Healthcare Cybersecurity

GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations

The U.S. Government Accountability Office has written to Clark Minor, Chief Information Officer (CIO) of the U.S. Department of Health and Human Services, advising him about the current open cybersecurity and IT management recommendations that require his attention.

GAO is a non-partisan agency that works for Congress and provides support to ensure it meets its constitutional responsibilities and helps improve the performance and ensure the accountability of the federal government. GAO makes recommendations for improving the government’s performance in IT and related IT management functions, including recommendations for the HHS, yet many of those recommendations have yet to be implemented. In the letter, GAO explained that the HHS currently has 82 open recommendations involving high-risk cybersecurity and IT management issues.

GAO made the recommendations over several years, each relating to a GAO High-Risk area: Ensuring the Cybersecurity of the Nation or Improving IT Acquisitions and Management. Out of the 82 recommendations, at least 37 are considered sensitive, and one has been designated as a priority recommendation. GAO explained in the report that in order to secure the cybersecurity of the nation, the HHS needs to take additional steps to secure the records and information systems it uses to carry out its mission.

GAO had recommended that HHS establish a reasonable time frame for when it will be able to digitally accept access and consent forms from properly identity-proofed and authenticated individuals and post those forms on the department’s privacy program website. GAO has warned that until the recommendation is implemented, the HHS will not be able to adequately protect records from improper disclosure.

HHS’ Office for Civil Rights investigations into potential HIPAA violations have resulted in financial penalties for organizations that have failed to maintain logs of activity in information systems containing ePHI, yet it hasn’t fully implemented effective logging of its own systems, as directed by the Office of Management and Budget. “Until HHS implements this recommendation, there is increased risk that the department will not have complete information from logs on its systems to detect, investigate, and remediate cyber threats,” warned GAO. HHS has also not yet implemented the recommendation that it should improve its incident response guidance, implementation, and oversight.

In the Improving IT Acquisitions and Management category, GAO has recommended that HHS improve its management and tracking of IT resources. For instance, the HHS had previously provided a revised time frame for completing its covered Internet of Things (IoT) inventory, but has still not completed the inventory. GAO warned that there is an enormous array of disparate devices that may be considered part of IoT, and those devices connect to HHS information systems. Until HHS has a complete inventory, it lacks visibility into the IoT devices within its environment, which will hamper its ability to mitigate IoT cybersecurity risks.

HHS had made little progress developing a work plan that includes specific actions to show progress in developing a public health situational awareness and biosurveillance network. Doing so will help to ensure that the HHS has comprehensive capabilities to allow a rapid and efficient response to an infectious disease outbreak. GAO also stressed to the HHS CIO that there are also outstanding recommendations from the HHS Office of Inspector General in the areas of cybersecurity and IT acquisitions and management, including requirements under the Federal Information Security Modernization Act of 2014, which must also be resolved.

Minor only joined the HHS in February and has served as CIO since May 2025. The HHS said in that short time, Minor has made steady progress toward ensuring the highest level of security and performance across its systems.

The post GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations appeared first on The HIPAA Journal.

What is the Best EMR for Small Practices in 2025?

Whether you are starting a new practice or looking to grow your existing business, choosing the right electronic medical record system (EMR) is key to improving revenues and profits. An EMR is more than a system for managing large data records. An EMR is an invaluable tool at the heart of your practice that facilitates many aspects of your practice’s operations, such as scheduling, payments, insurance billing, record requests, patient engagement, telehealth, patient follow-ups, and HIPAA compliance.

In addition to ensuring accurate patient records, an EMR is an invaluable tool for aiding decision-making, improving efficiency by streamlining documentation, and eliminating manual administrative tasks that inevitably impact revenue-generating activities and patient care. An EMR can significantly improve the patient experience by streamlining scheduling, providing patients with easy access to their health data to improve engagement, and facilitating communication, helping to improve satisfaction and attract new patients.

With an EMR that is the right fit for your practice, you can reduce the administration burden on clinicians and administrative staff and improve efficiency, allowing you to spend more time providing high-quality, personalized, value-based care.

