Healthcare Cybersecurity

Senate HELP Committee Advances Healthcare Cybersecurity Bill

The Senate Health, Education, Labor, and Pensions (HELP) Committee has advanced the Health Care Cybersecurity and Resiliency Act, with a 22-1 vote in favor of the bill. The Health Care Cybersecurity and Resiliency Act was first introduced in November 2025, followed by a largely unchanged bill that was reintroduced in December 2025. As the name suggests, the bill seeks to introduce new cybersecurity requirements to strengthen healthcare cybersecurity.

Many of the bill’s requirements were included in the proposed update to the HIPAA Security Rule issued by the HHS’ Office for Civil Rights in the final days of the Biden administration. It remains to be seen whether the current administration will push ahead with the HIPAA Security Rule update, which has proven to be unpopular with health systems and provider associations.

The Health Care Cybersecurity and Resiliency Act was proposed by a bipartisan group of senators – HELP Committee Chair Sen. Bill Cassidy (R-LA), and Sens. Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) – and could attract more support than the unpopular Security Rule update. The Health Care Cybersecurity and Resiliency Act calls for several cybersecurity measures similar to, but not as extensive as, those in the proposed HIPAA Security Rule update. They include new cybersecurity minimum standards for HIPAA-regulated entities, including multifactor authentication, data encryption, penetration testing, and regular security audits. The bill also requires changes to breach reporting requirements, such as requiring all regulated entities to report the number of individuals affected by a cybersecurity incident, and for the HHS to publish the corrective actions and recognized security practices applied by a regulated entity following a data breach.

Other requirements of the bill are greater coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA), the HHS to develop a cybersecurity incident response plan, the HHS to designate the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency, and for enhanced recognition of security practices, including an annual report on how the HHS is complying with the requirements of the Consolidated Appropriations Act of 2021 with respect to the adoption of recognized security practices by HIPAA-regulated entities.

Much of the criticism of the proposed Security Rule update centered on the considerable burden it would place on healthcare providers and the cost of the required security changes, which would divert resources away from patient care. The Health Care Cybersecurity and Resiliency Act would provide financial assistance to under-resourced providers, including hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, and academic health centers, to help them make the necessary improvements to cybersecurity. The bill also requires the HHS to issue guidance for rural entities and rural health clinics on best practices for cybersecurity breach prevention, resilience, and coordination with federal agencies.

While advancing past a HELP Committee vote is an important step, it remains to be seen whether the bill has sufficient strength to survive a House vote, make it to the President’s desk, and be signed into law.

The post Senate HELP Committee Advances Healthcare Cybersecurity Bill appeared first on The HIPAA Journal.

Ransom Demands Increase as Ransom Payments Fall to Record Low

Faced with diminishing returns from their attacks, ransomware groups conducted attacks in greater volume in 2025 and increased their ransom demands. In 2025, the number of claimed attacks increased by 50% year-over-year to the highest ever level; however, ransomware payments decreased by 8% year-over-year to $820 million, down from $892 million in 2024 and $1,023 million in 2023, according to the blockchain analytics firm Chainalysis.

The analysis reveals that ransomware groups are having to work much harder due to fewer victims choosing to pay ransoms. In 2024, 64% of victims of ransomware attacks paid the ransom to recover their data, prevent a data leak, or both. In 2025, the percentage of victims paying ransoms fell to a record low of just 28%. In addition to conducting more attacks, ransom demands have increased. Chainalysis reports a 368% increase in median payment size, rising from $12,738 in 2024 to $59,556 in 2025.

Law enforcement operations appear to be having a positive effect, with ransom payments falling for two consecutive years. While there have been major operations targeting specific ransomware operations, law enforcement operations are increasingly targeting the infrastructure used by ransomware groups, such as bulletproof hosting providers and money laundering services. These services are used by financially-motivated threat actors and state-sponsored hacking groups alike, and targeting these services and imposing sanctions has increased the attack costs for threat actors.

The ransomware ecosystem has evolved, in part due to law enforcement operations and efforts by private sector companies targeting major players. There has been a shift from a handful of dominant strains to a much more fragmented ecosystem, with large numbers of smaller ransomware groups now operating, which find it easier to remain under the radar and avoid law enforcement takedowns. While the number of active ransomware and extortion groups varies across different analyses, there are thought to have been up to 85 distinct active ransomware groups in operation in 2025.

There has also been a change in the companies being targeted. Attacks on larger organizations can result in a bigger payday; however, the attacks need to be more sophisticated to breach defenses, and when attacks are successful, it can take longer for larger companies to pay the ransom. Ransomware groups appear to now favor small- to medium-sized organizations and are concentrating on conducting attacks in greater volume. While the ransom payments are much lower, attacks require less effort, and victims tend to pay up more quickly.

Another response to diminishing returns is more aggressive tactics, such as contacting patients, customers, and employees of an attacked organization directly. Some groups have abandoned data encryption altogether and are now solely focused on data theft and extortion. In some cases, these threat groups have analyzed the exfiltrated data to determine its sensitivity, which has allowed them to make highly specific threats about the consequences of a data leak.

“The ransomware narrative of 2025 cannot be told through revenue figures alone. While payments declined modestly, the scale, sophistication, and strategic impact of attacks continued to expand,” explained Chainalysis. “Organizations large and small — from global automakers to regional healthcare systems — faced extortion that disrupted operations, eroded trust, and faced systemic costs that far exceeded on-chain ransom totals.”


Soaring Insider Breach Costs Driven by Shadow AI Use

Businesses with 500 or more employees are losing an average of $19.5 million a year due to insider incidents, up 20% since 2023, according to the Cost of Insider Risks 2026 Report from DTEX, a provider of risk-adaptive security and behavioral intelligence. The highest insider costs were in the healthcare and pharmaceutical industries, which averaged $28.8 million in annual losses per company.

The report is based on independent research conducted by the Ponemon Institute on organizations in North America, EMEA, and Asia-Pacific with between 500 and 75,000 employees. The research includes interviews with 8,750 IT and IT security professionals in 354 organizations that experienced one or more material insider events. Organizations represented in the data experienced almost 7,500 insider incidents, with an average of 25 incidents per company.

DTEX breaks down insider incidents into three categories: malicious, non-malicious, and outsmarted. Malicious insider incidents include employees causing harm through espionage, sabotage, workplace violence, unauthorized disclosures, IP theft, and fraud. Non-malicious incidents include causing harm due to genuine mistakes, carelessness, or inattentiveness. The outsmarted category includes employees being reasonably outmaneuvered by an attack or adversary, such as a phishing attack.

Malicious insiders accounted for 27% of incidents ($4.7 million), and employees being outsmarted accounted for 20% ($4.5 million). By far the highest costs were due to non-malicious incidents caused by negligence, such as careless mistakes that expose sensitive data and employees ignoring IT warnings. These accounted for 53% ($10.3 million) of insider losses per company, up 17% year-over-year.

The increase in non-malicious insider losses has been driven by a rise in shadow AI incidents – the use of AI-based tools by employees without the knowledge or consent of IT departments. The other main losses due to negligence were the use of personal webmail and file-sharing sites.

Shadow AI-related incidents include employees uploading sensitive internal documents to AI tools such as ChatGPT, using AI notetakers that produce publicly accessible recordings and summaries containing sensitive information, and the use of AI browsers that enable access to malicious sites, AI-assisted torrenting, and NSFW content generation. The use of AI browsers and agents for performing tasks is also a major risk, as these tools are often granted access to corporate systems and bypass traditional controls and logging. While businesses can take action to prevent shadow AI use by blocking access to popular AI tools such as ChatGPT, in practice, it has little effect, as it just encourages employees to find other AI tools, which may carry even greater risks.

AI adoption has greatly accelerated; however, visibility and governance have failed to keep pace. Employees are using AI tools to improve productivity, but their behaviors are routinely exposing sensitive data. DTEX found that organizations routinely lacked insight into the AI tools that were being used by employees, the data that was entered into these tools, and the length of time that AI-generated artifacts remained accessible.

The interviews highlighted considerable concern around AI, with almost three-quarters (73%) of interviewed IT staff believing AI is creating invisible data exfiltration paths, and 44% believe malicious use of AI agents significantly or moderately increases the risk of data theft. Fewer than one in five respondents (18%) said they have fully integrated AI governance into their insider risk programs.

The report shows there has been an increase in the adoption of defensive AI, with 42% of organizations confirming that they have incorporated defensive AI into their insider risk management programs, and 71% of respondents believe behavioral intelligence is essential for combating insider incidents.

While the cost of insider incidents has grown, DTEX reports that a record low has been set for time to contain an incident. The latest report shows the average time to contain an incident has fallen from 86 days in 2023 to 67 days in 2025. The survey also shows a significant ROI on mature insider risk management programs, which allow organizations to prevent at least 7 insider incidents a year, saving them an average of $8.6 million in avoided breach costs.

“The results show real and meaningful progress at organizations with comprehensive and disciplined insider risk programs. Mature programs combined with modern tooling are clearly helping to prevent incidents before they occur. At the same time, the cost of insider risk continues to rise as their impact becomes more severe,” said DTEX CEO Marshall Heilman. “That contrast creates a powerful opportunity as AI becomes embedded across the workforce. Today, too few organizations classify AI agents as equivalent to human insiders, even as those agents operate with delegated authority, persistence, and reach. As a result, insider risk management and AI agent security are quickly converging. The same behavioral visibility and accountability that protect against insider risk must extend to AI systems. Organizations that apply those lessons will be better positioned to scale AI securely without sacrificing resilience in 2026 and beyond.”


North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector

North Korean state-sponsored hackers are targeting U.S. healthcare organizations and non-profits and deploying Medusa ransomware, according to a joint investigation by Symantec and the Carbon Black Threat Hunter Team.

A wave of recent attacks has been linked to the Lazarus Group, an umbrella term covering multiple cyber threat actors linked to the Reconnaissance General Bureau (RGB) of the North Korean government. The Lazarus Group engages in attacks for espionage purposes, as well as disruptive and destructive attacks on targets primarily in South Korea, but also engages in financially motivated campaigns, often targeting organizations in the United States.

Medusa emerged in 2023 as a ransomware-as-a-service (RaaS) operation, which is believed to be run by a cybercrime group called Spearwing. Affiliates are recruited to conduct attacks using the Medusa encryptor and infrastructure in exchange for a percentage of any ransom payments they generate. Medusa actors engage in double extortion, stealing and encrypting data. A ransom must be paid to obtain the decryption keys and to prevent the leaking or sale of stolen data. Medusa often auctions off stolen data if the ransom is not paid, leaking data that has not been sold.

While North Korean state-sponsored hackers are known to have used Maui and Play ransomware in their financially motivated attacks, Symantec and the Carbon Black Threat Hunter Team uncovered evidence that the Lazarus Group has started using Medusa in its ransomware campaigns. They identified an attack on a target in the Middle East, plus four attacks on healthcare organizations and non-profits in the United States since November 2025. U.S. victims include a non-profit mental health service provider and an educational facility for autistic children. Since November 2025, when the first Medusa ransomware attacks were attributed to the Lazarus Group, the average ransom demand has been $260,000.

A Lazarus subgroup known as Stonefly (aka Andariel) is believed to be one of the groups involved in the attacks. Stonefly has previously focused on espionage attacks on high-value targets; however, for the past five years, the group has engaged in ransomware attacks, often against hospitals and other healthcare providers. The U.S. Department of Justice has indicted a suspected member of the group, the North Korean Rim Jong Hyok, on charges related to ransomware attacks on U.S. healthcare providers. Rim is alleged to be linked to the RGB and, along with other members of the group, is thought to be involved in ransomware attacks to raise funds for the group’s espionage activities.

Symantec and the Carbon Black Threat Hunter Team have not been able to attribute the attacks to any specific subgroup of Lazarus, but have found sufficient evidence confirming that Lazarus is behind the attacks. Symantec and Carbon Black have tracked more than 366 ransomware attacks involving the Medusa encryptor, although the group has claimed attacks on more than 500 organizations, including more than 40 healthcare organizations. Symantec and Carbon Black have shared indicators of compromise (IoCs) associated with the attacks, along with the range of tools used by the Lazarus group in its current ransomware campaigns.


Data Shows Elevenfold Increase in Data-only Extortion Attacks

There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold.

Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortion became more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion.

The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may involve deletion or encryption of backups, victims are now much more likely to have offline backup copies of critical data that they can use to recover from the encryption with minimal data loss. It is often the threat of sale or leaking of exfiltrated data that is the primary reason for paying a ransom, as organizations seek to limit reputational damage.

Data encryption increases the chances of detection, attacks take longer, and fewer victims are paying ransoms to recover encrypted data. Threat actors understand that the reputational harm caused by data leaks is often enough, and some groups have abandoned encryption altogether. For example, PEAR (Pure Extortion and Ransom), a newly formed threat group that emerged in 2025, has exclusively adopted data-only extortion, as has the Silent Ransom group.

The recently published Arctic Wolf 2026 Threat Report confirms that ransomware attacks continue to be lucrative for threat actors. Ransomware attacks accounted for 44% of Arctic Wolf’s incident response (IR) cases from November 2024 to November 2025, exactly the same percentage as the previous reporting period. While there have been significant law enforcement operations targeting the most prolific ransomware groups – LockBit, ALPHV/BlackCat, and BlackSuit – those actions have had little effect on reducing the volume of attacks, and have simply shifted the ransomware ecosystem. There has been a proliferation of smaller groups, and some groups have stepped up attack volume to fill the vacuum.

Arctic Wolf’s report highlights the growing trend of data extortion-only attacks, which increased elevenfold between November 2024 and November 2025. Data extortion-only attacks increased from 2% of Arctic Wolf’s IR cases in the previous reporting period to 22% in the current reporting period. “We’re seeing a clear pivot in attacker behavior. As organizations improve their ability to recover from encryption events, some threat actors are skipping ransomware altogether and moving straight to data theft and extortion,” said Kerri Shafer-Page, VP of Incident Response, Arctic Wolf. “From an incident response perspective, this shift fundamentally changes how impact is assessed and managed.”

Arctic Wolf said the increase in data extortion-only attacks shows that threat groups are willing and able to evolve when needed, and attributes the rise in attacks to organizations being better prepared and able to recover quickly from traditional encryption events. Arctic Wolf reports that ransomware actors are maturing their affiliate ecosystems and are now operating very much like business enterprises, with structured affiliate programs, tiered revenue models, and operational support to attract and retain a broader pool of cybercriminals.

Arctic Wolf also reports a prominent trend of diversification of ransomware-as-a-service (RaaS) offerings, where, in addition to a percentage of any ransom payments, affiliates are offered data extortion and access monetization, allowing them to profit from stolen data and compromised credentials without having to encrypt files with ransomware. For the time being, at least, Arctic Wolf has not observed any significant increase in activity from groups with these offerings. What has had an immediate impact is groups absorbing affiliates from other RaaS programs. Qilin, for example, recruited affiliates from the RansomHub operation when it shut down, rapidly accelerated its attacks, and became the most prolific threat group.

Aside from ransomware, Business Email Compromise (BEC) continues to be favored by hackers, accounting for 26% of Arctic Wolf’s IR cases, although the targets were primarily finance and legal firms, rather than healthcare organizations. While phishing is the leading initial access vector for BEC attacks, other hacking incidents mostly involved attacks on remote access tools, remote monitoring and management software, and VPNs. These access vectors were used in around two-thirds of non-BEC IR cases, up from 24% three years ago. The exploitation of vulnerabilities has fallen from 26% of IR cases in the previous reporting period to just 11% in the current reporting period.


Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY

A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to BlackFog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.

Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.

The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. BlackFog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira, and Play.

There was a surge in activity by the most prolific ransomware group – Qilin – in 2025, which claimed a total of 1,115 disclosed and undisclosed attacks. Qilin was behind two of the most impactful healthcare ransomware attacks of the year – ApolloMD and Covenant Health. The ransomware attack on ApolloMD was detected in May 2025, yet it took until February 2026 to confirm that the protected health information of more than 626,500 patients was compromised.

The attack on Covenant Health also occurred in May 2025. Initial access was gained on May 18, 2025, and, as was the case with the attack on ApolloMD, sensitive data was rapidly identified and exfiltrated. The Covenant Health attack was detected on May 26, 2025, when the affected systems were shut down to contain the incident. Disruption continued into June, and the attack was initially disclosed a month later, although the initial breach report suggested that the protected health information of just 7,864 individuals was compromised in the incident. As the investigation progressed, it became clear that data theft was far more extensive. In December 2025, when the investigation concluded, Covenant Health confirmed that 478,188 patients had been affected.

Akira was the second-most active group, claiming a total of 776 victims in 2025, with the third most active group – Play – accounting for 405 ransomware attacks. BlackFog identified the emergence of large-scale, AI-enabled attacks last year, when a ransomware group hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – the first time that an AI-led ransomware campaign has been identified.

“The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization, or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt,” Dr Darren Williams, Founder and CEO of BlackFog said. “The disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”


FBI Urges Organizations to Take 10 Actions to Improve Cyber Resilience

The Federal Bureau of Investigation (FBI) has launched a campaign to improve the resilience of industry, government, and critical infrastructure against cyber intrusions. Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) is tied to the National Cyber Strategy and the FBI Cyber Strategy, which views industry, government, and critical infrastructure as partners in detecting, confronting, and dismantling cyber threats.

“Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder,” the FBI said. Operation Winter Shield provides a practical roadmap for securing information technology and operational technology environments, hardening defenses, and reducing the attack surface. The campaign has kicked off with 10 recommendations developed with domestic and international partners to improve defenses against current cyber threats. The recommendations reflect current adversary behavior and common security gaps identified in recent investigations of cyberattacks.

The ten recommendations cover high-impact measures for reducing cyber risk by improving resilience and reducing the attack surface. Over the following 10 weeks, the FBI will publish further information and guidance on these cybersecurity measures:

  1. Adopt phishing-resistant authentication – Many data breaches start with credentials stolen in phishing attacks.
  2. Implement a risk-based vulnerability management program – Threat actors often exploit known, unpatched vulnerabilities in operating systems, software, and firmware for initial access.
  3. Track and retire end-of-life tech on a defined schedule – End-of-life software and devices are often targeted as they no longer receive security updates.
  4. Manage third-party risk – Security is only as good as the weakest link, which is often the least-protected vendor with network or data access.
  5. Protect and preserve security logs – Security logs are essential for detection, response, and attribution, and are often deleted by threat actors to hide their tracks.
  6. Maintain offline immutable backups and test restoration – Resilience depends on backups and tested recovery.
  7. Identify, inventory, and protect internet-facing systems and services – Eliminate any unnecessary exposure and reduce the attack surface.
  8. Strengthen email authentication and malicious content protections – Email is one of the most common initial access vectors and must be adequately secured.
  9. Reduce administrator privileges – Persistent administrative access enables rapid escalation when credentials are compromised.
  10. Exercise incident response plans with all stakeholders – Testing the response plan will allow organizations to respond rapidly and reduce the impact of a successful compromise.

Figure: Operation Winter Shield. Source: Federal Bureau of Investigation.


HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital

An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.

The audited hospital had more than 300 beds and was part of a network of providers that share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.

HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.

The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.

HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials on the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. In a real cyberattack, a threat actor could use that access for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, because the click rate and login rate were relatively low, no recommendations were made regarding its anti-phishing controls.

Another internet-facing application was found to lack strong input validation controls, which made the application vulnerable to an injection attack. An attacker could inject malicious code into weak input fields, alter the commands sent to the website, and access sensitive data or manipulate the system. Although the hospital had conducted vulnerability scans and third-party penetration tests, neither had identified the vulnerability. Further, the web application was not protected by a web application firewall for filtering, monitoring, and blocking malicious web traffic such as injection attacks.
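The injection finding above comes down to one coding pattern: user input spliced into a database command. The following Python example is added here to illustrate the weak pattern beside two hardened forms; it is not code from the audit or the hospital, and the table, column names, sample rows and the `MRN-NNNN` identifier format are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (hypothetical schema and rows,
# not the audited hospital's application).
SAMPLE_ROWS = [
    ("MRN-0001", "Doe, Jane", "1980-04-12"),
    ("MRN-0002", "Roe, Richard", "1975-09-30"),
    ("MRN-0003", "Smith, Alex", "1992-01-05"),
]

# Allow-list for the shape of a valid record identifier (assumed format).
MRN_PATTERN = re.compile(r"^MRN-\d{4}$")


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, mrn):
    """Weak input handling: the user-supplied value is pasted into the SQL text,
    so the input can change the command the application sends to the database."""
    query = f"SELECT mrn, name, dob FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, mrn):
    """Hardened form 1: a parameterized query. The driver passes the value
    separately from the statement, so it is only ever treated as data."""
    return conn.execute(
        "SELECT mrn, name, dob FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def lookup_hardened(conn, mrn):
    """Hardened form 2: allow-list validation of the input's shape, then the
    parameterized query. Validation is defence in depth; parameterization is
    what actually closes the injection path."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("invalid MRN format")
    return lookup_parameterized(conn, mrn)


def demo():
    """Run the three lookups against one constructed probe input and a valid
    identifier, returning what each variant did."""
    conn = build_db()
    probe = "' OR '1'='1"  # constructed demonstration input for the comparison
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
        "hardened_rejects_probe": False,
        "hardened_valid_rows": len(lookup_hardened(conn, "MRN-0002")),
    }
    try:
        lookup_hardened(conn, probe)
    except ValueError:
        results["hardened_rejects_probe"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the probe because the quote in the input terminates the string literal and the rest becomes part of the `WHERE` clause; the parameterized lookup returns nothing, and the validated one refuses the input before it reaches the database. A web application firewall, as the audit recommends, would sit in front of all three but is a compensating control, not a substitute for the parameterized form.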

HHS-OIG made four recommendations:

  • Implement strong user identification and authentication controls for the account management web application
  • Periodically assess and update user identification and authentication controls across all systems
  • Assess all web applications to determine whether an automated technical solution, such as a web application firewall, is required
  • Use a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing

HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.

“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”

Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:

  • Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
  • Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
  • Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
  • Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
  • Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit
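The audit finding and the conditional-access step above describe the same control from two sides: access from outside the corporate network or from an unmanaged device should require MFA, and operations that change an account's authentication posture (such as deactivating MFA or adding a device) should not be reachable with a password alone. The following Python example is added here to show one way to express that as a policy decision; it is not code from the audit, the hospital, or Nudge Security, and the network ranges, step-up window and action names are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy inputs (hypothetical; not the audited hospital's configuration).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]
# How recently MFA must have been completed before a sensitive action is allowed.
STEP_UP_WINDOW = timedelta(minutes=5)
# Account-management actions that alter the account's authentication posture.
SENSITIVE_ACTIONS = {"disable_mfa", "add_device", "remove_device", "reset_password"}


@dataclass
class AccessRequest:
    source_ip: str
    managed_device: bool
    password_ok: bool
    mfa_verified_at: Optional[datetime]  # None means MFA was not completed this session
    action: str


def evaluate(req: AccessRequest, now: datetime) -> str:
    """Return 'deny', 'require_mfa' or 'allow' for one request."""
    if not req.password_ok:
        return "deny"

    inside_corporate = any(
        ipaddress.ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS
    )
    mfa_done = req.mfa_verified_at is not None

    # Rule 1: any access from outside the corporate network or from an
    # unmanaged device needs MFA in this session.
    if (not inside_corporate or not req.managed_device) and not mfa_done:
        return "require_mfa"

    # Rule 2: sensitive account-management actions need a fresh MFA, wherever
    # the request comes from. A captured password alone never reaches them.
    if req.action in SENSITIVE_ACTIONS:
        if not mfa_done or now - req.mfa_verified_at > STEP_UP_WINDOW:
            return "require_mfa"

    return "allow"


def run_scenarios():
    """Evaluate a set of constructed requests and return the decisions by name."""
    now = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=1)
    stale = now - timedelta(minutes=30)
    scenarios = {
        # Password only, on the corporate network, managed device, read-only action.
        "inside_view_password_only": AccessRequest("10.20.30.40", True, True, None, "view_devices"),
        # The audit's scenario: a password alone trying to switch MFA off.
        "inside_disable_mfa_password_only": AccessRequest("10.20.30.40", True, True, None, "disable_mfa"),
        # Same action with MFA completed a minute ago.
        "inside_disable_mfa_fresh": AccessRequest("10.20.30.40", True, True, fresh, "disable_mfa"),
        # Same action but the MFA is older than the step-up window.
        "inside_disable_mfa_stale": AccessRequest("10.20.30.40", True, True, stale, "disable_mfa"),
        # Off-network access without MFA, even for a read-only action.
        "outside_view_password_only": AccessRequest("203.0.113.7", True, True, None, "view_devices"),
        # Off-network access with MFA already done this session.
        "outside_view_with_mfa": AccessRequest("203.0.113.7", True, True, stale, "view_devices"),
        # Unmanaged device on the corporate network, no MFA.
        "inside_unmanaged_no_mfa": AccessRequest("192.168.100.9", False, True, None, "view_devices"),
        # Wrong password is refused before any other rule is consulted.
        "bad_password": AccessRequest("10.0.0.1", True, False, fresh, "view_devices"),
    }
    return {name: evaluate(req, now) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36s} {decision}")
```

Rule 1 is the conditional-access policy from the list above; Rule 2 is the control whose absence let the captured credentials reach the MFA deactivation option in the audit. Keeping the two separate makes the policy readable and lets the step-up window be tuned independently of the network rule.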

The post HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital appeared first on The HIPAA Journal.

CISA Issues Guidance for Proactively Defending Against Insider Threats

Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024.

Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common.

Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure organizations to take decisive action against insider threats, and has published a new resource specifically developed for critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to help them assemble a multi-disciplinary insider threat management team. The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.

Insiders have institutional knowledge and legitimate access rights, which allow them to access and steal sensitive data with ease, and detecting insider breaches can be a challenge. Insider incidents can cause significant harm to healthcare organizations, including reputational damage, revenue loss, and harm to people and key assets. “Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience – demanding proactive measures to detect, prevent, and respond,” explained CISA.

“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”

Combating insider threats requires an insider threat mitigation program that includes physical security, cybersecurity, personnel awareness, and partnerships with the community, and assembling a multi-disciplinary insider threat management team is a critical part of that process. The threat management team should oversee the insider threat management program, monitor for potential threats, and act quickly to mitigate the consequences of negligent and malicious insider actions. With an effective insider threat management team in place, organizations can reduce the damage and frequency of insider threat incidents.

A threat management team will be far more effective than any one individual, and a team can be scaled and adjusted in scope and capability as the organization matures and evolves. Having a range of insider threat subject matter experts allows the organization to obtain varied perspectives and generate more accurate and holistic threat assessments. Team members should include threat analysts, general counsel, human resources, the CISO and CSO, as well as external parties, including investigators, law enforcement, and medical or mental health counselors.

In the guidance, CISA offers a framework consisting of four stages – Plan, Organize, Execute, and Maintain (POEM). The Plan stage allows the organization to structure and scope the role of the threat management team. The Organize phase involves the team guiding employee awareness, creating a culture of reporting, and providing the necessary support to relevant departments to identify potential insider threat activity. The Execute phase involves upholding the insider threat mitigation program, and the Maintain phase is concerned with developing the threat management team to ensure it remains effective over time.

“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla.

The post CISA Issues Guidance for Proactively Defending Against Insider Threats appeared first on The HIPAA Journal.