Cybersecurity strategies
The healthcare sector faces a variety of cyberthreats, but experts are constantly working to provide organizations with reliable cybersecurity strategies to address them. Learn about the latest tactics for tackling cyber risk, with efforts led by security practitioners, federal agencies and leading cybersecurity companies.
Top Stories
-
News
20 Nov 2024
HHS has not adopted all GAO cybersecurity recommendations
GAO said that it is still waiting on HHS to implement several cybersecurity recommendations laid out for the department in various GAO reports. Continue Reading
-
Feature
18 Nov 2024
Mitigating risk as healthcare supply chain attacks prevail
A focus on cyber resilience is essential for mitigating the risk of healthcare supply chain attacks, which have the potential to cause widespread disruptions. Continue Reading
-
Definition
18 Nov 2024
What is a whaling attack (whaling phishing)?
A whaling attack, also known as 'whaling phishing' or a 'whaling phishing attack,' is a specific type of phishing attack that targets high-profile employees, such as the chief executive officer (CEO) or chief financial officer, to steal sensitive information from a company. Continue Reading
-
News
05 Nov 2024
Using psychology to defend against phishing attacks
A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event. Continue Reading
-
Podcast
04 Nov 2024
Understanding new NY hospital cybersecurity regulations
Recently enacted New York State general hospital cybersecurity requirements could be a sign of what's to come for the healthcare sector as a whole. Continue Reading
-
News
01 Nov 2024
Healthcare CISOs discuss the role's challenges at HIMSS event
During a panel session at the HIMSS Healthcare Cybersecurity Forum, healthcare CISOs discussed top challenges and strategies for success in the role. Continue Reading
-
News
25 Oct 2024
HHS, NIST conference: OCR identifies top priority areas
Updating the HIPAA Security Rule is one of OCR's current top priorities, OCR Director Melanie Fontes Rainer said during an HHS/NIST conference on safeguarding health information. Continue Reading
-
News
23 Oct 2024
HHS, NIST conference: Collaboration is key in healthcare cyber
HHS Deputy Secretary Andrea Palm emphasized the role of collaboration in tackling healthcare cybersecurity challenges at a conference held in Washington. Continue Reading
-
Feature
18 Oct 2024
Navigating cyber insurance coverage as threats evolve
The evolving cyberthreat landscape makes cyber insurance coverage decisions difficult for underwriters and healthcare organizations alike. Continue Reading
-
Feature
09 Oct 2024
Exploring today's top rural healthcare cybersecurity challenges
Financial troubles and an ongoing cyber workforce shortage are some of the factors contributing to persisting rural healthcare cybersecurity challenges. Continue Reading
-
Podcast
23 Sep 2024
Implementing cyber hygiene best practices in healthcare
Applying best practices for cyber hygiene and employee security training can help healthcare organizations effectively mitigate cyber-risk. Continue Reading
-
Tip
04 Sep 2024
Microsoft Purview Audit helps IT flush out bad behavior
The auditing tool gives enterprises a way to find problems by examining logs from Microsoft 365 cloud services, such as Exchange Online, to see what actions were taken and where. Continue Reading
-
Feature
22 Aug 2024
Understanding NIST's post-quantum cryptography standards
NIST encouraged organizations to implement its three post-quantum cryptography standards to prepare for the emergence of powerful quantum computers that could threaten security. Continue Reading
-
Feature
31 Jul 2024
What health IT pros can learn from the CrowdStrike outage
Following the CrowdStrike outage, experts recommended that health IT security practitioners focus on building resilience and tackling third-party risk. Continue Reading
-
News
25 Jul 2024
HHS reorganizes for coordination across health data policy
The HHS reorganization aims to improve coordination for strategy and policy across health data, cybersecurity, AI and technology as digital health transformation progresses. Continue Reading
-
News
23 Jul 2024
OIG audit: HHS secretary must improve cloud security controls
HHS-OIG auditors recommended that the HHS Office of the Secretary address gaps in its cloud security controls to better safeguard its cloud information systems. Continue Reading
-
News