An EMR Streamlines Operations and Improves Efficiency

An EMR improves efficiency, streamlines data management and billing processes, while helping ensure compliance with HIPAA and state laws, but it is vital to get the right EMR solution for your practice that meets your current needs and has the scalability to support your practice as it grows.

There is a myriad of EMRs to choose from, and while Epic and Oracle Cerner are the most commonly used enterprise EMRs, they require a significant investment and are not well-suited for solo providers and small independent practices, as they prioritize operational scale and standardization.

EMRs for small practices are more affordable, easier to use, and offer far greater flexibility, often providing scope for customization to support specialty-specific workflows and value-based individualized care. The best EMR for small practices will allow you to streamline practice operations while meeting your regulatory obligations under HIPAA, EPCS, and other federal and state regulations, allowing you to concentrate on providing the highest quality patient care.

With the right EMR, you will be able to significantly reduce time-consuming administrative tasks, improve clinical accuracy, and deliver a better patient experience, helping you to reduce the churn rate and win more business.

Choosing an EMR for Small Practices

Cost is naturally a key consideration for small practices. Setting up a new practice costs hundreds of thousands of dollars, after which there are likely to be considerable budgetary constraints. You naturally need to get good value for money and a significant return on your investment, but it is important to look past the cost of licenses and initial setup costs, which include data migration if you are changing EMRs. There are often ongoing monthly expenses, add-on costs for integrations and improving core EMR functionality, limited logins, and locked-in insurance billing partners and other vendors.

If you are starting out and have a handful of clients, what works initially may not be sustainable over time. Transitioning to a new EMR when you outgrow your current platform can be time-consuming and costly, with data migration headaches and a long learning curve, which will inevitably negatively impact operations until the staff gets up to speed.

It is therefore important to choose an EMR for small practices that has comprehensive features, supports extensive integrations, with workflow automation allowing for efficient practice management. The solution should incorporate business features, including billing and analytics, while supporting telehealth, electronic prescriptions, and compliance, with scalability to support the changing needs of your practice. The support options should not be overlooked, as if you experience any technical problems or require customizations, assistance should be provided quickly to allow you to rapidly resolve your issues.

A free EMR may seem like the best choice if you have a limited budget and competing priorities. While initially you could save hundreds or thousands of dollars, you may end up paying more in the long term due to limited functionality, a lack of live customer support.  You will generally only get basic features, and the core components generally do not extend to billing, comprehensive reporting, and analytics. Free EMRs are generally only free up to a point and often require an upgrade to a full or premium package to get more than the basic EMR functions. There are also security and compliance risks associated with free EMRs, many of which are open source.

If you have a clear vision for your practice and your area of specialization, a free EMR may be a good choice, but the lack of flexibility can be limiting, and the money saved on capital outlay could be lost – and more. There are, however, excellent low-cost EMRs for small practices with extensive functionality and comprehensive integrations to meet your current and future needs, that are easy to use and support individualized care.

Security and Compliance

Two areas that should not be overlooked are security and compliance. Security needs to be built into the core of the design, as the EMR contains the crown jewels of your business, and hackers are actively targeting small practices. Free EMRs are typically open source, which means the code is available to anyone to inspect, but that doesn’t mean that it has been thoroughly inspected, nor that there is an active community looking at the code to identify security weaknesses. Data leakage and security vulnerabilities can prove extremely costly.

While small practices were once able to fly under the radar, regulators are taking a keen interest in HIPAA compliance at small medical practices. The HHS’ Office for Civil Rights (OCR) has an enforcement initiative on patient access, and in recent years, many financial penalties have been imposed on small providers for noncompliance. The HHS is also cracking down on information blocking, so it is vital that your EMR provides an easy-to-use patient portal and supports seamless health data exchange.

The Best EMRs for Small Practices

The best EMRs for small practices strike a good balance between cost and functionality, providing the functions to meet your operational needs, scalability to grow with your practice, and support to resolve technical or usability issues quickly, without hidden costs.

