At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President Bush on September 23, 2001, following the 9/11 attacks on the World Trade Center. The purpose of the Executive Order was to disrupt the financial support network for terrorists and terrorist organizations, authorizing the U.S. government to designate and block the assets of foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

By designating ransomware attacks on hospitals and other critical infrastructure entities as an act of terrorism, attacks would be classed as national security threats, and the government would have a much broader range of tools at its disposal than are currently available, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic actions against countries – such as Russia – for harboring ransomware actors. Further, Kaiser argued that in the event of a ransomware attack resulting in the death of a patient, the government should be able to pursue murder or manslaughter charges, which may act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”

The post Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors appeared first on The HIPAA Journal.

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has issued a guidance document for healthcare organizations on managing third-party AI and AI-related supply chain risks. Healthcare organizations are increasingly reliant on AI-powered third-party tools and services, such as natural language processing engines embedded in electronic health records and AI-powered remote monitoring devices. These products provide critical functions for healthcare organizations, yet they introduce complex cybersecurity challenges that traditional risk management tools and models struggle to address.

Managing risk can be difficult, as AI tools are provided by third-party vendors whose security postures, governance practices, and model integrity are difficult to verify. Further, healthcare organizations often lack visibility into the full scope of the AI components incorporated into third-party products and services, which are often sourced through layered supply chains, including subcontractors, offshore development, and open source assets, explain HSCC co-leads Ed Gaudet, Censinet, and Samantha Jacques, McLaren Health.

The HSCC Cybersecurity Working Group developed the 109-page guide – Health Industry Third Party AI Risk and Supply Chain Transparency Guide – to help healthcare organizations understand and manage third-party AI supply chain risks. The guide draws from established cybersecurity frameworks such as the NIST AI Risk Management Framework and the joint HSCC-HHS Health Industry Cybersecurity Practices (HICP), and adapts cybersecurity best practices to reflect the modern realities of AI supply chains in healthcare. The guide has been developed to meet the needs of organizations of all sizes, regardless of their level of AI adoption. The guide can be followed in its entirety, or organizations can adopt the parts that work for their organization. The guide will help them to define accountability expectations and drive performance standards across their extended AI ecosystem.

The guide provides risk managers, compliance teams, and procurement officers with scalable tools to identify and manage AI-specific risks such as hidden dependencies and cascading failure points, and address the growing gaps in discovery and disclosure processes that make AI supply chain risk so challenging to manage. HSCC encourages healthcare organizations to distribute the guidance to senior business and technical leaders and their teams, recommending that they incorporate the best practices in the guide and evaluate their own third-party and supply chain risk management practices against the best practices outlined in the document. In addition to the guide, HSCC has published a living AI Cyber Glossary reference document for establishing consistent governance-ready definitions for artificial intelligence terminology for the healthcare sector. The AI Cyber Glossary is intended to serve as the terminological foundation for all current and future HSCC AI Task Group guidance materials.

The post HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks appeared first on The HIPAA Journal.

In 2025, another unwanted record was set for losses to cybercrime, with almost $21 billion in reported losses, beating the previous record of $16.6 in losses set in 2024 by 26%, according to the Federal Bureau of Investigation (FBI) Internet Crime Report 2025. The report was compiled based on complaints filed with the FBI’s Internet Crime Complaint Center (IC3), which topped 1 million for the first time, increasing from 859,000 complaints in 2024. This is the 25^th year that the FBI has released its annual report, which started with a few thousand complaints filed per month to an average of almost 3,000 complaints per day in 2025.

The increase in losses was largely driven by an increase in losses to investment fraud ($8,648,617,756), which was the largest cause of losses in 2025, followed by business email compromise – BEC – ($3,046,598,558) and tech support scams ($2,134,675,818).

Source: FBI Internet Crime Complaint Report 2025

In terms of complaint volume, phishing topped the list (191,561 complaints), followed by extortion (89,129 complaints), investment fraud (72,984 complaints), and personal data breaches (67,456), with non-payment/non-delivery rounding out the top 5 (56,478 complaints). Cyber-enabled fraud was present in 453,000 complaints, accounting for $17.7 billion in total losses. In 2025, 181,565 complaints related to cryptocurrency, and 22,364 related to AI-related incidents, with the latter involving $893 million in losses.

IC3 received 3,611 complaints related to ransomware, resulting in more than $32 million in losses. Those losses do not include losses due to business disruptions, equipment, or third-party remediation costs. Ransomware attacks were among the top cyber threats reported by critical infrastructure entities. The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. Across all 16 critical infrastructure sectors, the healthcare and public health sector experienced the highest number of cyber threats, including 182 data breaches and 460 ransomware attacks, ahead of critical manufacturing, financial services, information technology, and the government.

