety at risk. The sector is extensively targeted by ransomware groups as there is a higher probability that the ransom will be paid to prevent the publication of stolen data and ensure a fast recovery. In the past 12 months, 48% of healthcare organizations experienced at least one security incident that required a dedicated response from the security team.

Across all sectors, the number of organizations reporting no impact from security incidents is rapidly reducing. In 2023, 45% of respondents said there was no impact from security incidents, whereas in 2025 the percentage had fallen to just 36%. In 2024, 60% of organizations reported suffering financial damage due to cyberattacks, and the percentage jumped to 75% in 2025. Across all sectors, the number of organizations reporting financial damage of at least $200,000 almost doubled from 7% in 2024 to 13% in 2025.

Netwrix reports that four times as many healthcare organizations suffered financial losses of at least $200,000 in 2025 as in 2024. In 2024, only 2% of healthcare organizations experienced cyberattack-related losses of more than $500,000, compared to 12% in 2025. The report confirms that healthcare faces the biggest financial impact from cyberattacks. In 2025, 6% of all industries suffered cyberattack-related financial losses of more than $500,000, compared to 12% in healthcare.

The Netwrix survey revealed that almost one-third of healthcare organizations experienced security incidents involving compromised user/admin accounts. Phishing remains the most prevalent threat, and attacks are becoming harder to identify due to attackers’ use of AI tools for their phishing and social engineering campaigns. 37% of healthcare respondents said AI-driven threats require stronger defenses.

“Research strongly suggests that attackers are ahead in AI adoption, which is pushing defenders into a reactive posture. Indeed, 37% of survey respondents say AI-driven threats forced them to adjust — that’s a direct reaction to the offensive use of AI by adversaries, “ explained Jeff Warren, Chief Product Officer, Netwrix. “At the same time, 30% haven’t even started AI implementation and are in “considering” mode, indicating a significant lag in adoption. It’s fair to say that attackers are moving faster with AI, and defenders are scrambling to catch up. This asymmetry is not new in cybersecurity, but AI appears to be accelerating it.”

In 2025, the top three threats in the cloud and on-premises were the same. Phishing was the most common cause of security incidents (76% cloud; 69% on-premises), followed by user/admin account compromise (46% cloud; 45% on-premises), and ransomware and other malware attacks (30% cloud; 31% on-premises).

“Ransomware attacks on premises are becoming less frequent, while the rate for cloud infrastructure remains steady,” explained Warren. “As businesses shift critical operations and sensitive data to the cloud, attackers increasingly see cloud workloads as high-value targets worth encrypting or exfiltrating for ransom. And it’s a numbers game, too. Some attackers don’t target the cloud per se; they target everything. As more infrastructure moves to the cloud, the odds of hitting a cloud tenant go up.”

The main challenges for security teams are understaffed IT and security departments, a lack of budget for data security initiatives, mistakes/negligence by business users, and a lack of cybersecurity expertise within the IT and security teams.  Unsurprisingly, given the staffing problems at many organizations, one of the main priorities is the automation of manual IT processes, and while AI tools can help in this regard, it is important to ensure that the tools are not granted excessive privileges and that there is proper governance.

As AI adoption by cybercriminals accelerates, organizations need to respond. Warren suggests that organizations should double down on the basics of zero-trust networking and ensure they are adequately protecting their identity infrastructure, improving resilience by adopting an identity-first approach to protect accounts and the sensitive data they can access.

The post Healthcare Cyberattacks Costing $200K+ Rise 400% in a Year appeared first on The HIPAA Journal.

PHI Potentially Stolen in Phishing Attack on Superior Vision Service

Posted by Steve Alder

Superior Vision Service has announced that protected health information has been compromised in a phishing attack. People Encouraging People has fallen victim to a ransomware attack.

