Thanksgiving weekend is just a few days away, and while many healthcare employees will be enjoying time off work, it will be a particularly busy time for cybercriminals. Many hacking and ransomware attacks occur over Thanksgiving weekend when staffing levels are lower, and fewer eyes are monitoring for indicators of compromise.

The high level of ransomware attacks during holiday periods has recently been confirmed by the cybersecurity firm Semperis, which reports that in the United States, 56% of ransomware attacks occur on a weekend or holiday, and 47% of ransomware attacks on healthcare organizations occur during these times when staffing levels are reduced.

“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

The Semperis 2025 Ransomware Holiday Risk Report is based on an analysis of responses to a detailed global ransomware survey of 1,500 IT and security professionals conducted in the first half of the year by Censuswide. The survey suggests that ransomware groups research their targets and time their attacks to coincide with material corporate events such as mergers, acquisitions, IPOs, and layoffs, and exploit the organizational disruption and reduced security focus during these events. “Organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger, and cannot afford downtime, making them more likely to pay quickly to restore operations,” said Inglis. “During these times, it is critical to remain vigilant and situationally aware that bad actors may be lurking, looking to plant ransomware.”

In healthcare, 96% of organizations maintain a security operations center, with 80% managing it in-house and 20% outsourcing to a third-party vendor. During weekends and holiday periods, 73% of healthcare organizations reduce their SOC staffing levels by 50% or more, and 5% of organizations said they eliminate their SOC staffing entirely on weekends and holidays. The main reasons given for reducing or eliminating staffing levels were to improve work/life balance (63%), because the organization was closed during holidays and weekends (43%), and 36% of respondents said they did not expect an attack to take place.

Smaller organizations were the most likely to cut or eliminate SOC staffing levels on weekends and during holiday periods because they thought they would be unlikely to be attacked. While reducing staffing levels to give employees weekends and holidays off is all well and good, there is no time off for hackers. If internal staffing levels are to be reduced, there must be adequate monitoring, staff on call, or a third-party vendor providing cover.

There has been a marked increase in organizations bringing their SOC in-house, which is up 28 percentage points from last year, which has coincided with a 30% percentage point increase in below 50% staffing levels during holidays and weekends to maintain a better work/life balance. The reason for the shift in bringing SOCs in-house was not explored in the study, but there could be several factors at play.

“Being able to see what’s happening might enable organizations to pivot and adapt faster based on changing operations, business needs, and regulatory reporting requirements,” Courtney Guss, Semperis Director of Crisis Management, said. “The ROI of outsourcing also seems to be shifting as AI begins to handle some Tier 1 work, leaving the more complex work for SOC analysts.”

The survey also probed respondents on their identity infrastructure and the methods used for protection. The majority (90%) scan for vulnerabilities, although only 38% have vulnerability remediation procedures, and only 63% automate recovery. Concerningly, 10% of respondents said they do not have an identity threat detection and response strategy.

One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta,” former Australian Prime Minister Malcolm Turnbull said. “These are the digital keys that determine who can access what within an organization. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defense.

The post Threat Actors Time Attacks to Coincide with Periods of Reduced Vigilance appeared first on The HIPAA Journal.

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices.

Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices.

The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs.

If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to clearly state in contracts the responsibilities of each party with respect to cybersecurity – it is likely to result in downstream disputes, insufficient security, and potential patient safety issues.

“In today’s partnership between HDOs and MDMs, cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices. For HDOs and MDMs alike, this leads to an investment in security controls that are not always aligned between stakeholders,” explained HSCC.

The HSCC Cybersecurity Working Group (CWG) formed the Model Contract Language Task Group in 2020 to help address these issues. The Working Group consists of 50 representatives from HDOs, MDMs, group purchasing organizations, and security and compliance specialists. After two years of deliberations, the Task Group published the first version of the Model Contract Language in 2022, which serves as a neutral framework for the contractual cybersecurity relationships between HDOs and MDMs.

The aim of the Model Contract Language is to help HDOs protect themselves and their patients from cybersecurity threats by establishing and maintaining appropriate security contract terms and commitments from MDMs concerning their products, services, and solutions. Version 1 has been downloaded more than 1,500 times from the HSCC CWG website since its publication.

In 18 months after publication, users submitted almost 100 comments to HSCC. The Task Group reconvened last year to review the feedback and has now incorporated many of the recommendations in Version 2, which it is hoped will simplify the contracting process, making it more predictable and less costly and time-consuming.

The main improvements made in Version 2 are revisions and expansions to align with the changed regulatory environment; updates to reflect increasing security maturity and better alignment with expectations between stakeholders; resolution of unclear separation in areas where terms describe shared responsibilities; and simplification of the language to improve clarity and structure to help speed up contract negotiations.

HSCC says the Model Contract Language can be used as a standalone agreement with an MDM, or as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), or Request for Proposal (RFP). The document can serve as a template that can be tailored to meet the specific compliance needs of each HDO.

The post HSCC Updates Model Contract Language Framework for HDOs & MDMs appeared first on The HIPAA Journal.

