Healthcare Cybersecurity Training

Microsoft Issues Emergency Patch for Actively Exploited Office Vulnerability

Microsoft has issued an out-of-band security update to fix an actively exploited zero-day vulnerability in Microsoft Office. The vulnerability is tracked as CVE-2026-21509 and has a CVSS v3.1 base score of 7.8 out of 10. The vulnerability is due to reliance on untrusted inputs in a security decision in Microsoft Office, which could allow an unauthorized actor to bypass a security feature locally.

In order to exploit the vulnerability, user interaction is required. An attacker would need to deliver a specially crafted Microsoft Office file, such as via email, and use social engineering techniques to convince the user to open it. The security bypass vulnerability affects multiple Microsoft Office versions, including Office 2021 and later, and Microsoft 365 Apps for Enterprise. Some of the affected Office versions are automatically protected via a server-side change, although in order to be protected, Office applications will need to be restarted.

Affected Office versions that require an update to be applied are listed below, along with the update version that must be installed.

Affected Microsoft Office Version         Update Version
Microsoft Office 2019 (32-bit edition)    16.0.10417.20095
Microsoft Office 2019 (64-bit edition)    16.0.10417.20095
Microsoft Office 2016 (32-bit edition)    16.0.5539.1001
Microsoft Office 2016 (64-bit edition)    16.0.5539.1001
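As an added check (this is not part of the advisory or of Microsoft's guidance), the following PowerShell script compares the build an Office install reports against the update versions in the table above. The registry value read for Click-to-Run installs and the WINWORD.EXE fallback paths are assumptions about a standard install, and the product name must be supplied by the operator.

```powershell
# Added example: verify an installed Office 2016/2019 build against the minimum
# update versions listed in the advisory table for CVE-2026-21509.
# Minimum builds copied from the table above.
$RequiredBuild = @{
    'Microsoft Office 2019' = [version]'16.0.10417.20095'
    'Microsoft Office 2016' = [version]'16.0.5539.1001'
}

function Test-OfficeBuildPatched {
    param(
        [Parameter(Mandatory)][string]$Product,   # a key of $RequiredBuild
        [Parameter(Mandatory)][string]$Installed  # four-part build, e.g. '16.0.10417.20000'
    )
    if (-not $RequiredBuild.ContainsKey($Product)) {
        throw "No minimum build listed for '$Product'"
    }
    # [version] compares each numeric component, unlike a plain string compare.
    return ([version]$Installed -ge $RequiredBuild[$Product])
}

function Get-InstalledOfficeVersion {
    # Assumption: Click-to-Run installs record the build under this key.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { return $v }

    # Fallback for MSI installs: file version of WINWORD.EXE.
    # These paths are assumptions and may differ on a given machine.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\WINWORD.EXE",
        "$env:ProgramFiles\Microsoft Office\Office16\WINWORD.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office16\WINWORD.EXE"
    )
    foreach ($p in $candidates) {
        if (Test-Path $p) { return (Get-Item $p).VersionInfo.FileVersion }
    }
    return $null
}

# Usage: set $product to the product actually installed; the build is read from the machine.
$product   = 'Microsoft Office 2019'
$installed = Get-InstalledOfficeVersion
if (-not $installed) {
    Write-Output 'Could not determine the installed Office version.'
} elseif (Test-OfficeBuildPatched -Product $product -Installed $installed) {
    Write-Output "$product build $installed meets the required update version."
} else {
    Write-Output "$product build $installed is below $($RequiredBuild[$product]); install the update or apply the mitigations."
}
```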

If the update cannot be installed immediately, Microsoft has recommended mitigations to reduce the risk of exploitation. Those mitigations are:

  • Close all Office applications
  • Create a backup of the Windows Registry – Creating a backup of the Registry is important, as incorrect Windows Registry changes can cause serious problems.
  • Open the Registry Editor (Start Menu > type regedit > press Enter)
  • Locate the appropriate registry key, and add a subkey per Microsoft’s Security Advisory
    • A better explanation of the steps that should be taken has been published by Bleeping Computer
  • Exit Registry Editor and start the Office application

Microsoft has not shared information about the extent to which the vulnerability is being exploited in the wild; however, since an out-of-band update has been published to fix the vulnerability, it should be assumed that the risk of exploitation is high, and the patch or mitigations should be applied as soon as possible.

The post Microsoft Issues Emergency Patch for Actively Exploited Office Vulnerability appeared first on The HIPAA Journal.

Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection?

Your HIPAA Safe Harbor protection is only as strong as your ability to prove through documentation and consistent practice that your organization has implemented recognized security practices for at least 12 months, and cybersecurity training is one of the most visible ways regulators can see those practices operating in real life.

Healthcare organizations often ask a deceptively simple question after a breach, a complaint, or an OCR investigation begins: “Will our training help us?” Under the HIPAA Safe Harbor Law, the more precise question is: “Can we demonstrate that our security program, including workforce training, reflects recognized security practices, and that we’ve run it consistently for at least a year?”

That distinction matters because HIPAA Safe Harbor is not a “get out of jail free” card. It’s a legal instruction to the U.S. Department of Health and Human Services (HHS) to consider what you were already doing before an incident when deciding how hard to come down on you, especially when it comes to penalties, corrective action plans, and audits.

In other words: Safe Harbor doesn’t require perfection. It rewards proof of discipline and best practices.

What the HIPAA Safe Harbor Law Actually Does (and Doesn’t Do)

The HIPAA Safe Harbor Law is commonly referenced as HR 7898, an amendment to the HITECH Act passed by Congress in 2021. In plain terms, it gives HHS room to be more reasonable with organizations that can show they implemented and maintained recognized security practices before a security-related HIPAA incident.

What HIPAA Safe Harbor may influence includes:

  • Civil monetary penalties (the size and severity of fines)

  • Corrective action plans (how disruptive and extensive remediation requirements become)

  • Audit burden (length and extent, including how invasive the process is)

What Safe Harbor does not do:

  • It does not eliminate HIPAA obligations.

  • It does not guarantee you won’t be fined.

  • It does not excuse weak safeguards or missing documentation.

  • It does not retroactively “fix” a program you can’t prove existed and functioned.

The entire premise is straightforward: if you’ve been taking recognized security seriously, and can demonstrate that, HHS can factor it into how they respond when something still goes wrong.

HR 7898 and the “Recognized Security Practices” Language You Must Understand

HIPAA Safe Harbor is anchored in the concept of recognized security practices, and HR 7898 points directly to well-known cybersecurity references. The law includes the following text (emphasis added here only for readability):

“Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations […] consistent with the HIPAA Security Rule.”

What that means in practice

This language is doing two things at once:

  1. It recognizes established cybersecurity “programs” and frameworks (for example, NIST-related guidance and the 405(d) Health Industry Cybersecurity Practices approach).

  2. It draws a boundary: whatever you adopt must be consistent with the HIPAA Security Rule and not a generic IT checklist that ignores how ePHI is created, accessed, transmitted, and stored in healthcare environments.

So if you want HIPAA Safe Harbor to matter, your story has to be coherent:

  • Your security framework (the “recognized practices”)

  • Your policies and controls (how those practices are implemented)

  • Your training program (how your workforce is taught to execute those practices)

  • Your records (how you prove it happened consistently over time)

Why Cybersecurity Training is a Safe Harbor Pressure Point

Training is not the whole Safe Harbor equation but it’s one of the easiest places for regulators to test whether your security program is real.

Policies can be beautifully written and still meaningless. Controls can exist and still be bypassed. But training forces you to answer uncomfortable questions, such as:

  • Did staff understand how to recognize common attacks (like phishing and social engineering)?

  • Were they taught how to handle passwords, devices, email, and messaging safely?

  • Did they know how to report a suspected security incident—immediately?

  • Did you reinforce and update training as threats and workflows changed?

  • Can you produce documentation that shows training was delivered, completed, tested, and refreshed?

If your organization can produce training materials, completion records, quiz results, and updated modules that align with your program, it becomes concrete evidence that recognized practices were not just “adopted on paper,” but implemented across your workforce.

The Real Question: Is Your Training “Good Enough” for HIPAA Safe Harbor?

To be “good enough” in a Safe Harbor sense, training must do more than satisfy a checkbox. It needs to be:

1) Healthcare-specific, not generic

Safe Harbor is about practices consistent with the HIPAA Security Rule. Generic corporate security training often misses the realities of healthcare workflows—shared workstations, high-urgency communication, patient-facing operations, and the constant movement of sensitive data across systems and people.

2) Outcome-driven and behavior-focused

The goal isn’t to make employees recite definitions. It’s to reduce risk by changing day-to-day behavior: how people click, reply, forward, store, share, verify, escalate, and report.

3) Mapped to your recognized security practices

If you claim alignment with recognized practices, your training should visibly reinforce them. A regulator should be able to see the connection between what your program says and what your workforce is taught to do.

4) Consistent for at least 12 months (and provable)

Safe Harbor looks backward. If you can’t show continuity—onboarding, refreshers, updates, and participation evidence—you lose the main benefit the law offers.

5) Documented like you expect to be investigated

A “good” training program can still fail the Safe Harbor test if you can’t produce records quickly and cleanly. In enforcement, absence of documentation is often treated as absence of action.

What Healthcare Cybersecurity Should Encompass to Provide HIPAA Safe Harbor

This section is based exclusively on the referenced training content and describes what a healthcare-focused cybersecurity program for employees should include if you want training to meaningfully support HIPAA Safe Harbor. Healthcare cybersecurity training should be designed to teach staff to recognize threats and handle health records securely, and it should be grounded in HIPAA and real healthcare workflows. The objective is to reduce the likelihood of data breaches caused by employees by building practical habits, personal responsibility, and repeatable behaviors.

Practical, risk-reducing behaviors employees must learn

Training should cover practical behaviors that directly reduce cyber risk, including:

  • Passwords

  • Email and messaging security

  • Resisting social engineering

  • Careful use of USB devices and removable media

It should also teach employees how attackers actually get in and how to stop them, focusing on the real causes of breaches such as phishing, weak credentials, unsafe device use, and slow reporting.

Early incident recognition and first-response actions

A healthcare cybersecurity program must help staff recognize when “something looks wrong” and understand what to do immediately. This includes:

  • Early attack incident recognition

  • How to respond to suspected attacks

  • Clear guidance on recognizing and reporting security incidents

Case-based learning that motivates real behavior change

Effective training should include real-world, relatable healthcare examples and case-based consequences that explain:

  • Why security best practices matter for healthcare records

  • The difference between a HIPAA violation and a data breach

  • The negative consequences of healthcare cybersecurity failures for patients, healthcare organizations, and employees

Clear emphasis on employee responsibility

The training should emphasize that security responsibilities are personal and that every employee plays a direct role in protecting medical data by:

  • Following proper procedures

  • Securing physical devices

  • Remaining alert to suspicious activity

It should also explain the consequences of HIPAA violations and data breaches.

Physical safeguards that protect medical records

Healthcare cybersecurity should explicitly include physical safeguards, teaching how medical records can be exposed through physical technology and how to prevent that, including:

  • Securing workstations

  • Properly managing personal devices

  • Safely handling removable media

The objective is to protect patient information when using physical technology and maintain the confidentiality and integrity of medical records.

The core healthcare cyberthreats your workforce must be trained on

Training should teach the most common ways medical records can be hacked and how to prevent breaches, including:

  • Phishing

  • Password security

  • Social engineering

  • Email and messaging security

  • Social media security

A HIPAA Safe Harbor Readiness Checklist for Your Healthcare Cybersecurity Training

If you want an honest answer to “Is our cybersecurity training good enough for HIPAA Safe Harbor protection?”, pressure-test it with questions like these:

  • Can we show 12+ months of consistent cybersecurity training activity?

  • Do we have clean documentation: materials, completion records, quiz/test evidence, certificates, and updates?

  • Is training healthcare-specific and clearly connected to protecting medical records and ePHI?

  • Does it teach practical behaviors (not just rules) across cyber and physical safeguards?

  • Does it teach recognition + response for suspected attacks and reporting expectations?

  • Can we demonstrate that training reflects our policies and technical controls, not generic advice?

  • If OCR asked for evidence tomorrow, could we produce it quickly, completely, and confidently?

If any of those answers are shaky, the issue isn’t just training quality; it’s Safe Harbor credibility.

HIPAA Safe Harbor Protection

HIPAA Safe Harbor protection is less about claiming you followed a framework and more about proving your organization operationalized recognized security practices over time, and workforce cybersecurity training is one of the clearest ways to demonstrate that operational reality. If your training is generic, sporadic, poorly tracked, or disconnected from how your organization actually protects ePHI, it’s unlikely to carry meaningful Safe Harbor weight when it matters most.

The post Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection? appeared first on The HIPAA Journal.

What is HIPAA Safe Harbor and how does Cybersecurity Training help?

The HIPAA Safe Harbor Law rewards organizations that can prove they have implemented recognized security practices over time, and healthcare-focused cybersecurity training plays an important part in showing that those practices are understood and used by the workforce rather than only written in policy documents.

What is HIPAA Safe Harbor and Where Does Training Fit in?

The HIPAA Safe Harbor Law, added to the HITECH Act in 2021, tells the Department of Health and Human Services to consider whether a HIPAA Covered Entity or HIPAA Business Associate had recognized security practices in place for at least twelve months before a security-related HIPAA incident. If those practices can be demonstrated, HHS may reduce penalties, shorten audits, or take a more favorable view of remedial actions.

Recognized security practices often come from frameworks such as NIST cybersecurity standards or sector-specific guidance, but those frameworks only work when people follow them in daily work. Healthcare-focused cybersecurity training connects those high-level practices to real behavior by explaining how policies, technical safeguards, and incident processes apply to specific roles and workflows. Without practical workforce training, even a well-chosen framework can remain a checklist instead of a living practice.

Cybersecurity Training as Proof of Implemented Security Practices

Safe Harbor is not about having a perfect security program. It is about being able to show that recognized security practices were implemented and used consistently over time. Healthcare-focused cybersecurity training is one of the clearest ways to demonstrate that. When an organization can produce training materials, completion records, quiz results, and updated modules that reflect its chosen security practices, it provides concrete evidence that security expectations have been communicated, explained, and reinforced with staff.

During an investigation, regulators may ask how staff were taught to recognize phishing, handle passwords, secure devices, use email and messaging safely, or report suspected security incidents. A strong cybersecurity training program allows the organization to show that these topics were covered in onboarding, revisited in refresher training, and updated as threats and systems changed. That level of documentation supports the claim that recognized security practices were not only adopted on paper but actively implemented across the workforce.

How Healthcare-Focused Cybersecurity Training Should Work

To support Safe Harbor, cybersecurity training should be specific to healthcare and grounded in HIPAA, not a generic office security module. The Cybersecurity Training for Healthcare Employees from The HIPAA Journal is a good model for this type of program. It teaches staff to recognize threats and handle health records securely in the context of the HIPAA Security Rule and HIPAA Privacy Rule, with a clear focus on protecting medical records.

The curriculum covers practical, risk-reducing behaviors, such as safer passwords, secure messaging, resisting social engineering, and careful use of USB devices. It teaches early attack incident recognition and how to respond when something looks wrong, so staff know what to do in the first minutes of a suspected attack. It also uses case-based examples that show the real consequences of cyberattacks for patients, healthcare organizations, and employees, which helps motivate better habits.

A strong healthcare cybersecurity course also addresses physical safeguards. It explains how workstations, personal devices, and removable media can expose medical records and how to prevent that through secure workstation use, proper handling of personal devices, and safe management of USBs and other media. On the cyber side, it covers the most common threats that lead to healthcare breaches, including phishing, weak credentials, social engineering, insecure email and messaging, and risky social media behavior. The goal is to equip staff with knowledge and habits that directly reduce the chance of a data breach.

From a delivery point of view, training should be easy for staff to complete and easy for compliance teams to track. A user-friendly learning management system, self-paced lessons that can be paused and resumed around shifts, short randomized tests that reinforce learning, and automatic certificates all support consistent rollout. Admin dashboards that show learner progress make it easier to keep everyone current and to produce reports when needed.

Aligning Healthcare Cybersecurity Training with Recognized Security Practices

For healthcare-focused cybersecurity training to support Safe Harbor, it needs to line up with the organization’s recognized security practices. If you use a particular framework to guide your security program, you can map training topics to its key areas. For example, modules on phishing, passwords, device security, social engineering, and secure messaging can be linked to the access control, awareness, and incident response parts of your framework.

Training should also reflect your own policies and technical controls. If you require multi-factor authentication, have rules about remote access, or restrict certain communication tools, those details should appear in your training scenarios and examples. This alignment makes it easier to show that the recognized security practices described in policy are being reinforced in workforce education.

The Role of Training Documentation and Regular Updates

The HIPAA Safe Harbor Law looks at whether recognized security practices were in place over the previous twelve months. That means organizations need more than a one-time security course. They need a pattern of regular, documented cybersecurity training and updates that match the evolving threat landscape.

This pattern usually includes onboarding training for new hires, so they learn from the start how to protect medical records and recognize cyberthreats. It then continues with refresher training that revisits key risks such as phishing and unsafe device use, adds new topics as threats change, and reminds staff how to report incidents. After an incident, audit finding, or near miss, targeted remediation training can close specific gaps that have been identified.

For Safe Harbor, the documentation around this training is just as important as the content. Records that show when courses were updated, which staff completed which modules, and how they performed on assessments help demonstrate that the organization is maintaining its security posture over time, rather than reacting only when something goes wrong.

Training as Part of a Culture of Recognized Security Best Practices

Recognized security practices are not only about tools and written procedures. They also depend on a culture where staff understand their responsibilities and feel able to raise concerns. Healthcare-focused cybersecurity training supports that culture by making expectations clear, explaining why security practices matter for patient safety and privacy, and giving staff simple steps to take when they see a suspicious email, device issue, or unusual system behavior.

When training encourages questions and emphasizes prompt reporting of security incidents, it helps organizations detect problems earlier and limit damage. This proactive, open approach strengthens overall compliance and supports Safe Harbor arguments that the organization was acting in good faith to prevent and reduce the impact of breaches, even if an attacker still succeeds.

Using Cybersecurity Training Strategically for Safe Harbor

To use healthcare-focused cybersecurity training effectively in the context of HIPAA Safe Harbor, organizations can:

  • Focus training on the real environment that healthcare staff work in
  • Focus training on protecting medical records
  • Align training content with recognized security practices and HIPAA requirements
  • Use a structured curriculum that covers cyberthreats, physical safeguards, employee responsibilities, and real attack scenarios
  • Deliver training through a system that supports self-paced learning, testing, certificates, and clear reporting
  • Maintain organized records of course versions, delivery dates, completion rates, and assessment results
  • Update training based on new cybersecurity risks and changes in technology and attacker tactics

Taken together, these steps help show that cybersecurity training is not an isolated task but a central part of implementing and sustaining recognized security practices. In the event of a security-related HIPAA incident, this combination of aligned content, regular delivery, and strong documentation can support Safe Harbor considerations, potentially reducing penalties and audit burdens while still driving real improvements in cybersecurity and protection of electronic protected health information.

The post What is HIPAA Safe Harbor and how does Cybersecurity Training help? appeared first on The HIPAA Journal.

Staff are the Weakest Link in HIPAA Cybersecurity

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal shows that patients’ protected health information is being exposed and stolen at an unprecedented rate. From 2021 to 2024, more than 700 large healthcare data breaches were reported each year, and each of those data breaches affected at least 500 individuals, with an average breach size of 203,892 individuals. In those four years alone, the protected health information of more than 595 million individuals was compromised.

Hackers have been targeting the healthcare and public health sector with increasing frequency, and hacking and other IT incidents now account for the bulk of the reported healthcare data breaches. Email accounts are accessed, networks are compromised, and in almost all cases, healthcare data is stolen by unauthorized individuals. While unauthorized third parties are the ones that access the data, when you delve into the root cause of the breach, it is often the actions of a healthcare employee or an employee of a business associate that caused the data breach.

Healthcare employees are the weakest link in cybersecurity and are targeted by cybercriminals directly, although in many cases, the actions of employees leave a digital door open for cybercriminals to walk straight through. Carelessness, employee errors, poor judgment, and a lack of knowledge or understanding of good cyber hygiene result in serious patient privacy violations and costly data breaches. The most common mistakes made by employees usually result in relatively small privacy breaches; however, even these small incidents can cause considerable damage to a healthcare organization’s reputation, and the HHS’ Office for Civil Rights has imposed many fines on HIPAA-regulated entities for data breaches resulting from employee mistakes.

Employee-Related Cyberattacks & Data Breaches

Various studies have confirmed the risk posed by employees. For example, Verizon found that 70% of healthcare data breaches are caused by insiders, a considerable increase from the 39% of breaches in 2021 that were attributed to healthcare employees. A HIMSS survey made it clear that employees are the biggest vulnerability in healthcare, and another revealed that 65% of healthcare employees are taking security shortcuts that are putting patient data at risk, with employees’ poor cyber hygiene a persistent threat.

Listed below is a selection of the many healthcare data breaches caused by employee mistakes, carelessness, and poor security practices over the past five years. These attacks have resulted in the theft of millions of patient records, lawsuits, and HIPAA violation penalties.

Responses to Phishing Emails and Social Engineering Attacks

Employees falling for phishing emails led to $600K fine for a California health care network

Phishing campaign tricks 53 Los Angeles County employees into providing cybercriminals with access to their email accounts

Employee responds to malicious email and exposes 108K individuals’ PHI

Eleven Aveanna Healthcare employees divulge their credentials to cybercriminals in a phishing campaign

Illinois Department of Human Services employees fall for phishing emails, exposing the PHI of 1.1 million patients

Screen Actors Guild – American Federation of Television and Radio Artists sued after an employee responded to a phishing email

$200,000 penalty after a skilled nursing facility employee responds to a phishing email and exposes 14,500 individuals’ PHI

23 L.A. County employees duped by phishing emails and disclosed credentials

OCR imposes its first financial penalty in response to a phishing attack on healthcare employees

Henry Ford Health employees tricked by phishing emails, exposing 168,000 patient records

Office of the Attorney General of Massachusetts fines home health agency $425K for phishing attack, citing insufficient security awareness training

An EyeMed Vision Care employee’s response to a malicious email exposed 2.1 million individuals’ PHI and led to a $4.5 million fine

BJC Healthcare settles data breach lawsuit stemming from three employees responding to phishing emails

Salinas Valley Memorial Healthcare System employees respond to phishing emails and expose patients’ data – the healthcare provider was fined $340,000 over the breach

Employee Malware Downloads Provide Access to Hackers

“Honest mistake” by an Ascension Health employee led to a ransomware attack and a 5.6 million-record data breach. The employee downloaded a malicious file from the internet and ran it, inadvertently executing malware

Summit Pathology and Summit Pathology Laboratories employee opened a malware-infected email attachment

A Behavioral Health Network employee downloaded malware that prevented access to patient data

An employee’s accidental malware download allowed a ransomware group to encrypt files

Employees’ Poor Cyber Hygiene and Bad Cybersecurity Practices

Healthcare workers routinely expose patient data to ChatGPT, Google Gemini, and via Google Drive and Microsoft OneDrive

An email error by an employee of The Queen’s Health Systems in Hawaii results in the impermissible disclosure of thousands of patients’ PHI

A Bassett Healthcare Network physician was discovered to have transmitted patient data to unauthorized individuals and saved patient data on a personal storage device

An email error by an employee of Campbell County Health has resulted in the impermissible disclosure of the protected health information of patients

Misconfigurations and Carelessly Exposing Patient Data

Password protection was not added to a DM Clinical Research database containing 1.6 million clinical trial records

A New Jersey health technology company employee exposed 86,000 records online

A Gargle database containing approximately 2.7 million patient profiles and 8.8 million appointment records was exposed online due to an employee error

Employee error results in impermissible disclosure of Winter Haven Hospital patients’ data

Employee error results in the exposure of 12 million medical laboratory records

Employee misconfigures patient database, exposing 3.1 million patients’ records. The database was subsequently deleted by the destructive Meow bot

Business associate employee misconfigures server, exposing Fairchild Medical Center patients’ data

University of Washington Medicine sued after an employee misconfigures server, exposing 974,000 patients’ PHI

An Indiana Department of Health employee misconfigures COVID-19 contact tracing database, exposing the data of 750,000 individuals

Failure to configure authentication exposes 1 billion records of CVS website searches

Department of Veterans Affairs contractor misconfigures database, exposing sensitive records of 200,000 military veterans

An employee misconfigures a County of Kings Public Health Department web server, exposing 16,590 patient records

Employee fails to secure AWS S3 bucket, exposing breast cancer patients’ data and medical images

Misconfigured CorrectCare web server exposes PHI of hundreds of thousands of inmates

A Washington D.C. health insurance exchange’s 56K-record data breach was the result of human error

Failure to configure access controls results in the exposure of the COVID vaccination statuses of 500,000 VA employees

The post Staff are the Weakest Link in HIPAA Cybersecurity appeared first on The HIPAA Journal.