Healthcare Cybersecurity

FBI Urges Organizations to Take 10 Actions to Improve Cyber Resilience

The Federal Bureau of Investigation (FBI) has launched a campaign to improve the resilience of industry, government, and critical infrastructure against cyber intrusions. Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) is tied to the National Cyber Strategy and the FBI Cyber Strategy, which views industry, government, and critical infrastructure as partners in detecting, confronting, and dismantling cyber threats.

“Our goal is simple: to move the needle on resilience across industry by helping organizations understand where adversaries are focused and what concrete steps they can take now (and build toward in the future) to make exploitation harder.” Operation Winter Shield provides a practical roadmap for securing information technology and operational technology environments, hardening defenses, and reducing the attack surface. The campaign has kicked off with 10 recommendations developed with domestic and international partners to improve defenses against current cyber threats. The recommendations reflect current adversary behavior and common security gaps identified in recent investigations of cyberattacks.

The ten recommendations cover high-impact measures for reducing cyber risk by improving resilience and reducing the attack surface. Over the following 10 weeks, the FBI will publish further information and guidance on these cybersecurity measures:

  1. Adopt phishing-resistant authentication – Many data breaches start with credentials stolen in phishing attacks.
  2. Implement a risk-based vulnerability management program – Threat actors often exploit known, unpatched vulnerabilities in operating systems, software, and firmware for initial access.
  3. Track and retire end-of-life tech on a defined schedule – End-of-life software and devices are often targeted as they no longer receive security updates.
  4. Manage third-party risk – Security is only as good as the weakest link, which is often the least-protected vendor with network or data access.
  5. Protect and preserve security logs – Security logs are essential for detection, response, and attribution, and are often deleted by threat actors to hide their tracks.
  6. Maintain offline immutable backups and test restoration – Resilience depends on backups and tested recovery.
  7. Identify, inventory, and protect internet-facing systems and services – Eliminate any unnecessary exposure and reduce the attack surface.
  8. Strengthen email authentication and malicious content protections – Email is one of the most common initial access vectors and must be adequately secured.
  9. Reduce administrator privileges – Persistent administrative access enables rapid escalation when credentials are compromised.
  10. Exercise incident response plans with all stakeholders – Testing the response plan will allow organizations to respond rapidly and reduce the impact of a successful compromise.
Source: Federal Bureau of Investigation.

The post FBI Urges Organizations to Take 10 Actions to Improve Cyber Resilience appeared first on The HIPAA Journal.

HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital

An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.

The audited hospital had more than 300 beds and was part of a network of providers who share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.

HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.

The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.

HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials in the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. In a real attack, a threat actor could use that access as a foothold for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, the click rate and login rate were relatively low, so no recommendations were made regarding its anti-phishing controls.

Another internet-facing application was found to lack strong input validation controls, which left it vulnerable to an injection attack. An attacker could inject malicious code through weak input fields, alter the commands the website sends to its backend, and access sensitive data or manipulate the system. Although the hospital had conducted vulnerability scans and third-party penetration tests, the vulnerability had not been identified. Further, the web application was not protected by a web application firewall for filtering, monitoring, and blocking malicious web traffic, such as injection attempts.
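The report says only that an input field lacked strong validation and that the application was vulnerable to an injection attack; it does not name the injection type or the technology involved. SQL injection is the most common form, and the following Python example, added here and not taken from the audit or from the hospital's application, shows the weakness and the fix side by side: a query built by splicing user input into the command text, the same lookup with parameter binding, and a hardened version that also rejects anything that is not a well-formed record number before it reaches the database. The table, the medical record number format, and the payload are all constructed for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the application's backing store.
    (The audit report does not describe the real application or its schema.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("1001", "Patient A", "000-00-0001"), ("1002", "Patient B", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """Weak input validation: the user-controlled value is spliced into the command
    text, so the input can change the structure of the query, not just its value."""
    query = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, mrn):
    """Parameter binding: the driver sends the value separately from the command, so
    quotes and keywords in the input are matched literally and cannot alter the query."""
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


# Hypothetical format for a medical record number: 4 to 10 digits, nothing else.
MRN_PATTERN = re.compile(r"[0-9]{4,10}")


def lookup_hardened(conn, mrn):
    """Allow-list validation at the trust boundary plus parameter binding. Rejecting
    malformed input early also gives the application a clean place to log the attempt."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError(f"rejected MRN input: {mrn!r}")
    return lookup_parameterized(conn, mrn)


INJECTION_PAYLOAD = "' OR '1'='1"  # constructed tautology payload


def demo():
    """Run the same payload through all three lookups and collect the outcomes."""
    conn = build_db()
    results = {
        "vulnerable": lookup_vulnerable(conn, INJECTION_PAYLOAD),      # every row leaks
        "parameterized": lookup_parameterized(conn, INJECTION_PAYLOAD),  # no row matches
    }
    try:
        lookup_hardened(conn, INJECTION_PAYLOAD)
        results["hardened"] = "accepted"
    except ValueError as exc:
        results["hardened"] = str(exc)  # rejected before any query is sent
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

The vulnerable lookup returns both patient rows for the tautology payload because the resulting command is `... WHERE mrn = '' OR '1'='1'`; the parameterized lookup returns nothing because the whole payload is compared as a literal string. The allow-list check is the part a scanner tends to miss and a manual or dynamic test finds: it turns a silently wrong query into a logged rejection, which is also the signal a web application firewall would be tuned to block.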

HHS-OIG made four recommendations: Implement strong user identification and authentication controls for the account management web application; periodically assess and update user identification and authentication controls across all systems; assess all web applications to determine if an automated technical solution, such as a web application firewall, is required; and utilize a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing.

HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.

“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”

Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:

  • Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
  • Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
  • Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
  • Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
  • Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit


CISA Issues Guidance for Proactively Defending Against Insider Threats

Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024.

Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common.

Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure organizations to take decisive action against insider threats, and has published a new resource specifically developed for critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to help them assemble a multi-disciplinary insider threat management team. The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.

Insiders have institutional knowledge and legitimate access rights, allowing them to easily access and steal sensitive data, and detecting insider breaches can be a challenge. Insider incidents can cause significant harm to healthcare organizations, including reputational damage, revenue loss, and harm to people and key assets. “Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience, demanding proactive measures to detect, prevent, and respond,” explained CISA.

“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”

Combating insider threats requires an insider threat mitigation program that includes physical security, cybersecurity, personnel awareness, and partnerships with the community, and assembling a multi-disciplinary insider threat management team is a critical part of that process. The threat management team should oversee the insider threat management program, monitor for potential threats, and act quickly to mitigate the consequences of negligent and malicious insider actions. With an effective insider threat management team in place, organizations can reduce the damage and frequency of insider threat incidents.

A threat management team will be far more effective than any one individual, with teams able to be scaled and adjusted in scope and capability as the organization matures and evolves. Having a range of insider threat subject matter experts will allow the organization to obtain varied perspectives and generate more accurate and holistic threat assessments. Team members should include threat analysts, general counsel, human resources, the CISO, CSO, as well as external parties, including investigators, law enforcement, and medical or mental health counselors.

In the guidance, CISA offers a framework consisting of four stages – Plan, Organize, Execute, and Maintain (POEM). The Plan stage allows the organization to structure and scope the role of the threat management team. The Organize phase involves the team guiding employee awareness, creating a culture of reporting, and providing the necessary support to relevant departments to identify potential insider threat activity. The Execute phase involves upholding the insider threat mitigation program, and the Maintain phase is concerned with developing the threat management team to ensure it remains effective over time.

“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla.


U.S. Data Compromises Hit Record High in 2025

An unwanted new record was set in 2025 for data compromises, which increased by 4% from the record-breaking total in 2024, according to the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization dedicated to helping victims of data breaches, scams, and identity theft. ITRC also offers education to help consumers protect themselves against identity theft and fraud. ITRC tracks data compromises, which include data breaches, data leaks, and accidental exposures of sensitive consumer data.

The record total of 3,332 data compromises in a year represents a 79% increase in just five years, and the third successive year when more than 3,000 data compromises have been identified. While the historic high is concerning, there is at least some good news, as the number of individuals affected by data compromises has fallen sharply to the lowest annual total since 2014. Across the 3,332 data compromises, 278.8 million individuals were affected, down from 2024’s shockingly high total of 1.36 billion. The relatively low total is due to a lack of mega data breaches, which have been a regular feature over the past few years.

An ITRC poll of 1,000 U.S. consumers revealed 80% received at least one breach notice in the past year, and two-fifths received between three and five different notices. Out of the individuals who received a notice about a data breach, 88% said they experienced one or more negative consequences, such as an account takeover, an increase in spam emails and phishing attempts, or mental health issues.

Worryingly, the frequency with which data breach notices are being received is leading to breach fatigue. Out of the people who did nothing after receiving a notice, 48.3% said they had breach fatigue from so many notices, 46.1% said they felt helpless because they believed there was nothing they could do about it, 41.6% said the language of the notification suggested the breach was not serious enough to warrant any action, and 36% said they didn’t trust the notice and thought it was a scam.

Out of the 3,332 data compromises, 2,928 were data breaches, involving 232,726,796 victim notices, 24 were data exposures involving 527,894 victim notices, and there were 366 unknown compromises, involving 1,584,024 victim notices. Four of the data compromises involved previously compromised data. The largest confirmed data compromises of the year (based on victim notices) occurred at PowerSchool (71.9 million), AT&T (44 million), Aflac (22.7 million), Prosper Funding (17.6 million), and Conduent Business Services. The number of individuals affected by the Conduent data breach has yet to be confirmed, but it was a massive data breach, affecting 14.7 million individuals in Texas alone.

Financial services remained the most targeted sector, with 739 confirmed data compromises, and the healthcare sector took second spot, with 534 confirmed compromises, down slightly from 2024’s 537 compromises. Professional services was the third most targeted sector with 478 compromises, followed by manufacturing (299) and education (188).

ITRC draws attention to a five-year trend of threat actors increasingly targeting static identifiers, which facilitate long-term fraud. Social Security numbers were involved in two-thirds of data breach reports in 2025, with one-third involving either bank accounts or driver’s license numbers. Between 2021 and 2025, the number of compromises involving Social Security numbers almost doubled, driver’s license data breaches increased by 139% over the same period, and bank account information breaches increased by 168%.

ITRC warns of the increasing risk from supply chain data breaches, which in the space of a year almost doubled from 660 affected entities in 2024 to 1,251 affected entities in 2025, despite the number of attacks only increasing by one year-over-year. From 2021 to 2025, supply chain breaches doubled and now account for 30% of all breaches involving at least one third party.

For several years, ITRC has highlighted the growing trend of breached entities failing to provide consumers with adequate information about a data breach, preventing them from making an informed decision about the amount of risk they face from their data being exposed. For instance, a healthcare provider may state in a breach notice that there has been a data incident involving protected health information that was potentially subject to unauthorized access, when the reality is that a ransomware group has not only exfiltrated the data but also posted it on the dark web, where anyone can download it free of charge.

ITRC said that in 2020, almost 100% of data breach notifications provided the root cause of the data breach in their notices, whereas in 2025, only 30% did. In the space of a year, the percentage of notices withholding the attack vector details increased from 65% in 2024 to 70% in 2025. “Businesses should prioritize transparency over liability mitigation,” urged James Lee, ITRC president.


HHS-OIG Report Highlights Key HHS Cybersecurity Challenges

The U.S. Department of Health and Human Services Office of Inspector General has published its annual report on the Top Management and Performance Challenges Facing HHS to help the department improve the effectiveness and efficiency of its programs. The report highlights some of the cybersecurity challenges faced by HHS, including a lack of standardized governance and controls, which complicates HHS’s preparedness efforts to prevent and respond to cybersecurity threats.

The HHS is a large department with disparate organizational approaches to cybersecurity across its various divisions and programs. While the department has taken steps to consolidate cybersecurity functions and improve cybersecurity, HHS-OIG says overall progress is often still dependent on each division and program. In addition, the HHS has an army of contractors, grantees, and other external entities that number in the thousands. Cybersecurity solutions must be implemented within the HHS, but also by each contractor, grantee, and external entity. That makes cybersecurity improvements especially challenging, and the ability of the HHS to mitigate cybersecurity threats is often dependent on those entities implementing cybersecurity solutions specific to their operations. “Protecting technology and data requires broader efforts beyond implementing technical fixes, such as establishing clear expectations; modernizing program rules; and conducting effective oversight of the Department’s contractors, grantees, and other external entities,” HHS-OIG said.

The healthcare sector remains a key target for cyber actors. Ransomware attacks continue in volume, as financially motivated threat actors encrypt and steal data to use as leverage to obtain ransom payments. Cyberattacks are growing in sophistication and are continually evolving, and the HHS must be able to respond quickly, alert the sector about vulnerabilities under exploitation, and help prepare the sector for evolving threats.

The HHS plays a key role in improving cybersecurity across the sector and responding to threats, yet the diffuse nature of HHS cybersecurity authorities and responsibilities is complicating HHS’s response efforts. The HHS also has limited resources to address the obstacles to improving cybersecurity across the healthcare and public health sector, such as the sector’s reliance on legacy technology and its workforce challenges. Further, privacy and security are governed by HIPAA, which is more than two decades old. HHS-OIG warned that the HIPAA Privacy Rule and the HIPAA Security Rule may not be sufficient to address contemporary privacy concerns and the increasing cybersecurity risks to electronic protected health information. As such, HHS-OIG said the HHS must adapt as privacy and security needs evolve.

Further regulation could help in this regard; however, the HHS has been slow to enact updates to the HIPAA Rules. A Privacy Rule update was proposed by HHS under the previous Trump administration in late 2020, yet a final rule has still not been published more than five years after the update was first proposed. The update is still on the HHS’s agenda, but there has been no indication when a final rule will be published. An extensive update to modernize the HIPAA Security Rule to strengthen cybersecurity across the sector was proposed in the final days of the Biden administration. While there is an urgent need to improve cybersecurity across the sector, it is currently unclear if the HHS, under the Trump administration, plans on implementing the proposed rule.

HHS-OIG said the HHS has taken action to address the challenges it highlights in the report, but there are considerable opportunities for further progress, and until the HIPAA Rules are updated, HHS must continue to work within the statutory authorities established by HIPAA in 1996, the HIPAA Privacy Rule in 2000, and the HIPAA Security Rule in 2003.


OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”
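OCR's newsletter speaks of standardized settings for each type of system and of evaluating whether security measures are enabled and properly configured, but it names no particular system or tool. As an added illustration, not taken from the OCR newsletter, the following Python script audits an OpenSSH server configuration against a small hardening baseline and reports every deviation, including directives that are absent (or commented out) and therefore fall back to sshd's built-in default. The baseline values, the directive list, and the sample sshd_config are assumptions chosen for the example; the parsing rules it relies on (keywords are case-insensitive, the first value of a repeated directive wins, and the listed defaults) come from sshd_config(5).

```python
import re

# Hypothetical hardening baseline: the value each directive should have on this class of host.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# sshd's built-in defaults for these directives (sshd_config(5)), keyed in lower case.
# An absent directive is judged by the default sshd will actually apply, so a commented-out
# "PasswordAuthentication no" is correctly reported as password logins being enabled.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# "Keyword value" or "Keyword=value"; value is everything after the separator, trimmed.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def parse_sshd_config(text):
    """Return the effective value of each directive, keyed in lower case.

    Two sshd rules matter for an audit: keywords are case-insensitive, and when a
    directive appears more than once the FIRST value wins (later ones are ignored).
    Assumption: the audit stops at the first Match block, whose settings are conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "match" or line.lower().startswith("match "):
            break
        m = _DIRECTIVE.match(line)
        if m:
            effective.setdefault(m.group(1).lower(), m.group(2))  # first value wins
    return effective


def audit_sshd(text, baseline=SSHD_BASELINE):
    """Compare a config against the baseline. Returns one tuple
    (directive, expected, observed, source) per deviation, where source is
    "set" when the file sets the directive and "default" when sshd's default applies."""
    effective = parse_sshd_config(text)
    findings = []
    for directive, expected in baseline.items():
        key = directive.lower()
        if key in effective:
            observed, source = effective[key], "set"
        else:
            observed, source = SSHD_DEFAULTS.get(key, "<unknown>"), "default"
        if observed != expected:
            findings.append((directive, expected, observed, source))
    return findings


# Constructed sample configuration (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# sshd keeps the first value of a directive, so the next line is ignored by sshd
PermitRootLogin no
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""

if __name__ == "__main__":
    for directive, expected, observed, source in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: expected {expected}, got {observed} ({source})")
```

Run against the sample, the audit reports three deviations: root login is enabled (the later `PermitRootLogin no` is ignored by sshd, which a checker that keeps the last value would miss), password authentication is enabled by default because the only setting is commented out, and `MaxAuthTries` is above the baseline. The same pattern, a baseline per system type plus a parser that mirrors the software's real precedence rules, is what makes the "evaluate the ongoing effectiveness" step OCR describes repeatable rather than a one-off review.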

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.


Ransomware Attacks Increased by 58% in 2025

The threat from ransomware is greater than ever, according to a new report from GuidePoint Security. The cybersecurity firm recorded a 58% year-over-year increase in victims, making 2025 the most active year it has ever reported. In Q4 2025 alone, GuidePoint Security tracked 2,287 unique victims, the largest number in any quarter tracked by the GuidePoint Research and Intelligence Team (GRIT). December was the most active month in terms of claimed victims, which increased 42% year-over-year to 814. On average, 145 new victims were added to dark web data leak sites every week in 2025, and the year ended with 7,515 claimed victims.

Law enforcement operations have targeted the most active groups, and there have been notable successes; however, they have had little effect on the number of victims, which continues to increase. Rather than the ransomware-as-a-service (RaaS) landscape being dominated by one or two major actors, law enforcement operations have helped create a highly fragmented ecosystem, with smaller groups conducting attacks in high volume, using repeatable operations. In 2025, GRIT tracked 124 distinct named ransomware groups – a 46% increase from 2024 and the highest number of groups ever recorded in a single year.

While ransomware attacks are conducted globally, as in previous years, ransomware actors are primarily focused on the United States, where 55% of attacks were conducted last year, followed by Canada, which accounted for 4.5% of attacks. The manufacturing sector was the most heavily targeted, accounting for 14% of attacks, followed by the technology sector (9%), and retail/wholesale (7%). Healthcare ranked in fourth spot, with more than 500 victims in 2025.

Qilin, the most prolific RaaS group in 2025, disproportionately targets the healthcare sector. The group, which emerged in June 2024, is based in Eastern Europe and is thought to be a rebrand of the Agenda ransomware group. In 2024, the group added 154 victims to its dark web data leak site, increasing that tally by 578% to 1,044 victims in 2025, most likely by increasing its number of affiliates, many of whom are thought to have previously worked with the RansomHub group that shut down operations in April 2025. The large number of affiliates, each with their own specialties, means the group uses diverse tactics in its attacks. To put the volume of attacks into perspective, in 2025, Qilin conducted more attacks than LockBit did at its peak.

Qilin has claimed more healthcare victims than any other ransomware group, one of the most notable of which was UK pathology lab Synnovis. That single attack has reportedly caused more than $40 million in losses. The group is expected to continue as the most dominant group in 2026, although expanding operations to such an extent will make it a target for law enforcement. INC Ransom was the second biggest threat to healthcare organizations in 2025, followed by SafePay. While SafePay has been observed targeting small to mid-sized organizations, the group claimed responsibility for the ransomware attack on Conduent Business Services, which recently confirmed that 14.7 million individuals in Texas alone had their data compromised in the attack.

A relatively new ransomware group called Sinobi has conducted several attacks on healthcare organizations since it emerged in mid-2025. The group picked up the pace in Q4, adding 149 victims to its data leak site. GRIT notes that such a significant increase in tempo just a few months after forming is indicative of an established rather than an emerging or developing RaaS group, indicating the group may be a rebrand or at least has some highly experienced affiliates. In 2026, Sinobi is expected to pose a significant threat to the healthcare sector. LockBit has also returned since the law enforcement disruption in 2024, adding 106 new victims to its data leak site in December. LockBit similarly has no qualms about attacking the healthcare sector and is likely to be a significant threat in 2026.

There is growing evidence that ransomware groups are incorporating AI into their operations, most commonly in social engineering: to overcome language barriers, personalize lures, and craft contextually appropriate messages that bypass traditional detection methods. They are also thought to be using AI to sift the large volumes of data they exfiltrate in their attacks, identifying high-value data and calibrating ransom demands. While there are fears of fully AI-powered attacks, none has yet been observed; threat actors are using AI to augment existing capabilities rather than to create autonomous, AI-coded malware, although both could become accessible enough for broader adoption in 2026.

“The year 2026 will likely see continued convergence of criminal innovation and AI capabilities, demanding that defenders adopt equally sophisticated technologies and intelligence-led approaches,” concluded GRIT. “The organizations best positioned to withstand this evolution will be those that prioritize rapid detection and response, implement comprehensive identity and access controls, and integrate AI-powered defenses as essential components of their security architecture rather than experimental additions.”

The post Ransomware Attacks Increased by 58% in 2025 appeared first on The HIPAA Journal.

October 2025 Healthcare Data Breach Report

The October 2025 healthcare data breach report was delayed because the federal government was shut down for the whole of October. The HHS' Office for Civil Rights (OCR) did not upload any data breach reports during the shutdown, which ended on November 12, 2025, and left OCR with a considerable backlog of breach reports to add to its breach portal. When a breach report is received, OCR verifies the data, a process that can take around two weeks, before adding it to the portal. Breaches reported in October were still being added well into December.

healthcare data breaches in the past 12 months - October 2025

Based on data obtained from OCR on December 31, 2025, OCR received 28 reports of data breaches affecting 500 or more individuals in October – the lowest monthly total of the year, the lowest total since the 28 reported data breaches in May 2020, and a 31.7% month-over-month reduction in large healthcare data breaches.

October healthcare data breaches 2020-2025

While there has been a downward trend in data breaches, the October total is suspiciously low, which could indicate the backlog of data breach reports has yet to be cleared. The totals will be better reflected in our 2025 healthcare data breach report, due for publication in late January, and our healthcare data breach statistics page.

Individuals affected by healthcare data breaches in the past 12 months - october 2025

While breach numbers are down, the number of affected individuals increased by 540% month-over-month to 11,062,868 individuals, the second-highest monthly total of the year. That total is almost certain to rise well past April's total, as the largest data breach of the month is still under investigation and the number of affected individuals has yet to be finalized.

Individuals affected by October 2025 healthcare data breaches

The Largest Healthcare Data Breaches Reported in October 2025

In October, 7 healthcare data breaches were reported that affected more than 10,000 individuals, all of which were network server hacking incidents. The largest data breach of the month occurred at the business associate Conduent Business Services, a provider of back-office services to healthcare providers, health plans, and government agencies. Conduent’s client list includes major U.S. health insurers such as Humana and Premera Blue Cross.

Conduent experienced a hacking incident in May 2025, and while not stated as a ransomware attack, the SafePay ransomware group claimed responsibility. On its data leak site, SafePay claimed to have stolen 8.5 terabytes of data. Conduent notified the HHS’ Office for Civil Rights that 42,616 individuals had been affected; however, a few months later, the Oregon Attorney General was informed that more than 10.5 million individuals were affected nationwide.

Since the data for this report were compiled, there has been a further breach report from Conduent. The Texas Attorney General has been informed that the Conduent data breach affected 14.7 million individuals in Texas alone.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Conduent Business Services LLC | NJ | Business Associate | 10,515,849* | Ransomware attack (SafePay) |
| Tri Century Eye Care PC | PA | Healthcare Provider | 200,000 | Hacking incident (data theft confirmed) |
| Central Jersey Medical Center | NJ | Healthcare Provider | 88,000 | Ransomware attack (Sinobi ransomware group) |
| Sierra Vista Hospital & Clinics | NM | Healthcare Provider | 75,054 | Hacking incident |
| Bosch Choice Welfare Benefit Plan | MI | Health Plan | 55,000 | Hacking incident |
| Heartland Health Center | NE | Healthcare Provider | 43,728 | Hacking incident |
| Revere Health, PC | UT | Healthcare Provider | 10,800 | Hacking incident at a third-party payment system |

*Figure reported to the Oregon Attorney General. The figure originally reported to OCR was 42,616, and the number subsequently reported to the Texas Attorney General is higher still.

The HIPAA Breach Notification Rule requires data breaches to be reported to OCR within 60 days of the discovery of a data breach. If the total number of affected individuals is not known, an estimate should be provided. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when the data review is ongoing. In October, two data breaches were reported with suspected 501 placeholder totals.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Saint Mary's Home of Erie | PA | Healthcare Provider | 501 | Hacking incident |
| North Atlantic States Carpenters Health Benefits Fund | MA | Health Plan | 501 | Hacking incident |

Causes of October 2025 Healthcare Data Breaches

As is usually the case, hacking and other IT incidents dominated the breach reports in October, accounting for 21 (75%) of the month’s data breaches and 99.8% of the affected individuals. Across the 21 data breaches, 11,037,882 individuals had their protected health information exposed or stolen. The average breach size was 525,613 individuals, and the median breach size was 6,633 individuals.

Causes of October 2025 healthcare data breaches

The next most common category of data breaches was unauthorized access/disclosure incidents. There were 7 of these incidents in October, affecting 24,986 individuals. The average breach size was 3,569 individuals, and the median breach size was 3,177 individuals.

Loss and theft incidents, along with improper disposal incidents, were among the most common types of data breach when OCR first started publishing healthcare data breach data in 2009, but they are now relatively rare. No loss, theft, or improper disposal incidents were reported in October. The most common location of breached protected health information in October was network servers, with email the second most common.

Location of breached PHI - october 2025

Where did the Data Breaches Occur?

Healthcare providers reported 20 data breaches in October (472,481 affected individuals), health plans reported 4 (60,358 affected individuals), and business associates of HIPAA-covered entities reported 4 (10,530,029 affected individuals).

When a data breach occurs at a HIPAA business associate, the business associate must report the data breach to each affected covered entity, and the covered entity must decide who should send out individual notifications and notify OCR and the media. Some covered entities choose to report business associate breaches to OCR and issue their own notifications, while others delegate that responsibility to the business associate. If a business associate works with multiple covered entities, some of their covered entity clients may report the breach, while others delegate the responsibility to the business associate.

As a result, business associate data breaches are often underrepresented in healthcare data breach reports. The HIPAA Journal attributes each breach to the entity where it occurred rather than the entity that reported it, so that business associate breaches are counted accurately. As the pie chart below shows, while 4 of the month's data breaches were reported by business associates, 9 occurred at business associates.

data breaches at HIPAA-regulated entities - october 2025

October 2025 healthcare data breaches - individuals affected by hipaa-regulated entity

Geographic Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 18 U.S. states reported data breaches in October. Florida and Texas were the worst-affected states in October, with three large healthcare data breaches reported by entities headquartered in each of those states.

| States | Breaches |
|---|---|
| Florida, Texas | 3 |
| Alaska, Arizona, California, Illinois, New Jersey, Pennsylvania | 2 |
| Kentucky, Massachusetts, Michigan, Missouri, Montana, Nebraska, New Mexico, Ohio, Oklahoma, Utah | 1 |

While Florida and Texas had the highest number of data breaches, each affected a relatively low number of individuals. Unsurprisingly, given the scale of the data breach at Conduent Business Services, New Jersey was the worst-affected state, although that total includes individuals across the United States.

| State | Individuals Affected |
|---|---|
| New Jersey | 10,603,849 |
| Pennsylvania | 200,501 |
| New Mexico | 75,054 |
| Michigan | 55,000 |
| Nebraska | 43,728 |
| Texas | 14,233 |
| Utah | 10,800 |
| California | 9,700 |
| Kentucky | 9,536 |
| Illinois | 9,405 |
| Florida | 8,503 |
| Oklahoma | 6,633 |
| Montana | 5,617 |
| Arizona | 4,177 |
| Alaska | 2,641 |
| Missouri | 1,680 |
| Ohio | 1,310 |
| Massachusetts | 501 |

HIPAA Enforcement Activity in October 2025

The government shutdown for the entire month of October meant all but the most critical workflows ground to a halt at the Department of Health and Human Services. As such, there were no announcements about HIPAA settlements and civil monetary penalties, and no penalties were announced by state attorneys general in October.

The post October 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose

Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

In NMIS/BioDose V22.02 and earlier, installations that use the embedded Microsoft SQL Server Express instance expose its directory through the Windows share that client workstations access in networked installs. The directory paths have insecure permissions by default, allowing access to the SQL Server database files and configuration, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and earlier rely on a single shared SQL Server user account to access data in the database. Although users must supply a password in the client software, that check is performed by the client; the underlying database connection always has full access to the data regardless of which application user logged in. Version 23.0 adds an option to use Windows user authentication with the database so that the database connection itself can be restricted.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and earlier rely on a Microsoft SQL Server database in which the application's SQL user account, nmdbuser, and other accounts created by the software hold the sysadmin server role. A sysadmin login can use built-in stored procedures that execute operating-system commands (enabling and calling xp_cmdshell is the best-known example), so compromise of that account could lead to remote code execution on the database server.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.
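A practical check for both the install-directory issue above and the share-exposed SQL Server directory in CVE-2025-64298 is to read the ACLs with `icacls` and look for allow entries that let broad principals (Everyone, Users, Authenticated Users) create, replace or delete files. The script below is an added example, not code from Mirion or the advisory: it parses the output of `icacls <dir>` (captured on the server, or on the host of the share for the SQL data directory) and flags such entries. The sample `icacls` output and the `C:\Program Files\NMIS` path are constructed for illustration.

```python
"""Triage install-directory permissions from `icacls` output.

Added example, not part of the Mirion advisory or product: it parses the
output of `icacls <dir>` and flags allow ACEs that give broad principals
enough rights to replace files, the condition behind CVE-2025-64642 and the
exposed SQL Server directory in CVE-2025-64298. The sample output below and
the install path are constructed.
"""
import re
from dataclasses import dataclass

# Principals that amount to "any local or domain user".
BROAD_PRINCIPALS = {
    "everyone",
    "users",
    "builtin\\users",
    "authenticated users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that allow creating, replacing or deleting files, i.e. enough
# to swap an executable or DLL: simple rights F/M/W and the specific rights
# write data (WD), append data (AD), delete (D/DE), delete child (DC),
# write DAC (WDAC) and write owner (WO).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DE", "DC", "WDAC", "WO"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    deny: bool
    inherited: bool


def parse_icacls(output: str, root: str) -> list:
    """Parse `icacls <root>` output into Ace records.

    icacls prints the path in front of the first ACE and indents the rest;
    trailer lines ("Successfully processed ...") carry no ACE and are skipped.
    """
    root = root.rstrip("\\")
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(root):
            line = line[len(root):].strip()
        if ":(" not in line:
            continue
        principal, _, flags = line.partition(":(")
        rights, deny, inherited = set(), False, False
        for token in ACE_RE.findall("(" + flags):
            token = token.strip()
            if token == "DENY":
                deny = True
            elif token in INHERITANCE_FLAGS:
                inherited = inherited or token == "I"
            else:
                rights.update(t.strip() for t in token.split(","))
        aces.append(Ace(principal, frozenset(rights), deny, inherited))
    return aces


def risky_aces(aces) -> list:
    """Allow ACEs that grant write-capable rights to broad principals."""
    return [
        a for a in aces
        if not a.deny
        and a.principal.lower() in BROAD_PRINCIPALS
        and a.rights & WRITE_RIGHTS
    ]


def report(output: str, root: str) -> list:
    """Human-readable findings, one line per risky ACE."""
    return [
        f"{root}: {a.principal} can write ({','.join(sorted(a.rights))})"
        + (" [inherited]" if a.inherited else "")
        for a in risky_aces(parse_icacls(output, root))
    ]


# Constructed sample: what a vulnerable install directory might look like.
# Users hold Modify on the tree and Everyone can add files (WD,AD).
SAMPLE_ROOT = r"C:\Program Files\NMIS"
SAMPLE_ICACLS = r"""C:\Program Files\NMIS NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX)
                    BUILTIN\Users:(OI)(CI)(M)
                    Everyone:(OI)(CI)(IO)(WD,AD)
                    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for line in report(SAMPLE_ICACLS, SAMPLE_ROOT):
        print(line)
```

The read-only `BUILTIN\Users:(RX)` entry is not reported; only the Modify entry for Users and the WD,AD entry for Everyone are, since those are the rights that let a low-privileged user replace an executable. After applying the vendor update, re-running the same check confirms the directory no longer grants those rights.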

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose V22.02 and earlier ship executable binaries containing plaintext hard-coded passwords, which anyone able to read the binaries could recover and use to gain unauthorized access to the application and database.
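Hard-coded credentials of this kind are usually recoverable with a string scan, and a defender can run the same scan over their own copy of the binaries to confirm exposure before and after updating. The script below is an added example, not code from Mirion or the advisory: it extracts printable runs from a binary in both ASCII and UTF-16LE (the encoding Windows programs commonly use for embedded strings), parses anything that looks like an ADO.NET or ODBC connection string, and reports entries that carry a password while masking the secret itself. The sample binary, host name and password are constructed; only the account name nmdbuser comes from the advisory.

```python
"""Locate plaintext connection-string credentials embedded in a binary.

Added example, not code from Mirion or the advisory: a triage scan of the
kind a defender would run over the NMIS/BioDose executables to see whether
hard-coded passwords such as those described in CVE-2025-64778 are present.
Windows programs frequently store strings as UTF-16LE, so both ASCII and
UTF-16LE runs are examined. The sample binary below is constructed; the host
name and password in it are made up.
"""
import re
from dataclasses import dataclass

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# "key = value" pairs as written in ADO.NET / ODBC connection strings.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*=\s*([^;]*)")

SECRET_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user")
SERVER_KEYS = ("server", "data source", "addr", "address")


@dataclass(frozen=True)
class Finding:
    offset: int
    encoding: str
    server: str
    user: str
    secret_key: str
    masked_secret: str


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for printable runs in both encodings."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def parse_pairs(text: str) -> dict:
    """Split a candidate string into lower-cased key -> value pairs."""
    return {k.strip().lower(): v.strip() for k, v in PAIR_RE.findall(text)}


def first(pairs: dict, keys) -> str:
    """First non-empty value among alternative spellings of a key."""
    return next((pairs[k] for k in keys if pairs.get(k)), "")


def mask(secret: str) -> str:
    """Keep only the first character so reports do not leak the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_embedded_credentials(blob: bytes) -> list:
    """Return a Finding for every string carrying a non-empty password."""
    findings = []
    for offset, encoding, text in extract_strings(blob):
        pairs = parse_pairs(text)
        for key in SECRET_KEYS:
            if pairs.get(key):
                findings.append(Finding(
                    offset, encoding,
                    first(pairs, SERVER_KEYS), first(pairs, USER_KEYS),
                    key, mask(pairs[key]),
                ))
    return findings


def scan_file(path: str) -> list:
    """Scan a file on disk, e.g. an installed NMIS/BioDose executable."""
    with open(path, "rb") as fh:
        return find_embedded_credentials(fh.read())


# Constructed stand-in for a program binary: header bytes, an innocuous
# message, an ASCII connection string, a UTF-16LE connection string, and a
# UTF-16LE connection string that uses Windows authentication (no secret).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"Connecting to database...\x00"
    + b"Server=NMISSRV\\SQLEXPRESS;Database=NMIS;User Id=nmdbuser;Password=Example!Pass1;\x00"
    + b"\x00" * 16
    + "Data Source=NMISSRV\\SQLEXPRESS;Initial Catalog=NMIS;Uid=nmdbuser;Pwd=Example!Pass1;".encode("utf-16le")
    + b"\x00" * 16
    + "Server=NMISSRV\\SQLEXPRESS;Database=NMIS;Integrated Security=SSPI;".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BINARY):
        print(f"offset 0x{f.offset:x} {f.encoding}: "
              f"{f.user}@{f.server} {f.secret_key}={f.masked_secret}")
```

The Windows-authentication string is deliberately not reported: it carries no secret, which is also why moving the product's database connection to Windows user authentication (the option added in v23.0) removes the value of any password left in the binary. A scan that still reports findings after the update is a sign the old binaries are still present on the client workstations or the share.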

The post High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose appeared first on The HIPAA Journal.