Superior Vision Service

Superior Vision Service, a vision insurance company and subsidiary of Versant Health, has announced a July 2025 security incident.  According to the September 26, 2025, notification letters, Superior Vision learned on July 11, 2025, that an employee had been tricked in a sophisticated phishing attack and disclosed their credentials to the attacker.  The employee responded to the phishing email on July 9, 2025, and the threat actor used the employee’s credentials to access their account. On July 11, 2025, the threat actor may have copied emails from the account that contained sensitive customer information.

The account was reviewed and found to contain full names, physical addresses, phone numbers, email addresses, dates of birth, genders, Social Security numbers, vision coverage election information, and employment information related to enrollment. Notification letters are now being sent to the affected individuals, who have been offered a complimentary 12-month membership to a three-bureau credit monitoring service. Superior Vision has also implemented additional safeguards to prevent similar data breaches in the future. State attorneys general have been notified about the breach, and the website of the Texas Attorney General indicates 3,161 Texas residents have been affected; however, it is unclear how many individuals have been affected in total.

People Encouraging People

People Encouraging People, a behavioral healthcare provider in Baltimore, Maryland, has experienced a ransomware attack that involved data theft and file encryption. The attack was identified on or around December 21, 2024. A forensic investigation was launched, which confirmed that the attacker had access to its network between December 18, 2024, and December 23, 2024, during which time files containing sensitive patient data were stolen. The file review confirmed that the stolen data included full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, medication information, and treatment information. The types of information involved vary from individual to individual.

People Encouraging People is unaware of any misuse of the stolen information; however, patients have been advised to remain vigilant against identity theft and fraud. Safeguards had been implemented to prevent unauthorized access to its computer network and patient data, and those safeguards are being reviewed and enhanced to prevent similar incidents in the future. The ransomware attack has been reported to the HHS’ Office for Civil Rights as involving the protected health information of 13,083 individuals.

The post PHI Potentially Stolen in Phishing Attack on Superior Vision Service appeared first on The HIPAA Journal.

Data Breaches Announced by Treasure Coast Hospice & Harbor

Posted by Steve Alder

Treasure Coast Hospice, a palliative care provider in Florida, and Harbor, a mental health and addiction treatment service provider in Ohio, have recently announced security incidents that have exposed patient data.

Health & Palliative Services of the Treasure Coast (Treasure Coast Hospice), Florida

Health & Palliative Services of the Treasure Coast, Inc. d/b/a Treasure Coast Hospice, a provider of palliative care and hospice services to residents of Martin, St. Lucie, and Okeechobee counties in Florida, has recently notified 13,234 individuals about a September 2024 security incident. On September 25, 2025, Treasure Coast Hospice was made aware of unusual activity within its email environment. A third-party cybersecurity firm was engaged to investigate the activity and confirmed unauthorized access to an email account that contained patient information.

The account was reviewed, and on July 15, 2025, the data mining process was completed, and it was confirmed that a range of information had been exposed and may have been accessed or copied. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: date of birth, demographic information, Social Security number, driver’s license number, medical information, financial information, and health insurance information.

At the time of issuing notification letters, Treasure Coast Hospice was unaware of any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Treasure Coast Hospice said it strongly encourages the affected individuals to take advantage of the services being offered. Additional security measures have been implemented to harden email security, weekly security scans will be conducted, and additional training is being provided to its workforce.

Harbor, Ohio

Harbor, a mental health and substance use disorder treatment provider in Ohio, confirmed in a September 30, 2025, press release that an unauthorized third party breached its security defenses and gained access to its computer network. Suspicious activity was identified on August 1, 2025, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation determined that an unauthorized third party had access to its computer network between July 25, 2025, and August 1, 2025, during which time files were exfiltrated from its network. The types of information in the files vary from individual to individual, and may include names, addresses, birth dates, Social Security numbers, driver’s license numbers/state identification numbers, diagnoses, treatment information, clinical information, financial account information, and health insurance information.  Harbor is reviewing its security policies and procedures and will take steps to improve privacy and security. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by Treasure Coast Hospice & Harbor appeared first on The HIPAA Journal.

