24By7Security Blog
Get the latest news in cybersecurity, compliance and more from 24By7Security.
- FBI War on Cybercrime Update by david.jost@24by7security.com (David Jost) on June 9, 2025 at 2:35 pm
FBI War on Cybercrime Update
The FBI has announced 15 arrests, indictments, seizures, and prison sentences this year in its war on cybercrime
As the investigative arm of the U.S. Department of Justice, the Federal Bureau of Investigation is charged with exploring cyberattacks and intrusions that affect organizations such as power utilities, telecommunications networks, hospitals, schools, and other infrastructure vital to our communities. The FBI leads law enforcement actions against individuals engaging in cybercrime, collaborates with international agencies to address transnational crimes, and works with U.S. Attorneys to prosecute cybercriminals. Year-to-date, the FBI has announced 15 arrests, seizures, indictments, operational disruptions, and prison sentences for cybercriminals. The small sample below offers a sense of the scale and variety of these cybercrimes and the associated penalties. Cryptocurrency and money laundering played a role in financing a number of these cybercrimes, and in multiple cases criminals operated online marketplaces for the purpose of selling cybercrime tools and stolen data.
- Cyberskills Gap and Cybersecurity Staffing Shortage by rema.deo@24by7security.com (Rema Deo) on May 27, 2025 at 12:00 pm
Cyberskills Gaps and Staff Shortages are Reducing Cyber Resilience
Recent reports quantify scope of challenges affecting systems security
Fewer than 15% of organizations are confident that they have both the people and the skills necessary to meet their cybersecurity objectives, according to a 2025 report by the World Economic Forum. More than 65% of organizations report a moderate to critical cyberskills gap. The report also cites a global staffing shortage of four million cybersecurity professionals. The 2024 ISC2 Cybersecurity Workforce Study produced similar findings, although it estimates the global staffing shortage at 4.8 million. Most respondents reported concerns that their cybersecurity teams lack sufficient numbers or the right range of skills to meet organizational objectives. Almost 60% of respondents indicate that cyberskills gaps have significantly affected their ability to secure their organizations. According to the study, even as demand rises for cyber professionals needed to adequately secure their companies, employers are cutting back on both hiring new personnel and developing their existing cybersecurity teams. These combined actions are reducing cyber resilience around the world, including in the U.S. According to multiple reports, a lack of distinct career paths, the rising cost of professional certifications, outdated training content, stress on the job, and the threat of being replaced by AI applications are discouraging individuals from pursuing careers in cybersecurity—creating shortfalls in qualified cybersecurity personnel and cybersecurity expertise.
- Preparing for HITRUST® Certification by sanjay.deo@24by7security.com (Sanjay Deo) on May 13, 2025 at 12:00 pm
The Path to HITRUST Certification May Be a Rocky Road if You’re Not Prepared
HITRUST readiness is a critical step to smooth, successful certification
An undisputed leader in cybersecurity assurance, HITRUST offers a complete and efficient approach to regulatory compliance and security risk management. Becoming HITRUST certified inspires confidence among your customers, partners, and other stakeholders. By demonstrating your all-in commitment to data security, HITRUST Certification enhances your credibility and provides a keen competitive edge. Small wonder that HITRUST Certification is considered the gold standard for healthcare cybersecurity and third-party assurance. This blog explores important aspects of HITRUST Certification to help you determine whether HITRUST is right for you, and will guide you in preparing for HITRUST Certification.
- Adversarial Machine Learning is Fighting Back by david.jost@24by7security.com (David Jost) on April 15, 2025 at 3:04 pm
Adversarial Machine Learning is Fighting Back
Hackers and other adversaries have found hot new targets in AI and machine learning apps
Although some of us are adapting faster than others, most of us are getting used to the notion that artificial intelligence and machine learning are beginning to make our lives a bit easier, even while we recognize some of the downsides of AI. (Let’s face it, if today’s typical chatbot experience was our only contact with AI, the future would look pretty grim.) Unhelpful, poorly trained chatbots aside, AI and machine learning bring us conveniences like traffic predictions and alternate route suggestions, converting speech to text, online shopping recommendations, language translations, image recognition and object detection functions, some decent customer service triage, and those notorious self-driving vehicles, to name just a few. Most of these, and a whole lot more, are here to stay.
- ClickFix Scams by sanjay.deo@24by7security.com (Sanjay Deo) on April 1, 2025 at 12:00 pm
ClickFix Scams Target Computer Users Across Industries and Borders
Fake CAPTCHA screens, document error alerts, and phony Facebook messages infect user PCs with data-stealing malware
A clever new cyberscam is wreaking havoc among businesses, hospitality venues, healthcare providers, and other organizations. The scam uses the psychology of social engineering to exploit our human desire to fix little computer problems ourselves, rather than calling IT or opening a ticket. Instead, a pop-up screen on your computer offers simple instructions to fix the document, reload the webpage, or simply prove you are not a robot. Sounds easy enough for the typical computer user, right? In truth, the easy part is falling for the scam. And no computer user is safe.