08 Jul 2024
HC3 warns sector of critical MOVEit cybersecurity vulnerabilities
Healthcare organizations should prioritize patching two critical cybersecurity vulnerabilities found in Progress Software’s MOVEit managed file transfer platform. Continue Reading
-
News
01 Jul 2024
HHS, FBI warn healthcare sector of social engineering scheme
Threat actors have been using phishing schemes to steal login credentials and divert automated clearinghouse payments, HHS and the FBI warned in a joint cybersecurity advisory. Continue Reading
-
News
25 Jun 2024
Third-party data breaches continue to disproportionately affect healthcare
More than a third of third-party data breaches in 2023 affected healthcare organizations, surpassing all other sectors, SecurityScorecard research shows. Continue Reading
-
News
25 Jun 2024
CMS ends advance payment program from Change Healthcare cyberattack
On July 12, CMS will stop providing accelerated and advance payments to Medicare providers and suppliers affected by the Change Healthcare cyberattack. Continue Reading
-
News
20 Jun 2024
Ascension hospitals make progress in ransomware attack recovery
Ascension diverted ambulances and activated downtime procedures in response to a cyberattack that began on May 8. Continue Reading
-
Answer
18 Jun 2024
Understanding barriers to cyber resilience in healthcare
Cyber resilience is essential to ensure swift response and recovery from a cybersecurity incident, but it is a constant challenge for healthcare organizations. Continue Reading
-
News
13 Jun 2024
Microsoft, Google offer cybersecurity resources for rural hospitals
Microsoft and Google will provide free or discounted cybersecurity services to rural hospitals to bolster prevention efforts. Continue Reading
-
Feature
12 Jun 2024
Breaking Down the NIST Cybersecurity Framework, How It Applies to Healthcare
Healthcare organizations can strengthen their overall security postures by using the NIST Cybersecurity Framework's collection of standards and best practices. Continue Reading
-
News
10 Jun 2024
FBI urges LockBit ransomware victims to come forward
At a conference in Boston, the FBI Cyber Division’s assistant director urged LockBit ransomware victims to contact IC3 to obtain a decryption key. Continue Reading
-
News
06 Jun 2024
HC3 alerts hospitals of cybersecurity vulnerabilities in blood pressure monitor
The critical cybersecurity vulnerabilities in Baxter Welch Allyn Configuration Tool and Baxter Welch Allyn Connex Spot Monitor are exploitable remotely. Continue Reading
-
News
05 Jun 2024
HHS outlines DDoS attack prevention, response tactics for healthcare
Threat actors use DDoS attacks to flood a target network with traffic, making it difficult for defenders to detect and contain the threat. Continue Reading
-
News
04 Jun 2024
Senator asks FTC, SEC to investigate UnitedHealth’s cybersecurity practices
Sen. Ron Wyden requested that the FTC and SEC chairs investigate UHG’s “numerous cybersecurity and technology failures” to determine whether federal laws were broken. Continue Reading
-
Feature
30 May 2024
How HHS-OIG conducts cybersecurity audits
Healthcare organizations and HHS entities can use the recommendations provided in HHS-OIG cybersecurity audit reports to strengthen the security of their systems. Continue Reading
-
News
29 May 2024
Healthcare ransomware attacks lead to uptick in ED visits at nearby hospitals
A ransomware attack on a hospital can affect neighboring hospitals by increasing emergency department volume, a research letter published in JAMA revealed. Continue Reading
-
News
21 May 2024
FTC finalizes Blackbaud settlement, requires revamped data retention policies
The FTC’s settlement with Blackbaud prohibits the company from misrepresenting its data security practices and requires it to create a data retention schedule. Continue Reading
-
News
21 May 2024
HHS dedicates $50M to development of autonomous cyber defense tools
ARPA-H, a division of HHS, announced the launch of the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program, aimed at addressing cybersecurity vulnerabilities. Continue Reading
-
News
14 May 2024
CISA, HHS warn healthcare of Black Basta ransomware attacks
Black Basta ransomware affiliates have encrypted and stolen data from 12 of the 16 critical infrastructure sectors, including healthcare. Continue Reading
-
News
09 May 2024
NSA leadership discusses critical infrastructure cyber threats