Florida Medication Management Provider Discloses 150K-record Data Breach

Posted by Steve Alder

Outcomes One, a Florida-based business associate of health plans, has disclosed a phishing incident that has affected almost 150,000 individuals. Emergency Responders Health Center in Idaho has experienced an email breach affecting more than 1,500 individuals.

Outcomes One, Inc., Florida

Outcomes One, Inc., a Florida-based provider of medication therapy management and medication adherence technology solutions to health plans, is notifying 149,094 individuals about a recent email security incident. An employee identified unusual activity in his Outcomes One email account on July 1, 2025, and reported it to the security team. The email account was immediately secured, and an investigation was launched to determine the cause of the activity. The investigation confirmed that the breach was limited to a single employee email account, which had been accessed by an unauthorized third party following a response to a phishing email. Outcomes One said the attack was identified and remediated within an hour.

The account was reviewed and found to contain names in combination with one or more of the following: demographic information, health insurance information, medication information, and medical provider names. The breach notice provided to the California Attorney General indicates the affected individuals had Aetna Health Insurance plans. Outcomes One has provided additional training for the workforce to help with phishing email identification, and additional safeguards have been implemented to reduce the risk of similar breaches in the future.

Emergency Responders Health Center

Emergency Responders Health Center in Boise, Idaho (EHRC), has recently disclosed an email security incident. Unusual activity was identified in an employee’s email account on April 11, 2025. The account was secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity experts, EHRC determined that several email accounts had been accessed by an unauthorized third party. All email accounts have now been secured.

EHRC published a substitute breach notice on its website on July 23, 2025; however, at the time, the investigation and review of the affected accounts were ongoing, so it was not possible to state how many individuals had been affected or the types of information involved. The list of affected individuals was finalized on September 16, 2025, when it was confirmed that a total of 1,528 individuals had been affected, including 526 residents of Washington state. The exposed information included names, dates of birth, driver’s license numbers, Social Security Numbers, medical information, and health insurance information.

Notification letters started to be mailed to the affected individuals on September 26, 2025. To date, EHRC has not identified any misuse of the impacted data, but as a precaution, has offered the affected individuals a complimentary 12-month membership to a credit monitoring and identity theft protection service. EHRC said several steps have been taken to prevent similar breaches in the future. Staff members have received additional security training, user credentials have been changed, and monitoring has been enhanced.

The post Florida Medication Management Provider Discloses 150K-record Data Breach appeared first on The HIPAA Journal.

SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit

Posted by Steve Alder

Individuals who used SSM Health’s MyChart patient portal when tracking tools were active are entitled to claim a cash payment and a 12-month membership to a digital privacy and identity protection service to compensate them for having their personal and health data disclosed to third parties such as Meta and Google.

The settlement resolves all claims in the lawsuit, Jane Doe v. SSM Health Care Corporation, d/b/a SSM Health, which was filed in the Circuit Court for the City of St. Louis in the State of Missouri on December 5, 2022. The lawsuit alleged that SSM Health added Meta Pixel and other third-party tracking technologies on its MyChart patient portal, which collected and transmitted protected health information to third-party tracking vendors, including their status as patients, their physicians, health conditions, treatments, facilities visited, and other sensitive data, without their knowledge or consent.

Tracking tools are used extensively across the internet and track user activity on websites. The data collected by these tools can be used for advertising and marketing purposes. In healthcare, if these tools are used on authenticated web pages such as patient portals, they can collect sensitive health data and transmit that information to technology vendors. Such disclosures violate HIPAA unless a business associate agreement is obtained or valid HIPAA authorizations.

The plaintiff alleged that SSM Health’s use of these tools amounted to negligence. The lawsuit also asserted claims of invasion of privacy – intrusion upon seclusion, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud and Deceptive Practices Act. SSM Health denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to bring the litigation to an end to avoid the costs, risks, and uncertainty of a jury trial. Class counsel and the plaintiff believe the settlement is fair.