The FBI said it has upgraded its efforts to prevent cybercrime, including blocking attacks, notifying victims, and freezing stolen funds. In January, the FBI launched its Operation Winter Shield, which explained some of the most important steps that businesses can take to improve their defenses against cyber threats and block cyberattacks. The FBI also launched Operation Level Up, a proactive approach to identify and alert victims of cryptocurrency investment fraud. The FBI reports that out of the 3,780 victims the agency notified last year, 78% were unaware that they were being scammed. Last year, the FBI also initiated approximately 3,900 Financial Fraud Kill Chain (FFKC) interventions, and was able to block a significant number of fraudulent transactions, freezing more than $679 million in fraudulent transfers, achieving a 58% success rate, and a 65% success rate for its FFKC Actions in healthcare.

The post 2025 Losses to Cybercrime Exceeded $20 Billion appeared first on The HIPAA Journal.

Two critical vulnerabilities have been identified in Progress Software’s ShareFile service. The flaws could potentially be chained by an unauthenticated remote attacker to make configuration changes and achieve remote code execution.

While there have been no known cases of the vulnerabilities being exploited in the wild to date, vulnerabilities in file sharing software are actively targeted by threat actors, so attempted exploitation is likely. In 2023, a zero-day vulnerability in Progress Software’s MOVEit file transfer software was mass exploited by the Clop ransomware group, which claimed hundreds of victims worldwide. To a lesser extent, vulnerabilities in Fortra’s GoAnywhere, Accellion FTA, and Cleo MFT were also mass exploited. Users are therefore encouraged to apply the security updates promptly to prevent exploitation.

The vulnerabilities affect ShareFile Storage Zones Controller v5 version deployments for customer-managed zones and include an authentication bypass flaw tracked as CVE-2026-2699 and a remote code execution flaw tracked as CVE-2026-2701.

According to Progress Software’s security alert, “These vulnerabilities allow an unauthenticated remote attacker to access on-prem storage zones controller’s configuration pages, potentially leading to changes in system configuration and remote code execution.” The authentication bypass flaw has a CVSS v3.1 base score of 9.8, and the RCE flaw has a CVSS base score of 9.1.

The vulnerabilities affect versions 0 through 5.12.3 and have been patched in version 5.12.4. The vulnerabilities do not exist in any v6 versions. Progress Software strongly recommends upgrading to a patched version of V6 as soon as possible to prevent exploitation. Any users of unsupported versions should ensure they upgrade to a supported and fixed version as soon as possible.

The vulnerabilities were identified by security researchers Sonny and Piotr Bazydlo of watchTowr, who reported them to Progress Software. According to Shadow Server, there are 334 Unique IPs associated with ShareFile in the United States.

The post Critical Flaws Identified in Progress Software ShareFile Service appeared first on The HIPAA Journal.

Cybersecurity researchers warn that there could potentially be mass exploitation of a critical flaw in Citrix NetScaler products on a scale similar to the CitrixBleed vulnerability in 2023, which was exploited by ransomware groups. Earlier this week, Citrix disclosed a critical vulnerability affecting its NetScaler ADC and NetScaler Gateway application-delivery products. The vulnerability is an input validation flaw that could allow an attacker to leak sensitive information.

The vulnerability occurs in NetScaler ADC and NetScaler Gateway when configured as a SAML IdP, leading to memory overread. The vulnerability is tracked as CVE-2026-3055 and has a CVSS v4 severity score of 9.3. The vulnerability affects the following NetScaler products, but only when the appliance is configured as a SAML identity provider (IdP):

• NetScaler ADC and NetScaler Gateway 1 BEFORE 14.1-66.59
• NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
• NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

Citrix has released updated software versions to fix the vulnerability, and all customers are advised to prioritize remediation of this vulnerability due to the high risk of exploitation. NetScaler devices are constantly targeted by threat actors, and the vulnerability is certain to be targeted when a proof-of-concept exploit is released.

This is not the only vulnerability to be disclosed by Citrix this week. Citrix also disclosed a race condition flaw – CVE-2026-4368 – that affects  NetScaler ADC and NetScaler Gateway 14.1-66.54, when the appliance is configured as either a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or a AAA virtual server. The vulnerability is rated high severity, with a CVSS base score of 7.7. Action should be taken to mitigate the vulnerability for customer-managed instances. The vulnerability has been fixed in version 14.1-60.58. Further information on the flaws can be found in the Citrix security bulletin.

March 31, 2026, Update: The vulnerability is being actively exploited, though the scale of the exploitation remains unclear. CISA has added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog on March 30, 2026, and has ordered all federal civilian branch agencies to ensure the vulnerability is patched by April 2, 2026. All network defenders, including those in the private sector, have been advised to prioritize patching the vulnerability and ensure it is mitigated as soon as possible.