The best EMRs for small practices streamline operations, allowing you to improve patient engagement, reduce the burden of compliance, and have flexibility and support customizations to meet your unique needs. To save you time in your search, the HIPAA Journal has assessed EMRs for small practices to help you find the best EMR to meet your practice’s needs.

OptiMantra is the Best EMR for Small Practices

In our opinion, OptiMantra is the best EMR for sole providers and small independent primary care, functional medicine, mental health, and aesthetics-focused practices due to a comprehensive range of features and integrations, excellent customer support, scalability, and scope for customization. The platform provides excellent value for money with one of the lowest monthly costs, and many features included with the license that other platforms provide only as paid add-on features.

OptiMantra is an all-in-one solution with a comprehensive suite of functions, including charting, scheduling, e-prescribing, billing, video chat for telehealth, and an integrated lab network for bloodwork and tests. The platform includes a HIPAA-compliant patient portal with email and text reminders to improve engagement and reduce no-shows, and an extensive library of forms, including MSQ, symptom surveys, mental health questionnaires, and email, text, and fax templates.

OptiMantra offers a full suite of clinical, billing, point of sale, digital, and cloud integrations, ensuring seamless integration with the most commonly used third-party service providers. The platform streamlines small practice operations, allows charting on the go through tablet and mobile-friendly interfaces, helping practices improve efficiency and concentrate on patient care. OptiMantra also reports that clinics see an average 37% increase in revenue in the first year of using the platform, and if you ever decide to change platforms, there is no tie-in other than a month’s notice.

OptiMantra is rated highly by users, with a 5/5 score on G2 and a 4.8/5 score on Capterra, and is universally praised for customer support, with responses typically received within an hour, earning OptiMantra a 2025 Best Customer Support software badge from Gartner-owned Software Advice.  OptiMantra is also highly responsive to suggestions and rapidly implements tweaks to improve usability in response to customer requests.

While we feel OptiMantra is the best EMR for small practices for features, flexibility, cost-effectiveness, and customer service, other platforms are worthy of consideration.

AdvancedMD is a Comprehensive All-in-one Solution with Strong Revenue Management Features

AdvancedMD is an all-in-one cloud-based EMR system aimed at small practices, although those at the larger end of the category. The platform includes a suite of features for independent medical practices, including mental health, physical therapy, and medical healthcare organizations, and has integrated scheduling, charting, billing, claims, e-prescribing, and telehealth capabilities, with a good patient portal and patient messaging feature for improving engagement.

The platform offers excellent stability and accessibility, and robust security for HIPAA Security Rule compliance, including multi-factor authentication. AdvancedMD has an excellent scheduling system, a good patient portal, and impressive revenue management features, making it an ideal choice for practices with their one in-house billing teams.

While the platform has extensive features to support single physicians and small practices, with excellent scalability to support practices as they grow, there are more cost-effective choices due to high set-up fees. Due to the high initial cost, users typically do not tend to see a return on their investment for 14 months, and the system generally takes around 2 months to fully implement. Once set up, the platform is easy to use and navigate, with well-functioning modules that are intuitive and a great choice for compliance, with a comprehensive audit trail with all actions time and date stamped.

AdvancedMD has a 3.6/5 rating on Capterra and a 3.6/5 rating on G2 and is praised for its customizable features and the ability to tailor workflows to specific practice needs, and while the platform is reliable with excellent uptime, it is prone to lag times during busy periods, and customer service and issue resolution are often subject to delays. Overall, the platform is a good choice for larger practices and medical groups.

Practice Fusion is a Good Low-Cost Choice Providing Basic EMR Functionality

Practice Fusion is a solid choice for practices with restrictive budgets, especially for new sole provider practices and small practices with 3 or fewer signing staff. Practice Fusion is an entry-level cloud-based EMR system that initially provided free-to-use basic functionality, although it has now moved to a subscription-only service with a 14-day free trial.

