CISA; NSA Issue Guidance on Hardening Microsoft Exchange Server Security

Posted by Steve Alder

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued new guidance for organizations to help them secure their on-premises Microsoft Exchange servers. The guidance document builds on the advice issued in August 2025 on mitigating a high-severity vulnerability in Microsoft Exchange Server – CVE-2025-53786 – that posed a significant risk to organizations with Microsoft Exchange hybrid-joined configurations.

The flaw could be exploited by an unauthenticated attacker to move laterally from an on-premises Exchange server to their Microsoft 365 cloud environment. While the vulnerability could only be exploited if an attacker first gained administrative access to the on-premises Exchange server, CISA was particularly concerned about how easy it was to escalate privileges and gain control of parts of the victim’s Microsoft 365 environment.

Cyber actors have been targeting on-premises Exchange servers in hybrid environments, and CISA is concerned about organizations using misconfigured or unprotected Microsoft Exchange servers, especially Exchange Server versions that have reached end-of-life. In such cases, there is a high risk of compromise. The guidance – Microsoft Exchange Server Security Best Practices – was developed by CISA and the NSA, with assistance provided by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security (Cyber Centre). The document details proactive prevention measures and techniques for combating cyber threats and protecting sensitive data and communications.

“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.

The authoring agencies stress that the most effective defense against Microsoft Exchange threats is ensuring that Exchange is updated to the latest version and Cumulative Update (CU). If an unsupported version is still in use, it should be updated to a supported version. The only supported version for on-premises Exchange is Microsoft Exchange Server Subscription Edition (SE), as support ended for previous versions on October 14, 2025. Organizations should also ensure that Microsoft’s Emergency Mitigation Service is turned on, as it will automatically apply defensive rules, disable legacy protocols, and block specific patterns of malicious HTTP requests.

Organizations should maintain a regular patching cadence, applying the monthly security updates and hotfixes promptly, as well as the two CUs per year. CISA warns that threat actors usually develop exploits for Exchange vulnerabilities within a few days of patches being released. If immediate patching is not possible, organizations should implement Microsoft’s interim mitigations.

CISA recommends that organizations enforce a prevention posture to address Exchange threats. The guidance serves as a blueprint for strengthening security, and covers hardening authentication and access controls, enforcing strong encryption, implementing multifactor authentication, enforcing strict transport security configurations, adopting zero-trust security principles, and minimizing application attack surfaces. The guidance is focused on securing on-premises Exchange servers. Organizations with Exchange servers in hybrid environments should follow the advice in CISA’s August 2025 Emergency Directive.

The post CISA; NSA Issue Guidance on Hardening Microsoft Exchange Server Security appeared first on The HIPAA Journal.

Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution

Posted by Steve Alder

Vulnerabilities have been identified in the Hospital Manager Backend Services, a hospital information management system from Vertikal Systems. One of the vulnerabilities is a high-severity flaw that can be remotely exploited in a low complexity attack to gain access to and disclose sensitive information.

The vulnerabilities affect Hospital Manager Backend Services prior to September 19, 2025. The vulnerabilities have been fixed in the September 19, 2025, release and future releases. Users should ensure that their product is up to date and should contact Vertikal Systems for assistance with fixing the flaws.

The most serious vulnerability is tracked as CVE-2025-54459 and has been assigned a CVSS v4 base score of 8.7 (CVSS v3.1 base score 7.5). The flaw is due to the product exposing sensitive information to an unauthorized control sphere. Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, which means a remote attacker can obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.

The second flaw is tracked as CVE-2025-61959 and is a medium-severity vulnerability with a CVSS v4 base score of 6.9 (CVSS v3.1 base score: 5.3), due to the generation of error messages containing sensitive information.  Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration ‘customErrors mode=”Off”‘, which could have facilitated reconnaissance by unauthenticated attackers.

The vulnerabilities were identified by Pundhapat Sichamnong of Vantage Point Security, who reported the flaws to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In addition to using the latest version, it is recommended not to expose the product to the internet, to locate it behind a firewall, and if remote access is required, to use a secure method of access, such as a Virtual Private Network (VPN), ensuring the VPN is running the latest version of the software.

The post Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution appeared first on The HIPAA Journal.

George E. Weems & Virba Hospitals Announce Data Breaches

Posted by Steve Alder

Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics.

George E. Weems Memorial Hospital

On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025.

The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health insurance information.

No evidence was found to indicate that any of the exposed information has been or will be misused, but as a precaution, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. George E. Weems Memorial Hospital said it had taken many precautions to protect the privacy of patient information and will continue to review and enhance its measures to ensure privacy and security. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Vibra Hospital of Sacramento

On October 3, 2025, Vibra Hospital of Sacramento in California started notifying patients about a security incident involving unauthorized access to six employee email accounts. Suspicious activity was identified within certain email accounts on or around March 13, 2025. Assisted by third-party cybersecurity experts, Vibra Hospital determined that the email accounts were accessed by an unauthorized third party from March 11, 2025, to March 22, 2025.

The review of the affected accounts was completed on August 4, 2025, when it was confirmed that protected health information had been exposed. The types of data involved vary from individual to individual and may have included names in combination with addresses, birth dates, Social Security numbers, dates of service, diagnoses, treatment information, physician/facility names, Medicare/Medicaid numbers, patient account numbers, and/or financial account numbers.

No evidence was found to indicate any misuse of the exposed data. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts, free credit reports, and explanation of benefits statements, and as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Vibra Hospital has also taken steps to improve email security to prevent similar incidents in the future.

Michael R. Schwartz, MD, FACS

Michael R. Schwartz, MD, FACS, a plastic surgeon based in Westlake Village, California, has recently disclosed a security incident that involved unauthorized access to patient information.  The intrusion was identified on or around August 25, 2025, and it was later confirmed that an unauthorized third party had remote access to a single computer from January 20, 2025, to August 26, 2025.

The review revealed that the threat actor may have accessed patients’ personal and protected health information, including names, addresses, email addresses, phone numbers, Social Security numbers, medical record numbers, and patient photographs. As a precaution, all office computers and servers have been replaced, security controls have been strengthened, and additional data security training has been provided to the workforce. The affected individuals have also been offered 12 months of complimentary identity theft protection services.  The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Travere Therapeutics

The San Diego, CA-based biopharmaceutical company, Travere Therapeutics, has recently notified the Massachusetts Attorney General about a recent security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been affected, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring services for 24 months.

The post George E. Weems & Virba Hospitals Announce Data Breaches appeared first on The HIPAA Journal.