The post Urgent Action Required to Fix Actively Exploited Critical Citrix NetScaler Vulnerability appeared first on The HIPAA Journal.

Healthcare has retained its position as the industry most targeted by cyber actors, an unwanted accolade that the sector has held for more than a decade, and in 2025, healthcare had the highest average ransom payments, averaging $1,154,245, according to the recently published BakerHostetler 2026 Data Security Incident Response Report. The report is based on more than 1,250 data security incidents that the law firm was engaged in last year.

BakerHostetler has been publishing annual breach reports for 12 years, and in each of those years, healthcare accounted for more cyber incidents than any other industry. In 2025, healthcare – which includes biotech and pharma – accounted for 27%, with finance/insurance in second spot, accounting for 18% of incidents. While healthcare data breaches remain high – more than 700 last year – 2025 was the second consecutive year where breaches impacting 500 or more individuals declined, albeit only slightly.

Last year saw some threat actors issue astronomical ransom demands, the highest of which was $98 million, more than double the highest ransom demand in 2024 ($40 million). The largest ransom paid was $5.65 million, down from more than $20 million in 2024. Ransom payments increased in 2025, from an average payment of $501,338 in 2024 to $682,702, although average payments in healthcare were 69% higher.

BakerHostetler’s analysis revealed threat actors are spending less time in networks, with the dwell time falling from 36 days in 2023 to just 22 days in 2025. As defenders have got better at detecting intrusions, threat actors have had to adapt and are spending less time snooping to find data of interest. Linked to this is a growing trend of encryption being abandoned in some attacks, with some threat groups opting to solely conduct extortion only attacks. These are faster and quieter, with less chance of discovery before the attackers have achieved their aims, although in some attacks, the exfiltration of data is what tipped off victims to the attack, forcing the attackers to abandon encryption.

In 2025, across all industry sectors, 34% of victims of ransomware attacks paid the ransom, but there was a notable shift in the reason for payment last year. In 2024, 43% of victims of ransomware attacks paid the ransom to obtain a decryptor, with 34% paying to prevent the publication of stolen data. Those figures were reversed in 2025, with 31% of victims paying to obtain the decryptor, 43% paid to prevent the publication of stolen data, and 26% paid to recover data and prevent a data leak. Out of all extortion/ransomware incidents, 64% resulted in data theft requiring notices to individuals.

The Qilin ransomware group stepped up its attacks in 2025, having recruited affiliates from other ransomware operations, although Akira took top spot, based on the number of incidents BakerHostetler was engaged to assist with. Lynx/Inc ransom took third spot followed by Clop in 4^th, and the now defunct RansomHub in 5^th. The law enforcement operations against the LockBit ransomware group have clearly been effective, as BakerHostetler reports that for the first time in the past 5 years, LockBit was not in the top five most active ransomware groups.

This year’s report includes a spotlight on the healthcare sector. Out of all healthcare incidents that BakerHostetler was engaged in, 35% were attributed to vendors, which remain an Achilles heel in the industry. Vendor incidents were among the largest data breaches, such as the data breach at Conduent that affected more than 10 million individuals, the 5 million+ data breach at Episource, and the data breach at Oracle Health (Cerner). The number of individuals affected by the latter has not been disclosed, but is certainly in the millions.

While announcements were made about 21 resolution agreements in 2025, only 12 of the settlements/notices of final determination had 2025 dates. Out of those 12, seven resolved alleged HIPAA violations at business associates, as OCR demonstrated it is taking a keen interest in HIPAA compliance by vendors.

BakerHostetler suggests that fewer penalties are likely to be imposed this year, as OCR may opt for providing more efficient technical assistance; however, state attorneys general may well fill the gap as they exercise their authority to penalize healthcare organziations over breaches of the protected health information of state residents.

BakerHostetler predicts that state actions are likely to increase, as states are increasing staffing in their data privacy units. The expected focus will be data breach incident investigation, data awareness and data minimization, more robust protections for sensitive data, and greater incident investigation transparency, and with Congress yet to pass federal data privacy legislation, more states will implement their own privacy legislation.

The post BakerHostetler: Healthcare Remains Most Targeted Sector with Extortion-Only Attacks on the Rise appeared first on The HIPAA Journal.

A high-severity vulnerability has been identified in Grassroots DICOM that could be exploited by a remote threat actor to trigger a denial-of-service condition.  The vulnerability, tracked as CVE-2026-3650, is a memory leak issue that has been assigned a CVSS v3.1 severity score of 7.5.

Grassroots DICOM is a C++ library for DICOM medical images that comes with a scanner implementation capable of quickly scanning hundreds of DICOM files for attributes. Grassroots DICOM is used by healthcare and public health sector organizations worldwide, including in the United States.