Set up is straightforward, and the platform is intuitive and easy to use, without a steep learning curve. The platform has basic reporting and scheduling capabilities, web-based charting and e-prescribing, and lab, imaging, and billing services, and a good patient portal.

Practice Fusion provides online and telephone support, although it has no dedicated customer service representatives for users, and response times can be slow, sometimes taking days rather than hours to resolve issues.

The platform has a 3.8/5 rating on G2 and a 3.7/5 rating on Capterra, with users praising the platform for ease of use, its lab and imaging integrations, and web-based charting and e-prescribing. There is a lack of integrations and interoperability, although improvements are continuously being made to integrate with other portals and improve patient record importing, and extend integrations with vendors. Users report some system stability issues, with occasional downtime due to crashes.

For single providers and practices with 3 or fewer signing staff, Practice Fusion is a good choice due to ease-of-use, solid core functions, a good patient portal, and lab, imaging, and billing capabilities. A free trial is strongly recommended, as there is a minimum tie-in of 12 months for subscriptions with no early cancellation.

The post What is the Best EMR for Small Practices in 2025? appeared first on The HIPAA Journal.

Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence”

Senator Ron Wyden (D-OR) has written to Andrew Ferguson, Chair of the Federal Trade Commission (FTC), requesting the FTC investigate Microsoft and hold it responsible for “gross cybersecurity negligence,” which Sen. Wyden believes has contributed to the barrage of ransomware attacks on critical infrastructure entities.

In the letter, Sen. Wyden cites figures from a February 2025 report published by the Director of National Intelligence (DNI) indicating more than 5,000 ransomware attacks in 2024, a 15% increase from 2024, and a 103% increase from 2022. Around half of the victims of those attacks are located in the United States. Those attacks have caused enormous harm to healthcare providers, put patient care at risk, and pose a continuing threat to national security.

Sen. Wyden believes Microsoft is at fault for many of these attacks because of its de facto monopoly on operating systems, combined with dangerous software engineering decisions that have made the Windows operating system vulnerable to ransomware attacks. Sen. Wyden explained that Microsoft chooses the security measures enabled by default in the Windows operating system, and while any user can alter the settings, many do not, as they are unaware of the risks associated with the default security settings.

Cybersecurity Vulnerability Exploited in Ascension Ransomware Attack

Sen Wyden used the 2024 hack of Ascension, one of the largest health systems in the United States, as an example of how easy it is for ransomware groups to breach the networks of critical infrastructure entities. The ransomware group gained access to privileged accounts on Ascension’s Active Directory Server using a privilege escalation technique called kerberoasting, after an Ascension contractor clicked a malicious link in a Bing search result on an Ascension laptop and inadvertently downloaded malware.

The malware provided the attacker with initial access, they moved laterally, and gained administrative privileges to the Microsoft Active Directory Server. The attacker exfiltrated data, then used ransomware to encrypt files. The electronic protected health information of 5.6 million patients was compromised in the attack. The attack was made possible due to a long-standing post-exploitation vulnerability.

Kerberoasting is an attack technique that exploits Microsoft’s continued support for an insecure encryption technology – RC4 – from the 1980s. Microsoft is well aware of the risk from kerberoasting, and how it can be exploited to obtain Active Directory credentials. For more than a decade, cybersecurity experts have warned of the dangers of kerberoasting, yet no action has been taken by Microsoft to mitigate the threat, even though more secure methods of encryption are supported by Windows.

The Advanced Encryption Standard (AES) is vastly superior to RC4, is supported by Windows, and recommended by the U.S. government, yet Microsoft does not use AES by default in Windows. The result of that software engineering decision is that hackers with access to a corporate network can exploit the weaknesses in RC4 encryption technology to crack administrators’ privileged accounts.

Sen. Wyden said Microsoft has stated that the risk can be mitigated by setting long passwords of 14 or more characters, yet Microsoft does not require passwords of that length to be set for privileged accounts by default. Sen. Wyden wrote to Microsoft in July 2024, warning about the threat of kerberoasting, and in October 2024, Microsoft published a blog post warning about the vulnerability and how the threat can be mitigated. Microsoft also promised to issue a software update to fix the issue. Almost a year on, and no fix has been forthcoming. Also in October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian hackers were using the kerberoasting technique to attack U.S. organizations.

