Healthcare Cybersecurity

Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs

The U.S. Department of Justice has charged a Ukrainian serial ransomware criminal who is alleged to have been the administrator of multiple ransomware operations. Volodymyr Viktorovich Tymoshchuk, through online monikers including deadforz, Boba, msfv, and farnetwork, is alleged to have been the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.

Tymoshchuk and his accomplices conducted, or played a key role in, ransomware attacks using the LockerGoga and MegaCortex ransomware variants on more than 250 victims in the United States between July 2019 and June 2020, as well as hundreds of victims worldwide. An international law enforcement operation targeting the LockerGoga and MegaCortex ransomware schemes in September 2022 obtained decryption keys, which were made available to victims via the No More Ransom Project. Many potential victims were able to prevent file encryption after receiving prompt notifications from law enforcement that their networks had been compromised.

Under the Nefilim ransomware scheme, Tymoshchuk and his accomplices claimed many more victims in the United States and worldwide between July 2020 and October 2021. Through those attacks, Tymoshchuk caused millions of dollars in losses due to disruption to business operations, damage to computer systems, and ransom payments. As administrator of the ransomware operations, Tymoshchuk recruited and provided access to the infrastructure and encryptor to conduct attacks.

One of the affiliates of the Nefilim ransomware operation was Ukrainian national Artem Stryzhak, who was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. Stryzhak has been charged with conspiracy to commit fraud and related activity. Stryzhak primarily targeted companies in the United States, Canada, or Australia that had annual revenues of over $100 million, although a Nefilim administrator encouraged him to target larger companies with more than $200 million in annual revenues. The Nefilim administrators allowed Stryzhak to keep 80% of any ransoms he generated, while they would retain 20%. Any victim who refused to pay had their stolen data leaked on the group’s Corporate Leaks websites.

Tymoshchuk has been charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of causing intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. “Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

The U.S. Department of State is offering up to $10 million as a reward for information leading to the location, arrest, or conviction of Tymoshchuk, plus a further $1 million reward for information that leads to convictions of other members of the LockerGoga, MegaCortex, and Nefilim ransomware groups. The rewards are offered under the Transnational Organized Crime (TOC) Rewards Program.

The post Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs appeared first on The HIPAA Journal.

Healthcare Industry Good at Preventing Serious Vulnerabilities but Lags in Remediation

Healthcare organizations are relatively unlikely to have serious cybersecurity vulnerabilities compared to other industry sectors, as they are generally good at prevention; however, when vulnerabilities are identified, healthcare lags other sectors when it comes to remediation. These are the findings from a recent analysis of penetration testing data and a survey of 500 U.S. security leaders by the Pentest-as-a-service (PTaaS) firm Cobalt. The findings are published in its State of Pentesting in Healthcare 2025 report.

Serious cybersecurity vulnerabilities are relatively rare in healthcare, with the industry ranking 6th out of the 13 industries represented in the data; only 13.3% of the vulnerabilities identified through pentesting qualified as serious. When penetration tests identify serious vulnerabilities, they need to be remediated promptly. As long as a vulnerability remains unaddressed, it can potentially be exploited by a threat actor.

The standard for measuring the time to perform a security action is the median time to resolve (MTTR), which, for serious vulnerabilities in healthcare, was 58 days. Healthcare ranked 11th out of 13 industries on MTTR. Cobalt plotted the frequency of serious vulnerabilities against the resolution rate in a scatterplot chart. Healthcare was the only industry that fell into the struggling section of the chart, with low prevalence but also low resolution. The ideal is low prevalence and high resolution.

While the MTTR is a standard measure in security, it can be somewhat misleading, as it is only based on the vulnerabilities that are actually resolved. Cobalt reports that 52% of pentest findings are never resolved. Therefore, to obtain a complete picture, it is also necessary to look at the survival half-life, which is the time taken to resolve 50% of identified vulnerabilities. Having an MTTR of 20 days is excellent, but much less so if half of all serious vulnerabilities are never resolved.
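The difference between the two metrics is easiest to see on numbers. The following is an added example (not Cobalt's code or data) that computes both MTTR and the survival half-life over a constructed set of serious findings, where `None` marks a finding that was never resolved. The function names and the sample values are assumptions made for this illustration.

```python
from math import ceil
from statistics import median

# Constructed sample (not Cobalt's data): for each serious finding from a pentest,
# the number of days until it was resolved, or None if it was never resolved.
SERIOUS_FINDINGS = [5, 10, 20, 30, 90, 120, None, None, None, None]


def mttr(days_to_resolve):
    """Median time to resolve, as commonly reported: computed over resolved
    findings only. Unresolved findings drop out of the calculation entirely,
    which is why a low MTTR can coexist with a large backlog."""
    resolved = sorted(d for d in days_to_resolve if d is not None)
    return median(resolved) if resolved else None


def survival_half_life(days_to_resolve):
    """Days until at least half of ALL identified findings are resolved.
    Unresolved findings count against the program; returns None if the
    50% mark is never reached."""
    if not days_to_resolve:
        return None
    needed = ceil(len(days_to_resolve) / 2)
    resolved = sorted(d for d in days_to_resolve if d is not None)
    if len(resolved) < needed:
        return None
    # The needed-th fastest resolution is the moment half the findings are closed.
    return resolved[needed - 1]


def remediation_summary(days_to_resolve):
    """Both metrics side by side, plus the share of findings never resolved."""
    total = len(days_to_resolve)
    unresolved = sum(1 for d in days_to_resolve if d is None)
    return {
        "mttr_days": mttr(days_to_resolve),
        "half_life_days": survival_half_life(days_to_resolve),
        "unresolved_share": unresolved / total if total else 0.0,
    }


if __name__ == "__main__":
    print(remediation_summary(SERIOUS_FINDINGS))
```

On the sample above the MTTR is 25 days, because only the six resolved findings are counted, while the half-life is 90 days, because five of the ten findings must be closed before the 50% mark is reached. Add four more unresolved findings and the half-life becomes undefined (the program never reaches 50%) while the MTTR is unchanged at 25 days, which is exactly the blind spot the article describes.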

The data show healthcare to be the third-worst industry for half-life score, with a half-life of 244 days, compared to the leading sector, transportation, which has a half-life of 43 days. Education performed worst, with a half-life of 283 days, ahead of hospitality at 270 days. Cobalt notes that the healthcare sector is generally good at prioritizing vulnerability remediation, with the most critical issues usually fixed on time. Almost 40% of healthcare service level agreements (SLAs) require serious vulnerabilities in business-critical assets to be fully resolved within three days, while a further 40% of SLAs require those vulnerabilities to be resolved within 14 days.

Most practices meet the deadlines, with 43% resolving critical findings in one to three days, 37% resolving issues in four to seven days, and 14% resolving issues within eight to fourteen days, although it is common for backlogs to grow in less urgent areas. Healthcare is a heavily regulated industry, with data security requirements under HIPAA. The HIPAA Security Rule requires a risk analysis to be conducted to identify all risks and vulnerabilities to electronic protected health information, which explains, to a certain extent, why there is a low prevalence of serious vulnerabilities. There are also risk management requirements under HIPAA, which are reflected in the data, as 94% of healthcare organizations resolve business-critical issues in less than two weeks.

The slow rates of resolution of vulnerabilities in general and the poor half-life score in healthcare are likely due to a range of factors, such as the continued use of legacy systems, which create technology roadblocks, along with resource constraints. Cobalt also suggests there may be divisions between the departments ordering pentests and the teams implementing fixes, and less mature teams may struggle with the complexity of remediations.

The survey revealed the biggest security concerns in healthcare to be GenAI (71%), third-party software (48%), and exploited vulnerabilities (40%), with the top attack vectors being third-party software (68%), AI-enabled features (45%), and phishing/malware (32%). Given the high level of concern about third-party software, Cobalt recommends that healthcare providers require their vendors to provide comprehensive pentesting reports before procurement. Cobalt also recommends integrating pentesting into the development lifecycle, proactively testing for AI and genAI vulnerabilities, adopting a programmatic approach to offensive security, and conducting regular red team exercises to test real-world detection and response capabilities.


Report Reveals Worrying Abuses of Agentic AI by Cybercriminals

Cybercriminals have been abusing agentic AI to perform sophisticated cyberattacks at scale, incorporating AI tools throughout all stages of their operations. Agentic AI tools have significantly lowered the bar for hackers, allowing individuals with few technical skills to conduct complex attacks that would otherwise require extensive training over several years and a team of operators.

A new threat intelligence report from Anthropic highlights the extent to which its own large language model (LLM) and AI assistant, Claude, has been abused, even with sophisticated safety and security measures in place to protect against misuse. The cybercriminal schemes identified by Anthropic have targeted businesses around the world, including U.S. healthcare providers.

Examples of misuses of Claude Code include:

  • A campaign allowing large-scale theft of data from healthcare providers, emergency services, religious institutions, and the government
  • A large-scale fraudulent employment scheme conducted by a North Korean threat actor to secure jobs at Western companies
  • The creation and subsequent sale of ransomware by a cybercriminal with only basic coding skills.

Agentic AI tools can be used to create and automate complex cybercriminal campaigns, requiring little to no coding or technical skills, other than the ability to write prompts to the AI tools. These tools can be embedded into all stages of operations, which Anthropic calls “vibe hacking,” taking its name from vibe coding, where developers instruct agentic AI tools to write the code, while they just guide, experiment, and refine the AI output. Anthropic says vibe hacking marks a concerning evolution in AI-assisted cybercrime.

One such vibe hacking campaign targeted healthcare providers, the emergency services, government entities, and religious institutions. Agentic AI tools were embedded into all stages of the operation, including profiling victims, automating reconnaissance, harvesting credentials, penetrating networks, and analyzing stolen data. Anthropic’s analysis revealed that the threat actor allowed Claude to make tactical and strategic decisions, including determining the types of data to exfiltrate from victims and the creation of psychologically targeted extortion demands.

Claude was used to analyze the victim’s financial records to determine how much to demand as a ransom payment to prevent the publication of the stolen data, and also to generate ransom notes to be displayed on the victims’ devices. Anthropic believes that this campaign used AI to an unprecedented degree. The campaign was developed and conducted in a short time frame and involved scaled data extortion of multiple international targets, potentially hitting at least 17 distinct organizations, resulting in ransom payments that exceeded $500,000 in some cases.

The North Korean campaign used Claude to create elaborate false identities with convincing professional backgrounds to secure employment positions at U.S. Fortune 500 technology companies, and also to complete the necessary technical and coding assessments to secure employment and technical work duties once hired. The ransomware campaign involved the development of several ransomware variants without any coding skills. The ransomware had advanced evasion capabilities, encryption, and anti-recovery mechanisms. In addition to creating ransomware, the threat actor used Claude to market and distribute variants that were sold on Internet forums for $400 to $1,200.

Anthropic has been transparent about these abuses of its AI tools to contribute to the work of the broader AI safety and security community and help industry, government, and the wider research community strengthen defenses against the abuse of AI systems. Anthropic is far from alone, as other agentic AI tools have also been abused and tricked into producing output that violates operational rules that have been implemented to prevent abuse.

After detecting these operations, Anthropic immediately banned the associated accounts and has since developed an automated screening tool to discover unauthorized activity quickly and prevent similar abuses in the future. Anthropic warns that the use of AI tools for offensive purposes creates a significant challenge for defenders, as campaigns can be created to adapt to defensive measures such as malware detection systems in real time. “We expect attacks like this to become more common as AI-assisted coding reduces the technical expertise required for cybercrime,” warned Anthropic.


CISA Seeks Feedback on Updated Software Bill of Materials Guidance

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there is often little visibility into those components and dependencies, the risks they carry cannot be mitigated effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance, 2025 Minimum Elements for a Software Bill of Materials (SBOM), is primarily intended for federal agencies, CISA is encouraging other entities to use it to understand what they can expect from vendors’ SBOMs. The update adds new SBOM data fields, including the name of the tool used to create the SBOM and the software’s cryptographic hash, along with several other revisions. Public comment on the draft guidance is being accepted until October 3, 2025, so that individuals can share their knowledge for incorporation ahead of the release of the final version.
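To make the two new fields concrete, here is an added example (not CISA's, the FDA's, or any vendor's code) that checks a constructed, deliberately simplified SBOM for the generating tool name and a per-component cryptographic hash, verifies those hashes against the component bytes actually shipped, and flags dependencies the SBOM names but never describes. The layout and field names (`tool_name`, `hash`, `depends_on`, and so on) are assumptions made for this illustration, not the draft guidance's schema; production SBOMs use formats such as CycloneDX or SPDX, and the required-field lists below are likewise an assumption modelled on commonly cited minimum elements.

```python
import hashlib

# Constructed component binaries standing in for the artifacts a device vendor ships.
ARTIFACTS = {
    "infusion-ui": b"\x7fELF example build of infusion-ui 3.2.0",
    "libtls": b"\x7fELF example build of libtls 1.0.9",
}

# Assumed minimum fields for this illustration (not the draft's authoritative list).
TOP_LEVEL_REQUIRED = ("sbom_author", "timestamp", "tool_name")
COMPONENT_REQUIRED = ("name", "version", "supplier", "hash", "depends_on")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_example_sbom() -> dict:
    """Constructed SBOM whose component hashes are computed from ARTIFACTS."""
    return {
        "sbom_author": "Example Device Vendor PSIRT",
        "timestamp": "2025-09-01T12:00:00Z",
        "tool_name": "example-sbom-generator 1.4",  # the new 'tool name' element
        "components": [
            {"name": "infusion-ui", "version": "3.2.0", "supplier": "Example Device Vendor",
             "hash": {"alg": "sha256", "value": sha256_hex(ARTIFACTS["infusion-ui"])},
             "depends_on": ["libtls"]},
            {"name": "libtls", "version": "1.0.9", "supplier": "Example Crypto Project",
             "hash": {"alg": "sha256", "value": sha256_hex(ARTIFACTS["libtls"])},
             "depends_on": []},
        ],
    }


def missing_elements(sbom: dict) -> list:
    """Names of required fields that are absent or empty, top level first,
    then per component as '<component>.<field>'."""
    missing = [f for f in TOP_LEVEL_REQUIRED if not sbom.get(f)]
    for comp in sbom.get("components", []):
        for f in COMPONENT_REQUIRED:
            if f not in comp:
                missing.append(f"{comp.get('name', '?')}.{f}")
    return missing


def verify_hashes(sbom: dict, artifacts: dict) -> dict:
    """Recompute each component's SHA-256 from the shipped bytes and compare it
    with the value the SBOM declares. A mismatch means the inventory does not
    describe what was actually delivered."""
    results = {}
    for comp in sbom["components"]:
        declared = comp["hash"]
        shipped = artifacts.get(comp["name"])
        if shipped is None or declared.get("alg") != "sha256":
            results[comp["name"]] = False
            continue
        results[comp["name"]] = declared["value"] == sha256_hex(shipped)
    return results


def dangling_dependencies(sbom: dict) -> list:
    """Dependencies referenced in depends_on that have no component entry of
    their own: exactly the invisible third-party code the article warns about."""
    known = {c["name"] for c in sbom["components"]}
    return sorted({d for c in sbom["components"] for d in c["depends_on"] if d not in known})


if __name__ == "__main__":
    sbom = build_example_sbom()
    print("missing:", missing_elements(sbom))
    print("hashes ok:", verify_hashes(sbom, ARTIFACTS))
    print("dangling:", dangling_dependencies(sbom))
```

A procurement or device-onboarding check built this way fails closed on three conditions: a required element is missing, a declared hash does not match the delivered binary, or the dependency graph refers to a component the SBOM never describes.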


Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer

A medium-severity privilege escalation vulnerability has been identified in FujiFilm Healthcare Americas Synapse Mobility medical image viewing software that could be exploited to bypass authentication and access sensitive data.

The vulnerability is tracked as CVE-2025-54551 and affects all versions of Fujifilm Healthcare Americas Synapse Mobility prior to version 8.2 (Versions 8.0, 8.0.1, 8.0.2, 8.1, 8.1.1). The vulnerability is remotely exploitable in a low complexity attack and can allow an attacker to escalate privileges and access data that they do not have permission to view. Authenticated user interaction is required to exploit the vulnerability.

The vulnerability is due to external control of a Web parameter and can be exploited by altering the parameters of the search function, thereby providing results beyond the intended design of role-based access controls. The vulnerability has been assigned a CVSS v4 base score of 5.3 and a CVSS v3.1 base score of 4.3.
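The general pattern the advisory describes, a search scoped by a parameter the client can edit rather than by what the server knows about the caller, is shown below as an added example. This is illustrative code written for this page; it is not Synapse Mobility's code, data model, or fix, and the study index, session store, and `site` scope field are all constructed for the illustration. The vulnerable handler is placed beside the hardened one that derives the permitted scope from the server-side session.

```python
# Constructed imaging-study index. "site" is the scope that role-based access
# control is meant to enforce.
STUDIES = [
    {"accession": "ACC-1001", "site": "north", "patient": "P-001"},
    {"accession": "ACC-1002", "site": "north", "patient": "P-002"},
    {"accession": "ACC-2001", "site": "south", "patient": "P-003"},
]

# Constructed server-side sessions: which sites each authenticated user may query.
SESSIONS = {
    "sess-alice": {"user": "alice", "allowed_sites": {"north"}},
}


def _authenticate(session_id: str) -> dict:
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    return SESSIONS[session_id]


def _matches(study: dict, params: dict) -> bool:
    """Apply the optional free-text filters (accession number, patient id)."""
    for key in ("accession", "patient"):
        if params.get(key) and params[key] != study[key]:
            return False
    return True


def search_vulnerable(session_id: str, params: dict) -> list:
    """Authenticates the caller, then scopes the query by a 'site' value taken
    from the request itself. The decision about what the user may see rests on
    a parameter the user controls, so editing it widens the results."""
    _authenticate(session_id)
    site = params.get("site")
    return [s["accession"] for s in STUDIES
            if s["site"] == site and _matches(s, params)]


def search_hardened(session_id: str, params: dict) -> list:
    """Derives the permitted scope from the server-side session. A client-supplied
    'site' may only narrow the search within that scope; anything outside it is
    refused rather than silently honoured."""
    allowed = _authenticate(session_id)["allowed_sites"]
    requested = params.get("site")
    if requested is None:
        scope = allowed
    elif requested in allowed:
        scope = {requested}
    else:
        raise PermissionError(f"site {requested!r} is outside the caller's scope")
    return [s["accession"] for s in STUDIES
            if s["site"] in scope and _matches(s, params)]
```

The hardened variant keeps the search parameters as filters only: every result still has to fall inside the scope the server assigned at login, so an edited request can at most return a subset of what the caller was already entitled to see. Logging the refused requests gives a detection signal for this class of probing.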

Fujifilm Healthcare Americas has fixed the vulnerability in version 8.2 and later versions and has released patches for versions 8.0 to 8.1.1. Users are encouraged to upgrade to the latest version of the software and ensure that patches are applied before the end-of-support date. If the version in use is past the end-of-support date, users should ensure they update to a supported version.

If an immediate upgrade is not possible, administrators should consider disabling the search function in the configurator settings until the software can be updated. This can be achieved by unchecking the “Allow plain text accession number” checkbox in the security section of the admin interface. This will limit the site to use of the product only via the SecureURL feature.


Warnings Issued About RCE Vulnerabilities in FortiSIEM & N-able N-central

Warnings have been issued about a critical vulnerability in Fortinet FortiSIEM with publicly available exploit code and two actively exploited vulnerabilities in N-able N-central.

FortiSIEM

FortiSIEM is a central security information and event management (SIEM) solution that is used by network defenders for logging, network telemetry, and security incident alerts. FortiSIEM is commonly used by large enterprises, healthcare providers, and government entities. Fortinet has issued a warning about a command injection flaw that can be exploited remotely by an unauthenticated attacker, for which exploit code exists in the wild. As such, it is essential to patch promptly to fix the vulnerability before it can be exploited.

The vulnerability, CVE-2025-25256, is a critical flaw affecting FortiSIEM versions 5.4 to 7.3 and has a CVSS base score of 9.8 out of 10. Successful exploitation of the flaw would allow an unauthenticated attacker to remotely execute code or commands via crafted CLI requests. Fortinet did not state whether the vulnerability has already been exploited, only that functional exploit code was found in the wild.

Fortinet has fixed the vulnerability in the following versions:

  • FortiSIEM 7.3.2
  • FortiSIEM 7.2.6
  • FortiSIEM 7.1.8
  • FortiSIEM 7.0.4
  • FortiSIEM 6.7.10

Users of FortiSIEM versions 5.4 to 6.6 should ensure that they upgrade to a supported version that is patched against the vulnerability. If it is not possible to update to a patched version, Fortinet has suggested a workaround, which involves limiting access to the phMonitor on port 7900.

N-able N-central

N-able N-central is a remote monitoring and management (RMM) solution, commonly used by managed service providers (MSPs) to manage and maintain devices on their clients’ networks. Two vulnerabilities have been identified that are under active exploitation.

The vulnerabilities are tracked as CVE-2025-8875 – an insecure deserialization vulnerability that could allow command execution, and CVE-2025-8876 – a command injection vulnerability due to improper sanitization of user input. No CVSS scores have currently been issued for the vulnerabilities; however, CISA warns that both are under active exploitation. N-able explained in a security alert that the vulnerabilities require authentication to exploit.

N-able has released patches to fix the vulnerabilities, and customers are urged to update to version 2025.3.1 as soon as possible. The fixed version was released on August 13, 2025, and further information about the vulnerabilities will be released by N-able in three weeks, to give customers time to update to a fixed version.


Remotely Exploitable Critical Vulnerability Identified in Santesoft Sante PACS Server

Five vulnerabilities have been identified in the Santesoft Sante PACS Server medical image archiving and communication system, including a critical vulnerability that allows credentials to be intercepted.

The vulnerabilities affect all versions of Sante PACS Server prior to 4.2.3 and have been patched in version 4.2.3 and later versions. The three most serious vulnerabilities can be exploited remotely by an attacker in a low complexity attack. Successful exploitation of the vulnerabilities could allow an attacker to create arbitrary files, obtain sensitive data, steal users’ session cookies, and cause a denial-of-service condition.

  • CVE-2025-54156 – A critical vulnerability that can be exploited by a remote attacker to steal credentials. The vulnerability is due to Sante PACS Server sending credential information in cleartext. The vulnerability has been assigned a CVSS v4 score of 9.1 (CVSS v3.1: 7.4).
  • CVE-2025-53948 – A high-severity vulnerability that can be exploited by a remote attacker to crash the main thread by sending a specially crafted HL7 message, triggering a denial-of-service condition. The server would require a manual restart. The vulnerability has been assigned a CVSS v4 score of 8.7 (CVSS v3.1: 7.5).
  • CVE-2025-0572 – A medium-severity vulnerability that can be exploited by a remote attacker to create arbitrary DCM files on vulnerable versions of Sante PACS Server. The vulnerability is due to improper limitation of a pathname to a restricted directory. The vulnerability has been assigned a CVSS v4 score of 5.3 (CVSS v3.1: 4.3).
  • CVE-2025-54759 – A medium-severity cross-site scripting vulnerability in Sante PACS Server, which could be exploited by an attacker by injecting malicious HTML code, redirecting a user to a malicious web page to steal the user’s cookie. The vulnerability has been assigned a CVSS v4 score of 5.1 (CVSS v3.1: 6.1).
  • CVE-2025-54862 – A medium-severity cross-site scripting vulnerability in the Sante PACS Server web portal, which could similarly be exploited by an attacker to direct a user to a malicious HTML page to steal the user’s cookie. The vulnerability has been assigned a CVSS v4 score of 4.8 (CVSS v3.1: 5.4).
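The weakness class behind CVE-2025-0572, improper limitation of a pathname to a restricted directory, is the one most directly addressed in application code, so the following is an added example of a file-name check for an archive that should only ever receive DICOM objects under its configured storage root. This is illustrative code written for this page, not Sante PACS Server's code or patch; the archive root path and the rule that clients may choose only a bare `.dcm` file name are assumptions for the illustration.

```python
from pathlib import Path

# Constructed archive root for this illustration; a real deployment would use its
# configured storage directory.
ARCHIVE_ROOT = Path("/srv/pacs/archive")


def resolve_dcm_target(root: Path, requested_name: str) -> Path:
    """Return the only path under `root` at which `requested_name` may be written.

    Raises ValueError for anything that could escape the archive directory:
    path separators, '..' segments, absolute paths, symlinks (resolve() follows
    them), or a non-.dcm extension.
    """
    # 1. The client may choose a file name, never a directory or a path.
    if not requested_name or Path(requested_name).name != requested_name:
        raise ValueError("file name must be a single path component")
    if requested_name in (".", ".."):
        raise ValueError("reserved name")
    # 2. Only DICOM objects belong in the archive.
    if Path(requested_name).suffix.lower() != ".dcm":
        raise ValueError("only .dcm files are accepted")
    # 3. Canonicalise both sides and confirm containment (defence in depth for 1).
    root = root.resolve()
    candidate = (root / requested_name).resolve()
    if root not in candidate.parents:
        raise ValueError("path escapes archive root")
    return candidate


def is_acceptable(root: Path, requested_name: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_dcm_target(root, requested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("CT-0001.dcm", "../../etc/cron.d/task.dcm", "report.exe"):
        print(f"{name!r}: {'accepted' if is_acceptable(ARCHIVE_ROOT, name) else 'rejected'}")
```

Checking the name first and the resolved path second means a bypass would have to defeat both an allow-list on the file name and a containment test on the canonical path. Rejections are worth logging: repeated `path escapes archive root` failures from one client are a usable detection signal.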

The vulnerabilities were identified by Chizuru Toyama of TXOne Networks, who reported them to CISA. At present, there have been no known instances of exploitation in the wild; however, users are advised to update Santesoft Sante PACS Server to the latest version as soon as possible.

It is also recommended to avoid exposing Santesoft Sante PACS Server to the Internet. If remote access is required, use secure methods for access, such as a Virtual Private Network (VPN), ensuring it is kept up to date and running the latest version.


Warning Issued About High-severity Flaw Affecting Microsoft Exchange Hybrid Deployments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have issued warnings about a high-severity flaw affecting Exchange hybrid deployments that could allow an attacker to escalate privileges in Exchange Online cloud environments undetected, potentially impacting the identity integrity of an organization’s Exchange Online service.

The vulnerability is tracked as CVE-2025-53786 and affects hybrid-joined configurations of Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition. The vulnerability has a CVSS v3.1 severity score of 8.0 and is due to improper authentication. The vulnerability can be exploited by an attacker with administrative access to an on-premise Microsoft Exchange server.

In hybrid Exchange deployments, the on-premise Exchange Server and Exchange Online share the same service principal, which is used for authentication between the on-premise and cloud environments. If an attacker controls the on-premise Exchange server, they can potentially manipulate trusted tokens or API calls. Exchange Online will accept these as legitimate since the on-premise Exchange Server is implicitly trusted. Since actions originating from the on-premise Exchange Server do not always generate logs of malicious activity, audits of Exchange Online may not identify security breaches that originated in the on-premise Exchange Server.

At the time of the alert, no exploitation of the flaw has been observed in the wild; however, exploitation is considered “more likely”, so organizations with vulnerable hybrid Microsoft Exchange environments should ensure they follow Microsoft’s mitigation guidance:

Exchange hybrid users should review the Exchange Server Security Changes for Hybrid Deployments guidance to determine if their deployments are potentially affected and if there is a Cumulative Update available.

Microsoft April 2025 Exchange Server Hotfix Updates should be applied to the on-premise Exchange server, and Microsoft’s guidance on deploying a dedicated Exchange hybrid app should be followed.

Any organization using Exchange hybrid, or that has previously configured Exchange hybrid but no longer uses it, should review Microsoft’s Service Principal Clean-Up Mode, which includes guidance for resetting the service principal’s keyCredentials. When these steps have been completed, Microsoft Exchange Health Checker should be run to determine if any further actions are required.

Organizations with public-facing versions of Exchange Server or SharePoint Server that have reached end-of-life or end-of-service should be disconnected from the public Internet, and use should be discontinued.

Microsoft is encouraging customers to migrate to its Exchange Hybrid app as soon as possible to enhance the security of their hybrid environments, and said, “Starting in August 2025, we will begin temporarily blocking Exchange Web Services traffic using the Exchange Online shared service principal” to accelerate adoption of the dedicated Exchange hybrid app.


More Than Half of Healthcare Orgs Attacked with Ransomware Last Year

A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.

The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.

A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% of attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.

The lower rate of ransom payment in healthcare may be due to genuine concerns that the attackers will not be true to their word. The ransomware attack on Change Healthcare last year made that clear. A $22 million ransom was paid to the BlackCat ransomware group to delete the stolen data; however, after pulling an exit scam, the affiliate behind the attack retained a copy of the data and attempted extortion a second time through a different group, RansomHub. Further, law enforcement operations against LockBit found the group lied about data deletion. Copies of stolen data were found on servers after the ransom was paid. Payment of a ransom is also no guarantee that data can be recovered. On average, 15% of companies that paid the ransom did not receive usable decryption keys, and a further 3% found that their data had been published or misused even when payment was made.

Ransomware groups have been observed adopting more aggressive tactics to increase pressure on victims. Falling profits have prompted some groups to start contacting patients of an attacked healthcare provider directly to increase pressure and get the ransom paid, or in some cases, patients have been extorted. Ransomware groups have threatened to file complaints with regulators, such as the Securities and Exchange Commission (SEC). According to Semperis, 47% of attacks across all sectors involved threats of regulatory complaints, as did 41% of attacks on healthcare organizations. In 62% of healthcare attacks, the threat actor threatened to release private or proprietary data. There is also a growing trend of physical threats against staff members, which occurred in 40% of attacks across all sectors, and 31% of attacks on healthcare organizations.

“With the introduction of generative AI and the fast development of agentic AI attacks, creating more advanced tools with more destructive impact is easier, so threat actors no longer need a lot of money and resources to create those tools,” said Yossi Rachman, Semperis Director of Security Research. “As a result, even a drop in ransom payments will not necessarily stop attack groups from proliferating and conducting more effective and frequent attacks.”

Semperis found that organizations are getting better at detecting and blocking attacks, but when attacks occur, they can cause considerable harm. For 53% of healthcare victims, recovery took from a day to a week, with 31% of attacked healthcare organizations taking between one week and one month to fully return to normal operations. The main business disruptions were data loss/compromise, reputational damage, and job losses. In one attack this year, a healthcare provider permanently closed the business after a ransomware attack.

The biggest challenges faced in healthcare were the frequency and sophistication of threats, attacks on identity systems, and regulatory compliance. 78% of victims said attacks compromised their identity infrastructure, yet only 61% maintained a dedicated AD-specific backup system. Semperis strongly advises companies to implement technology to protect IAM infrastructure, since this is the #1 target. It is also important to document, train, and test to improve the response to a ransomware attack, as an attack is almost inevitable.

“Train for the day you are attacked,” advises Rachman. “See that everybody knows exactly what they should do, which systems, processes, and tools need to be involved, and do that every six months.” Further, when cybersecurity has been improved, it is necessary to evaluate the security of partners and supply chain vendors, as even with excellent security, supply chain vulnerabilities could easily be exploited.
