Healthcare Cybersecurity

AI Analysis Identifies 38 Flaws in OpenEMR Platform

An automated, AI-driven analysis of the most widely used electronic medical records platform uncovered 38 previously unknown vulnerabilities, including two critical flaws with maximum CVSS severity scores of 10.0. The vulnerabilities were identified as part of a collaboration between AISLE, an autonomous, AI-native application security platform, and OpenEMR, an open source and U.S. government-certified platform, the purpose of which was to identify and remediate critical vulnerabilities in the platform before they could be exploited by malicious actors.

OpenEMR is used by more than 100,000 healthcare providers worldwide, and the platform serves more than 200 million patients globally. OpenEMR is free open source software with no licensing fees and relatively low operating costs, making it a popular choice for under-resourced healthcare providers. The platform is widely used in the United States.

The analysis by AISLE resulted in 39 GitHub Security Advisories (GHSAs) in Q1 2026, spanning critical, high, and moderate severity, with 38 of the 39 receiving CVE designations. The two most serious vulnerabilities could potentially have been exploited to read and rewrite patient and provider data, compromise the full database, and achieve remote code execution on the server, allowing ePHI to be exfiltrated at scale. One of the maximum severity flaws could be exploited by a remote attacker without authentication on any Internet-reachable OpenEMR instance.

The vulnerabilities identified by AISLE accounted for more than half of all OpenEMR security advisories published on GitHub in Q1 2026. “These disclosures reflect the growing threats that healthcare institutions face in the age of AI,” said Stanislav Fort, co-founder and chief scientist at AISLE. “Because human lives and identities are at stake, few issues are as critical as ensuring that medical codebases are secure. AISLE’s collaboration with OpenEMR shows that AI-driven analysis can help dedicated, lean teams defend vital systems and remain compliant.”

Threat actors are increasingly using AI to analyze code and identify exploitable vulnerabilities, so it is vital that defenders also use AI to accelerate the discovery and remediation of vulnerabilities. Through the partnership with AISLE, the OpenEMR maintainers were able to fix the vulnerabilities before they could be exploited, and have now begun a longer-term partnership with AISLE to secure OpenEMR.

AISLE generated a repository-native fix proposal, using OpenEMR’s own abstractions, authorization patterns, and sanitization helpers, for each of the 38 CVEs. For one of the critical vulnerabilities, AISLE produced the fix itself; for other critical flaws, the OpenEMR maintainers adopted AISLE’s proposed remediation into the final fix. The OpenEMR maintainers now have access to AISLE’s AI-native AppSec platform, which allows them to automatically detect, triage, and fix software vulnerabilities, so the project can focus on hardening defenses without having to take on additional team members. In addition to using the platform to identify vulnerabilities in production code, OpenEMR is using the AISLE vulnerability analyzer to catch security issues before they reach production.

The post AI Analysis Identifies 38 Flaws in OpenEMR Platform appeared first on The HIPAA Journal.

Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement

A study of security leaders from the healthcare and manufacturing industries found that while there is an almost universal desire to deploy modern microsegmentation, more than 90% of respondents had extended it to fewer than 80% of their critical systems, despite almost half admitting to falling victim to lateral movement attacks in the past year. In healthcare, only 6% of respondents said their organization had implemented microsegmentation across 80% or more of critical systems.

Microsegmentation is a cybersecurity technique that divides networks into small, distinct, and isolated zones to secure workloads, applications, or devices. Traditional network segmentation, such as Virtual Local Area Networks (VLANs), creates broad segmented zones, whereas microsegmentation applies security policies at the individual workload or application level. Microsegmentation allows organizations to control East-West traffic (between systems inside the data center or network), rather than only North-South traffic (entering or leaving the network). It provides deep visibility into network traffic flows, including which applications are communicating with each other. Healthcare organizations can enforce strict isolation and monitoring of systems that handle sensitive data such as protected health information (PHI), which can simplify HIPAA Security Rule compliance.

Microsegmentation shields internal workloads from applications and devices that have no authorized need to reach them, and can be applied to on-premises and hybrid environments. It reduces the attack surface and greatly limits the potential for lateral movement. In the event of compromise, attackers are contained within a microsegment, limiting the harm they can cause and the data they can access.

The study was conducted on 352 healthcare and manufacturing security leaders by Omdia, on behalf of the network segmentation specialists Elisity. The survey revealed that 99% of respondents were implementing or planning to implement microsegmentation, with 57% of respondents ranking microsegmentation as their main initiative to prevent lateral movement; however, they were slow to fully implement it. Only 9% of respondents had implemented it across 80% or more of critical systems, and just 6% in healthcare. While microsegmentation ranked first among planned priorities, it ranked close to the bottom (24%) among currently deployed zero-trust architectures.

There have been challenges with implementing microsegmentation in the past; however, modern identity-based microsegmentation is a different proposition, as it requires no agents, no hardware changes, and no VLAN reconfiguration. Instead, policy is enforced directly on the network switches already in place. “Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches. What’s changed is the architecture. Identity-based microsegmentation lets teams enforce precise policy on the switches they already run, so security becomes an enabler rather than a gate,” James Winebrenner, CEO, Elisity, said.
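As an added illustration that is not part of the original article and not Elisity's or Omdia's code: the Python below evaluates constructed flow records under a location-based rule set (VLAN-style, subnet to subnet, any port) and under an identity-based, default-deny allow list keyed on device identity groups. The inventory, the policy, the port numbers and the log lines are all invented for this example. Flows the VLAN model permits but the identity policy denies are exactly the East-West paths an attacker can use for lateral movement; the fourth record shows the same workstation keeping the same policy after it turns up on a different subnet, which is the point of keying on identity rather than location.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed device inventory for this example (not a real network): IP -> (device name, identity group).
# Identity is what the policy keys on; the subnet a device happens to be seen on is incidental.
INVENTORY = {
    "10.10.20.11": ("ct-scanner-01", "imaging-modality"),
    "10.10.20.50": ("ws-nurse-17", "clinical-workstation"),
    "10.10.60.23": ("ws-nurse-17", "clinical-workstation"),  # same workstation, seen on another floor
    "10.10.30.5": ("pacs-01", "pacs-server"),
    "10.10.40.7": ("ehr-app-01", "ehr-app"),
    "10.10.40.8": ("ehr-db-01", "ehr-db"),
}

# VLAN-style segmentation: a subnet pair is allowed on any protocol and any port.
VLAN_RULES = [
    (ip_network("10.10.20.0/24"), ip_network("10.10.30.0/24")),  # clinical floor -> imaging servers
    (ip_network("10.10.20.0/24"), ip_network("10.10.40.0/24")),  # clinical floor -> EHR tier
    (ip_network("10.10.40.0/24"), ip_network("10.10.40.0/24")),  # EHR tier internal
]

# Identity-based microsegmentation: explicit allow list on (src group, dst group, proto, port); default deny.
IDENTITY_POLICY = {
    ("imaging-modality", "pacs-server", "tcp", 104),      # DICOM C-STORE
    ("imaging-modality", "pacs-server", "tcp", 11112),    # DICOM, registered port
    ("clinical-workstation", "pacs-server", "tcp", 443),  # web image viewer
    ("clinical-workstation", "ehr-app", "tcp", 443),
    ("ehr-app", "ehr-db", "tcp", 3306),
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line):
    """Extract (src, dst, proto, dport) from one key=value flow record; None if unparseable."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.lower(), int(dport)


def vlan_decision(src, dst):
    """Coarse, location-based: allowed if any subnet-pair rule matches, whatever the port."""
    s, d = ip_address(src), ip_address(dst)
    return "allow" if any(s in a and d in b for a, b in VLAN_RULES) else "deny"


def identity_decision(src, dst, proto, dport):
    """Fine-grained: both endpoints must be known and the group/port tuple explicitly allowed."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "deny", "unknown endpoint identity"
    key = (s[1], d[1], proto, dport)
    if key in IDENTITY_POLICY:
        return "allow", "%s -> %s %s/%d" % key
    return "deny", "no allow rule for %s -> %s %s/%d" % key


def audit(lines):
    """Evaluate every flow under both models and record the two decisions side by side."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        ident, reason = identity_decision(src, dst, proto, dport)
        results.append({"flow": flow, "vlan": vlan_decision(src, dst), "identity": ident, "reason": reason})
    return results


def lateral_movement_candidates(results):
    """Flows the VLAN model lets through but identity policy blocks: the East-West paths attackers use."""
    return [r for r in results if r["vlan"] == "allow" and r["identity"] == "deny"]


# Constructed flow records (not from a real system).
SAMPLE_FLOWS = [
    "2026-03-30T10:02:11Z src=10.10.20.11 dst=10.10.30.5 proto=tcp dport=104",   # modality -> PACS
    "2026-03-30T10:02:15Z src=10.10.20.50 dst=10.10.30.5 proto=tcp dport=445",   # workstation -> PACS over SMB
    "2026-03-30T10:02:19Z src=10.10.20.50 dst=10.10.40.8 proto=tcp dport=3306",  # workstation straight to EHR DB
    "2026-03-30T10:03:01Z src=10.10.60.23 dst=10.10.40.7 proto=tcp dport=443",   # same workstation, new subnet
    "2026-03-30T10:03:40Z src=10.10.99.9 dst=10.10.30.5 proto=tcp dport=22",     # unknown device -> PACS
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(r["flow"], "vlan=%s identity=%s (%s)" % (r["vlan"], r["identity"], r["reason"]))
```

Run against the sample records, the SMB and MySQL flows from the nurse workstation are allowed by the subnet rules and denied by the identity policy, while the workstation's HTTPS session to the EHR application is still allowed after it moves to the 10.10.60.0/24 subnet, where no VLAN rule exists at all.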

Most organizations still rely on VLANs, ACLs, and agent-based tools, which require constant rework and leave East-West exposure wide open, and progress with implementation has been slow. First-generation tools built around network location rather than identity have slowed real progress to a crawl, as agent-based and firewall-centric designs couldn’t uniformly cover IT, IoT, OT, or IoMT. According to Elisity, “These approaches had outdated or unsupported software (56%), high maintenance costs and hardware limitations (50%), and frequent failures or performance issues (43%).”

There have been challenges implementing microsegmentation in healthcare, especially with integrating SIEM, EDR, and SOAR. Respondents said visiting clinicians (74%) and clinical staff (72%) require the most granular policy attention, given the mix of managed and unmanaged devices moving through clinical environments. Many respondents were unaware of how easily and quickly modern identity-based solutions can be deployed. Only 22% of respondents had hands-on experience with implementing microsegmentation, and most teams were still running legacy methods.

There is a clear desire to implement microsegmentation, and awareness of modern identity-based microsegmentation is improving. “Our data shows the shift is on. Enterprises intend to deploy microsegmentation, and many now see modern solutions as easier and more effective,” said Hollie Hennessy, Principal Analyst, Omdia, who points out that with modern solutions, the timeline for implementation has shortened from years to weeks.


Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors

At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President George W. Bush on September 23, 2001, following the 9/11 attacks. The purpose of the Executive Order was to disrupt the financial support network for terrorists and terrorist organizations, authorizing the U.S. government to designate and block the assets of foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

By designating ransomware attacks on hospitals and other critical infrastructure entities as an act of terrorism, attacks would be classed as national security threats, and the government would have a much broader range of tools at its disposal than are currently available, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic actions against countries – such as Russia – for harboring ransomware actors. Further, Kaiser argued that in the event of a ransomware attack resulting in the death of a patient, the government should be able to pursue murder or manslaughter charges, which may act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”


HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has issued a guidance document for healthcare organizations on managing third-party AI and AI-related supply chain risks. Healthcare organizations are increasingly reliant on AI-powered third-party tools and services, such as natural language processing engines embedded in electronic health records and AI-powered remote monitoring devices. These products provide critical functions for healthcare organizations, yet they introduce complex cybersecurity challenges that traditional risk management tools and models struggle to address.

Managing risk can be difficult, as AI tools are provided by third-party vendors whose security postures, governance practices, and model integrity are difficult to verify. Further, healthcare organizations often lack visibility into the full scope of the AI components incorporated into third-party products and services, which are often sourced through layered supply chains, including subcontractors, offshore development, and open source assets, explain HSCC co-leads Ed Gaudet, Censinet, and Samantha Jacques, McLaren Health.

The HSCC Cybersecurity Working Group developed the 109-page guide – Health Industry Third Party AI Risk and Supply Chain Transparency Guide – to help healthcare organizations understand and manage third-party AI supply chain risks. The guide draws from established cybersecurity frameworks such as the NIST AI Risk Management Framework and the joint HSCC-HHS Health Industry Cybersecurity Practices (HICP), and adapts cybersecurity best practices to reflect the modern realities of AI supply chains in healthcare. The guide has been developed to meet the needs of organizations of all sizes, regardless of their level of AI adoption. The guide can be followed in its entirety, or organizations can adopt the parts that work for their organization. The guide will help them to define accountability expectations and drive performance standards across their extended AI ecosystem.

The guide provides risk managers, compliance teams, and procurement officers with scalable tools to identify and manage AI-specific risks such as hidden dependencies and cascading failure points, and address the growing gaps in discovery and disclosure processes that make AI supply chain risk so challenging to manage. HSCC encourages healthcare organizations to distribute the guidance to senior business and technical leaders and their teams, recommending that they incorporate the best practices in the guide and evaluate their own third-party and supply chain risk management practices against the best practices outlined in the document. In addition to the guide, HSCC has published a living AI Cyber Glossary reference document for establishing consistent governance-ready definitions for artificial intelligence terminology for the healthcare sector. The AI Cyber Glossary is intended to serve as the terminological foundation for all current and future HSCC AI Task Group guidance materials.


2025 Losses to Cybercrime Exceeded $20 Billion

In 2025, another unwanted record was set for losses to cybercrime, with almost $21 billion in reported losses, 26% above the previous record of $16.6 billion set in 2024, according to the Federal Bureau of Investigation (FBI) Internet Crime Report 2025. The report was compiled from complaints filed with the FBI’s Internet Crime Complaint Center (IC3), which topped 1 million for the first time, up from 859,000 complaints in 2024. This is the 25th year that the FBI has released its annual report; complaint volume has grown from a few thousand per month in the early years to an average of almost 3,000 per day in 2025.

The increase in losses was largely driven by an increase in losses to investment fraud ($8,648,617,756), which was the largest cause of losses in 2025, followed by business email compromise – BEC – ($3,046,598,558) and tech support scams ($2,134,675,818).

Source: FBI Internet Crime Report 2025

In terms of complaint volume, phishing topped the list (191,561 complaints), followed by extortion (89,129 complaints), investment fraud (72,984 complaints), and personal data breaches (67,456), with non-payment/non-delivery rounding out the top 5 (56,478 complaints). Cyber-enabled fraud was present in 453,000 complaints, accounting for $17.7 billion in total losses. In 2025, 181,565 complaints related to cryptocurrency, and 22,364 related to AI-related incidents, with the latter involving $893 million in losses.

IC3 received 3,611 complaints related to ransomware, resulting in more than $32 million in losses. Those losses do not include losses due to business disruptions, equipment, or third-party remediation costs. Ransomware attacks were among the top cyber threats reported by critical infrastructure entities. The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. Across all 16 critical infrastructure sectors, the healthcare and public health sector experienced the highest number of cyber threats, including 182 data breaches and 460 ransomware attacks, ahead of critical manufacturing, financial services, information technology, and the government.

The FBI said it has stepped up its efforts to prevent cybercrime, including blocking attacks, notifying victims, and freezing stolen funds. In January, the FBI launched Operation Winter Shield, which set out some of the most important steps that businesses can take to improve their defenses and block cyberattacks. The FBI also launched Operation Level Up, a proactive approach to identifying and alerting victims of cryptocurrency investment fraud; of the 3,780 victims the agency notified last year, 78% were unaware that they were being scammed. Last year, the FBI also initiated approximately 3,900 Financial Fraud Kill Chain (FFKC) interventions and blocked a significant number of fraudulent transactions, freezing more than $679 million in fraudulent transfers, a 58% success rate overall and a 65% success rate for FFKC actions in healthcare.


Critical Flaws Identified in Progress Software ShareFile Service

Two critical vulnerabilities have been identified in Progress Software’s ShareFile service. The flaws could potentially be chained by an unauthenticated remote attacker to make configuration changes and achieve remote code execution.

While there have been no known cases of the vulnerabilities being exploited in the wild to date, vulnerabilities in file sharing software are actively targeted by threat actors, so attempted exploitation is likely. In 2023, a zero-day vulnerability in Progress Software’s MOVEit file transfer software was mass exploited by the Clop ransomware group, which claimed hundreds of victims worldwide. To a lesser extent, vulnerabilities in Fortra’s GoAnywhere, Accellion FTA, and Cleo MFT were also mass exploited. Users are therefore encouraged to apply the security updates promptly to prevent exploitation.

The vulnerabilities affect customer-managed ShareFile Storage Zones Controller v5 deployments and consist of an authentication bypass flaw tracked as CVE-2026-2699 and a remote code execution flaw tracked as CVE-2026-2701.

According to Progress Software’s security alert, “These vulnerabilities allow an unauthenticated remote attacker to access on-prem storage zones controller’s configuration pages, potentially leading to changes in system configuration and remote code execution.” The authentication bypass flaw has a CVSS v3.1 base score of 9.8, and the RCE flaw has a CVSS base score of 9.1.

The vulnerabilities affect all v5 versions up to and including 5.12.3 and have been patched in version 5.12.4. The vulnerabilities do not exist in any v6 versions, and Progress Software strongly recommends upgrading to a patched v6 version as soon as possible to prevent exploitation. Users of unsupported versions should ensure they upgrade to a supported and fixed version as soon as possible.

The vulnerabilities were identified by security researchers Sonny and Piotr Bazydlo of watchTowr, who reported them to Progress Software. According to Shadowserver, there are 334 unique IPs associated with ShareFile in the United States.


Urgent Action Required to Fix Actively Exploited Critical Citrix NetScaler Vulnerability

Cybersecurity researchers warn that there could potentially be mass exploitation of a critical flaw in Citrix NetScaler products on a scale similar to the CitrixBleed vulnerability in 2023, which was exploited by ransomware groups. Earlier this week, Citrix disclosed a critical vulnerability affecting its NetScaler ADC and NetScaler Gateway application-delivery products. The vulnerability is an input validation flaw that could allow an attacker to leak sensitive information.

The vulnerability occurs in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML identity provider (IdP), and leads to a memory over-read. It is tracked as CVE-2026-3055 and has a CVSS v4 severity score of 9.3. The following NetScaler versions are affected, but only when the appliance is configured as a SAML IdP:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

Citrix has released updated software versions to fix the vulnerability, and all customers are advised to prioritize remediation of this vulnerability due to the high risk of exploitation. NetScaler devices are constantly targeted by threat actors, and the vulnerability is certain to be targeted when a proof-of-concept exploit is released.
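As an added practitioner check that is not Citrix's code or tooling: the Python below parses NetScaler build strings, compares them against the minimum fixed builds listed above for CVE-2026-3055, and inspects an ns.conf fragment for the SAML IdP role that is the precondition for exposure. The `add authentication samlIdPProfile` / `samlIdPPolicy` / `bind authentication vserver` command shapes are an assumption about ns.conf syntax, the configuration fragments are constructed for the example, and whether an image is FIPS/NDcPP has to be supplied by the operator, because the build string alone does not say.

```python
import re

# Minimum fixed builds for CVE-2026-3055 as listed in the bulletin summary above,
# keyed by (branch, fips_or_ndcpp). FIPS/NDcPP images are a separate 13.1 build line.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """'14.1-66.54' -> ('14.1', 66, 54); raises ValueError on anything else."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError("unrecognised NetScaler build string: %r" % build)
    return m.group(1), int(m.group(2)), int(m.group(3))


def build_vulnerable(build, fips=False):
    """True if the build is below the fixed build for its branch, False if at or above it,
    None if the branch is not covered by the bulletin as summarised here (review manually)."""
    branch, major, minor = parse_build(build)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    return (major, minor) < fixed


# Assumed ns.conf command shapes for this example: a SAML IdP profile, a policy that
# references it via -action, and a binding of that policy to an authentication vserver.
IDP_PROFILE_RE = re.compile(r"^add authentication samlIdPProfile (\S+)", re.M)
IDP_POLICY_RE = re.compile(r"^add authentication samlIdPPolicy (\S+) .*-action (\S+)", re.M)
BIND_RE = re.compile(r"^bind authentication vserver (\S+) .*-policy (\S+)", re.M)


def saml_idp_configured(ns_conf):
    """True only when a SAML IdP policy backed by a defined profile is bound to a vserver.
    A profile that exists but is never bound does not make the appliance a SAML IdP."""
    profiles = set(IDP_PROFILE_RE.findall(ns_conf))
    policies = {name for name, action in IDP_POLICY_RE.findall(ns_conf) if action in profiles}
    return any(pol in policies for _vs, pol in BIND_RE.findall(ns_conf))


def assess(build, ns_conf, fips=False):
    """Combine the version check with the exposure precondition into one triage verdict."""
    vuln = build_vulnerable(build, fips)
    idp = saml_idp_configured(ns_conf)
    if vuln is None:
        action = "branch not in bulletin summary; check the vendor advisory"
    elif vuln and idp:
        action = "PATCH NOW: vulnerable build and SAML IdP role is active"
    elif vuln:
        action = "patch: vulnerable build (SAML IdP not bound, so not reachable via this flaw today)"
    else:
        action = "fixed build; no action for this CVE"
    return {"build": build, "vulnerable_build": vuln, "saml_idp": idp, "action": action}


# Constructed ns.conf fragments (not taken from a real appliance).
NS_CONF_SAML_IDP = """\
add authentication vserver aaa_vs SSL 10.0.0.5 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver aaa_vs -policy idp_pol -priority 100
"""

NS_CONF_PROFILE_UNBOUND = """\
add authentication vserver aaa_vs SSL 10.0.0.5 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
"""

if __name__ == "__main__":
    for build, fips in (("14.1-66.54", False), ("14.1-66.59", False), ("13.1-37.250", True)):
        print(assess(build, NS_CONF_SAML_IDP, fips))
    print(assess("14.1-66.54", NS_CONF_PROFILE_UNBOUND))
```

The exposure check is deliberately narrow: an unbound SAML IdP profile leaves the vulnerable code unreachable through this flaw, so the verdict distinguishes "patch now" from "patch", but a vulnerable build is still reported as vulnerable either way, since the role can be enabled with a single bind command.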

This is not the only vulnerability to be disclosed by Citrix this week. Citrix also disclosed a race condition flaw – CVE-2026-4368 – that affects NetScaler ADC and NetScaler Gateway 14.1-66.54 when the appliance is configured as either a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. The vulnerability is rated high severity, with a CVSS base score of 7.7. Action should be taken to mitigate the vulnerability for customer-managed instances. The vulnerability has been fixed in version 14.1-60.58. Further information on the flaws can be found in the Citrix security bulletin.

March 31, 2026, Update: The vulnerability is being actively exploited, though the scale of the exploitation remains unclear. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 30, 2026, and has ordered all federal civilian executive branch agencies to patch it by April 2, 2026. All network defenders, including those in the private sector, have been advised to prioritize patching the vulnerability and ensure it is mitigated as soon as possible.


BakerHostetler: Healthcare Remains Most Targeted Sector with Extortion-Only Attacks on the Rise

Healthcare has retained its position as the industry most targeted by cyber actors, an unwanted accolade that the sector has held for more than a decade, and in 2025, healthcare had the highest average ransom payments, averaging $1,154,245, according to the recently published BakerHostetler 2026 Data Security Incident Response Report. The report is based on more than 1,250 data security incidents that the law firm was engaged in last year.

BakerHostetler has been publishing annual breach reports for 12 years, and in each of those years, healthcare accounted for more cyber incidents than any other industry. In 2025, healthcare – which includes biotech and pharma – accounted for 27%, with finance/insurance in second spot, accounting for 18% of incidents. While healthcare data breaches remain high – more than 700 last year – 2025 was the second consecutive year where breaches impacting 500 or more individuals declined, albeit only slightly.

Last year saw some threat actors issue astronomical ransom demands, the highest of which was $98 million, more than double the highest ransom demand in 2024 ($40 million). The largest ransom paid was $5.65 million, down from more than $20 million in 2024. Ransom payments increased in 2025, from an average payment of $501,338 in 2024 to $682,702, although average payments in healthcare were 69% higher.

BakerHostetler’s analysis revealed threat actors are spending less time in networks, with dwell time falling from 36 days in 2023 to just 22 days in 2025. As defenders have improved at detecting intrusions, threat actors have had to adapt and are spending less time searching for data of interest. Linked to this is a growing trend of encryption being abandoned in some attacks, with some threat groups opting to conduct extortion-only attacks. These are faster and quieter, with less chance of discovery before the attackers have achieved their aims, although in some attacks the exfiltration of data is what tipped off victims, forcing the attackers to abandon encryption.

In 2025, across all industry sectors, 34% of victims of ransomware attacks paid the ransom, but there was a notable shift in the reason for payment last year. In 2024, 43% of victims of ransomware attacks paid the ransom to obtain a decryptor, with 34% paying to prevent the publication of stolen data. Those figures were reversed in 2025, with 31% of victims paying to obtain the decryptor, 43% paid to prevent the publication of stolen data, and 26% paid to recover data and prevent a data leak. Out of all extortion/ransomware incidents, 64% resulted in data theft requiring notices to individuals.

The Qilin ransomware group stepped up its attacks in 2025, having recruited affiliates from other ransomware operations, although Akira took top spot, based on the number of incidents BakerHostetler was engaged to assist with. Lynx/INC Ransom took third spot, followed by Clop in fourth and the now defunct RansomHub in fifth. The law enforcement operations against the LockBit ransomware group have clearly been effective, as BakerHostetler reports that for the first time in the past 5 years, LockBit was not in the top five most active ransomware groups.

This year’s report includes a spotlight on the healthcare sector. Out of all healthcare incidents that BakerHostetler was engaged in, 35% were attributed to vendors, which remain an Achilles heel in the industry. Vendor incidents were among the largest data breaches, such as the data breach at Conduent that affected more than 10 million individuals, the 5 million+ data breach at Episource, and the data breach at Oracle Health (Cerner). The number of individuals affected by the latter has not been disclosed, but is certainly in the millions.

While announcements were made about 21 resolution agreements in 2025, only 12 of the settlements/notices of final determination had 2025 dates. Out of those 12, seven resolved alleged HIPAA violations at business associates, as OCR demonstrated it is taking a keen interest in HIPAA compliance by vendors.

BakerHostetler suggests that fewer penalties are likely to be imposed this year, as OCR may opt for providing more efficient technical assistance; however, state attorneys general may well fill the gap as they exercise their authority to penalize healthcare organizations over breaches of the protected health information of state residents.

BakerHostetler predicts that state actions are likely to increase, as states are increasing staffing in their data privacy units. The expected focus will be data breach incident investigation, data awareness and data minimization, more robust protections for sensitive data, and greater incident investigation transparency, and with Congress yet to pass federal data privacy legislation, more states will implement their own privacy legislation.


High Severity Vulnerability Identified in Grassroots DICOM

A high-severity vulnerability has been identified in Grassroots DICOM that could be exploited by a remote threat actor to trigger a denial-of-service condition. The vulnerability, tracked as CVE-2026-3650, is a memory leak issue that has been assigned a CVSS v3.1 severity score of 7.5.

Grassroots DICOM is a C++ library for DICOM medical images that comes with a scanner implementation capable of quickly scanning hundreds of DICOM files for attributes. Grassroots DICOM is used by healthcare and public health sector organizations worldwide, including in the United States.

The vulnerability affects Grassroots DICOM (GDCM) version 3.2.2 and occurs when parsing malformed DICOM files with non-standard VR types in file meta information. If an attacker sends a specially crafted file, when that file is parsed, it leads to vast memory allocations and resource depletion, triggering a denial of service condition. A maliciously crafted file could fill the heap in a single read operation without properly releasing it.
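As an added example that is not part of the advisory and not GDCM's code: a minimal explicit-VR little-endian parser for the DICOM file meta group, in Python, showing the two checks that stop the failure class described above. The lenient mode treats an unknown VR as if it used the 32-bit length form and trusts the declared length, so a single element can ask the parser for roughly 4 GiB that is not in the file; the strict mode rejects non-standard VRs and any length that exceeds the bytes remaining or a small cap. The 64 KiB cap and both sample files are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Explicit VR little endian rules (DICOM PS3.5, 7.1.2): 34 standard VRs; those in LONG_LENGTH_VRS
# carry 2 reserved bytes and a 32-bit length, all others a 16-bit length.
STANDARD_VRS = {
    "AE", "AS", "AT", "CS", "DA", "DS", "DT", "FL", "FD", "IS", "LO", "LT", "OB", "OD",
    "OF", "OL", "OV", "OW", "PN", "SH", "SL", "SQ", "SS", "ST", "SV", "TM", "UC", "UI",
    "UL", "UN", "UR", "US", "UT", "UV",
}
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}
PREAMBLE_LEN = 128
MAX_META_ELEMENT = 1 << 16  # assumption for this example: file meta values are UIDs and tiny blobs

class DicomParseError(ValueError):
    pass

@dataclass
class Element:
    tag: tuple
    vr: str
    requested: int  # length the file asked the parser to allocate
    value: bytes    # bytes actually present in the file

def parse_file_meta(data, strict=True):
    """Walk the group 0002 elements. strict=True validates the VR and the declared length.
    strict=False models the failure class described above (this is not GDCM's code):
    an unknown VR is handled like UN and its declared length is trusted."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != b"DICM":
        raise DicomParseError("missing DICM magic")
    pos, elements = PREAMBLE_LEN + 4, []
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # file meta ended; the dataset follows
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        known = vr in STANDARD_VRS
        if strict and not known:
            raise DicomParseError("non-standard VR %r at offset %d" % (vr, pos))
        if vr in LONG_LENGTH_VRS or not known:
            if pos + 12 > len(data):
                raise DicomParseError("truncated element header at offset %d" % pos)
            (length,), header = struct.unpack_from("<I", data, pos + 8), 12
        else:
            (length,), header = struct.unpack_from("<H", data, pos + 6), 8
        remaining = len(data) - (pos + header)
        if strict and (length > remaining or length > MAX_META_ELEMENT):
            raise DicomParseError("declared length %d > remaining %d (cap %d) at offset %d"
                                  % (length, remaining, MAX_META_ELEMENT, pos))
        # Python slicing truncates silently; a native parser calling new[length] here is the DoS.
        value = data[pos + header:pos + header + length]
        elements.append(Element((group, elem), vr, length, value))
        pos += header + length
    return elements

def transfer_syntax(elements):
    for e in elements:
        if e.tag == (0x0002, 0x0010):
            return e.value.rstrip(b"\x00").decode("ascii")
    return None

def strict_rejects(data):
    try:
        parse_file_meta(data, strict=True)
        return False
    except DicomParseError:
        return True

# --- constructed sample files for this example (not real studies) ---
def encode_element(group, elem, vr, value, declared_len=None):
    """Explicit VR LE encoder; declared_len lets the malformed case lie about the length."""
    n = len(value) if declared_len is None else declared_len
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS or vr not in STANDARD_VRS:
        head += b"\x00\x00" + struct.pack("<I", n)
    else:
        head += struct.pack("<H", n)
    return head + value

def _ui(s):  # UI values are NUL-padded to even length
    b = s.encode("ascii")
    return b + b"\x00" if len(b) % 2 else b

def benign_file():
    return (b"\x00" * PREAMBLE_LEN + b"DICM"
            + encode_element(0x0002, 0x0001, "OB", b"\x00\x01")                       # version
            + encode_element(0x0002, 0x0002, "UI", _ui("1.2.840.10008.5.1.4.1.1.2"))  # CT image SOP class
            + encode_element(0x0002, 0x0010, "UI", _ui("1.2.840.10008.1.2.1")))       # explicit VR LE

def malformed_file():
    # non-standard VR "ZZ", 32-bit length of ~4 GiB, zero payload bytes behind it
    return benign_file() + encode_element(0x0002, 0x0012, "ZZ", b"", declared_len=0xFFFFFFF0)

if __name__ == "__main__":
    print("transfer syntax:", transfer_syntax(parse_file_meta(benign_file())))
    lenient = parse_file_meta(malformed_file(), strict=False)
    print("lenient parse would request", max(e.requested for e in lenient), "bytes; strict rejects:",
          strict_rejects(malformed_file()))
```

The "length versus bytes remaining" check is the one that matters for a network-facing service: a file received over DICOM or HTTP is fully in hand before parsing, so any element that claims more than what is left is malformed by construction and can be rejected before a single byte is allocated for it.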

The vulnerability was identified by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which contacted the maintainer of Grassroots DICOM; however, the maintainer failed to respond to requests by CISA to mitigate the vulnerability.

While there is currently no fix to remediate the vulnerability, CISA has suggested recommended practices to reduce the potential for exploitation. They involve ensuring that Grassroots DICOM is not exposed to the internet, that control system networks are located behind firewalls and isolated from business networks, and, if remote access is required, that secure methods such as Virtual Private Networks (VPNs) are used, with the VPN running the latest software version.