David Luber, director of cybersecurity at the NSA, discussed cyber threats impacting critical infrastructure with his predecessor, Rob Joyce, at an RSAC 2024 session. Continue Reading
-
News
09 May 2024
Ascension faces cybersecurity event, disrupting clinical ops
A cybersecurity event disrupted clinical operations at Ascension after the nonprofit health system discovered unusual activity on some tech network systems. Continue Reading
-
News
08 May 2024
RSAC 2024: Vendors sign CISA’s secure by design pledge
At an RSAC 2024 event, more than 50 enterprise software vendors signed CISA’s voluntary secure by design pledge, aimed at improving the security of software products and services. Continue Reading
-
News
08 May 2024
Insider threats in healthcare remain prevalent
Although insider threat breach rates were on the decline in past years, Verizon has recently observed a resurgence in the healthcare sector. Continue Reading
-
News
07 May 2024
Experts reflect on national cyber strategy, release version 2 of implementation plan
At RSAC 2024, government officials discussed the progress made under the National Cyber Strategy in year one and shared their vision for the future. Continue Reading
-
News
06 May 2024
RSAC 2024: Data breach survivors discuss lessons learned
Experts who have experienced data breaches firsthand discussed data breach response best practices at RSAC. Continue Reading
-
Feature
06 May 2024
Change Healthcare cyberattack exposes cybersecurity concerns
The Change Healthcare cyberattack has sparked conversations about third-party risk management, the importance of MFA, and the effects of consolidation in healthcare. Continue Reading
-
News
02 May 2024
Change Healthcare cyberattack fallout continues
Change Healthcare, part of Optum, suffered a cyberattack in late February. Continue Reading
-
News
01 May 2024
Healthcare organizations secure 50% more sensitive data than global average
The volume of sensitive data that healthcare organizations maintain makes ransomware attacks against these entities even more impactful. Continue Reading
-
News
25 Apr 2024
Threat actors increasingly exploit zero-day vulnerabilities to evade threat detection
Although exploiting zero-day vulnerabilities remains a popular tactic, Mandiant found that defenders are getting better at identifying and containing compromises. Continue Reading
-
News
17 Apr 2024
Hearing on Change Healthcare cyberattack yields more questions for UHG
UnitedHealth Group was notably absent from a House Energy and Commerce Committee hearing about healthcare cybersecurity in the wake of the Change Healthcare cyberattack. Continue Reading
-
Feature
11 Apr 2024
How Health First navigated incident response for Change Healthcare cyberattack
A well-practiced runbook helped Health First, an integrated delivery network in Florida, swiftly respond to the Change Healthcare cyberattack, though not without lessons learned. Continue Reading
-
News
10 Apr 2024
Physicians report widespread financial turmoil due to Change Healthcare cyberattack
More than half of surveyed physicians have had to dip into personal savings to manage the financial strain caused by the Change Healthcare cyberattack, the AMA found. Continue Reading
-
News
08 Apr 2024
Advanced cybersecurity performance translates to higher shareholder returns
Highly regulated industries like healthcare delivered a 372% higher shareholder return compared to their peers, further highlighting the organization-wide importance of cybersecurity. Continue Reading
-
News
04 Apr 2024
AHA observes uptick in hospital IT help desk social engineering schemes
Threat actors have been using the stolen identity of revenue cycle employees to conduct social engineering schemes and divert payments. Continue Reading
-
News
28 Mar 2024
Healthcare security culture steadily improving, but gaps remain
Healthcare security culture maturity gaps can make the sector vulnerable to increased cyber risk, KnowBe4’s Security Culture Report suggests. Continue Reading
-
News
27 Mar 2024
HHS offers resource guide to providers impacted by Change Healthcare cyberattack
The guidance document consists of health plan contact information to help providers bridge communication gaps as they work to recover from the Change Healthcare cyberattack. Continue Reading
-
News
26 Mar 2024
HC3 alerts shed light on two popular healthcare cyberattack tactics