Despite the technique being used by threat actors, the warning was added to an obscure part of its website and was not promoted. Rather than issue a prominent and easy-to-read warning as requested by Sen. Wyden, the blog post was highly technical in nature. As a result, many companies may not have seen the post or acted on the advice, leaving their crown jewels – Active Directory credentials – at risk.

FTC Action Required to Force Microsoft to Provide Secure Software by Default

Kerberoasting is just one technique that can be used to exploit vulnerabilities. Sen. Wyden provided further examples of Microsoft’s cybersecurity failures that have been exploited by nation-state actors to attack Microsoft customers, including attacks by China in 2023 and, more recently, the vulnerability in Microsoft SharePoint that was mass exploited by hackers linked to the Chinese government this year.

“There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it,” Sen. Wyden wrote in the letter. “At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”

Sen. Wyden believes that the FTC should take action to hold Microsoft to account, and if no action is taken, Microsoft is likely to continue to deliver dangerous, insecure software to critical infrastructure entities and the government, and further attacks are inevitable.

The post Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence” appeared first on The HIPAA Journal.

Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs

The U.S. Department of Justice has charged a Ukrainian serial ransomware criminal who is alleged to have been the administrator of multiple ransomware operations. Volodymyr Viktorovich Tymoshchuk, through online monikers including deadforz, Boba, msfv, and farnetwork, is alleged to have been the administrator of the LockerGaga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.

Tymoshchuk, along with his accomplices, conducted or played a key role in ransomware attacks on more than 250 victims in the United States between July 2019 and June 2020 using the LockerGaga and MegaCortex ransomware variants, as well as hundreds of victims worldwide. An international law enforcement operation targeting the LockerGoga and MegaCortex ransomware schemes in September 2022 obtained decryption keys, which were made available to victims via the No More Ransom Project. Many potential victims were able to prevent file encryption after receiving prompt notifications from law enforcement that their networks had been compromised.

Under the Nefilim ransomware scheme, Tymoshchuk and his accomplices claimed many more victims in the United States and worldwide between July 2020 and October 2021. Through those attacks, Tymoshchuk caused millions of dollars in losses due to disruption to business operations, damage to computer systems, and ransom payments. As administrator of the ransomware operations, Tymoshchuk recruited and provided access to the infrastructure and encryptor to conduct attacks.

One of the affiliates of the Nefilim ransomware operation was Ukrainian national Artem Stryzhak, who was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. Stryzhak has been charged with conspiracy to commit fraud and related activity. Stryzhak primarily targeted companies in the United States, Canada, or Australia that had annual revenues of over $100 million, although a Nefilim administrator encouraged him to target larger companies with more than $200 million in annual revenues. The Nefilim administrators allowed Stryzhak to keep 80% of any ransoms he generated, while they would retain 20%. Any victim who refused to pay had their stolen data leaked on the group’s Corporate Leaks websites.

Tymoshchuk has been charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of causing intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. “Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

The U.S. Department of State is offering up to $10 million as a reward for information leading to the location, arrest, or conviction of Tymoshchuk, plus a further $1 million reward for information that leads to convictions of other members of the LockerGaga, MegaCortex, and Nefilim ransomware groups. The rewards are offered under the Transnational Organized Crime (TOC) Rewards Program.

The post Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs appeared first on The HIPAA Journal.

Healthcare Industry Good at Preventing Serious Vulnerabilities but Lags in Remediation

Healthcare organizations are relatively unlikely to have serious cybersecurity vulnerabilities compared to other industry sectors, as they are generally good at prevention; however, when vulnerabilities are identified, healthcare lags other sectors when it comes to remediation. These are the findings from a recent analysis of penetration testing data and a survey of 500 U.S. security leaders by the Pentest-as-a-service (PTaaS) firm Cobalt. The findings are published in its State of Pentesting in Healthcare 2025 report.