- PCI DSS in Healthcare by Juan Carlos Hernandez on March 18, 2025 at 12:00 pm
Why Healthcare Providers Must Comply with PCI DSS
When patients use credit cards to pay for health services, providers must meet the requirements of the payment card industry’s new Data Security Standard
As a healthcare provider, you are governed by the Payment Card Industry’s Data Security Standard (PCI DSS) if you process, transmit, or store cardholder data. In the same way that your compliance with HIPAA is required to protect your patients’ health information, compliance with PCI DSS is required to protect your patients’ payment information. This is true:
  - When you accept a co-pay by credit card
  - When a patient hands you a debit card to cover their office visit
  - When you accept a prepaid card in payment for a medical supply, such as a brace the patient needs, or for a service
  - When a patient provides their credit card information online to pay their medical bill.
There are numerous other payment card acceptance scenarios that require your compliance with the PCI Data Security Standard. You have a responsibility to know and understand them, just as you are required to understand and comply with HIPAA.
- Cybersecurity Challenges in 2025 by rema.deo@24by7security.com (Rema Deo) on March 4, 2025 at 1:00 pm
The Changing Cybersecurity Landscape in 2025
Navigating compliance with the new PCI DSS, CMMC, and HIPAA Security Rule
Looming compliance deadlines, relentless cyberthreats, and a shifting regulatory landscape have combined to make 2025 a challenging year for cybersecurity. While the effects of an evolving regulatory climate are yet to be determined, here’s what we know about impending security updates from the payment card industry (PCI DSS 4.0.1), the Department of Defense (CMMC 2.0), and the HHS Office for Civil Rights (HIPAA Security Rule). CMMC 2.0 and the new HIPAA Security Rule represent updates to previous versions of these federal security regulations; PCI DSS 4.0.1 is an update to the industry’s previous security standard. All three of these security updates have key implementation milestones in 2025. PCI DSS 4.0.1 addresses formatting and typographical errors discovered in v4.0 and provides additional implementation guidance for users, with minimal changes to the existing security requirements of v4.0. CMMC 2.0 significantly streamlines security requirements to three levels of cybersecurity, aligns the requirements at each level with well-known NIST cybersecurity standards, and relieves the smallest contractors of unnecessary compliance burdens. The new HIPAA Security Rule aims to further strengthen cybersecurity safeguards for electronic protected health information, or ePHI, in the most substantial healthcare security update in more than a decade.
- How Human Vulnerabilities Affect Your Security by rema.deo@24by7security.com (Rema Deo) on February 18, 2025 at 1:00 pm
How Human Vulnerabilities Affect Your Security
Actively managing your human security risk is essential to effective cybersecurity
Human vulnerabilities, leading to human failures, were responsible for more than two thirds of data breaches (68%) in 2024. The failures were not malicious or deliberate. Instead, they resulted from employees falling victim to phishing schemes and other social engineering attacks, and making human errors that affected company security. These two top examples of human security risk were spotlighted in Verizon’s 2024 Data Breach Investigations Report. Cybersecurity tools and technologies have evolved to their most effective levels ever. So it’s no surprise that cybercriminals have turned increasingly to the weakest link in the security chain by exploiting our human vulnerabilities. Fortunately, that link is gradually being strengthened thanks to more effective management of human security risk, including regular cybersecurity training.
- Data Breaches Set New Records in 2024 by sanjay.deo@24by7security.com (Sanjay Deo) on February 4, 2025 at 1:00 pm
2024 Healthcare Data Breaches Reported to HHS OCR Set New Records
Data breaches reported in 2024 set new cost and impact records, with healthcare breaches affecting nearly 180 million individuals
2024 may be in our rearview mirror, but let’s not dismiss it just yet. There are valuable lessons to be learned from HIPAA violations and healthcare data breaches against the backdrop of general security incident reports published by leaders in the information technology industry. In 2024, the number of data breaches across the globe reached a record high of 10,000, and the average cost of a data breach rose 10% to a record $4.88 million (USD).
- New HIPAA Security Rule Coming in 2025 by rema.deo@24by7security.com (Rema Deo) on January 28, 2025 at 6:50 pm
Office for Civil Rights has proposed new HIPAA security requirements for ePHI in the first major Security Rule update in a decade
The environment in which healthcare is provided in the U.S. has changed dramatically. Cyberattacks, ransomware crimes, and data breaches have increased significantly throughout the healthcare industry. The HHS Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, continues to find the same compliance failures with every audit and investigation.