Recent HC3 sector alerts warned healthcare organizations of email bombing and credential harvesting, both of which may be used to enable healthcare cyberattacks. Continue Reading
-
News
25 Mar 2024
New cyber legislation would provide advance payments to providers facing hacks
Senator Mark Warner introduced legislation that would allow providers to receive advance payments in the event of a cyber incident, provided they meet minimum cybersecurity standards. Continue Reading
-
News
20 Mar 2024
Change Healthcare cyberattack affecting hospital finances, care access
Nearly 60 percent of responding hospitals said the revenue impact of the Change Healthcare cyberattack is $1 million per day or higher. Continue Reading
-
News
19 Mar 2024
MA hospitals losing $24M per day following Change Healthcare cyberattack
In addition to reimbursement losses, Massachusetts hospitals are reporting claims processing and pharmacy disruptions due to the Change Healthcare cyberattack. Continue Reading
-
News
18 Mar 2024
63% of known exploited vulnerabilities found on healthcare networks
A study shows just how exposed medical devices and implementations are to cyberattacks from CISA-tracked known exploited vulnerabilities. Continue Reading
-
News
12 Mar 2024
Healthcare hit hardest by ransomware last year, FBI IC3 report shows
LockBit and ALPHV/BlackCat were the top ransomware variants to impact critical infrastructure sectors last year, according to the FBI’s 2023 Internet Crime Report. Continue Reading
-
Answer
11 Mar 2024
What the LockBit ransomware gang’s return means for healthcare
An international law enforcement operation disrupted one of the most prolific ransomware groups, only for them to reemerge days later. Continue Reading
-
News
06 Mar 2024
Lurie Children’s Restores Key Systems Following Cyberattack
After a month of outages, Lurie Children’s Hospital has reactivated its EHR platform and other key systems. Continue Reading
-
News
05 Mar 2024
HHS Releases Statement on Change Healthcare Cyberattack
CMS will issue guidance encouraging payers to relax prior authorization and utilization management requirements as Change Healthcare system outages persist, HHS said. Continue Reading
-
News
04 Mar 2024
Optum Offers Temporary Funding Assistance For Change Healthcare Customers
The AHA suggested that the program “will not come close” to meeting the needs of its members as the Change Healthcare cyberattack fallout continues. Continue Reading
-
News
04 Mar 2024
NIST Releases CSF 2.0, Caters to Audience Beyond Critical Infrastructure
The NIST CSF 2.0 is the document’s first major update in the decade since it was first released. Continue Reading
-
Feature
01 Mar 2024
Understanding the Impact of the Change Healthcare Cyberattack on Providers
From major pharmacy chains to independently owned practices, providers across the country are facing significant operational challenges as the Change Healthcare outages continue. Continue Reading
-
News
29 Feb 2024
MGMA Urges HHS to Financially Assist Medical Groups Amid Change Cyberattack
The advocacy group requested guidance, financial resources, and enforcement discretion to help medical groups stay afloat as the Change Healthcare cyberattack outages persist. Continue Reading
-
Feature
28 Feb 2024
Healthcare Faces Uncertainty Amid Change Healthcare Cyberattack
Business continuity remains paramount as the fallout from the Change Healthcare cyberattack continues. Continue Reading
-
News
27 Feb 2024
HSCC Issues Five-Year Health Industry Cybersecurity Strategic Plan
The five-year plan aims to improve the diagnosis of healthcare cybersecurity from “critical” to “stable” condition by 2029, HSCC said. Continue Reading
-
News
27 Feb 2024
Cybersecurity Preparedness Tied to Lower Insurance Premium Increases
Adoption of the NIST CSF was correlated with lower cyber insurance premium increases, KLAS and partners found in the latest edition of the Healthcare Cybersecurity Benchmarking Study. Continue Reading
-
Feature
27 Feb 2024
Exploring the Health Industry Cybersecurity Practices (HICP) Publication, How to Use It
The Health Industry Cybersecurity Practices (HICP) publication can be a key asset to improving cybersecurity within healthcare organizations of all sizes. Continue Reading
-
News
20 Feb 2024
Authorities Successfully Disrupt LockBit Ransomware Group
The US and UK disrupted LockBit ransomware group’s operations and developed decryption tools that may allow victims to restore systems infected by LockBit. Continue Reading