Serious cybersecurity vulnerabilities are relatively rare in healthcare, with the industry ranking 6th out of the 13 industries represented in the data, with only 13.3% vulnerabilities identified through pentesting qualifying as serious. When penetration tests identify serious vulnerabilities, they need to be remediated promptly. As long as a vulnerability remains unaddressed, it can potentially be exploited by a threat actor.

The standard for measuring the time to perform a security action is the median time to resolve (MTTR), which, for serious vulnerabilities in healthcare, was 58 days. Healthcare ranked 11th out of 13th industries on MTTR. Cobalt plotted the frequency of serious vulnerabilities against the resolution rate in a scatterplot chart. Healthcare was the only industry in the struggling sector, with low prevalence but low resolution. The ideal is low prevalence and high resolution.

While the MTTR is a standard measure in security, it can be somewhat misleading, as it is only based on the vulnerabilities that are actually resolved. Cobalt reports that 52% of pentest findings are never resolved. Therefore, to obtain a complete picture, it is also necessary to look at the survival half-life, which is the time taken to resolve 50% of identified vulnerabilities. Having an MTTR of 20 days is excellent, but much less so if half of all serious vulnerabilities are never resolved.

The data show healthcare to be the third-worst industry for half-life score, with a half-life of 244 days, compared to the leading sector, transportation, which has a half-life of 43 days. Education performed worst, with a half-life of 283 days, ahead of hospitality on 270 days. Cobalt notes that the healthcare sector is generally good at prioritizing vulnerability remediation, with the most critical issues usually fixed on time. Almost 40% of healthcare service level agreements (SLAs) require serious vulnerabilities in business-critical assets to be fully resolved within three days, while a further 40% of SLAs require those vulnerabilities to be resolved within 14 days.

Most practices meet the deadlines, with 43% resolving critical findings in one to three days, 37% resolving issues in four to seven days, and 14% resolving issues within eight to fourteen days, although it is common for backlogs to grow in less urgent areas. Healthcare is a heavily regulated industry, with data security requirements under HIPAA. The HIPAA Security Rule requires a risk analysis to be conducted to identify all risks and vulnerabilities to electronic protected health information, which explains, to a certain extent, why there is a low prevalence of serious vulnerabilities. There are also risk management requirements under HIPAA, which are reflected in the data, as 94% of healthcare organizations resolve business-critical issues in less than two weeks.

The slow rates of resolution of vulnerabilities in general and the poor half-life score in healthcare are likely due to a range of factors, such as the continued use of legacy systems, which create technology roadblocks, along with resource constraints. Cobalt also suggests there may be divisions between the departments ordering pentests and the teams implementing fixes, and less mature teams may struggle with the complexity of remediations.

The survey revealed the biggest security concerns in healthcare to be GenAI (71%), third-party software (48%), and exploited vulnerabilities (40%), with the top attack vectors being third-party software (68%), AI-enabled features (45%), and phishing/malware (32%). Given the high level of concern about third-party software, Cobalt recommends that healthcare providers require their vendors to provide comprehensive pentesting reports before procurement. Cobalt also recommends integrating pentesting into the development lifecycle, proactively testing for AI and genAI vulnerabilities, adopting a programmatic approach to offensive security, and conducting regular red team exercises to test real-world detection and response capabilities.

The post Healthcare Industry Good at Preventing Serious Vulnerabilities but Lags in Remediation appeared first on The HIPAA Journal.

Report Reveals Worrying Abuses of Agentic AI by Cybercriminals

Cybercriminals have been abusing agentic AI to perform sophisticated cyberattacks at scale, incorporating AI tools throughout all stages of their operations. Agentic AI tools have significantly lowered the bar for hackers, allowing individuals with few technical skills to conduct complex attacks that would otherwise require extensive training over several years and a team of operators.