A critical vulnerability in Oracle Identity Manager is under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA has instructed all federal civilian executive branch agencies to ensure the vulnerability is patched by December 12, 2025, and strongly recommends that all users apply the available patches as soon as possible.

The remote code execution vulnerability can be easily exploited by an unauthenticated remote attacker via HTTP.  Successful exploitation would allow an attacker to execute arbitrary code on vulnerable systems, leading to a full takeover of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has a CVSS severity score of 9.8 out of 10.  The vulnerability is due to missing authentication for a critical function in the REST WebServices component of Oracle Fusion Middleware. The vulnerability can be exploited to trick a security filter into treating protected endpoints as publicly accessible, allowing access to a script that can be abused to run malicious code.

The vulnerability was identified by Searchlight Cyber researchers Adam Kues and Shubham Shahflow, who reported the vulnerability to Oracle. The researchers identified the flaw while investigating a security incident that exploited an older vulnerability, CVE-2021-35587. The researchers report that, in contrast to some of the previously identified vulnerabilities in Oracle Access Manager, this flaw is somewhat trivial and is easily exploitable by threat actors.

The vulnerability affects the supported versions 12.2.1.4.0 and 14.1.2.1.0. Oracle released patches to fix the vulnerability in its batch of October 2025 security updates. Any users who have yet to download and install the patches should do so immediately to prevent exploitation, as the researchers have now released all the necessary information to exploit the flaw.

While it is unclear how widely the vulnerability is being exploited, it is likely to be a prime target for ransomware groups. Some evidence has been found to suggest that the flaw has been exploited since August 30, 2025, potentially by an advanced persistent threat actor.

The post Critical Flaw in Oracle Identity Manager Under Active Exploitation appeared first on The HIPAA Journal.

A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment.

The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which can cause an overflow of the buffer stack, overwriting critical memory locations.

Successful exploitation of the vulnerability could allow an unauthorized individual to execute arbitrary code with SYSTEM privileges if the UPSMONProService service communication is not properly validated.

The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier. Emerson has warned that the affected versions have reached end-of-life, so patches are not being released to fix the vulnerability. Any user who has yet to replace the affected UPSMON-PRO version with an actively supported UPS monitoring solution should do so as soon as possible.

While there is no patch, there are recommended mitigations to reduce the potential for exploitation. Users should block UDP port 2601 at the firewall level for all UPSMON-PRO installations, UPS monitoring networks should be isolated from general corporate networks, network-level packet filtering should reject oversized UDP packets to port 2601, and UPSMON-ProSer.exe should be monitored for server crashes as potential indicators of exploitation attempts.

CISA recommends ensuring that Emerson Appleton UPSMON-PRO is not accessible from the Internet, and if remote access is required, to ensure that secure methods are used to connect remotely, such as virtual private networks running the most up-to-date software version.

The post Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO appeared first on The HIPAA Journal.

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, over 20% more than the second most active group, Qilin, with 18%, and Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4^th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys information activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors.  Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.

Patches have been released to fix a critical OS command injection vulnerability affecting Fortinet web application firewalls. The FortiWeb zero-day vulnerability is rated medium-severity with a CVSS score of 6.7 out of 10; however, the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-58034, can only be exploited by an authenticated attacker, hence the relatively low CVSS score, but the vulnerability can be exploited in a low-complexity attack and will allow the attacker to execute unauthorized code on the underlying system. The vulnerability can be exploited via specially crafted HTTP requests or CLI commands. The vulnerability was identified by Jason McFadyen of Trend Micro’s Trend Research team and is due to improper neutralization of special elements in an OS command.

The vulnerability affects multiple FortWeb versions:

This is the second vulnerability in FortiWeb to be identified and patched recently. Last week, Fortinet announced that a critical path traversal vulnerability in FortiWeb, tracked as CVE-2025-64446 (CVSS v3.1 9.4), received a silent patch on October 28, 2025. The vulnerability can be exploited by an unauthenticated attacker to execute administrative commands on the system via specially crafted HTTP or HTTPS requests.

The vulnerability affects versions 8.0.2 through 8.0.1 and versions 7.6.0 through 7.6.4. The vulnerability was fixed in version 8.0.2 and above, and version 7.6.5 and above. Defused reports that there has been active exploitation of the vulnerability, although that has yet to be confirmed by Fortinet. It is unclear why a security advisory about the flaw was not released at the time the patch was released.

The post Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw appeared first on The HIPAA Journal.

Cyber threat actors had a busy October, with attack volume up 2% month-over-month and 5% year-over-year. In October, organizations experienced an average of 1,938 cyberattacks per week, according to the latest data from cybersecurity firm Check Point.

While attacks are up across all sectors, there was a 15% year-over-year fall in attacks on the health and medical sector, with 2,094 reported attacks in October. The biggest increases were seen in the agriculture (+71%) and information technology sectors (+48%). Education was the most targeted sector with 4,470 attacks, up 5% from October 2024. Latin America experienced the highest number of attacks, with attacks up 16% from October 2024, but the biggest increase was seen in North America, with an average of 1,464 attacks per week, up 18% from October 2024.

