Healthcare Cybersecurity

Cybersecurity Should Be Viewed as a Strategic Enabler of the Business

The US Healthcare Cyber Resilience Survey from EY and KLAS Research has revealed that more than 7 out of 10 healthcare organizations have experienced significant business disruption due to cyberattacks in the past two years.

The survey was conducted on 100 healthcare executives responsible for cybersecurity decisions within their organization. Organizations experienced an average of five different cyber threats in the past year, the most common of which was phishing, experienced by 77% of organizations. The next most commonly encountered threats were third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%). Only 3% of respondents reported not experiencing any cyber threats in the past year.

These cyber incidents are having a considerable impact on patient care and business operations. 72% of respondents reported that their organization experienced a moderate to severe financial impact due to cyberattacks in the past two years, 60% reported a moderate to severe operational impact, and 59% reported a moderate to severe clinical impact.

In healthcare, cybersecurity is often viewed as a set of defensive measures to protect against cyber threats and ensure compliance, but cybersecurity should be elevated to an organizational priority. Cyberattacks have a significant impact on patient care and business operations, damaging the organization’s reputation and affecting its bottom line. Healthcare organizations that make cybersecurity an organizational priority find that it creates value and helps them deliver better outcomes.

Cybersecurity investment should be aligned with outcomes such as reduced downtime, improved patient safety, and financial stability, and the survey suggests that CISOs are getting better at communicating this to the C-suite. When the cost of cybersecurity investment is compared to the cost of an outage on patient care and revenue, funds are often provided. The survey suggests that the main challenge is not getting the company to invest in cybersecurity, but to sustain the financial commitment over time, especially when budgets tighten or priorities shift. It can be especially hard to maintain that commitment when, after investing in cybersecurity, the organization continues to experience moderate to severe cyber events.

“Cyber needs to be a shared responsibility across the organization and the health ecosystem,” explained EY and KLAS in the report. “In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business.”

The most frequently cited problem, named by two-thirds of respondents, is competing organizational priorities and tight budgets. Other challenges affecting healthcare organizations include a rapidly changing threat landscape, AI-driven threats, third-party risk management, and the difficulty of recruiting and retaining cybersecurity talent.

One of the main takeaways from the report is the importance of viewing cybersecurity as more than a set of technical and administrative safeguards to achieve compliance. Cybersecurity needs to be viewed as a value creator that is as critical to success as other business needs, be they improved patient outcomes, geographical expansion, or smart care models. “When cyber is integrated into care delivery and operational and business strategy, it becomes more than compliance. It serves as a catalyst for trust, transformation, long-term resilience, and care delivery that is future-proof,” suggest EY and KLAS.

The post Cybersecurity Should Be Viewed as a Strategic Enabler of the Business appeared first on The HIPAA Journal.

CISA, NSA Issue Guidance on Hardening Microsoft Exchange Server Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued new guidance for organizations to help them secure their on-premises Microsoft Exchange servers. The guidance document builds on the advice issued in August 2025 on mitigating a high-severity vulnerability in Microsoft Exchange Server – CVE-2025-53786 – that posed a significant risk to organizations with Microsoft Exchange hybrid-joined configurations.

The flaw could be exploited by an unauthenticated attacker to move laterally from an on-premises Exchange server to the organization’s Microsoft 365 cloud environment. While the vulnerability could only be exploited if an attacker first gained administrative access to the on-premises Exchange server, CISA was particularly concerned about how easy it was to escalate privileges and gain control of parts of the victim’s Microsoft 365 environment.

Cyber actors have been targeting on-premises Exchange servers in hybrid environments, and CISA is concerned about organizations using misconfigured or unprotected Microsoft Exchange servers, especially Exchange Server versions that have reached end-of-life. In such cases, there is a high risk of compromise. The guidance – Microsoft Exchange Server Security Best Practices – was developed by CISA and the NSA, with assistance provided by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security (Cyber Centre). The document details proactive prevention measures and techniques for combating cyber threats and protecting sensitive data and communications.

“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.”

The authoring agencies stress that the most effective defense against Microsoft Exchange threats is ensuring that Exchange is updated to the latest version and Cumulative Update (CU). If an unsupported version is still in use, it should be updated to a supported version. The only supported version for on-premises Exchange is Microsoft Exchange Server Subscription Edition (SE), as support ended for previous versions on October 14, 2025. Organizations should also ensure that Microsoft’s Emergency Mitigation Service is turned on, as it will automatically apply defensive rules, disable legacy protocols, and block specific patterns of malicious HTTP requests.

Organizations should maintain a regular patching cadence, applying the monthly security updates and hotfixes promptly, as well as the two CUs per year. CISA warns that threat actors usually develop exploits for Exchange vulnerabilities within a few days of patches being released. If immediate patching is not possible, organizations should implement Microsoft’s interim mitigations.

CISA recommends that organizations enforce a prevention posture to address Exchange threats. The guidance serves as a blueprint for strengthening security, and covers hardening authentication and access controls, enforcing strong encryption, implementing multifactor authentication, enforcing strict transport security configurations, adopting zero-trust security principles, and minimizing application attack surfaces. The guidance is focused on securing on-premises Exchange servers. Organizations with Exchange servers in hybrid environments should follow the advice in CISA’s August 2025 Emergency Directive.


Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution

Vulnerabilities have been identified in the Hospital Manager Backend Services, a hospital information management system from Vertikal Systems. One of the vulnerabilities is a high-severity flaw that can be remotely exploited in a low complexity attack to gain access to and disclose sensitive information.

The vulnerabilities affect Hospital Manager Backend Services prior to September 19, 2025. The vulnerabilities have been fixed in the September 19, 2025, release and future releases. Users should ensure that their product is up to date and should contact Vertikal Systems for assistance with fixing the flaws.

The most serious vulnerability is tracked as CVE-2025-54459 and has been assigned a CVSS v4 base score of 8.7 (CVSS v3.1 base score 7.5). The flaw is due to the product exposing sensitive information to an unauthorized control sphere. Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, which means a remote attacker can obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.

The second flaw is tracked as CVE-2025-61959 and is a medium-severity vulnerability with a CVSS v4 base score of 6.9 (CVSS v3.1 base score 5.3), due to the generation of error messages containing sensitive information. Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration customErrors mode="Off", which could have facilitated reconnaissance by unauthenticated attackers.

The vulnerabilities were identified by Pundhapat Sichamnong of Vantage Point Security, who reported the flaws to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In addition to using the latest version, it is recommended not to expose the product to the internet, to locate it behind a firewall, and if remote access is required, to use a secure method of access, such as a Virtual Private Network (VPN), ensuring the VPN is running the latest version of the software.
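Both Vertikal findings come down to two settings in an ASP.NET application's web.config: the trace section, which is what makes /trace.axd available, and customErrors, which decides whether stack traces and internal paths reach remote clients. The script below is an added example, not code from Vertikal Systems, CISA, or Vantage Point Security; it audits a web.config for those settings (plus debug compilation) against the documented ASP.NET defaults, and the two sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying the weak settings behind the two advisory findings
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" requestLimit="40" />
  </system.web>
</configuration>
"""

# Constructed sample: the same file after hardening
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
    <trace enabled="false" localOnly="true" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
"""


def _child(element, tag):
    """Return the first direct child with the given tag, or None."""
    return next((c for c in element if c.tag == tag), None)


def _is_true(element, attr, default):
    """Read a boolean ASP.NET attribute, falling back to its documented default."""
    if element is None:
        return default
    return element.get(attr, str(default)).strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of information-disclosure findings for the <system.web> section."""
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    findings = []
    if system_web is None:
        return findings  # nothing configured: ASP.NET defaults apply (trace off, RemoteOnly errors)

    # <trace>: defaults are enabled="false" and localOnly="true"
    trace = _child(system_web, "trace")
    if _is_true(trace, "enabled", False):
        if _is_true(trace, "localOnly", True):
            findings.append("trace enabled (localOnly=true): /trace.axd is served to localhost only; "
                            "disable it when not actively debugging")
        else:
            findings.append("trace enabled with localOnly=false: /trace.axd serves live request traces "
                            "(headers, session ids, server variables) to remote clients")

    # <customErrors>: default mode is RemoteOnly
    custom_errors = _child(system_web, "customErrors")
    mode = custom_errors.get("mode", "RemoteOnly") if custom_errors is not None else "RemoteOnly"
    if mode.strip().lower() == "off":
        findings.append("customErrors mode=Off: detailed error pages (stack traces, internal paths, "
                        "framework version) are sent to remote clients")

    # <compilation debug="true">: default is false; debug builds leak more detail in error pages
    compilation = _child(system_web, "compilation")
    if _is_true(compilation, "debug", False):
        findings.append("compilation debug=true: debug build served in production; set debug=false")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label}: {audit_web_config(cfg) or ['no findings']}")
```

Pointing `audit_web_config` at a real deployment means reading the effective configuration, since a parent web.config or machine.config can also enable tracing; the check here covers only the file it is given.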


Only 23% of Ransomware Victims Pay the Ransom

The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found the sweet spot, as while the ransom payments they receive are much lower, the attacks are easier to conduct, and a higher percentage of victims pay up. Attacks on larger companies require more effort, although attacks are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly resisting paying ransoms, having realized that there are few payment benefits, but has warned that these targeted attacks are likely to increase due to falling ransom payments.

Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.

When cybercriminals started conducting ransomware attacks, the focus was on file encryption, whereas double extortion tactics are now the norm, with data stolen prior to file encryption. While data can often be recovered from backups, the threat of publication of the data is often enough to see the ransom paid, in an effort to minimize reputation damage from an attack. According to Coveware, 76% of all attacks in Q3, 2025, involved data theft. There has been a growing trend of data theft-focused attacks, with some groups abandoning data encryption altogether. While extortion-only attacks are generally faster and stealthier, Coveware reports that data exfiltration attacks without encryption only have a ransom payment rate of 19% – a record low. That suggests that victims do not believe paying the ransom will result in their data being deleted.

The most common attack vectors frequently change, with phishing and social engineering the most common method of initial access in Q3, 2024, whereas in Q3, 2025, there was a sharp increase in remote access compromise, with phishing/social engineering dropping to around 18% of attacks, almost on a par with the exploitation of software vulnerabilities. Remote access compromise was behind almost 50% of attacks in Q3. Coveware reports that the distinction between intrusion types such as remote access compromise and social engineering is becoming increasingly blurred. For example, attacks impersonating SaaS support teams or abusing helpdesk processes trick individuals into providing remote access. “The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms,” explained Coveware.

The two most active ransomware groups in Q3 – Akira (34%) and Qilin (10%) – are both focused on high-volume attacks that yield relatively low rewards. While a logical response to fewer victims paying a ransom is to conduct even more attacks, Coveware believes it is more likely to trigger more targeted attacks on companies that have the means to pay large ransoms. As security postures have improved, attacks are becoming harder to pull off. One potential consequence is that attackers will focus once again on targeting employees to trick them into providing access, as well as recruiting insiders. Coveware has identified several attacks where employees have been bribed into providing remote access. In one case, the Medusa ransomware group attempted to recruit an employee of a large organization. Medusa promised to pay the employee 15% of any ransom generated if network access through the employee’s computer was provided.

While healthcare remains a lucrative target for ransomware groups, only 9.7% of attacks involving Coveware’s services affected healthcare organizations, putting the industry in joint second place with software services. Professional services was the most commonly attacked sector in Q3, accounting for 17.5% of attacks.


State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems

Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems.

The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant amounts of Medicaid data, including an attack in Texas in 2021 that affected approximately 1.8 million individuals, a data breach in Utah that affected 780,000 Medicaid recipients, and a data breach in South Carolina that affected 228,000 Medicaid recipients.

The penetration tests simulated cyberattacks. While the security controls were found to be generally effective at blocking unsophisticated or limited cyberattacks, improvements are required to prevent more sophisticated attacks and persistent threats. The cybersecurity controls implemented by the nine states – Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah – and Puerto Rico responded to and blocked some of the HHS-OIG’s simulated cyberattacks, but not others. Simulated phishing attempts were also conducted on a selection of employees to determine whether they had received adequate security awareness training.

The most common NIST security controls that were identified as ineffective in most of the audited states were website transmission confidentiality and integrity controls; flaw remediation controls to properly identify, report, and correct software flaws; information input validation controls to verify the validity or properly sanitize the information system input for public-facing systems; and error handling controls to prevent disclosure of information.

The common causes were developers and contractors that were unaware of government standards or industry best practices; the failure to securely configure systems and patch flaws in a timely manner; the failure to assess all components in MMIS and E&E systems (e.g., third-party plug-ins and libraries); ineffective procedures for testing security controls; and delays in detecting, reporting, and fixing flaws in systems.

HHS-OIG made 27 recommendations to the nine states and Puerto Rico for improving security controls, policies, and procedures. The most common recommendations included: patching outdated servers; improving input sanitization on web servers; enhancing vulnerability detection tools; conducting periodic evaluations of the effectiveness of security controls; updating cryptographic settings; improving vulnerability management strategies; and ensuring server configurations support secure protocols.


Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands

Ransomware groups are conducting fewer attacks than a year ago, and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.

Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments. ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.

Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.

Only 17% of attacks are detected during the reconnaissance phase, with 29% detected during initial access, but 30% of attacks are detected later on in the attack phase when file exfiltration has commenced (12%), data is encrypted (13%), or the ransom note is received (5%). While attacks are becoming increasingly sophisticated and harder to detect with traditional security tools, the initial access vectors have largely remained unchanged, with phishing and social engineering the most common means of infiltration. Phishing/social engineering was the infiltration method in 33.7% of attacks, software vulnerabilities were exploited in 19.4% of attacks, supply chain compromises were behind 13.4% of attacks, and software misconfigurations were exploited in 13% of attacks. ExtraHop has observed a marked increase in the use of compromised credentials for initial access, which were used in 12.2% of attacks. Legitimate credentials allow attackers to access networks, move laterally, and remain in networks undetected for extended periods, often escalating privileges to compromise more sensitive systems.

The biggest areas of cybersecurity risk for defenders were the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%). The main challenges faced by defenders were limited visibility into their entire environment (41%), insufficient staffing or a skills gap (35.5%), alert fatigue due to an overwhelming number of security alerts (34%), poorly integrated tools (34%), insufficient or manual SOC workflows (33%), insufficient budget and executive support (29%), and organizational silos (26%). The problem for many organizations is that they are grappling with a complex range of equally pressing obstacles.

ExtraHop’s advice is to first understand the full attack surface, which means knowing exactly what is in the network and where vulnerabilities exist. While it is important to have robust perimeter defenses, internal traffic must be monitored as attackers are increasingly able to penetrate defenses. Through effective monitoring, organizations can identify and block attacks before escalation, data theft, and encryption. While it is essential to understand what threat actors are doing today, it is important to keep abreast of evolving tactics to be prepared for what will happen tomorrow, including attackers’ use of emerging technologies.


Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks

Cybersecurity firm Black Fog has released its Q3 2025 State of Ransomware Report, which shows ransomware attacks have increased by 36% compared to the same quarter in 2024. Each month in the quarter saw an increase in attacks compared to the corresponding month last year, with July the worst month with a 50% increase. Over the whole quarter, 270 ransomware attacks were reported, although Black Fog notes that the majority of attacks remain in the shadows and go unreported. In Q3, an estimated 1,510 ransomware attacks were not disclosed, which represents a 21% increase from the previous quarter.

Healthcare remains a key target for ransomware groups, with the sector experiencing 86 attacks, which represents 32% of all disclosed attacks – more than twice as many ransomware attacks as were disclosed by entities in the next most attacked sectors, government and technology, which each had 28 disclosed incidents. Black Fog reports that 85% of ransomware attacks are not reported, and taking those attacks into account, manufacturing was the hardest hit sector, accounting for 22% of the 1,510 undisclosed attacks, followed closely by the services sector. Even with the HIPAA reporting requirements, healthcare ranked 5th for undisclosed incidents, which suggests that healthcare organizations are slow to investigate and report attacks. Law firms are increasingly being targeted, with the sector experiencing at least 79 attacks, the highest level since Black Fog started publishing ransomware reports in 2020.

Data theft almost always occurs with ransomware attacks, with some groups now abandoning encryption altogether. Black Fog reports that a new record was set in Q3 for data exfiltration, with 96% of attacks involving data theft. As reported by the Identity Theft Resource Center this month in its Q3 analysis of compromises, almost three-quarters (71%) of victim notifications do not mention the root cause of the attack, such as whether ransomware was used, which puts victims at a great risk of identity theft and fraud. Black Fog identified 449 victim listings on ransomware groups’ dark web data leak sites in Q3, 2025, with an average of 527.65 GB exfiltrated per victim. Black Fog CEO, Darren Williams, recommends that organizations should be more proactive at detecting the signs of data exfiltration by looking for unusual patterns in outbound traffic, anomalous MFA behaviors, and sudden file movement, as by the time files are encrypted, the damage from an attack is often irreversible.
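Williams's advice above to look for unusual patterns in outbound traffic before encryption begins is straightforward to turn into a first-pass detection. The Python below is an added example, not Black Fog's or the ITRC's code: it summarises per-host outbound volume from flow records, compares today's total with the host's own seven-day median, and lists destinations the host had never contacted during the baseline window. The flow records are constructed, the 1 GB floor and 5x ratio are assumed thresholds, and the other signals Williams names (anomalous MFA behaviour, sudden file movement) are not modelled here.

```python
import statistics
from collections import defaultdict


def build_sample_flows():
    """Constructed outbound-flow summaries as (host, day, dest_ip, bytes_out).

    Days 1-7 are the baseline window and day 8 is 'today'. Addresses come from
    the RFC 5737 documentation ranges, not from any real network.
    """
    flows = []
    for host in ("ws-001", "ws-002", "ws-017"):
        for day in range(1, 8):
            flows.append((host, day, "198.51.100.10", 40_000_000 + day * 1_000_000))
    flows.append(("ws-001", 8, "198.51.100.10", 46_000_000))      # ordinary day
    flows.append(("ws-002", 8, "198.51.100.10", 120_000_000))     # busy, but small in absolute terms
    flows.append(("ws-017", 8, "198.51.100.10", 44_000_000))      # ordinary traffic...
    flows.append(("ws-017", 8, "203.0.113.7", 52_000_000_000))    # ...plus 52 GB to a never-seen host
    return flows


def detect_exfiltration(flows, today, factor=5.0, min_bytes=1_000_000_000):
    """Flag hosts whose outbound volume today is large in absolute terms AND far
    above their own per-day median; report destinations unseen in the baseline.

    The absolute floor (min_bytes) keeps small hosts with noisy baselines from
    paging anyone; the ratio (factor) keeps large hosts from hiding in their own
    high baseline. Both are assumed values, to be tuned per environment.
    """
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    baseline_dests = defaultdict(set)               # host -> destinations seen before today
    today_dests = defaultdict(set)                  # host -> destinations seen today
    for host, day, dest, nbytes in flows:
        daily[host][day] += nbytes
        if day == today:
            today_dests[host].add(dest)
        elif day < today:
            baseline_dests[host].add(dest)

    alerts = []
    for host, per_day in sorted(daily.items()):
        baseline = [b for d, b in per_day.items() if d < today]
        if not baseline:
            continue                                # no history to compare against
        median = statistics.median(baseline)
        total = per_day.get(today, 0)
        if total >= min_bytes and total >= factor * median:
            alerts.append({
                "host": host,
                "today_bytes": total,
                "baseline_bytes": median,
                "ratio": round(total / median, 1),
                "new_destinations": sorted(today_dests[host] - baseline_dests[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(build_sample_flows(), today=8):
        print(f"{alert['host']}: {alert['today_bytes']:,} bytes out today, "
              f"{alert['ratio']}x the baseline median; new destinations: {alert['new_destinations']}")
```

On the constructed data only ws-017 trips both conditions, and the alert carries the previously unseen destination, which is the detail an analyst needs first when deciding whether the transfer is a backup job or staging for extortion.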

The Qilin ransomware group retained its position as the most prolific ransomware group with 20 disclosed attacks (7%) and 242 undisclosed attacks (16%). INC Ransom ranked second with 18 (7%) disclosed attacks and 111 (7%) undisclosed attacks. Akira remains a highly active group with 139 (9%) undisclosed attacks. In Q3, a further 18 ransomware groups emerged, bringing the total number of active groups engaging in double extortion up to 80.

One notable newcomer is the Devman ransomware group, which has conducted 19 attacks in just a few months. The group stands out due to the high number of attacks for a new group, together with exorbitant ransom demands, including a $93 million ransom demand in the attack on the Chinese real estate firm, Shimao Group, which ranks as the largest ransom demand of the year.

“As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return,” suggests Williams. That means improving monitoring and encrypting stored data.


ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025

The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record. While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