Under the terms of the settlement, users who logged into the SSM Health MyChart patient portal between July 6, 2020, and February 10, 2023, when tracking tools were installed, are entitled to claim a 12-month membership to the CyEx Privacy Shield Pro service, which provides dark web monitoring, data broker opt-out, and identity protection services. In addition, class members may submit a claim for a cash payment of $31.50.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 21, 2025. Individuals wishing to opt out of or exclude themselves from the settlement have until October 27, 2025, to do so, and claims must be submitted by November 25, 2025. Further information can be found on the settlement website: https://ssmhealthdatasettlement.com/

The post SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit appeared first on The HIPAA Journal.

Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations

Posted by Steve Alder

A $182,000 settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.

Cadia Healthcare is a provider of rehabilitation, skilled nursing, and long-term care services at five facilities in Delaware. Those facilities are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside in Wilmington, collectively referred to as the Cadia Healthcare Facilities (Cadia).

Each of the Cadia facilities is a HIPAA-covered entity that is required to comply with the HIPAA Rules. OCR launched an investigation after receiving a complaint on September 20, 2021, about an alleged impermissible disclosure of PHI online.  The complainant alleged that Cadia had used their photograph, name, and information about their condition, treatment, and recovery in an online post but had not obtained authorization to use the information for that purpose.

OCR’s investigation substantiated the allegation and determined that a Cadia employee had posted the patient’s PHI to Cadia’s social media page as part of a success story; however, a signed authorization form had not been obtained prior to that use and disclosure. Under HIPAA, PHI cannot be posted online on websites or social media pages unless a HIPAA-compliant authorization has been obtained from an individual in advance.

OCR notified Cadia about the allegations and the findings of the investigation, and Cadia removed the post and notified the patient that the success story had been removed. OCR also identified other patients whose treatment had been included in a series of success stories. As of February 22, 2022, Cadia had created and posted success stories containing the PHI of 150 patients without obtaining valid HIPAA authorizations. According to OCR, Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.

“The internet and social media are important business development tools.  But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

In April 2025, OCR entered into a settlement agreement with Cadia to resolve the alleged violations of the HIPAA Rules.  The alleged violations related to two Privacy Rule and one Breach Notification Rule provisions:

  • 45 C.F.R. § 164.530(c) – The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably safeguard PHI from any intentional or unintentional use or disclosure.
  • 45 C.F.R. § 164.502(a) – The impermissible use or disclosure of PHI
  • 45 C.F.R. § 164.404(a) – The failure to issue timely breach notifications

In addition to paying the financial penalty, the settlement agreement includes a corrective action plan (CAP). Cadia will be monitored for compliance with the CAP for 2 years. The corrective action plan requires Cadia to review and revise, as necessary, its policies and procedures to ensure compliance with the HIPAA Rules. Those policies and procedures must be distributed to the workforce, and HIPAA training must be provided to workforce members. Policies and procedures must be reviewed at least annually and updated as necessary to ensure continued HIPAA compliance. Cadia is also required to issue breach notifications concerning the impermissible disclosures of PHI under the success story program.

Notifications have already been issued, and the Cadia websites currently display a notice about the privacy violations. Cadia confirmed that it had policies and procedures in place requiring patients to sign a written consent form prior to using their information in its success story program. “On February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” explained Cadia in its substitute breach notice. “Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.”

This is the 20th HIPAA penalty to be imposed by OCR to resolve violations of the HIPAA Rules so far in 2025, making it one of the most active years of HIPAA enforcement. So far this year, OCR has collected more than $8.2 million in civil monetary penalties and settlements.

OCR Penalties to Resolve HIPAA violations - 20107-2025

OCR HIPAA fines and settlements 2017-2025

The post Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations appeared first on The HIPAA Journal.

Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions

Posted by Steve Alder

The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.

EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.

North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.

The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility.  NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.

Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital.  SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.

The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.

Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million

Posted by Steve Alder

A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and its MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.

Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.

The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.

After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.

Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member.  Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.

The post Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million appeared first on The HIPAA Journal.

Cybersecurity Awareness Month 2025: Building a Cyber Strong America

Posted by Steve Alder

October is Cybersecurity Awareness Month – a global initiative that aims to educate the public and businesses about the importance of cybersecurity and protecting against cyber threats to systems and data.  The initiative is led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and this year’s theme is “Building a Cyber Strong America. The main focus this year is improving cybersecurity at the government entities and small and medium-sized businesses that operate and maintain the nation’s critical infrastructure, as well as the myriad of vendors and suppliers that support or are connected to critical infrastructure.

Cybersecurity Awareness Month 2025 - CISA

CISA is issuing a call to action to all critical infrastructure entities and vendors that support those entities to take steps to improve cybersecurity, starting with four essential steps to improve baseline security:

  • Avoid phishing
  • Use strong passwords
  • Require multifactor authentication
  • Update business software

Phishing is the initial access vector in many cyberattacks, providing threat actors with the credentials they need to access internal systems and data and conduct a comprehensive attack on the organization.  According to the cybersecurity firm SentinelOne, phishing attacks have increased by 1,265%, with that increase driven by the growth of GenAI. These attacks target employees and trick them into disclosing credentials, opening malicious email attachments, or clicking links that direct them to malicious sites where malware is downloaded. While technical defenses such as spam filters can reduce the number of threats that reach employees, it is vital to train the workforce on how to recognize and report suspicious emails.

A system is only as secure as the password used to protect it, so it is essential that passwords are used that are difficult to guess and are resistant to automated brute force attempts. According to Hive Systems, even a password consisting of 10 random numbers could be cracked in less than a day, compared to 803,000 years for a 10-character password consisting of numbers, upper and lower case letters, and special characters. Strong passwords should be mandatory for all users.

Even strong passwords are not sufficient by themselves, as while they may be difficult to brute force, they can be obtained by threat actors through phishing, for example. Multifactor authentication adds an additional layer of protection, ensuring that a password alone is not sufficient to access accounts, systems, and devices. Implementing multifactor authentication will significantly improve security, and where possible, phishing-resistant multifactor authentication should be implemented.

Threat actors target vulnerabilities in software and operating systems and exploit them to gain access to the networks of critical infrastructure entities and their vendors.  All business software and operating systems should be kept up to date, with patches and security updates applied promptly to fix vulnerabilities before they can be exploited. After completing these four essential steps to improve baseline security, the next step is to level up defenses through additional actions, such as implementing logging on all systems. Logs should be monitored for anomalous activity, including hacking incidents and insider threats.

Ransomware is one of the biggest threats, especially in healthcare. These attacks lock victims out of systems and prevent access to critical data, causing massive disruption to business operations. It is therefore essential to ensure that all critical information is backed up securely, as this will allow a fast recovery in the event of an attack. In addition to making multiple backups and securing one copy off-site, backups should be checked to ensure that file recovery is possible. A backup plan should also be developed to reach the recovery point in the shortest possible time frame.

Data encryption is another key protection to safeguard data at rest and in transit. If a threat actor gains access to files, the data cannot be viewed. Threat information sharing is also a key part of building a strong cyber America. By informing CISA about cyberattacks and sharing pertinent information, CISA can take steps to warn others and help them avoid similar threats.

Healthcare organizations should also consider implementing the cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services in collaboration with CISA. The CPGs set a floor of safeguards that will help prevent successful cyberattacks, and the enhanced CPGs help healthcare organizations mature their cybersecurity capabilities. The 2025 HIPAA Journal Annual Survey indicated a lack of awareness of these important CPGs.

“Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives,” said Acting CISA Director Madhu Gottumukkala. “Whenever it’s disrupted, the effects ripple through communities across America. That’s why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services [that] sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure.”

The post Cybersecurity Awareness Month 2025: Building a Cyber Strong America appeared first on The HIPAA Journal.