The Benefits of HIPAA Compliance for Medical Practices
One of the challenges when discussing the benefits of HIPAA compliance for medical practices is proving that the benefits are directly attributable to HIPAA. For example, one frequently claimed benefit of HIPAA compliance is improved efficiency. But, has efficiency improved due to complying with HIPAA, or would it have improved anyway because of other measures? How do you prove HIPAA compliance protects PHI against data breaches if you don´t experience a data breach? Alternatively, what if you do implement every HIPAA safeguard, but a breach still occurs because an individual with authorization to access PHI misuses the authorization? Although in the latter case, the medical practice may not be liable, a data breach has still occurred. While there is evidence to show that the increased adoption and use of EHRs has resulted in the more efficient delivery of healthcare and a reduction in medical errors, the increased adoption and use of EHRs is more attributable to the HITECH Act than HIPAA – the HIPAA Security Rule stipulating how data should be protected, rather than how it should...
CISA; NSA Issue Guidance on Hardening Microsoft Exchange Server Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued new guidance for organizations to help them secure their on-premises Microsoft Exchange servers. The guidance document builds on the advice issued in August 2025 on mitigating a high-severity vulnerability in Microsoft Exchange Server – CVE-2025-53786 – that posed a significant risk to organizations with Microsoft Exchange hybrid-joined configurations. The flaw could be exploited by an unauthenticated attacker to move laterally from an on-premises Exchange server to their Microsoft 365 cloud environment. While the vulnerability could only be exploited if an attacker first gained administrative access to the on-premises Exchange server, CISA was particularly concerned about how easy it was to escalate privileges and gain control of parts of the victim’s Microsoft 365 environment. Cyber actors have been targeting on-premises Exchange servers in hybrid environments, and CISA is concerned about organizations using misconfigured or unprotected Microsoft Exchange servers,...
Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution
Vulnerabilities have been identified in the Hospital Manager Backend Services, a hospital information management system from Vertikal Systems. One of the vulnerabilities is a high-severity flaw that can be remotely exploited in a low complexity attack to gain access to and disclose sensitive information. The vulnerabilities affect Hospital Manager Backend Services prior to September 19, 2025. The vulnerabilities have been fixed in the September 19, 2025, release and future releases. Users should ensure that their product is up to date and should contact Vertikal Systems for assistance with fixing the flaws. The most serious vulnerability is tracked as CVE-2025-54459 and has been assigned a CVSS v4 base score of 8.7 (CVSS v3.1 base score 7.5). The flaw is due to the product exposing sensitive information to an unauthorized control sphere. Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, which means a remote attacker can obtain live request traces and sensitive information such as request metadata, session identifiers,...
George E. Weems & Vibra Hospitals Announce Data Breaches
Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics. George E. Weems Memorial Hospital On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025. The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health...
American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare
The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption. The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, from analyzing and interpreting medical images, aiding clinicians with decision-making, streamlining operations, and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of the potential uses to support them and the patients they serve. In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on...