Check Point reports that the rise in attacks was fueled by the growing sophistication of ransomware, with attacks dramatically increasing in October. Check Point tracked 801 reported attacks in October, which is a 48% increase compared to September. While Latin America experiences more attacks than any other region, North America was the main target of ransomware groups, accounting for 62% of incidents, ahead of Europe with 19% of attack volume. In October, 57% of reported victims were in the United States, and there was a 56.8% increase in attacks compared to September.

Qilin was the most active ransomware group, accounting for 22.7% of attacks in October. The group has evolved into a sophisticated ransomware-as-a-service organization, attracting new affiliates due to its extensive affiliate support. Akira took second spot with 8.7% of attacks, and the recently emerged Sinobi ransomware group took third spot with 7.8% of attacks.

While all three groups attack healthcare organizations, the healthcare sector appears to be a key focus of the Sinobi group. Sinobi is a ransomware-as-a-service group with a professional structure, highly skilled internal operators, and a team of carefully vetted affiliates. Sinobi primarily targets mid- to large-sized organizations, primarily in the United States and allied countries.

Sinobi claims on its dark web data leak site to have attacked East Jefferson General Hospital, Greater Mental Health of New York, Johnson Regional Medical Center, Judson Center, Middlesex Endodontics, Newmark Healthcare Services, Phoenix Village Dental, Queens Counseling for Change, South Atlanta Medical Clinic, and Watsonville Community Hospital since the group emerged in mid-2025.

Check Point also cautioned about the expanding risks associated with generative AI (GenAI) as enterprise use of GenAI tools continues to grow. One of the biggest threats is the exposure of sensitive data. Check Point reports that in October, 1 out of every 44 GenAI prompts submitted through business networks posed a high risk of sensitive data leakage, something that is especially concerning in healthcare due to the risk of exposure of protected health information.

Check Point reports that 87% of organizations that use GenAI tools regularly experience this type of sensitive data exposure, and many organizations are unaware of the risk. While workers use authorized and managed GenAI tools, on average, 11 different GenAI tools are used by organizations each month, most of which are likely to be unsupervised.

“As ransomware groups evolve and GenAI risks proliferate, organizations must strengthen their threat prevention, data security, and AI governance strategies to stay ahead of adversaries,” suggests Check Point.

The post Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.

In Q1, 2026, the Health Sector Coordinating Council (HSCC) plans to publish AI cybersecurity guidelines for the healthcare sector. Last week, the HSCC Cybersecurity Working Group (CWG) published previews of the cybersecurity guidance ahead of the full release next year.

Artificial intelligence has tremendous potential in healthcare; however, it introduces cybersecurity risks that must be managed and reduced to a reasonable level. To better prepare the health sector, the HSCC CWG established an AI Cybersecurity Task Force in October 2024, consisting of individuals from 115 healthcare organizations across the spectrum. The Cybersecurity Task Group has considered the complexity and the associated risks of AI technology in clinical, administrative, and financial health sector applications, and divided the identified AI issues into five manageable workstreams of discrete functional risk areas:

• Education and enablement
• Cyber operations & defense
• Governance
• Secure by design
• Third-party AI risk and supply chain transparency

Significant progress has been made across all workstreams, and in January, guidance will be published covering each of these areas. The guidelines will include best practices for healthcare organizations to adopt, and while not legally binding, they will help the sector effectively manage and reduce AI cybersecurity risks.

Ahead of the release, HSCC CWG published one-page summaries for each of these workstreams detailing the objectives, key focus areas, and deliverables in each area. HSCC CWG has also published a foundational document that describes the most important AI terms that healthcare organizations need to be aware of.

The education and enablement workstream covers the common terms and language used throughout the guidance to familiarize users with the use of AI in their functional environments and help them better understand risk and apply control activities.

The cyber operations and defense workstream provides practical playbooks for preparing for, detecting, responding to, and recovering from AI cyber incidents. That includes identifying requirements for conducting optimized AI-specific cybersecurity operations, defining AI-driven threat intelligence processes with appropriate safeguards to support clinical workflows, establishing operational guardrails for AI technologies beyond LLMs, including predictive machine learning systems and embedded device AI, and establishing clear governance and accountability.

The governance workstream provides a comprehensive framework that can be used by healthcare organizations of all sizes to manage the cybersecurity risks in their own clinical environments and ensure that AI is used securely and responsibly. The objective of the secure by design workstream is to define and develop secure-by-design principles specifically for AI-enabled medical devices, including practical guidance and tools to empower manufacturers and stakeholders to ensure the cybersecurity of AI-enabled medical devices throughout the entire product lifecycle.

Third-party AI risks and supply chain transparency aims to strengthen security, trust, and resilience through the enhancement of visibility and transparency of third-party tools, establishing oversight and governance polices, and standardizing processes for procurement, vetting, and lifecycle management.

The guidance will help to improve awareness and understanding of critical risk areas and provides a roadmap for implementing new AI technologies while ensuring safety and responsible use.

The post HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance appeared first on The HIPAA Journal.