-
News
16 Feb 2024
GAO Urges HHS to Increase Oversight of Ransomware Practices
GAO recommended that HHS work with CISA to develop evaluation processes to assess the effectiveness of federal support in helping the sector reduce ransomware risk. Continue Reading
-
News
15 Feb 2024
New Legislation Aims to Strengthen Healthcare Cybersecurity Within HHS
The Strengthening Cybersecurity in Health Care Act would require HHS to perform regular evaluations of its cybersecurity systems. Continue Reading
-
News
13 Feb 2024
Chicago Children’s Hospital Confirms Cyber Threat Activity
Phone, email, and electronic systems at Lurie Children’s in Chicago have remained offline for nearly two weeks following a cyberattack. Continue Reading
-
News
12 Feb 2024
Akira Ransomware Aggressively Targets Healthcare, HC3 Warns
In the year since the group was first identified, Akira ransomware has claimed at least 81 victims, favoring healthcare and other critical infrastructure sectors. Continue Reading
-
News
08 Feb 2024
KLAS Highlights Top Security, Privacy Solutions This Year
Claroty, Protenus, and Fortified Health Security were among the security and privacy vendors ranked Best in KLAS for 2024. Continue Reading
-
News
05 Feb 2024
Ransomware Makes ECRI’s Top Health Tech Hazards List
The threat of ransomware and the risks of third-party web analytics software on patient confidentiality were among ECRI’s top health tech hazards of 2024. Continue Reading
-
Feature
01 Feb 2024
How HHS Cybersecurity Performance Goals Will Impact Healthcare
The HHS cybersecurity performance goals are voluntary at the moment but will likely be the basis for future cyber mandates in healthcare. Continue Reading
-
News
29 Jan 2024
FL Bill Seeks to Reduce Cyber Incident Liability For Entities That Meet Industry Standards
Under the Cybersecurity Incident Liability Act, Florida businesses would not be liable in connection with a cybersecurity incident provided they comply with certain cyber standards. Continue Reading
-
News
26 Jan 2024
Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare
Healthcare used to be an off-limits sector for ransomware groups, but emerging ransomware gangs were not afraid to target the sector in 2023, GuidePoint Security observed. Continue Reading
-
News
24 Jan 2024
HHS Unveils Healthcare Cybersecurity Performance Goals
The voluntary cybersecurity performance goals follow HHS’ recently released healthcare cybersecurity concept paper and provide a roadmap for improving security across the sector. Continue Reading
-
News
23 Jan 2024
Threat Actors Abuse ScreenConnect Access to Target Healthcare
HC3 issued a sector alert warning healthcare organizations of potential unauthorized access to systems as a result of threat actors abusing the remote access tool ScreenConnect. Continue Reading
-
News
19 Jan 2024
AHA Warns Hospitals of IT Help Desk Social Engineering Scheme
Threat actors have been using the stolen identities of revenue cycle employees to launch social engineering schemes against hospital IT help desks. Continue Reading
-
News
18 Jan 2024
Massachusetts Fertility Test Center Reaches $1.25M Data Breach Settlement
Class members alleged that ReproSource Fertility Diagnostics failed to protect patient data and delayed notification following a data breach. Continue Reading
-
Answer
12 Jan 2024
Exploring the Role of Identity and Access Management in Healthcare
Identity and access management is a crucial component of any healthcare organization’s security strategy. Continue Reading
-
Feature
10 Jan 2024
How the Executive Order on AI Will Impact Healthcare Cybersecurity
President Biden’s executive order on safe, secure, and trustworthy AI emphasizes the need to establish rigorous security standards, which will have an impact on healthcare cybersecurity. Continue Reading
-
News
10 Jan 2024
NY AG: Refuah Health Must Invest $1.2M In Security Following Ransomware Attack
New York Attorney General Letitia James also secured $450K in penalties from Refuah Health, which suffered a ransomware attack after it allegedly failed to safeguard patient information. Continue Reading
-
Answer
04 Jan 2024
Top Healthcare Cybersecurity Predictions For This Year
Industry experts predicted a focus on AI and supply chain security as ransomware threats continue to threaten healthcare cybersecurity in 2024. Continue Reading
-
News
28 Dec 2023
GAO Urges FDA, CISA to Revamp Medical Device Cybersecurity Agreement
