Healthcare Cybersecurity

Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack

An agreement has been reached between the state of Rhode Island and Deloitte Consulting LLP that will see the professional services firm pay an additional $7 million in financial support to the state following the 2024 cyberattack on the state’s benefits administration system – RIBridges. RIBridges is Rhode Island’s one-stop shop for public benefits for state residents, including applications and management of Medicaid, food stamps, and other benefits. In November 2024, Deloitte Consulting identified the intrusion and took steps to secure the system. The state was notified about the hack in early December.

The investigation confirmed that hackers had access to the system for around 5 months, during which time they gained access to around 28 of the 338 backend environments of the system and exfiltrated sensitive data, including the data of almost 650,000 Rhode Island benefits applicants and recipients – around 59% of the population of the state. The Brain Cipher ransomware group claimed responsibility for the attack, boasting that access was gained by cracking an 8-character password to gain access to a domain controller – a process Brain Cipher claimed took just 5 minutes. The stolen data was subsequently leaked on the dark web.

In early 2025, the state secured a $5 million payment from Deloitte Consulting to cover immediate costs associated with the incident, and now a settlement agreement has been finalized that will see the total financial recovery increase to $12 million. Deloitte Consulting has also agreed to invest $6 million to cover security enhancements, operational support, and business continuity services that were not covered by its contract with the state. The settlement brings the legal wrangles between the state and Deloitte Consulting to an end.

Deloitte Consulting also faced class action litigation over the data breach and opted to settle the litigation in October 2025. Deloitte Consulting agreed to pay $6.3 million to resolve all claims related to the cyberattack and data breach, with no admission of wrongdoing or liability. Class members were eligible to claim up to $5,000 as reimbursement for out-of-pocket losses and a pro rata cash payment.

May 20, 2025: Rhode Island Releases Details of RIBridges Hacking Investigation

The state of Rhode Island has released a summary of the findings of an investigation by the cybersecurity firm CrowdStrike into the hacking of the Rhode Island state benefit system, known as RIBridges, by the Brain Cipher threat group.

Brain Cipher members were able to gain access to 28 of the 338 environments that comprise the RIBridges system and stole sensitive data such as names, addresses, birth dates, Social Security numbers, and health information. The affected individuals had previously signed up to receive public benefits such as food stamps or private health insurance through the HealthSource RI portal. The state issued notification letters to around 657,000 individuals in January informing them that their sensitive data may have been compromised in the incident.

The forensic investigation determined that 114,879 individuals who received the notifications in January had not in fact been affected, although an additional 107,757 individuals had been affected but were not notified in January. They include approximately 30,000 individuals whose data was collected during employment checks or verifications through the child support system and the Department of Children, Youth, and Families. Notification letters are now being sent to those 107,757 individuals. The final total stands at 644,401 affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 5 years.

The investigation started on December 16, 2024, and concluded on January 31, 2025. According to state officials, Brain Cipher actors gained access to the RIBridges system through the RIBridges Virtual Private Network (VPN) using the credentials of a Deloitte employee. Deloitte is the vendor used by the state of Rhode Island to manage the RIBridges system. CrowdStrike was unable to determine how the credentials were obtained and whether multifactor authentication was bypassed or if it was in place.

Brain Cipher first accessed a non-production environment within the RIBridges system on July 2, 2024; however, the intrusion was not detected until November 28, 2024. After authenticating with the RIBridges VPN, the threat actor performed initial reconnaissance and lateral movement from an application server to six other systems. Privileges were escalated on two systems via Image File Execution Options (IFEO) injection, and credential harvesting was performed on six systems within the RIBridges environment.

Commercially available remote monitoring and management (RMM) tools were used along with a reverse proxy tool to maintain access to the environment. During the five months of access, Brain Cipher performed data access, staging, and data exfiltration from 28 systems. Large data transfers were performed by Brain Cipher out of the RIBridges system in November.

It was not the data transfers that alerted Deloitte to the hack, but rather a post on the Brain Cipher data leak site on December 4, 2024, claiming data had been stolen. Deloitte investigated the claim and identified suspicious activity, although it took until December 13, 2024, for the breach of the RIBridges system to be confirmed. When it was confirmed that the RIBridges systems had been compromised, it was shut down and remained offline for around a month. No evidence was found of any ransomware on the system.

According to the CrowdStrike investigation, the RIBridges firewall denied traffic from an external cloud storage provider IP address to an internal IP address on September 10, 2024, and between November 11, 2024, and November 28, 2024, the firewall management portal generated 397 alerts from 15 systems about large data transfers to an external cloud storage provider. “Deloitte missed some issues that we certainly hold them responsible for,” said state Governor Dan McKee. “That this would be undetected for that period of time is something that is just unacceptable.” Governor McKee confirmed that the state will be pursuing all avenues in its efforts to ensure accountability and is considering legal action against Deloitte.
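The investigation summary above describes two signals that were available before the breach was confirmed: a denied inbound connection from a cloud storage provider address in September, and hundreds of firewall alerts about large outbound transfers to that kind of destination in November. The following is an added example, not code from the article, CrowdStrike, Deloitte, or the state, of how a defender can turn raw firewall logs into a short, prioritized list instead of 397 separate alerts: it sums allowed outbound bytes per internal host and external destination per day, collapses the hits to one record per host, and checks whether any flagged destination had earlier been denied inbound. The log format, the address ranges, and every log line are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (hypothetical, not RIBridges data).
# Assumed format: <ISO timestamp> <allow|deny> src=<ip> dst=<ip> dport=<port> bytes_out=<n>
SAMPLE_LOG = """\
2024-09-10T11:42:19Z deny src=198.51.100.40 dst=10.8.4.21 dport=8443 bytes_out=0
2024-11-11T02:14:07Z allow src=10.8.4.21 dst=198.51.100.40 dport=443 bytes_out=734003200
2024-11-11T02:51:33Z allow src=10.8.4.21 dst=198.51.100.40 dport=443 bytes_out=812345678
2024-11-11T09:02:10Z allow src=10.8.4.37 dst=10.8.9.5 dport=445 bytes_out=2500000000
2024-11-12T01:05:44Z allow src=10.8.5.102 dst=198.51.100.40 dport=443 bytes_out=120000000
2024-11-12T01:06:02Z allow src=10.8.5.102 dst=198.51.100.40 dport=443 bytes_out=95000000
2024-11-12T14:20:00Z allow src=10.8.4.50 dst=203.0.113.10 dport=443 bytes_out=4200000
"""

# The organisation's own address space (assumed); anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one log line into a record; raises ValueError/KeyError on malformed input."""
    ts, action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "action": action,
        "src": fields["src"],
        "dst": fields["dst"],
        "bytes_out": int(fields.get("bytes_out", "0")),
    }


def parse_log(log_text: str) -> list[dict]:
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def find_large_outbound(log_text: str, threshold_bytes: int = 500_000_000) -> list[tuple]:
    """Sum allowed outbound bytes per (day, internal src, external dst) and return every
    flow whose daily total meets the threshold, as (day, src, dst, total_bytes)."""
    totals = defaultdict(int)
    for rec in parse_log(log_text):
        if rec["action"] != "allow" or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # ignore denies, inbound traffic and purely internal transfers
        day = rec["ts"].date().isoformat()
        totals[(day, rec["src"], rec["dst"])] += rec["bytes_out"]
    return sorted((day, src, dst, total)
                  for (day, src, dst), total in totals.items() if total >= threshold_bytes)


def summarize_by_host(hits: list[tuple]) -> dict:
    """Collapse per-flow hits into one escalation record per internal host, so that
    hundreds of alerts become a short list of systems to examine."""
    by_host = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": set()})
    for _day, src, dst, total in hits:
        by_host[src]["flows"] += 1
        by_host[src]["bytes"] += total
        by_host[src]["destinations"].add(dst)
    return {src: {"flows": v["flows"], "bytes": v["bytes"], "destinations": sorted(v["destinations"])}
            for src, v in by_host.items()}


def prior_denies_from(log_text: str, hits: list[tuple]) -> dict[str, list[str]]:
    """For each external destination in hits, list earlier denied inbound attempts from
    that same address: a context clue that raises the priority of the outbound flow."""
    flagged = {dst for _day, _src, dst, _total in hits}
    denies = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["action"] == "deny" and rec["src"] in flagged and is_internal(rec["dst"]):
            denies[rec["src"]].append(rec["ts"].isoformat())
    return dict(denies)


if __name__ == "__main__":
    hits = find_large_outbound(SAMPLE_LOG)
    for hit in hits:
        print("large outbound transfer:", hit)
    print("per host:", summarize_by_host(hits))
    print("earlier denies from flagged destinations:", prior_denies_from(SAMPLE_LOG, hits))
```

The threshold and the one-day window are deliberate tuning knobs: the two mid-size transfers from the third host fall below the default 500 MB but show up when the threshold is lowered, which is the trade-off between noise and coverage an analyst has to make explicitly rather than by letting alerts pile up unread.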

The state plans to choose a vendor to modernize the RIBridges system, but it is likely to take between 18 and 24 months to roll out the new system. In the meantime, Deloitte will continue to manage the RIBridges system. The state is also planning on increasing the size of its IT workforce and has requested the budget for an additional 15 hires, including an RIBridges Technical Lead.

February 5, 2025: Deloitte to Pay $5 Million to Rhode Island to Cover Ransomware Attack Expenses

Rhode Island Governor Dan McKee has announced that Deloitte has agreed to pay $5 million to the state of Rhode Island to cover expenses incurred as a result of a December 2024 ransomware attack. The ransomware attack caused a prolonged outage of the state’s RI Bridges system, which is used to manage eligibility for public benefits, including programs such as Medicaid, SNAP, HealthSource RI, and RI Works.

The cyberattack was detected on December 5, 2024, and resulted in the prolonged outage of the RI Bridges system. The personal information of more than 650,000 Rhode Islanders was stolen in the attack, and the data was added to the ransomware group’s data leak site when the ransom was not paid. Information stolen and published included names, contact information, employment details, and Social Security numbers.

For around 2 months, the outage of the RI Bridges system prevented approximately 2,000 Rhode Islanders from enrolling in state-paid healthcare coverage by Blue Cross & Blue Shield and Neighborhood Health. Lindsay Musser Hough, Principal at Deloitte Consulting, said the commitment to pay $5 million to the state was not an admission of wrongdoing or fault and is being provided “in the spirit of supporting the state and its constituents in their response to the bad actor’s cyberattack.” Announcing the payment, Governor McKee said, “Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support.”

Deloitte has also paid for credit monitoring and identity theft protection services for the 650,000+ individuals who had their data stolen in the ransomware attack, and is also covering the cost of the data breach call center.

January 13, 2025: Rhode Island Starts Notifying Individuals Affected by RI Bridges Ransomware Attack

Rhode Island Governor Dan McKee has confirmed that on January 10, 2025, individual notification letters started to be mailed to the individuals whose personal data was stolen in the December 2024 ransomware attack on the RI Bridges system. Individuals affected by the incident have been offered 5 years of complimentary credit monitoring services through Experian and are being encouraged to take advantage of those services as soon as possible. The deadline for signing up for those free services is April 30, 2025.

The notification letters provide instructions for signing up for the credit monitoring services, including a required activation code. State residents can sign up for the credit monitoring services online or over the phone (833-918-6603). The phone lines are manned Monday through Friday from 9 a.m. to 9 p.m., and on weekends from 11 a.m. to 8 p.m.

The data breach is still being investigated by Deloitte and more individuals may have been affected than the initial review suggests. In such cases, notification letters will be promptly sent to those individuals. “We understand the concerns this breach has caused for our residents,” said Governor McKee. “We appreciate everyone’s patience as these letters are delivered.” State officials are confident that the source of the intrusion has been identified and steps have been taken to ensure the RI Bridges systems can be safely restored. The first phase of that process has been completed and the second phase is underway to restore the public-facing part of the system, which is expected to be brought back online in mid-January.

The state has yet to confirm exactly how many individuals have been affected but has previously indicated approximately 650,000 state residents had their personal data exposed or stolen in the ransomware attack.

December 31, 2025: Ransomware Group Behind RI Bridges Attack Starts Leaking Stolen Data

The ransomware group (Brain Cipher) behind the cyberattack on Rhode Island’s online health and human services platform has started to leak stolen files on the dark web, according to State Governor Daniel McKee. Deloitte has been monitoring the dark web and informed the state Attorney General about the data leak.

The Brain Cipher group promised to leak the stolen data if the ransom was not paid, and the data leak indicates the ransom has not been paid. Brain Cipher allegedly demanded a ransom payment of $23 million in cryptocurrency to prevent the stolen data from being leaked. “This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information,” said AG McKee.

McKee said Deloitte is investigating and reviewing the impacted files to determine which individuals have been affected and is also looking to analyze the leaked data; however, the analysis of the leaked data has not yet been completed. The HIPAA Journal has been periodically monitoring the Brain Cipher dark web data leak site to determine if data has been released. The site has been largely inaccessible, which will limit the potential for unauthorized individuals to obtain the leaked data.

Dissent from databreaches.net reached out to the Brain Cipher group after receiving no response from Deloitte. The group confirmed they were behind the attack and provided a preview of the data they would be leaking, and said they have been experiencing a DDoS attack on their data leak site, indicating someone is trying to prevent the group from leaking the data. The identity of the third party or third parties is unknown.

December 27, 2024: Rhode Island Ransomware Attack May Affect Half of State Residents

The cyberattack that forced the shutdown of Rhode Island’s public benefits system (RI Bridges) has potentially exposed the personal data of more than half of the population of the state – approximately 650,000 individuals, according to state Governor Daniel McKee.

McKee said conversations between Deloitte and the Brain Cipher group are ongoing, he is being kept informed of any progress, and no sensitive data appears to have been publicly released so far. He did not provide any information about how much the attackers are demanding to prevent the release of the stolen data, or if there is any intention to pay the ransom. Deloitte is working on restoring the crippled RI Bridges system as soon as possible, although it is not expected to be brought back online until some point in January.

December 17, 2024: Brain Cipher Group Claims Responsibility for Rhode Island Ransomware Attack

The Brain Cipher ransomware group has claimed responsibility for the Rhode Island RI Bridges ransomware attack and is threatening to publish the stolen data if the ransom demand is not paid. Brain Cipher is a relatively new ransomware operation that first appeared in June 2024. The group has already conducted some major attacks, including an attack on the National Data Center in Indonesia, which disrupted operations at more than 200 government agencies and saw the group demand an $8 million ransom payment. The group engages in double extortion and maintains a data leak site where stolen data is published if the ransom is not paid.

Countdown clock on the Brain Cipher data leak site

Brain Cipher claimed responsibility for a ransomware attack earlier this month and added Deloitte to its data leak site. Deloitte has issued a statement confirming that only the RI Bridges system was affected by the ransomware attack. The Deloitte listing on the Brain Cipher data leak site has a countdown clock that indicated the data leak would occur on December 17, 2024, if the ransom was not paid; however, on December 19, 2024, the countdown clock was still ticking down and showed 13 hours remaining, after having been reset. The ransomware group appears to still be holding out for a ransom payment.

On December 16, 2024, State Governor Daniel McKee issued a public service announcement encouraging all state residents who have used any of the affected systems in the past to take immediate action to protect themselves against identity theft and fraud. The RI Bridges hack will almost certainly lead to attempted data misuse by cyber criminals if the ransomware group releases the stolen data.

December 15, 2024: Hundreds of Thousands of Rhode Island Residents Affected by RI Bridges Data Breach

Hundreds of thousands of Rhode Island residents have had their data stolen in a cyberattack on the state government’s RI Bridges system, an online portal used by state residents to obtain social services and health insurance. Vendor Deloitte identified a potential RI Bridges system breach on December 5, 2024, and after confirming the unauthorized access, the portal was shut down on December 13 as a precaution. Deloitte has been working with state officials, IT experts, and law enforcement to investigate the cyberattack and data breach and limit its impact.

While the cyberattack was not initially described as a ransomware attack, Rhode Island’s Chief Digital Officer, Brian Tardiff, confirmed that a threat actor had installed malware and issued a ransom demand, payment of which was required to prevent the publication of the stolen data. It has yet to be confirmed how many individuals have been affected or the exact types of data stolen in the attack. Deloitte said it is still evaluating the data theft incident and said it is likely that information such as names, addresses, dates of birth, Social Security numbers, and potentially bank account information was involved.

Any individuals who applied for or received benefits or health insurance through the RI Bridges system may have been affected. The programs and benefits managed through the RI Bridges system include, but are not limited to:

  • Medicaid
  • Supplemental Nutrition Assistance Program (SNAP)
  • Temporary Assistance for Needy Families (TANF)
  • Child Care Assistance Program (CCAP)
  • Health insurance purchased through HealthSource RI
  • Rhode Island Works (RIW)
  • Long-Term Services and Supports (LTSS)
  • General Public Assistance (GPA) Program

Rhode Island Governor Daniel McKee confirmed on Friday that the number of Rhode Islanders potentially affected was in the hundreds of thousands. Individual notifications will be mailed to all individuals affected by the Rhode Island data breach when the data breach investigation is concluded. Due to the sensitivity of the data stolen in the ransomware attack, anyone who applied for or obtained benefits or health insurance through any of the above programs should be vigilant against identity theft and fraud, monitor their accounts closely, and take advantage of any available free credit monitoring services. They have also been advised to consider placing a credit freeze or fraud alert with one of the three main credit bureaus and to change any common or reused passwords. State officials have not detected any misuse of the impacted data so far. The hackers are still holding out for a ransom payment and are likely to release the stolen data in the coming week if the ransom is not paid. The state has set up a helpline for state residents to find out more about the Rhode Island data breach. The helpline – 833-918-6603 – will be staffed Mondays through Fridays from 9 a.m. to 9 p.m.

The post Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack appeared first on The HIPAA Journal.

CISA Launches Initiative to Improve Critical Infrastructure Resilience During Geopolitical Conflicts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced a new initiative aimed at improving critical infrastructure cyber resilience during geopolitical conflicts, and is urging critical infrastructure operators to improve their defenses against disruptive and destructive cyberattacks through proactive isolation and recovery planning. CISA warns that adversaries have already embedded themselves in critical systems and are positioning themselves to cripple operational technology in the event of a wider geopolitical conflict.

During geopolitical conflicts, critical infrastructure entities face an increased risk of cyberattacks, where nation-state actors may attempt to disrupt and destroy the operational technology running the United States. Attacks may target healthcare providers to disrupt patient care, telecommunications infrastructure to damage phone and internet services, food production facilities, and energy and wastewater entities. At all times, critical infrastructure entities must continue to deliver crucial services to Americans. They must therefore isolate vital systems from harm, continue operating them in an isolated state, and be able to rapidly recover any systems that are successfully compromised.

The initiative, dubbed CI Fortify, is aimed at boosting public health and safety, critical defense infrastructure, national security, and ensuring the continuity of the economy. CISA explains that critical infrastructure operators must assume that, in the event of a conflict scenario, third-party connections such as telecommunications, vendors, service providers, upstream dependencies, and the internet are likely to be unreliable, and threat actors will have access to certain parts of the operational technology network.

Operators must plan for such scenarios and improve resilience through isolation and incident recovery practices. Isolation involves proactively disconnecting operational technology systems from third-party business networks to prevent operational technology cyber impacts and sustain essential operations in a degraded communications environment. Processes need to continue to ensure service delivery in the event of an incident, rather than being forced to completely shut down.

Critical infrastructure operators should identify critical customers and set a service delivery target based on their needs, determine vital operational technology and supporting infrastructure to meet their targets in isolation, and update business continuity plans and engineering processes to ensure safe operations while isolated, which could be weeks or even months. They should track CISA and Sector Risk Management Agency (SRMA) guidance to know when to isolate. For healthcare and public health organizations, the Department of Health and Human Services is the designated Sector Risk Management Agency (SRMA), with those duties handled by the Administration for Strategic Preparedness through the Office of Critical Infrastructure Protection.

For recovery, it is essential to ensure that systems are documented, critical files are backed up, and procedures are practiced for replacing critical systems and transitioning to manual processes in the event of systems or components being rendered inoperable. It is also vital to address communications dependencies for recovery, such as licensing servers or business network connections. “Regardless of the source for any disruption, these emergency planning efforts will leave operators with more resilient infrastructure that is easier to defend and keep running,” explained CISA. CISA has set up a webpage with further information and resources to help critical infrastructure entities isolate systems and enable recovery.

This week, the Joint Commission and AHA announced a new Cyber Resilience Readiness Program for hospitals and health systems to ensure they can sustain clinical operations during cyberattacks that disrupt critical information technology systems. The program dovetails with CISA’s CI Fortify initiative, according to John Riggi, AHA national advisor for cybersecurity and risk.

The post CISA Launches Initiative to Improve Critical Infrastructure Resilience During Geopolitical Conflicts appeared first on The HIPAA Journal.

Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers

Healthcare organizations are exposing a vast amount of patient data by failing to implement even basic security measures for DICOM servers, according to a recent Trend Micro TrendAI analysis. TrendAI identified thousands of internet-facing DICOM servers belonging to hundreds of entities. The lack of security protections puts patient privacy at risk and gives hackers the opening they need for lateral movement and ransomware attacks.

Medical images generated from X-rays, MRI, CT, and ultrasound scans are captured, stored, processed, transmitted, and viewed using the Digital Imaging and Communications in Medicine (DICOM) standard. Work on a standard for communicating medical imaging information started in the early 80s and culminated in the DICOM standard. DICOM defines a file format for medical images and a network protocol for communicating those images between different devices and systems, including equipment such as scanners, workstations, and printers, software, network hardware, and Picture Archiving and Communication Systems (PACS). DICOM enables interoperability across devices and systems, regardless of manufacturer.

DICOM files contain medical imaging data; however, the metadata includes a substantial volume of protected health information, such as full names, dates of birth, and medical record numbers, and sometimes other sensitive data such as Social Security numbers and other patient identifiers. The metadata may also include information such as the referring physician’s name, the reading radiologist, why the test was ordered, diagnosis codes, and procedure information, while the images themselves can reveal sensitive health conditions.

The purpose of the DICOM standard is to allow easy viewing, storage, exchange, and transmission of medical images; however, there are also security features to protect against unauthorized access. The problem is that those security features are not being fully utilized, and in many cases, are not being used at all. Using Shodan.io scanning data, the TrendAI team identified 3,627 DICOM medical imaging servers in more than 100 countries that were directly accessible via the public internet, the largest percentage of which (33%) were in the United States (1,189 servers). While the exposed servers were often PACS or workstations, the TrendAI team points out that they often serve as gateways to medical imaging modalities such as MRI systems, X-Ray equipment, CT and PET-CT scanners, and mammography units. While the analysis did not identify any of those medical devices, it is reasonable to assume that the exposed servers communicate with those devices.

The analysis was conducted using Shodan scanning data from November to December 2025, which revealed that many DICOM servers have minimal or no security controls. TrendAI found that only 0.14% of exposed DICOM servers use TLS encryption, which prevents eavesdropping and man-in-the-middle attacks. DICOM servers should only accept connections from known, trusted sources; however, 99.56% of exposed servers accepted connections without AE Title validation, suggesting AE Title validation was not being enforced. Across the exposed servers, 334 organizations could be identified. They included 231 healthcare organizations such as hospitals, clinics, laboratories, and imaging and radiology centers.
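The figure above that 99.56% of exposed servers accepted associations without AE Title validation is the one control a PACS operator can enforce in software even before the network is isolated. As an added example, not code from the article, TrendAI, or any DICOM product, the block below parses the fixed header of a DICOM A-ASSOCIATE-RQ PDU (PDU type, length, protocol version, then the 16-byte Called and Calling AE Titles, as laid out in DICOM PS3.8) and accepts the association only if the calling/called AE Title pair is on an allowlist and the request comes from the source address registered for that peer. The AE Titles, IP addresses, and the PDU builder used to produce test input are constructed for the example; a real listener would reply with A-ASSOCIATE-RJ on rejection and would also run the connection over TLS.

```python
import struct
from dataclasses import dataclass

# DICOM Application Context Name UID (this value is from the DICOM standard).
DICOM_APP_CONTEXT_UID = b"1.2.840.10008.3.1.1.1"


def _pad_ae(title: str) -> bytes:
    """AE Titles are 1..16 ASCII characters, space-padded on the wire."""
    raw = title.encode("ascii")
    if not raw or len(raw) > 16:
        raise ValueError("AE Title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """Build a minimal A-ASSOCIATE-RQ PDU (constructed test input, not captured traffic)."""
    app_ctx = struct.pack(">BBH", 0x10, 0x00, len(DICOM_APP_CONTEXT_UID)) + DICOM_APP_CONTEXT_UID
    body = (struct.pack(">HH", 1, 0)          # protocol version 1, reserved
            + _pad_ae(called_ae) + _pad_ae(calling_ae)
            + b"\x00" * 32                    # reserved
            + app_ctx)                        # variable items (only the application context here)
    return struct.pack(">BBI", 0x01, 0x00, len(body)) + body


@dataclass(frozen=True)
class AssociateRequest:
    called_ae: str
    calling_ae: str


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Parse the fixed part of an A-ASSOCIATE-RQ; raises ValueError on anything malformed."""
    if len(pdu) < 74:
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ header")
    pdu_type, _reserved, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != 0x01:
        raise ValueError(f"not an A-ASSOCIATE-RQ (PDU type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match payload size")
    (version,) = struct.unpack(">H", pdu[6:8])
    if version & 0x0001 == 0:
        raise ValueError("peer does not support DICOM protocol version 1")
    called = pdu[10:26].decode("ascii", errors="replace").strip()
    calling = pdu[26:42].decode("ascii", errors="replace").strip()
    return AssociateRequest(called_ae=called, calling_ae=calling)


# Hypothetical allowlist: (calling AE, called AE) -> source addresses permitted for that peer.
ALLOWED_PEERS = {
    ("RADWS01", "PACS_MAIN"): {"10.20.0.15"},
    ("MRI_SCANNER", "PACS_MAIN"): {"10.20.1.7"},
}


def evaluate_association(pdu: bytes, source_ip: str, allowed=ALLOWED_PEERS) -> tuple[bool, str]:
    """Decide whether to accept an association request; returns (accept, reason)."""
    try:
        req = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    key = (req.calling_ae, req.called_ae)
    if key not in allowed:
        return False, f"unknown peer {req.calling_ae!r} -> {req.called_ae!r}"
    if source_ip not in allowed[key]:
        return False, f"{req.calling_ae!r} is not permitted from {source_ip}"
    return True, f"accepted {req.calling_ae!r} -> {req.called_ae!r} from {source_ip}"


if __name__ == "__main__":
    for pdu, ip in ((build_associate_rq("PACS_MAIN", "RADWS01"), "10.20.0.15"),
                    (build_associate_rq("PACS_MAIN", "ANYSCU"), "10.20.0.15"),
                    (build_associate_rq("PACS_MAIN", "RADWS01"), "203.0.113.9")):
        print(evaluate_association(pdu, ip))
```

Binding each AE Title to a source address matters because the AE Title itself is a plaintext 16-byte label that any client can send; on its own it identifies the peer but does not authenticate it, which is why the allowlist is a gate and TLS with client certificates is the control that actually proves identity.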

The best practice is to ensure that DICOM servers are on isolated networks with firewalls restricting access; however, the fact that 3,627 servers were exposed to the internet shows that even this basic security control is not being implemented. Further, an analysis of software versions found that many had significant patch deficiencies, including unpatched critical vulnerabilities such as CVE-2019-1010228, CVE-2022-2119, CVE-2022-2120, and CVE-2025-0896. The TrendAI team also found that 44% of servers cluster into groups running identical software, which means that one vulnerability can be exploited on hundreds of targets. The scant protections put patient privacy at risk, potentially allowing extensive data theft, image manipulation, lateral movement, and ransomware attacks.

“Security must be treated as a fundamental requirement rather than an optional enhancement. The tools exist; they simply need to be used,” suggests TrendAI. “Healthcare organizations, cloud providers, and DICOM software vendors all share responsibility for addressing this exposure. Until they do, patient data remains at risk, clinical systems remain vulnerable, and the healthcare sector remains an attractive target for malicious actors.”

The post Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers appeared first on The HIPAA Journal.

New Cyber Resilience Readiness Program Developed by Joint Commission; AHA

Joint Commission and the American Hospital Association (AHA) have partnered to create a new Cyber Resilience Readiness program for hospitals and health systems to help them sustain safe clinical operations during cyber-related technology outages.

Hacking and ransomware attacks have skyrocketed in recent years. According to the Federal Bureau of Investigation (FBI), healthcare and public health was the most targeted sector in 2025, experiencing 642 hacking incidents, including 460 ransomware attacks and 182 data breaches. Currently, the HHS’ Office for Civil Rights breach portal shows 765 data breaches affecting 500 or more individuals were reported in 2025, the highest number ever reported in a single year. These incidents often result in prolonged periods of digital darkness, where systems are offline, and healthcare organizations are forced to resort to manual processes for recording patient information. During those periods, hospitals and health systems must ensure continuity of care and maintain patient safety, even without access to critical technologies.

To counter the threat to patient safety and care from cyber incidents, extreme weather events, and other natural disasters, Joint Commission and AHA partnered to create a new Cyber Resilience Readiness (CRR) Program for healthcare organizations. The program was developed in partnership with several healthcare organizations and is a first-of-its-kind program to help hospitals and health systems strengthen their ability to sustain safe clinical operations during technology outages caused by cyber events and natural disasters.

While many cybersecurity approaches are focused on rapidly restoring IT systems, the CRR emphasizes real-world operational readiness and patient safety impacts. The CRR was informed by the lessons learned from actual ransomware attacks and other cyber events that have affected hospitals across the United States. “The goal is to help hospitals and health systems move from awareness to readiness, and from readiness to resilience, ultimately enabling organizations to move beyond assessment to practical, operational improvement,” according to Joint Commission and the AHA.

The CRR program is centered on a structured, free-to-complete self-assessment tool for evaluating the current ability to maintain safe care during technology outages, with a focus on maintaining clinical workflows, operational response, leadership coordination, and staff preparedness. The self-assessment tool familiarizes hospitals and health systems with the questions they need to ask and what they need to prepare for. Should they so wish, their assessments can be submitted for expert review for a fee, and they will receive a set of top-line recommendations on how any identified vulnerabilities can be addressed. Joint Commission also plans to develop a new certification pathway to allow organizations to demonstrate strong clinical continuity and cyber resilience capabilities.

“Digital disruption poses a direct and growing threat to patient safety and clinical care,” said Jonathan B. Perlin, MD, PhD, president and CEO of Joint Commission. “As cyber criminals become increasingly sophisticated, advanced, and creative, so too must our efforts to thwart the risks – but we are not talking about cyberattacks alone. It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents. The new Cyber Resilience Readiness program is designed to help healthcare organizations focus on what matters most: maintaining safe, quality patient care and clinical operations at all times.”

The post New Cyber Resilience Readiness Program Developed by Joint Commission; AHA appeared first on The HIPAA Journal.

Urgent Action Required by MOVEit Automation Users

Progress Software has issued a warning to customers about a critical authentication bypass vulnerability within the MOVEit Automation application. MOVEit Automation is a managed file transfer (MFT) solution that serves as a central automation orchestrator for scheduling and managing file transfers between different systems, including on-premises servers, cloud storage, and third-party partners.

Remotely exploitable vulnerabilities in Internet-facing MFT applications are targeted by threat actors. Certain threat groups such as Cl0p have actively targeted enterprise-grade MFTs, mass exploiting the vulnerabilities in attacks on dozens and, in some cases, thousands of users.

The critical authentication bypass vulnerability, tracked as CVE-2026-4670, has a CVSS v3.1 base score of 9.8 out of 10 and can be exploited by a remote attacker with no privileges in a low-complexity attack. The vulnerability affects MOVEit Automation versions prior to 2025.1.5, 2025.0.9, and 2024.1.8.

A second, high-severity vulnerability has also been identified. The flaw, tracked as CVE-2026-5174, is a privilege escalation vulnerability caused by improper input validation. It has a CVSS v3.1 base score of 8.8 and affects MOVEit Automation versions from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and all versions prior to 2024.0.0. It can be exploited in a low-complexity attack without privileges or user interaction.

Exploitation of these vulnerabilities could give an attacker unauthorized access to the application, administrative control, and the ability to exfiltrate sensitive data. Progress Software has fixed both vulnerabilities in the latest releases, and users are advised to upgrade as soon as possible. Progress Software said the only way to remediate the vulnerabilities is to upgrade to a patched release using the full installer, which means the application must be taken offline to complete the upgrade; a maintenance window should be planned accordingly rather than waiting for a convenient one.

Around 1,440 Internet-connected hosts were running vulnerable MOVEit Automation versions at the time of a Shodan search, some of them operated by state and local government agencies. Given how heavily MFT vulnerabilities are targeted, exploitation is highly likely, although at the time of the announcement Progress Software had not identified any exploitation in the wild. Until the upgrade is applied, limiting the application's exposure to untrusted networks is a sensible interim measure, but it is not a substitute for patching, since the authentication bypass needs no credentials once the service is reachable.

Frequency and Severity of Hacks of Medical Devices Increasing

Healthcare organizations are increasingly concerned about medical device security and for good reason – attacks targeting or impacting medical devices are increasing, and those attacks are negatively impacting patient care. Adoption of AI-enabled and AI-assisted medical devices is increasing, despite serious concerns about the cybersecurity risks associated with the devices, and legacy devices continue to be used past end-of-support, despite those devices containing known and unpatched vulnerabilities.

According to a recent survey by RunSafe Security of 551 healthcare professionals involved in device purchasing decisions in the U.S., UK, and Germany, healthcare organizations are getting better at reducing medical device security risks, although the underlying risks remain significant and in many cases are increasing in severity and impact. 59% of respondents said they are extremely or very concerned about a cybersecurity incident affecting medical devices, and almost one-quarter reported that such an incident has already occurred. Of the respondents who experienced a cyberattack, 80% said it had a moderate or significant impact on patient care, up from 75% last year.

Hackers may not specifically target medical devices, but the devices are often affected by a broader attack on the organization, and the resulting downtime is often significant. The most common outcome was between 5 and 12 hours of downtime (39% of respondents), with 37% reporting between 1 and 4 hours. Downtime can be far longer, however: 11% of respondents reported between 13 and 24 hours, and 5% reported more than 3 days.

The most commonly affected systems were electronic medical records (35% of organizations), patient monitoring devices (23%), lab and diagnostic equipment (1%), networked surgical equipment (10%), and medical imaging systems (8%). The survey also found that threat actors are increasingly exploiting the remote access footprint of connected devices, with 38% of respondents reporting incidents involving remote access exploitation. RunSafe Security warns that organizations that have not implemented network segmentation, access controls, or runtime protections are particularly exposed.

Healthcare organizations continue to use legacy devices that cannot easily be replaced and cannot be patched. 28% of respondents said they operate legacy medical devices that are past end-of-support, and 44% admitted to running end-of-support devices with known, unpatched vulnerabilities. 38% said they have devices they are occasionally or frequently unable to patch, and 42% of legacy device users said between 10% and 25% of those devices run on an unsupported operating system. These devices are spread throughout critical care environments, including general inpatient wards, emergency departments, outpatient and ambulatory settings, intensive care units, and operating rooms and procedure suites. The most common reasons for continued use were no acceptable replacement (38%), budget constraints (36%), regulatory or approval constraints (34%), no vendor upgrade path (24%), and the risk of continued use never having been formally accepted by leadership (17%).

Adoption of AI-enabled and AI-assisted medical devices is growing fast, with 57% of respondents currently using those devices, although 80% of respondents expressed at least a moderate concern about the cybersecurity risks that they introduce, such as model manipulation, data poisoning, and adversarial inputs. According to RunSafe Security, adoption of AI-enabled and AI-assisted medical devices and systems is outpacing confidence in the ability to mitigate cybersecurity risks associated with the devices.

The survey also identified some positives. Healthcare organizations are taking medical device security seriously, with 85% of respondents including basic or detailed cybersecurity requirements in their RFPs, up from 83% last year, and 56% having rejected a device on cybersecurity grounds. Almost all respondents understand the value of a software bill of materials (SBOM), with 81% rating SBOMs as important or essential for medical devices. Regulation is also increasingly influential: 79% said FDA cybersecurity guidance or EU MDR requirements have had a meaningful influence on their procurement processes, up from 73% last year. For end-of-support devices that cannot be replaced, RunSafe Security, itself a vendor of runtime protection, positions runtime exploit protection as a compensating control, and 82% of respondents said they have widely deployed or are piloting it.

While genuine progress has been made in improving medical device security, attacks on medical devices are more frequent than they were twelve months ago, and the impact on patient care when incidents occur has worsened. “The lesson of the past year is not that investment and attention are failing but that the risk is moving at least as fast as the response. Closing that gap will require more than procurement rigor and budget growth. It will require security built into devices before they reach clinical environments, as well as the ability to protect devices already in place that cannot be replaced. That is where the industry’s work remains,” wrote RunSafe Security in the report.

AI Analysis Identifies 38 Flaws in OpenEMR Platform

An automated, AI-driven analysis of the most widely used open source electronic medical records platform uncovered 38 previously unknown vulnerabilities, including two critical flaws with the maximum CVSS severity score of 10.0. The vulnerabilities were identified through a collaboration between AISLE, an autonomous, AI-native application security platform, and OpenEMR, an open source, U.S. government-certified platform, with the aim of identifying and remediating critical vulnerabilities before they could be exploited by malicious actors.

OpenEMR is used by more than 100,000 healthcare providers worldwide, and the platform serves more than 200 million patients globally. OpenEMR is free open source software with no licensing fees and relatively low operating costs, making it a popular choice for under-resourced healthcare providers. The platform is widely used in the United States.

The analysis by AISLE resulted in 39 GitHub Security Advisories (GHSAs) in Q1 2026, covering critical, high, and moderate severity vulnerabilities, 38 of which received CVE designations. The two most serious vulnerabilities could potentially have been exploited to read and rewrite patient and provider data, compromise the full database, and achieve remote code execution on the server, allowing ePHI to be exfiltrated at scale. One of the maximum severity flaws could be exploited by a remote attacker with no authentication against any Internet-reachable OpenEMR instance.

The vulnerabilities identified by AISLE accounted for more than half of all OpenEMR Security vulnerabilities published on GitHub in Q1, 2026. “These disclosures reflect the growing threats that healthcare institutions face in the age of AI,” said Stanislav Fort, co-founder and chief scientist at AISLE. “Because human lives and identities are at stake, few issues are as critical as ensuring that medical codebases are secure. AISLE’s collaboration with OpenEMR shows that AI-driven analysis can help dedicated, lean teams defend vital systems and remain compliant.”

Threat actors are increasingly using AI to analyze code and identify exploitable vulnerabilities, so it is vital for defenders to use AI as well to accelerate the discovery and remediation of vulnerabilities. Through the partnership with AISLE, the OpenEMR maintainers were able to fix the vulnerabilities before they could be exploited, and they have now begun a longer-term partnership with AISLE to secure OpenEMR for years to come.

AISLE generated a repository-native fix proposal for each of the 38 CVEs, using OpenEMR's own abstractions, authorization patterns, and sanitization helpers. AISLE produced the fix for one of the critical vulnerabilities, and for the other critical flaw the OpenEMR maintainers adopted AISLE's proposed remediation into the final fix. The OpenEMR maintainers now have access to AISLE's AI-native AppSec platform, which allows them to automatically detect, triage, and fix software vulnerabilities, so they can focus on hardening defenses without having to hire additional team members. In addition to using the platform to find vulnerabilities in production code, OpenEMR is using the AISLE vulnerability analyzer to catch security issues before they reach production.

Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement

A study of security leaders from the healthcare and manufacturing industries found that while there is an almost universal desire to deploy modern microsegmentation, more than 90% of respondents said they had protected fewer than 80% of critical systems, despite almost half admitting to falling victim to lateral movement attacks in the past year. In healthcare, fewer than 6% of respondents said that their organization had implemented microsegmentation across 80% or more of their critical systems.

Microsegmentation is a cybersecurity technique that divides a network into small, isolated zones around individual workloads, applications, or devices. Traditional network segmentation, such as Virtual Local Area Networks (VLANs), creates broad zones within which hosts can generally communicate freely, whereas microsegmentation applies security policy at the level of the individual workload or application. It gives organizations East-West traffic control within the data center, in addition to the North-South controls that govern traffic entering and leaving the network, and it provides deep visibility into traffic flows, including which applications are communicating with each other. Healthcare organizations can use it to strictly isolate and monitor systems that handle protected health information (PHI), which can simplify HIPAA Security Rule compliance.

Microsegmentation shields internal workloads from any system that has no authorized need to reach them, and can be applied to on-premises and hybrid environments. It reduces the attack surface and greatly limits the scope for lateral movement: if a system is compromised, the attacker is contained within its microsegment, limiting the harm they can do and the data they can reach.
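The difference between VLAN-based zoning and workload-level policy is easiest to see by evaluating the same flows under both models. The script below is an added example, not code from Elisity, Omdia, or any product; the hostnames, VLANs, identity groups, ACL entries, and flow records are all constructed for illustration. Under the VLAN model, hosts in the same VLAN talk freely and inter-VLAN traffic passes if a coarse ACL permits the VLAN pair; under the microsegmentation model, each host carries an identity group and only explicitly allowed group-to-group services pass, with everything else denied by default.

```python
"""East-West policy comparison: VLAN zones versus identity-based microsegmentation.

Added example with constructed data; it is not a vendor's policy engine. It
evaluates the same flows under a traditional VLAN design and under a
default-deny, identity-based allow list to show which lateral moves each
model would have permitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed inventory: host -> (VLAN, identity group).
ASSETS = {
    "ehr-web-01": ("vlan10", "ehr-app"),
    "ehr-db-01": ("vlan10", "ehr-db"),
    "pacs-server-01": ("vlan20", "imaging"),
    "infusion-pump-07": ("vlan20", "iomt-infusion"),
    "nurse-ws-12": ("vlan30", "clinical-workstation"),
}

# Traditional inter-VLAN ACL: (src_vlan, dst_vlan) pairs permitted end to end.
# Coarse by nature: it cannot tell the EHR web tier apart from the database.
VLAN_ACL = {("vlan30", "vlan10"), ("vlan30", "vlan20")}

# Microsegmentation policy: (src_group, dst_group, proto, dport); default deny.
MICROSEG_ALLOW = {
    ("ehr-app", "ehr-db", "tcp", 3306),
    ("clinical-workstation", "ehr-app", "tcp", 443),
    ("clinical-workstation", "imaging", "tcp", 443),
}


def vlan_decision(flow: Flow) -> bool:
    """Same VLAN: unrestricted. Different VLANs: consult the inter-VLAN ACL."""
    src_vlan, _ = ASSETS[flow.src]
    dst_vlan, _ = ASSETS[flow.dst]
    return src_vlan == dst_vlan or (src_vlan, dst_vlan) in VLAN_ACL


def microseg_decision(flow: Flow) -> bool:
    """Allow only explicitly listed group-to-group services; deny everything else."""
    _, src_group = ASSETS[flow.src]
    _, dst_group = ASSETS[flow.dst]
    return (src_group, dst_group, flow.proto, flow.dport) in MICROSEG_ALLOW


def compare(flows: list[Flow]) -> list[tuple[Flow, bool, bool]]:
    """(flow, allowed under VLAN model, allowed under microsegmentation)."""
    return [(f, vlan_decision(f), microseg_decision(f)) for f in flows]


def lateral_movement_gaps(flows: list[Flow]) -> list[Flow]:
    """Flows the VLAN design permits but microsegmentation blocks: the East-West exposure."""
    return [f for f, by_vlan, by_micro in compare(flows) if by_vlan and not by_micro]


# Constructed flows: legitimate traffic plus moves an attacker on a compromised
# nurse workstation, PACS server or infusion pump would attempt.
SAMPLE_FLOWS = [
    Flow("ehr-web-01", "ehr-db-01", "tcp", 3306),           # app tier to DB: legitimate
    Flow("nurse-ws-12", "ehr-web-01", "tcp", 443),          # clinician to EHR web: legitimate
    Flow("nurse-ws-12", "ehr-db-01", "tcp", 3306),          # workstation straight to DB: lateral move
    Flow("pacs-server-01", "infusion-pump-07", "tcp", 22),  # same VLAN, no business need
    Flow("infusion-pump-07", "ehr-db-01", "tcp", 3306),     # pump to DB: lateral move
]


if __name__ == "__main__":
    for f, by_vlan, by_micro in compare(SAMPLE_FLOWS):
        print(f"{f.src:16} -> {f.dst:16} {f.proto}/{f.dport:<5} "
              f"vlan={'allow' if by_vlan else 'deny':5} microseg={'allow' if by_micro else 'deny'}")
    print("East-West exposure under the VLAN design:", len(lateral_movement_gaps(SAMPLE_FLOWS)), "flows")
```

Two of the five flows pass under the VLAN design and are denied by the identity-based policy: the workstation reaching the database directly across a permitted VLAN pair, and the PACS server reaching an infusion pump that happens to share its VLAN. Those are exactly the paths a lateral-movement attack uses, and the point of the allow list is that adding a new clinical device to a segment does not silently grant it reachability to everything else in that segment.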

Omdia conducted the study of 352 healthcare and manufacturing security leaders on behalf of the network segmentation vendor Elisity. 99% of respondents were implementing or planning to implement microsegmentation, and 57% ranked it as their main initiative for preventing lateral movement; however, implementation has been slow. Only 9% had deployed it across 80% or more of critical systems, and just 6% in healthcare. While microsegmentation ranked first among planned priorities, it ranked near the bottom, at 24%, among zero-trust controls currently deployed.

There have been challenges with implementing microsegmentation in the past; however, modern identity-based microsegmentation, as Elisity describes it, is a different beast, requiring no agents, no hardware changes, and no VLAN redesign. Instead, policy is enforced directly on the network switches already in place. “Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches. What’s changed is the architecture. Identity-based microsegmentation lets teams enforce precise policy on the switches they already run, so security becomes an enabler rather than a gate,” said James Winebrenner, CEO of Elisity.

Most organizations still rely on VLANs, ACLs, and agent-based tools, which require constant rework and leave East-West exposure wide open, and progress with implementation has been slow. First-generation tools built around network location rather than identity have slowed real progress to a crawl, as agent-based and firewall-centric designs could not uniformly cover IT, IoT, OT, and IoMT assets. According to Elisity, “These approaches had outdated or unsupported software (56%), high maintenance costs and hardware limitations (50%), and frequent failures or performance issues (43%).”

There have been challenges implementing microsegmentation in healthcare, especially integrating it with SIEM, EDR, and SOAR tooling. Respondents said visiting clinicians (74%) and clinical staff (72%) require the most granular policy attention, given the mix of managed and unmanaged devices moving through clinical environments. Many respondents were unaware of how quickly modern identity-based solutions can be deployed. Only 22% had hands-on experience implementing microsegmentation, and most teams were still running legacy methods.

There is a clear desire to implement microsegmentation, and awareness of modern-identity-based microsegmentation is improving. “Our data shows the shift is on. Enterprises intend to deploy microsegmentation, and many now see modern solutions as easier and more effective,” said Hollie Hennessy, Principal Analyst, Omdia, who points out that with modern solutions, the timeline for implementation has shortened from years to weeks.

Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors

At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President George W. Bush on September 23, 2001, in the wake of the 9/11 attacks. Its purpose was to disrupt the financial support networks of terrorists and terrorist organizations by authorizing the U.S. government to designate, and block the assets of, foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

If ransomware attacks on hospitals and other critical infrastructure entities were designated as acts of terrorism, they would be classed as national security threats, and the government would have a much broader range of tools at its disposal than it has today, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic action against countries, such as Russia, that harbor ransomware actors. Kaiser further argued that when a ransomware attack results in the death of a patient, the government should be able to pursue murder or manslaughter charges, which could act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”
