Healthcare Cybersecurity

Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands

Ransomware groups are conducting fewer attacks than a year ago, and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.

Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments. ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.

Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.

Only 17% of attacks are detected during the reconnaissance phase and 29% during initial access; a further 30% are not detected until data exfiltration has begun (12%), data is being encrypted (13%), or the ransom note arrives (5%). While attacks are becoming more sophisticated and harder to detect with traditional security tools, the initial access vectors have largely remained unchanged, with phishing and social engineering the most common means of infiltration. Phishing/social engineering was the infiltration method in 33.7% of attacks, software vulnerabilities were exploited in 19.4%, supply chain compromises accounted for 13.4%, and software misconfigurations were exploited in 13%. ExtraHop has observed a marked increase in the use of compromised credentials for initial access, which were used in 12.2% of attacks. Valid credentials let attackers log in rather than break in, move laterally, and remain undetected for extended periods, often escalating privileges to reach more sensitive systems.

The biggest areas of cybersecurity risk for defenders were the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%). The main challenges faced by defenders were limited visibility into their entire environment (41%), insufficient staffing or a skills gap (35.5%), alert fatigue due to an overwhelming number of security alerts (34%), poorly integrated tools (34%), insufficient or manual SOC workflows (33%), insufficient budget and executive support (29%), and organizational silos (26%). The problem for many organizations is that they are grappling with a complex range of equally pressing obstacles.

ExtraHop’s advice is to first understand the full attack surface, which means knowing exactly what is in the network and where vulnerabilities exist. While it is important to have robust perimeter defenses, internal traffic must be monitored as attackers are increasingly able to penetrate defenses. Through effective monitoring, organizations can identify and block attacks before escalation, data theft, and encryption. While it is essential to understand what threat actors are doing today, it is important to keep abreast of evolving tactics to be prepared for what will happen tomorrow, including attackers’ use of emerging technologies.

The post Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands appeared first on The HIPAA Journal.

Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks

Cybersecurity firm Black Fog has released its Q3 2025 State of Ransomware Report, which shows ransomware attacks have increased by 36% compared to the same quarter in 2024. Each month in the quarter saw an increase in attacks compared to the corresponding month last year, with July the worst month with a 50% increase. Over the whole quarter, 270 ransomware attacks were reported, although Black Fog notes that the majority of attacks remain in the shadows and go unreported. In Q3, an estimated 1,510 ransomware attacks were not disclosed, which represents a 21% increase from the previous quarter.

Healthcare remains a key target for ransomware groups, with the sector experiencing 86 attacks, which represents 32% of all disclosed attacks – more than twice as many ransomware attacks as were disclosed by entities in the next most attacked sectors, government and technology, which each had 28 disclosed incidents. Black Fog reports that 85% of ransomware attacks are not reported, and taking those attacks into account, manufacturing was the hardest hit sector, accounting for 22% of the 1,510 undisclosed attacks, followed closely by the services sector. Even with the HIPAA reporting requirements, healthcare ranked 5th for undisclosed incidents, which suggests that healthcare organizations are slow to investigate and report attacks. Law firms are increasingly being targeted, with the sector experiencing at least 79 attacks, the highest level since Black Fog started publishing ransomware reports in 2020.

Data theft almost always occurs with ransomware attacks, with some groups now abandoning encryption altogether. Black Fog reports that a new record was set in Q3 for data exfiltration, with 96% of attacks involving data theft. As reported by the Identity Theft Resource Center this month in its Q3 analysis of compromises, almost three-quarters (71%) of victim notifications do not mention the root cause of the attack, such as whether ransomware was used, which puts victims at a great risk of identity theft and fraud. Black Fog identified 449 victim listings on ransomware groups’ dark web data leak sites in Q3, 2025, with an average of 527.65 GB exfiltrated per victim. Black Fog CEO, Darren Williams, recommends that organizations should be more proactive at detecting the signs of data exfiltration by looking for unusual patterns in outbound traffic, anomalous MFA behaviors, and sudden file movement, as by the time files are encrypted, the damage from an attack is often irreversible.
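ExtraHop's advice above to monitor internal traffic rather than only the perimeter, and Black Fog's to look for unusual outbound patterns before encryption starts, both come down to comparing a host's current transfers against its own history. The following is an added example, not code from either vendor's products: it reads a simplified flow log (a constructed format, one line per host, destination and day with the outbound byte count), treats RFC 1918 addresses as internal, and flags a host whose latest-day external volume is far above its own median or that contacts an external destination it never used during the baseline. The thresholds and the sample log are illustrative.

```python
"""Flag hosts whose outbound volume or destinations break from their baseline.

Added example, not ExtraHop's or Black Fog's tooling. The flow-log format is
an assumption: one record per line, "date,host,dst_ip,bytes_out", one record
per host/destination/day. Real exports (NetFlow, firewall logs) need their
own parser but feed the same comparison.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: ws-0412 is quiet for three days, then pushes 48 GB to a
# never-seen external host; srv-files is a steady 5 MB/day sync partner.
SAMPLE_FLOWS = """\
2025-09-01,ws-0412,203.0.113.10,820000
2025-09-01,ws-0412,10.0.5.20,91000000
2025-09-02,ws-0412,203.0.113.10,910000
2025-09-03,ws-0412,203.0.113.11,760000
2025-09-04,ws-0412,203.0.113.77,48000000000
2025-09-01,srv-files,203.0.113.10,5000000
2025-09-02,srv-files,203.0.113.10,5200000
2025-09-03,srv-files,203.0.113.10,4900000
2025-09-04,srv-files,203.0.113.10,5100000
"""


def is_external(ip: str) -> bool:
    """Anything outside the RFC 1918 ranges is treated as leaving the network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Return (date, host, dst, bytes) tuples for external destinations only."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, host, dst, nbytes = line.split(",")
        if is_external(dst):
            flows.append((date, host, dst, int(nbytes)))
    return flows


def find_exfiltration(flows, ratio: float = 5.0, min_bytes: int = 1_000_000_000):
    """Compare the latest day in the log against each host's earlier days.

    A host is flagged when its external outbound volume on the latest day is
    both above `min_bytes` and more than `ratio` times its median daily volume,
    or when it sends to an external destination absent from its baseline days.
    """
    dates = sorted({f[0] for f in flows})
    latest, baseline_days = dates[-1], dates[:-1]
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    seen_dst = defaultdict(set)                     # host -> baseline destinations
    latest_dst = defaultdict(set)                   # host -> latest-day destinations
    for date, host, dst, nbytes in flows:
        daily[host][date] += nbytes
        (latest_dst if date == latest else seen_dst)[host].add(dst)

    findings = []
    for host, per_day in daily.items():
        base = [per_day.get(d, 0) for d in baseline_days]
        today = per_day.get(latest, 0)
        med = median(base) if base else 0
        if today >= min_bytes and today > ratio * med:
            findings.append({"host": host, "reason": "volume",
                             "bytes": today, "baseline_median": med})
        for dst in sorted(latest_dst[host] - seen_dst[host]):
            findings.append({"host": host, "reason": "new_destination", "dst": dst})
    return findings


if __name__ == "__main__":
    for f in find_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f)
```

Run as is it reports ws-0412 twice (volume spike and a new destination) and stays silent on srv-files, whose regular sync would drown a naive "large transfer" rule. The baseline here is per host; for a real deployment, a per-host, per-destination baseline plus a separate feed of MFA anomalies is what turns this into the early warning Black Fog describes.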

The Qilin ransomware group retained its position as the most prolific ransomware group with 20 disclosed attacks (7%) and 242 undisclosed attacks (16%). INC Ransom ranked second with 18 (7%) disclosed attacks and 111 (7%) undisclosed attacks. Akira remains a highly active group with 139 (9%) undisclosed attacks. In Q3, a further 18 ransomware groups emerged, bringing the total number of active groups engaging in double extortion up to 80.

One notable newcomer is the Devman ransomware group, which has conducted 19 attacks in just a few months. The group stands out due to the high number of attacks for a new group, together with exorbitant ransom demands, including a $93 million ransom demand in the attack on the Chinese real estate firm, Shimao Group, which ranks as the largest ransom demand of the year.

“As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return,” suggests Williams. That means improving monitoring and encrypting stored data.

ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025

The latest data from the Identity Theft Resource Center (ITRC) confirms that system compromises and data breaches are still being reported in high numbers, although there was a slight reduction in incidents compared to the previous quarter. ITRC tracked 913 compromises in Q2 2025 and 835 in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.

Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record. While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.

In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).

Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).

The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.

72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks

A recent survey of U.S. healthcare IT and cybersecurity professionals found that 93% of the surveyed organizations had experienced at least one cyberattack in the past 12 months, and 72% of those reported that the attacks caused disruption to patient care. The negative impacts were typically delayed intake, increased hospital stays, and increased complications from medical procedures, with 29% of respondents reporting an increase in mortality rate. The problem is getting worse, as last year, 69% of healthcare organizations said cyberattacks had negatively impacted patient care.

The survey was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint and polled 677 healthcare IT and cybersecurity professionals in the United States. The findings are published in Proofpoint’s report, The 2025 Study on Cyber Insecurity in Healthcare, which looks specifically at how effectively human-targeted cybersecurity risks are being reduced in the healthcare industry, and at the cost and impact of cyberattacks on patient safety and care.

Organizations that experienced a cyberattack suffered 43 attacks on average, up from 40 last year. 96% of healthcare organizations experienced at least two incidents involving the loss or exfiltration of patient data, and the majority of respondents reported that those incidents had a negative impact on patient care.

“Patient safety is inseparable from cyber safety,” said Ryan Witt, vice president of industry solutions at Proofpoint. “This year’s report highlights a stark reality: Cyber threats aren’t just IT issues, they’re clinical risks. When care is delayed, disrupted, or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.”

The report is based on four categories of cyberattacks: cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC)/spoofing/impersonation incidents. Supply chain attacks had the biggest impact on patient care, with 87% of victims of supply chain attacks reporting negative impacts such as delayed procedures, poorer outcomes, and increased complications.

When asked about the cost of the single most expensive cyberattack, the answers ranged from $10,000 to more than $25 million, with an average cost of $3.9 million, down from the 2024 average of $4.7 million. The biggest cost was operational disruption, which cost an average of $1,210,172, down 17.6% from last year. Idle time and lost productivity fell by 13.7% year-over-year to an average of $858,832. The average cost of correcting the impact on patient care fell by 21.5% to $853,272, the cost of damage to IT assets and infrastructure fell by 13.8% to $711,060, and the cost of remediation and technical support activities fell by 28.6% to $507,491.

There has been a significant increase in ransomware incidents, which rose from 60% in 2024. While costs are down overall, the cost of ransomware attacks increased from an average of $1.1 million in 2024 to $1.2 million in 2025. The percentage of victims paying the ransom has continued to fall, with 33% of victims choosing to pay compared to 36% last year.

The adoption of AI for security and migration of data to the cloud were the most common protective strategies adopted by healthcare organizations. The survey revealed that 75% of healthcare organizations have or plan to move clinical applications to the cloud, and 30% of respondents use AI for security. The respondents who have adopted AI for security claim the tools are very effective, although 60% said they struggle to protect sensitive data used by AI systems, and the adoption of AI tools is being hampered by interoperability issues and data accuracy problems.

Human error was a key factor in data loss/data exfiltration incidents, with 35% of respondents reporting that data loss was caused by employees not following policies. One-quarter reported data loss due to privileged access abuse, and one-quarter said it was due to an employee sending PHI to an incorrect recipient. The human factor in cyberattacks is being addressed by 76% of organizations. Of those, 63% said they run regular training and security awareness programs, 51% monitor the actions of employees, and 47% conduct phishing simulations.

“This report underscores the urgent need for healthcare organizations to adopt a human-centric cybersecurity approach—one that not only protects systems and data but also preserves the continuity and quality of care,” said Witt.

Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite

A zero-day vulnerability in Oracle E-Business Suite is being actively exploited by the Cl0p ransomware group. The flaw is tracked as CVE-2025-61882 and has a CVSS base score of 9.8 out of 10. It is present in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle E-Business Suite and can be exploited over HTTP by an unauthenticated attacker with network access, resulting in remote code execution and full compromise of Oracle Concurrent Processing.

Google’s Threat Intelligence Group and Mandiant first warned about attacks exploiting the vulnerability on October 2, 2025, when organizations started reporting that they had received demands for payment from the Cl0p threat group. Oracle published a security advisory about the vulnerability on October 4, 2025, and released a patch to fix the flaw. CrowdStrike believes with moderate confidence that a threat group tracked as Graceful Spider is mass exploiting the vulnerability.

Graceful Spider is a Russia-linked threat group that CrowdStrike associates with Cl0p ransomware operations. The vulnerability has been exploited in the wild since at least August 9, 2025, and a proof-of-concept exploit for it has been published by the threat group Scattered LAPSUS$ Hunters. The security firm watchTowr has confirmed that the PoC exploit is real. Since working exploit code is now publicly available, it is possible that multiple threat groups are exploiting the vulnerability. watchTowr reports that the exploit chain strings together five separate bugs to achieve pre-authentication remote code execution, including some that Oracle patched in its July 2025 Critical Patch Update, and describes the exploit as demonstrating a high level of skill and effort.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 to 12.2.14, and may also exist in older, unsupported versions. Any organization that has Oracle E-Business Suite exposed to the internet is at risk, and given that the mass exploitation attempts have been ongoing for more than a month, there is a risk that the vulnerability has already been exploited and that the Cl0p group has yet to reach out to demand payment. According to the cybersecurity firm Resecurity, Cl0p has been reaching out to victims via compromised business email accounts and newly registered accounts.

Users of Oracle E-Business Suite should follow the advice in Oracle’s security alert: upgrade to a supported version and install the latest update. Oracle’s October 2023 Critical Patch Update must be applied before the patch for CVE-2025-61882. Patching closes the hole but does not evict an attacker who is already inside, so after applying the patch, Oracle E-Business Suite users should check for the indicators of compromise Oracle shared in the security alert to determine whether the vulnerability has already been exploited.

Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks

A critical vulnerability in Fortra’s GoAnywhere MFT secure web-based file transfer tool is being actively exploited in Medusa ransomware attacks. According to Microsoft’s Threat Intelligence Team, the vulnerability is being exploited by a threat group it tracks as Storm-1175, which is known for deploying Medusa ransomware after exploiting vulnerabilities in public-facing applications.

The zero-day deserialization vulnerability is tracked as CVE-2025-10035 and has a maximum CVSS base score of 10. According to Fortra, a threat actor with a validly forged license response signature could deserialize an arbitrary actor-controlled object. Successful exploitation of the flaw can result in command injection without authorization, which can potentially lead to remote code execution. Fortra issued a security advisory about the flaw on September 18, 2025, and explained that the vulnerability affects the GoAnywhere MFT’s License Servlet Admin Console version 7.8.3 and prior versions. The vulnerability has been fixed in version 7.8.4 and the Sustain release 7.6.3.

Microsoft detected attacks exploiting the vulnerability at multiple organizations on September 11, 2025, although the threat intelligence company watchTowr believes that attacks started on September 10, 2025, more than a week before Fortra issued its security alert. Microsoft has observed Storm-1175 dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence, and in some cases, creating .jsp files within GoAnywhere MFT directories.

The group establishes persistence, sets up encrypted C2 communications, and deploys additional tools and malware payloads to facilitate network discovery and lateral movement, the latter carried out over RDP using mstsc.exe. The group identifies and exfiltrates sensitive data and has used Rclone for data exfiltration in at least one attack. After data exfiltration, the group deploys Medusa ransomware to encrypt files.

All users are advised to immediately ensure that the GoAnywhere Admin Console is not exposed to the Internet and to update GoAnywhere to the latest version. Since the vulnerability has been exploited since at least September 11, 2025 (and possibly since September 10), more than a week before the advisory, patching alone is not sufficient. After updating the software, users should investigate for signs of compromise. “Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” explained Fortra in its security alert.
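Fortra’s detection advice above can be turned into a small log check. The following is an added example, not Fortra’s tooling: it walks a log directory, attributes each line containing `SignedObject.getObject` to the most recent timestamped log entry above it (stack-trace frames carry no timestamp of their own), and returns the hits with their line numbers. The log lines embedded in it are constructed to resemble a Java stack trace; the GoAnywhere log layout, file locations and the surrounding frames are assumptions, so adjust the timestamp pattern and log directory to your install.

```python
"""Hunt GoAnywhere MFT logs for the exploitation indicator Fortra named.

Added example, not Fortra's tooling. Fortra's advisory says an exception
stack trace containing "SignedObject.getObject" marks an instance as likely
affected by CVE-2025-10035. The entry layout assumed here is
"YYYY-MM-DD HH:MM:SS LEVEL logger - message" followed by stack-trace frames;
change TIMESTAMP if your log4j pattern differs.
"""
import re
from pathlib import Path

INDICATOR = "SignedObject.getObject"
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)")

# Constructed sample log: one harmless warning, then an error whose trace
# passes through java.security.SignedObject.getObject.
SAMPLE_LOG = """\
2025-09-11 02:13:55 WARN  LicenseServlet - license check retried
2025-09-11 02:14:07 ERROR LicenseServlet - unexpected license response
java.lang.RuntimeException: deserialization failed
\tat java.security.SignedObject.getObject(SignedObject.java:182)
\tat com.example.license.LicenseResponse.parse(LicenseResponse.java:44)
2025-09-11 02:14:08 INFO  LicenseServlet - request complete
2025-09-11 03:00:00 INFO  Scheduler - nightly job started
"""


def find_indicator_events(lines):
    """Return one dict per indicator hit, tied to the log entry that preceded it.

    Frames are attributed to the most recent timestamped entry above them, so
    the returned timestamp is the time of the error, not of the file write.
    """
    events = []
    entry_ts, entry_msg = None, None
    for lineno, line in enumerate(lines, 1):
        m = TIMESTAMP.match(line)
        if m:
            entry_ts, entry_msg = m.group(1), line.strip()
        # The indicator may sit in the message line itself or in a frame below it.
        if INDICATOR in line:
            events.append({
                "timestamp": entry_ts,
                "entry": entry_msg,
                "frame": line.strip(),
                "line": lineno,
            })
    return events


def scan_log_dir(log_dir, pattern="*.log"):
    """Scan every file matching `pattern` under log_dir; returns {path: events} for files with hits."""
    hits = {}
    for path in sorted(Path(log_dir).rglob(pattern)):
        events = find_indicator_events(path.read_text(errors="replace").splitlines())
        if events:
            hits[str(path)] = events
    return hits


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; point scan_log_dir at
    # your GoAnywhere log directory for a real check.
    for ev in find_indicator_events(SAMPLE_LOG.splitlines()):
        print(f"{ev['timestamp']} line {ev['line']}: {ev['frame']}")
```

A hit is a trigger for incident response, not proof of success on its own: pair the timestamp with the Admin Audit logs and look for the .jsp drops, RMM installs and Rclone activity Microsoft describes in the same window.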

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog on September 29, 2025, and requires all federal civilian agencies to implement Fortra’s mitigations by October 20, 2025.

Healthcare Cyberattacks Costing $200K+ Rise 400% in a Year

Over the 12 months from March 2024 to March 2025, almost half of healthcare organizations experienced at least one data incident, such as a ransomware attack, hacking incident, or phishing attack, according to the cybersecurity firm Netwrix. For its 2025 Cybersecurity Trends Report, Netwrix surveyed 2,150 IT professionals from 121 countries in March 2025 and compared the findings to previous surveys conducted in 2024, 2023, and 2020.

Healthcare has long been targeted by threat actors due to the high value of patient records, and the fact that healthcare organizations cannot tolerate disruption, as it puts patient safety at risk. The sector is extensively targeted by ransomware groups as there is a higher probability that the ransom will be paid to prevent the publication of stolen data and ensure a fast recovery. In the past 12 months, 48% of healthcare organizations experienced at least one security incident that required a dedicated response from the security team.

Across all sectors, the number of organizations reporting no impact from security incidents is rapidly reducing. In 2023, 45% of respondents said there was no impact from security incidents, whereas in 2025 the percentage had fallen to just 36%. In 2024, 60% of organizations reported suffering financial damage due to cyberattacks, and the percentage jumped to 75% in 2025. Across all sectors, the number of organizations reporting financial damage of at least $200,000 almost doubled from 7% in 2024 to 13% in 2025.

Netwrix reports that four times as many healthcare organizations suffered financial losses of at least $200,000 in 2025 as in 2024. In 2024, only 2% of healthcare organizations experienced cyberattack-related losses of more than $500,000, compared to 12% in 2025. The report confirms that healthcare faces the biggest financial impact from cyberattacks. In 2025, 6% of all industries suffered cyberattack-related financial losses of more than $500,000, compared to 12% in healthcare.

The Netwrix survey revealed that almost one-third of healthcare organizations experienced security incidents involving compromised user/admin accounts. Phishing remains the most prevalent threat, and attacks are becoming harder to identify due to attackers’ use of AI tools for their phishing and social engineering campaigns. 37% of healthcare respondents said AI-driven threats require stronger defenses.

“Research strongly suggests that attackers are ahead in AI adoption, which is pushing defenders into a reactive posture. Indeed, 37% of survey respondents say AI-driven threats forced them to adjust — that’s a direct reaction to the offensive use of AI by adversaries,” explained Jeff Warren, Chief Product Officer, Netwrix. “At the same time, 30% haven’t even started AI implementation and are in ‘considering’ mode, indicating a significant lag in adoption. It’s fair to say that attackers are moving faster with AI, and defenders are scrambling to catch up. This asymmetry is not new in cybersecurity, but AI appears to be accelerating it.”

In 2025, the top three threats in the cloud and on-premises were the same. Phishing was the most common cause of security incidents (76% cloud; 69% on-premises), followed by user/admin account compromise (46% cloud; 45% on-premises), and ransomware and other malware attacks (30% cloud; 31% on-premises).

“Ransomware attacks on premises are becoming less frequent, while the rate for cloud infrastructure remains steady,” explained Warren. “As businesses shift critical operations and sensitive data to the cloud, attackers increasingly see cloud workloads as high-value targets worth encrypting or exfiltrating for ransom. And it’s a numbers game, too. Some attackers don’t target the cloud per se; they target everything. As more infrastructure moves to the cloud, the odds of hitting a cloud tenant go up.”

The main challenges for security teams are understaffed IT and security departments, a lack of budget for data security initiatives, mistakes/negligence by business users, and a lack of cybersecurity expertise within the IT and security teams. Unsurprisingly, given the staffing problems at many organizations, one of the main priorities is the automation of manual IT processes, and while AI tools can help in this regard, it is important to ensure that the tools are not granted excessive privileges and that there is proper governance.

As AI adoption by cybercriminals accelerates, organizations need to respond. Warren suggests that organizations should double down on the basics of zero-trust networking and ensure they are adequately protecting their identity infrastructure, improving resilience by adopting an identity-first approach to protect accounts and the sensitive data they can access.

Cybersecurity Awareness Month 2025: Building a Cyber Strong America

October is Cybersecurity Awareness Month – a global initiative that aims to educate the public and businesses about the importance of cybersecurity and protecting against cyber threats to systems and data. The initiative is led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and this year’s theme is “Building a Cyber Strong America.” The main focus this year is improving cybersecurity at the government entities and small and medium-sized businesses that operate and maintain the nation’s critical infrastructure, as well as the myriad vendors and suppliers that support or are connected to critical infrastructure.

CISA is issuing a call to action to all critical infrastructure entities and vendors that support those entities to take steps to improve cybersecurity, starting with four essential steps to improve baseline security:

  • Avoid phishing
  • Use strong passwords
  • Require multifactor authentication
  • Update business software

Phishing is the initial access vector in many cyberattacks, providing threat actors with the credentials they need to access internal systems and data and conduct a comprehensive attack on the organization. According to the cybersecurity firm SentinelOne, phishing attacks have increased by 1,265%, with that increase driven by the growth of GenAI. These attacks target employees and trick them into disclosing credentials, opening malicious email attachments, or clicking links that direct them to malicious sites where malware is downloaded. While technical defenses such as spam filters can reduce the number of threats that reach employees, it is vital to train the workforce on how to recognize and report suspicious emails.

Accounts are often only as secure as the passwords protecting them, so passwords must be difficult to guess and resistant to automated brute-force attempts. According to Hive Systems, a password consisting of 10 random digits could be cracked in less than a day, compared to 803,000 years for a 10-character password drawn from digits, upper- and lower-case letters, and special characters. Those figures describe an offline attack against stolen password hashes and depend on the hashing algorithm and the attacker’s hardware; a fast unsalted hash falls far sooner than a slow, salted one, while online guessing against a live login page is limited by lockouts and rate limiting. Length and character-set size both matter because together they determine the size of the search space. Strong passwords should be mandatory for all users, and passwords known to have appeared in breaches should be rejected.

Even strong passwords are not sufficient by themselves: they may be difficult to brute force, but they can still be obtained through phishing, for example, or by malware that captures keystrokes, or by reuse of a password exposed in another breach. Multifactor authentication adds a further layer of protection, ensuring that a password alone is not enough to access accounts, systems, and devices. Implementing multifactor authentication significantly improves security, and where possible, phishing-resistant multifactor authentication should be used: one-time codes delivered by SMS or generated by an authenticator app can be relayed by a phishing site in real time, whereas FIDO2/WebAuthn security keys bind the authentication to the genuine site and cannot be replayed elsewhere.
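To make concrete what a second factor actually checks, the following is an added example (written for this page, not CISA’s or The HIPAA Journal’s code) implementing RFC 6238 time-based one-time passwords (TOTP), the scheme behind most authenticator apps, together with a server-side verifier that tolerates one 30-second step of clock skew and refuses to accept the same step twice. The secret is the SHA-1 test seed from RFC 6238 Appendix B so the output can be checked against the RFC’s test vectors; the step size, digit count and skew window are the usual defaults and are assumptions of the example. The caveat from the passage applies: a TOTP code can be relayed by a phishing page within its validity window, so this is MFA but not phishing-resistant MFA.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 Appendix B SHA-1 test seed, used
# only so the output can be checked against the RFC's published vectors.
EXAMPLE_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed defaults, as used by most authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code. Accepts one step of clock skew
    on either side and never accepts a step at or before the last accepted
    one, so a code captured and resubmitted within its window is rejected."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # replay guard: that step has already been used
            expected = hotp(self.secret, step)
            # constant-time comparison; submitted codes are ASCII digits
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector: at unix time 59 (step 1) the 8-digit code is 94287082.
    print(totp(EXAMPLE_SECRET, 59, digits=8))
    v = TotpVerifier(EXAMPLE_SECRET)
    code = totp(EXAMPLE_SECRET, 59)
    print(v.verify(code, 59), v.verify(code, 59))  # accepted once, then refused
```

In production the secret would be generated per user from a cryptographically secure random source and stored encrypted, and the verifier’s last-accepted step would be persisted alongside the account rather than held in memory.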

Threat actors target vulnerabilities in software and operating systems and exploit them to gain access to the networks of critical infrastructure entities and their vendors. All business software and operating systems should be kept up to date, with patches and security updates applied promptly, prioritizing internet-facing systems and vulnerabilities known to be exploited in the wild. After completing these four essential steps to improve baseline security, the next step is to level up defenses through additional actions, such as enabling logging on all systems and collecting the logs centrally, where an attacker who compromises one host cannot simply delete them. Logs should be monitored for anomalous activity, including signs of intrusion and insider misuse; a burst of failed logins followed by a success from the same source is the kind of pattern that should raise an alert.
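As an added illustration of monitoring logs for anomalous activity (example code written for this page, not from CISA), the script below parses sshd-style authentication lines and applies two simple rules: a burst of failed logins from one address inside a short window, and a successful login from an address that had just been failing, which is what a brute-force attack that worked looks like. The log lines are constructed for the example (RFC 5737 documentation addresses; the year is assumed to be 2025 because syslog timestamps carry none), and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log in syslog format (not real data).
SAMPLE_LOG = """\
Oct 01 09:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 01 09:14:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Oct 01 09:14:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2
Oct 01 09:14:06 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51125 ssh2
Oct 01 09:14:08 host1 sshd[2201]: Failed password for jsmith from 203.0.113.7 port 51126 ssh2
Oct 01 09:14:10 host1 sshd[2201]: Accepted password for jsmith from 203.0.113.7 port 51127 ssh2
Oct 01 09:20:00 host1 sshd[2250]: Accepted publickey for backup from 192.0.2.10 port 40010 ssh2
Oct 01 09:31:12 host1 sshd[2301]: Failed password for jsmith from 198.51.100.4 port 60001 ssh2
Oct 01 09:32:40 host1 sshd[2302]: Accepted password for jsmith from 198.51.100.4 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2025) -> list:
    """Turn sshd lines into events; lines that do not match are ignored.
    The year is an assumption: syslog timestamps do not include one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Two rules over a sliding per-source window of failures:
    brute_force            -> at least `threshold` failures from one IP
    success_after_failures -> an accepted login from an IP with >= 3 recent
                              failures (any user): the guessing paid off.
    Returns (rule, ip, user) tuples in the order they fire."""
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    already_flagged = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        ip = e["ip"]
        recent = [t for t in failures[ip]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        failures[ip] = recent
        if not e["ok"]:
            recent.append(e["ts"])
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append(("brute_force", ip, None))
        elif len(recent) >= 3:
            findings.append(("success_after_failures", ip, e["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, 203.0.113.7 trips both rules, while the single failure from 198.51.100.4 more than a minute before its success stays below the bar. The same structure extends to Windows Security events (4625 failures followed by a 4624 success from the same workstation) once the parser is swapped.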

Ransomware is one of the biggest threats, especially in healthcare. These attacks lock victims out of systems and prevent access to critical data, causing massive disruption to business operations. It is therefore essential that all critical information is backed up securely, as this will allow fast recovery in the event of an attack. In addition to keeping multiple backups and securing one copy off-site, at least one copy should be offline or immutable, since ransomware operators routinely seek out and encrypt or delete any backups reachable from the compromised network. Backups should also be tested regularly to confirm that files can actually be restored, not just that the backup job reported success. A recovery plan should define how much data loss is tolerable (the recovery point) and how quickly systems must be back (the recovery time), and should be rehearsed so that recovery takes the shortest possible time.
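The following is an added example (not code from CISA or the article) of the backup check the passage calls for: a backup that records a SHA-256 digest for every file in a manifest, and a restore test that copies the backup into a scratch directory and recomputes every digest, so that a missing or corrupted file is reported during the test rather than discovered during an incident. The directory layout, file names and contents are constructed for the example, and the “corruption” is simulated by editing and deleting files in the backup copy.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy `source` to `backup_root/data` and write manifest.json holding a
    SHA-256 digest per file, so a later restore can be checked, not assumed."""
    data_dir = backup_root / "data"
    shutil.copytree(source, data_dir)
    manifest = {str(p.relative_to(data_dir)): sha256_file(p)
                for p in data_dir.rglob("*") if p.is_file()}
    (backup_root / "manifest.json").write_text(
        json.dumps(manifest, sort_keys=True, indent=2))
    return backup_root


def verify_restore(backup_root: Path, restore_dir: Path) -> dict:
    """Restore into a scratch directory and recompute every digest.
    Returns {'ok': bool, 'missing': [...], 'corrupt': [...]}."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    shutil.copytree(backup_root / "data", restore_dir, dirs_exist_ok=True)
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.exists():
            missing.append(rel)
        elif sha256_file(restored) != digest:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt,
            "missing": missing, "corrupt": corrupt}


def demo() -> tuple:
    """Constructed end-to-end run: a clean restore, then the same backup after
    one file has been overwritten and another deleted (as ransomware that
    reaches a backup share would do). Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "patient_records"          # constructed sample data
        (src / "2025").mkdir(parents=True)
        (src / "2025" / "visits.csv").write_text("id,date\n1,2025-01-02\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        backup = make_backup(src, tmp / "backup")
        good = verify_restore(backup, tmp / "restore_1")

        (backup / "data" / "config.ini").write_text("encrypted-garbage")
        (backup / "data" / "2025" / "visits.csv").unlink()
        bad = verify_restore(backup, tmp / "restore_2")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup:", good)
    print("tampered backup:", bad)
```

The manifest itself should live with the off-site or immutable copy, or be signed, since an attacker who can rewrite the data can otherwise rewrite the digests to match. A scheduled job that runs a restore test and alerts when `ok` is false is a small investment compared with discovering an unrestorable backup mid-incident.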

Data encryption is another key protection for data at rest and in transit: if a threat actor obtains the files or intercepts the traffic, the contents cannot be read without the key. Encryption only helps if the keys are protected separately from the data; an attacker who holds the credentials of a user authorized to decrypt sees exactly what that user sees. Threat information sharing is also a key part of building a cyber strong America: by informing CISA about cyberattacks and sharing pertinent information, organizations enable CISA to warn others and help them avoid similar threats.

Healthcare organizations should also consider implementing the cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services in collaboration with CISA. The CPGs set a floor of safeguards that will help prevent successful cyberattacks, and the enhanced CPGs help healthcare organizations mature their cybersecurity capabilities. The 2025 HIPAA Journal Annual Survey indicated a lack of awareness of these important CPGs.

“Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives,” said Acting CISA Director Madhu Gottumukkala. “Whenever it’s disrupted, the effects ripple through communities across America. That’s why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services [that] sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure.”

The post Cybersecurity Awareness Month 2025: Building a Cyber Strong America appeared first on The HIPAA Journal.