The FDA and CISA maintain a 5-year-old agreement about medical device cybersecurity management that must be updated to reflect organizational changes, GAO suggested. Continue Reading
-
News
20 Dec 2023
CISA’s Healthcare Risk and Vulnerability Assessment Reveals Sector-Wide Improvement Areas
CISA urged the healthcare sector to use phishing-resistant MFA, implement network segmentation, and verify the implementation of appropriate hardening measures to mitigate cyber risk. Continue Reading
-
News
19 Dec 2023
DOJ Disrupts BlackCat Ransomware Variant, Offers Decryption Key to Victims
BlackCat ransomware group, also known as ALPHV or Noberus, has been known to target the healthcare sector. Continue Reading
-
News
14 Dec 2023
AHA Raises Concerns Over HHS Cybersecurity Strategy
The AHA is opposed to HHS’s proposals for mandatory cybersecurity requirements for hospitals, claiming that it would detract from the sector’s shared mission. Continue Reading
-
News
12 Dec 2023
HC3 Explores Open-Source Software Risks in Healthcare Sector
Open-source software is used to support every critical infrastructure sector, but publicly accessible code and vulnerabilities pose a risk to the healthcare sector. Continue Reading
-
News
07 Dec 2023
HHS Unveils Healthcare Cybersecurity Strategy
The new concept paper outlines HHS’s plans for strengthening healthcare cybersecurity, including future updates to HIPAA and the establishment of voluntary performance goals. Continue Reading
-
Feature
07 Dec 2023
What the 23andMe Data Breach Reveals About Credential Stuffing
Using credential stuffing, hackers did not even need to access internal systems at 23andMe to cause a large-scale leak impacting 6.9M individuals. Continue Reading
-
News
04 Dec 2023
Hospitals Urged to Secure Systems Against Citrix Bleed Cybersecurity Vulnerability
The LockBit 3.0 ransomware gang has been exploiting the Citrix Bleed cybersecurity vulnerability to evade password requirements and multi-factor authentication. Continue Reading
-
News
01 Dec 2023
Capital Health Experiencing Network Outages Amid Potential Cyberattack
Capital Health in New Jersey is continuing to care for patients amid network outages that are believed to be caused by a cyberattack. Continue Reading
-
News
30 Nov 2023
NY AG Issues Consumer Alert Regarding PJ&A Healthcare Data Breach
New York Attorney General Letitia James encouraged New Yorkers to take action to prevent identity theft following a healthcare data breach at a medical transcription company. Continue Reading
-
News
30 Nov 2023
Kroger Faces Lawsuits For Sharing Health Data With Meta Via Tracking Pixel Use
The two proposed class action lawsuits alleged that Kroger unlawfully used tracking technologies to collect sensitive health data which was then transmitted to Meta. Continue Reading
-
News
28 Nov 2023
Thanksgiving Day Healthcare Cyberattack Impacts Hospitals Across Multiple States
Ambulances are being diverted from several hospitals owned by Ardent Health Services following a healthcare cyberattack that impacted facilities across multiple states. Continue Reading
-
News
27 Nov 2023
HC3 Warns Healthcare Sector of Persisting Emotet Malware Threats
Emotet has been described as the “world’s most dangerous malware” and it frequently targets the healthcare sector, HC3 warned. Continue Reading
-
News
22 Nov 2023
CISA Releases Healthcare Cybersecurity Vulnerability Mitigation Guide
CISA issued a cybersecurity vulnerability mitigation guide to help the healthcare sector address encryption weaknesses, web application vulnerabilities, and other threats to security. Continue Reading
-
News
16 Nov 2023
BlackSuit Ransomware Is Credible Threat to Healthcare Cybersecurity, HC3 Says
BlackSuit ransomware shares many traits with Royal ransomware and the now defunct Conti ransomware group, both of which targeted the healthcare sector. Continue Reading
-
News
15 Nov 2023
FBI, CISA Urge Immediate Action to Mitigate Rhysida Ransomware Risks
The federal government urged organizations to prioritize remediate known vulnerabilities, segment networks, and enable multifactor authentication to lower the risk of Rhysida ransomware. Continue Reading
-
News
13 Nov 2023
NY Proposes Tightened Cybersecurity Regulations For Hospitals
In addition to the proposed cybersecurity regulations, New York Governor Kathy Hochul announced $500 million in funding dedicated to upgrading hospital technology systems. Continue Reading