A new threat intelligence report from Anthropic highlights the extent to which its own language model (LLM) and AI assistant, Claude, has been abused, even with sophisticated safety and security measures in place to protect against misuse. The cybercriminal schemes identified by Anthropic have targeted businesses around the world, including U.S. healthcare providers.

Examples of misuses of Claude code include:

  • A campaign allowing large-scale theft of data from healthcare providers, emergency services, religious institutions, and the government
  • A large-scale fraudulent employment scheme conducted by a North Korean threat actor to secure jobs at Western companies
  • The creation and subsequent sale of ransomware by a cybercriminal with only basic coding skills.

Agentic AI tools can be used to create and automate complex cybercriminal campaigns, requiring little to no coding or technical skills, other than the ability to write prompts to the AI tools. These tools can be embedded into all stages of operations, which Anthropic calls “vibe hacking,” taking its name from vibe coding, where developers instruct agentic AI tools to write the code, while they just guide, experiment, and refine the AI output. Anthropic says vibe hacking marks a concerning evolution in AI-assisted cybercrime.

One such vibe hacking campaign targeted healthcare providers, the emergency services, government entities, and religious institutions. Agentic AI tools were embedded into all stages of the operation, including profiling victims, automating reconnaissance, harvesting credentials, penetrating networks, and analyzing stolen data. Anthropic’s analysis revealed that the threat actor allowed Claude to make tactical and strategic decisions, including determining the types of data to exfiltrate from victims and the creation of psychologically targeted extortion demands.

Claude was used to analyze the victim’s financial records to determine how much to demand as a ransom payment to prevent the publication of the stolen data, and also to generate ransom notes to be displayed on the victims’ devices. Anthropic believes that this campaign used AI to an unprecedented degree. The campaign was developed and conducted in a short time frame and involved scaled data extortion of multiple international targets, potentially hitting at least 17 distinct organizations, resulting in ransom payments that exceeded $500,000 in some cases.

The North Korean campaign used Claude to create elaborate false identities with convincing professional backgrounds to secure employment positions at U.S. Fortune 500 technology companies, and also to complete the necessary technical and coding assessments to secure employment and technical work duties once hired. The ransomware campaign involved the development of several ransomware variants without any coding skills. The ransomware had advanced evasion capabilities, encryption, and anti-recovery mechanisms. In addition to creating ransomware, the threat actor used Claude to market and distribute variants that were sold on Internet forums for $400 to $1,200.

Anthropic has been transparent about these abuses of its AI tools to contribute to the work of the broader AI safety and security community and help industry, government, and the wider research community strengthen defenses against the abuse of AI systems. Anthropic is far from alone, as other agentic AI tools have also been abused and tricked into producing output that violates operational rules that have been implemented to prevent abuse.

After detecting these operations, the associated accounts were immediately banned, and an automated screening tool has now been developed to help discover unauthorized activity quickly and prevent similar abuses in the future. Anthropic warns that the use of AI tools for offensive purposes creates a significant challenge for defenders, as campaigns can be created to adapt to defensive measures such as malware detection systems in real time. “We expect attacks like this to become more common as AI-assisted coding reduces the technical expertise required for cybercrime,” warned Anthropic.

The post Report Reveals Worrying Abuses of Agentic AI by Cybercriminals appeared first on The HIPAA Journal.

CISA Seeks Feedback on Updated Software Bill of Materials Guidance

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there may be little visibility into those components and dependencies, risks are impossible to mitigate effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance  – 2025 Minimum Elements for a Software Bill of Materials (SBOM) – is primarily intended for federal agencies, CISA is encouraging other entities to use the guidance to help them understand what they can expect from vendors’ SBOMs. The update includes new SBOM data fields, the name of the tool used to create the SBOM, the software’s cryptographic hash, and several revisions. Public comment is sought on the new draft guidance until October 3, 2025, allowing individuals to share their knowledge for incorporation into the guidance ahead of the release of the final version.

The post CISA Seeks Feedback on Updated Software Bill of Materials Guidance appeared first on The HIPAA Journal.

Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer

A medium-severity privilege escalation vulnerability has been identified in FujiFilm Healthcare Americas Synapse Mobility medical image viewing software that could be exploited to bypass authentication and access sensitive data.

The vulnerability is tracked as CVE-2025-54551 and affects all versions of Fujifilm Healthcare Americas Synapse Mobility prior to version 8.2 (Versions 8.0, 8.0.1, 8.0.2, 8.1, 8.1.1). The vulnerability is remotely exploitable in a low complexity attack and can allow an attacker to escalate privileges and access data that they do not have permission to view. Authenticated user interaction is required to exploit the vulnerability.

The vulnerability is due to external control of a Web parameter and can be exploited by altering the parameters of the search function, thereby providing results beyond the intended design of role-based access controls. The vulnerability has been assigned a CVSS v4 base score of 5.3 and a CVSS v3.1 base score of 4.3.

Fujifilm Healthcare Americas has fixed the vulnerability in version 8.2 and later versions and has released patches for versions 8.0 to 8.1.1. Users are encouraged to upgrade to the latest version of the software and ensure that patches are applied before the end-of-support date. If the version in use is past the end-of-support date, users should ensure they update to a supported version.

If an immediate upgrade is not possible, administrators should consider disabling the search function in the configurator settings until the software can be updated. This can be achieved by unchecking the “Allow plain text accession number” checkbox in the security section of the admin interface. This will limit the site to use of the product only via the SecureURL feature.

The post Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer appeared first on The HIPAA Journal.

Warnings Issued About RCE Vulnerabilities in FortiSIEM & N-able N-central

Warnings have been issued about a critical vulnerability in Fortinet FortiSIEM with publicly available exploit code and two actively exploited vulnerabilities in N-able N-central.

FortiSIEM

FortiSIEM is a central security information and event management (SIEM) solution that is used by network defenders for logging, network telemetry, and security incident alerts. FortiSIEM is commonly used by large enterprises, healthcare providers, and government entities. Fortinet has issued a warning about a command injection flaw that can be exploited remotely by an unauthenticated attacker, for which exploit code exists in the wild. As such, it is essential to patch promptly to fix the vulnerability before it can be exploited.

The vulnerability, CVE-2025-25256, is a critical flaw affecting FortiSIEM versions 5.4 to 7.3 and has a CVSS base score of 9.8 out of 10. Successful exploitation of the flaw would allow an unauthenticated attacker to remotely execute code or commands via crafted CLI requests. Fortinet did not state whether the vulnerability has already been exploited, only that functional exploit code was found in the wild.

Fortinet has fixed the vulnerability in the following versions:

  • FortiSIEM 7.3.2
  • FortiSIEM 7.2.6
  • FortiSIEM 7.1.8
  • FortiSIEM 7.0.4
  • FortiSIEM 6.7.10

Users of FortiSIEM versions 5.4 to 6.6 should ensure that they upgrade to a supported version that is patched against the vulnerability. If it is not possible to update to a patched version, Fortinet has suggested a workaround, which involves limiting access to the phMonitor on port 7900.

N-able N-central

N-able N-central is a remote monitoring and management (RMM) solution, commonly used by managed service providers (MSPs) to manage and maintain devices on their clients’ networks. Two vulnerabilities have been identified that are under active exploitation.

The vulnerabilities are tracked as CVE-2025-8875 – an insecure deserialization vulnerability that could allow command execution, and CVE-2025-8876 – a command injection vulnerability due to improper sanitization of user input. No CVSS scores have currently been issued for the vulnerabilities; however, CISA warns that both are under active exploitation. N-able explained in a security alert that the vulnerabilities require authentication to exploit.

N-able has released patches to fix the vulnerabilities, and customers are urged to update to version 2025.3.1 as soon as possible. The fixed version was released on August 13, 2025, and further information about the vulnerabilities will be released by N-able in three weeks, to give customers time to update to a fixed version.

The post Warnings Issued About RCE Vulnerabilities in FortiSIEM & N-able N-central appeared first on The HIPAA Journal.