The vulnerability affects Grassroots DICOM (GDCM) version 3.2.2 and occurs when parsing malformed DICOM files with non-standard VR types in file meta information. If an attacker sends a specially crafted file, when that file is parsed, it leads to vast memory allocations and resource depletion, triggering a denial of service condition. A maliciously crafted file could fill the heap in a single read operation without properly releasing it.

The vulnerability was identified by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which contacted the maintainer of Grassroots DICOM; however, the maintainer failed to respond to requests by CISA to mitigate the vulnerability.

While there is currently no fix to remediate the vulnerability, CISA has suggested recommended practices to reduce the potential for exploitation. They involve ensuring that the Grassroots DICOM is not exposed to the internet, that control system networks are located behind firewalls and are isolated from business networks, and if remote access is required, that secure methods are used to connect, such as Virtual Private Networks (VPNs), ensuring that the VPN is running the latest software version.

The post High Severity Vulnerability Identified in Grassroots DICOM appeared first on The HIPAA Journal.

A class 2 recall has been issued by the U.S. Food and Drug Administration (FDA) for certain GE HealthCare Centricity medical imaging products due to a vulnerability that could potentially be exploited by an unauthorized individual to manipulate data or impact system availability. Centricity Universal Viewer is a device that displays medical images such as mammograms and data from various imaging sources. The vulnerability affects the following Centricity Universal Viewer software versions:

• Versions 5.0 SP6 through UV 5.0 SP7.1
• Versions 6.0 through 6.0 Sp10.4.1
• Versions 7.0 through 7.0 Sp2.0.1

The recall was issued as the vulnerability may cause temporary or medically reversible adverse health consequences, but where the probability of serious adverse health consequences is remote. The vulnerability is due to user login credentials being exposed on the local client workstation. As such, an unauthorized individual could obtain the credentials and potentially impact system availability and/or manipulate data; however, the potential for exploitation is limited, as direct physical access to the local workstation is required.

There have been no known cases of exploitation of the vulnerability nor any known unauthorized access to patient data, according to GE Healthcare. The vulnerability was discovered by GE Healthcare during routine testing, and the company is working on a permanent fix. GE HealthCare has issued instructions for customers to follow to allow them to continue using their devices until the fix is issued.

According to the FDA’s recall notice, in order to continue using the affected products, users must ensure that appropriate security controls are implemented, as stated in the product manuals. Network account authentication should be implemented by using Active Directory/LDAP services for user management. If network authentication is not possible, users should contact GE Healthcare to request temporary steps to mitigate the issue.

The post FDA Issues Recall Notice for GE HealthCare Centricity Universal Viewer appeared first on The HIPAA Journal.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security.

Handala claimed to have exfiltrated 50 terabytes of data in the attack, before wiping data. Handala has claimed that it managed to delete 12 Petabytes of data in the attack from 200,000 devices. Wiper malware was not required, as Handala used the built-in wipe command in the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops.  According to Bleeping Computer, a source familiar with the incident claimed that Handala compromised an administrator account and created a new Global Administrator account, which was used to wipe the data.

At the time of writing, the military action against Iran is continuing, and Iran has issued threats of retaliation. In addition to a military response, retaliation is also likely to include further cyberattacks on U.S. companies. “CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026, cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” explained CISA in its March 18, 2026, alert. Consequently, CISA is recommending that organizations take steps to harden their endpoint management system configurations by following Microsoft’s recommendations.

The three main actions to take to harden Intune involve adopting a least-privilege approach for admin roles, assigning only the necessary permissions for day-to-day operations through Microsoft’s Intune role-based access control (RBAC). Organizations are advised to enforce phishing-resistant multifactor authentication and privileged access hygiene, including using Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Microsoft Intune. Microsoft also recommends configuring access policies to require multiple admin approvals. Policies should be set up that require approval from a second administrative account in order to make changes to sensitive or high-impact actions, such as wiping devices, applications, scripts, RBAC, and configurations.

According to the Palo Alto Networks Unit 42 team, there has been an increase in cyberattacks related to the war with Iran, including data wiping attacks and data theft. While the attack on Stryker involved misuse of Intune to wipe data, Iran-linked threat groups commonly use wiper malware in their offensive cyber operations. The Unit 42 team has observed Iran-nexus hacking groups and hacktivist groups increasing wiper attacks and spear phishing attacks. In addition to hardening Intune security, organizations should ensure that they patch promptly, have robust data backup systems in place, and have a tested disaster recovery and business continuity plan for data wiping attacks.

The post CISA Advises U.S. Organziations to Harden Microsoft Intune Following Stryker Data Wiping Attack appeared first on The HIPAA Journal.