This Week in Cybersecurity (TWiC) — How Nation-States Are Speedrunning the Kill Chain

Google: state-backed actors are using Gemini across the full attack lifecycle
What happened: Google’s Threat Intelligence Group (GTIG) and related coverage describe multiple state-backed clusters leveraging Gemini for end-to-end campaign support: target research, translating and tailoring phishing content, drafting pretexts, troubleshooting scripts, and iterating on payload components when something breaks in the field. GTIG also notes interest in “agentic” workflows, prompts that try to turn the model into a repeatable operator (e.g., pseudo-auditors, “expert pentester” personas) rather than a one-off helper.

Why it matters: The biggest shift isn’t magically novel exploits, it’s throughput. When recon, lure-quality, and tooling iteration get cheaper, defenders see more tailored attempts against cleared staff, vendors, and frontline operational roles.

What to do next:

  • Tighten identity and inbox controls where “good-enough lures at scale” hurt most: MFA enforcement, conditional access, and high-signal detections for impersonation and unusual login paths.
  • Run short, frequent simulations focused on recruiter/vendor themes and “attachment-less” social engineering.

Poland’s wind/solar incident: destructive intent, OT impact, and the edge-device reality

What happened: Poland’s CERT describes coordinated destructive attacks on Dec. 29, 2025 that hit at least 30 wind and solar farms, plus other targets (including a combined heat-and-power plant and a manufacturing firm). The report frames the activity as cyber sabotage, comparing it to deliberate arson, and notes the attacks affected both IT and OT, which is still relatively rare in publicly reported incidents. Operationally, the renewables impact centered on loss of communications/visibility between facilities and distribution operators; generation continued, but CERT stresses the access level created risk of disruption at affected sites.

CISA later highlighted the same event as a warning signal for OT/ICS programs: insecure edge exposure and weak remote access hygiene remain the consistent “front door” for these outcomes.

Why it matters: DER (distributed energy resources) expands the target surface: many small sites, many vendors, uneven hardening, yet still a national resilience concern because loss of view/control is often the step before physical effect.

What to do next:


Dell RecoverPoint zero-day (CVE-2026-22769): exploited since mid-2024 with stealthy backdoors

What happened: Reporting and primary research describe active exploitation of a critical Dell RecoverPoint for Virtual Machines flaw (CVE-2026-22769), assessed at CVSS 10.0 and rooted in a hardcoded credential risk. Activity was observed since at least mid-2024 and tied to a China-nexus cluster tracked as UNC6201.

Post-compromise, investigators describe deployment of webshell/backdoor tooling and techniques aimed at staying quiet inside virtual infrastructure, precisely the kind of environment where one control-plane foothold can amplify access across many systems.

Why it matters: Backup/replication and virtualization-adjacent platforms sit in the blast radius of everything. When adversaries get persistence there, the problem is not one server, it’s credential access, snapshot abuse, and lateral movement at scale.

What to do next:

  • Treat “virtualization and backup control planes” as Tier-0: fastest patch SLAs, strict admin access, and dedicated monitoring.
  • Hunt for unusual admin actions, unexpected network interfaces/routes, and suspicious outbound patterns from management systems.
  • If patch + verification capacity is thin, pair vulnerability management with targeted hunting.

Salt Typhoon: FBI says the telecom espionage threat is still ongoing

What happened: U.S. officials continue signaling that Salt Typhoon activity remains live. Reporting from CyberScoop quotes an FBI cyber leader describing the threat as “still very much ongoing,” reinforcing that the telecom compromise problem is not a closed 2024 chapter, it’s an enduring exposure with long-tail risk to public and private sectors.

Why it matters: Telecom-layer access can enable surveillance, metadata exploitation, and downstream targeting, classic national security stakes with broad second-order effects.

What to do next:

  • Reduce “quiet persistence” with continuous validation: harden and monitor edge infrastructure, enforce least privilege, and aggressively baseline what “normal” management traffic looks like.
  • Make sure DDoS, outages, or “routine” service events don’t become cover for stealthier intrusion steps; tie network events into incident response workflows.
  • Many organizations benefit from an IR retainer or on-call escalation path here; it’s less about buying tools and more about being able to prove eradication when adversaries optimize for staying power.

The CISA ChatGPT Data Leak and the “Shadow AI” Challenge

Recent reports have confirmed that the Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, uploaded several sensitive “For Official Use Only” (FOUO) documents to a public version of ChatGPT. While the documents were not classified, they contained sensitive contracting information not intended for public release. Although the Director had requested a temporary exception to use the tool, the incident triggered automated security alerts because the data was uploaded to a public platform rather than a protected, agency-approved environment.

This incident highlights a critical “Shadow AI” risk: the tendency for even the most security-conscious professionals to bypass established guardrails for the sake of convenience or productivity.

Bridging the Gap Between Policy and Practice
For many organizations, the disconnect between executive-level goals and day-to-day security compliance is a major vulnerability. We often see leadership teams inadvertently normalize the use of public AI tools without applying the same rigor used for other enterprise systems. Engaging Virtual CISO (vCISO) services can help bridge this gap by establishing governance frameworks that are both practical and inclusive. A vCISO ensures that security policies are not just a set of rules on a shelf, but are integrated into the workflow of every department, including the executive suite.

Technical Guardrails and Visibility
The CISA leak was detected because automated sensors were in place to flag the movement of sensitive data. This underscores the necessity of Security Configuration Audits, particularly concerning Data Loss Prevention (DLP) settings. Many organizations have the right tools but haven’t tuned them to recognize or block the “copy-paste” or “file upload” behaviors associated with public AI interfaces. Regularly auditing these configurations ensures your technical defenses stay ahead of evolving user habits.
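
An added example (not from the original article or from any vendor tooling) of the kind of DLP tuning described above: it flags labelled-data uploads, file-sized uploads, and accumulated paste volume sent to public AI hosts. The CSV log schema, the domain list, the approved host `ai.agency.example`, and both thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of web-proxy/DLP events (hypothetical CSV schema):
# time,user,method,host,bytes_out,dlp_label
SAMPLE_LOG = """\
2026-01-12T09:01:11Z,alice,GET,chatgpt.com,412,none
2026-01-12T09:02:40Z,alice,POST,chatgpt.com,184220,FOUO
2026-01-12T09:05:02Z,bob,POST,chatgpt.com,950,none
2026-01-12T09:07:19Z,bob,POST,ai.agency.example,220113,FOUO
2026-01-12T09:09:55Z,carol,POST,gemini.google.com,3100,none
2026-01-12T09:10:03Z,carol,POST,gemini.google.com,2900,none
2026-01-12T09:10:20Z,carol,POST,gemini.google.com,3300,none
2026-01-12T09:15:31Z,dave,POST,claude.ai,64000,none
"""

# Illustrative, not exhaustive; maintain from your own proxy categories.
PUBLIC_AI_DOMAINS = {"chatgpt.com", "openai.com", "gemini.google.com", "claude.ai"}
APPROVED_AI_HOSTS = {"ai.agency.example"}  # hypothetical governed tenant
UPLOAD_BYTES = 50_000  # one request this large looks like a file upload
PASTE_BUDGET = 8_000   # summed small request bodies per user and host


def is_public_ai(host):
    """True for a public AI domain or its subdomains, never for approved hosts."""
    host = host.lower().rstrip(".")
    if host in APPROVED_AI_HOSTS:
        return False
    # Match on label boundaries so 'notchatgpt.com' does not match 'chatgpt.com'.
    return any(host == d or host.endswith("." + d) for d in PUBLIC_AI_DOMAINS)


def find_shadow_ai_uploads(log_text):
    """Return sorted (user, host, rule) findings for outbound data to public AI."""
    fields = ["time", "user", "method", "host", "bytes_out", "dlp_label"]
    findings = []
    paste_bytes = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        if row["method"] not in ("POST", "PUT") or not is_public_ai(row["host"]):
            continue
        key = (row["user"], row["host"])
        size = int(row["bytes_out"])
        if row["dlp_label"].lower() != "none":
            findings.append((*key, "labelled-data-upload"))  # marked content left
        elif size >= UPLOAD_BYTES:
            findings.append((*key, "large-upload"))          # file-upload shaped
        else:
            paste_bytes[key] += size                         # copy-paste shaped
    for key, total in paste_bytes.items():
        if total >= PASTE_BUDGET:
            findings.append((*key, "paste-volume"))
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in find_shadow_ai_uploads(SAMPLE_LOG):
        print(finding)
```

The approved-host exclusion matters as much as the detections: the governed alternative has to stay quiet, or users learn to ignore the alerts.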

Proactive Risk Identification
Understanding where your sensitive data lives and how it moves is the foundation of a strong defense. We recommend conducting a Best Practice Strategic Security Assessment or a targeted Risk Assessment to identify potential exposure points. These assessments look beyond traditional malware to examine how emerging technologies like Generative AI might be creating new, unmonitored pathways for data egress. By identifying these “exception pathways” early, you can provide safer, governed alternatives for your team.

Cultivating a Security-First Culture
Ultimately, security is a human challenge. This incident serves as a perfect case study for your next Security Awareness Training session. It demonstrates that the risk is not just about “bad actors” but about well-intentioned employees making mistakes with new tools. Training should focus on the specific risks of public LLMs, such as how OpenAI may retain and use uploaded data for model training, effectively making your private company data part of the public domain.

Other AI News We’re Tracking

  • Malicious AI “Skills”: We are monitoring reports regarding “OpenClaw,” an open-source AI agent system. Recent warnings highlight security risks where malicious “skills” or third-party plugins could be used to exfiltrate data from the environments where these agents are deployed. This represents a shift in supply chain attacks, moving from traditional software libraries to the emerging ecosystem of AI plugins.
  • Deepfake Financial Fraud: A recent report from Arup details a staggering $25 million loss due to a deepfake video call where an employee was convinced by “digital clones” of their CFO and colleagues to authorize multiple transfers. This highlights the need for multi-factor authorization processes that go beyond visual or vocal confirmation.

Qantas Breach: Personal Info of 5.7M Customers Compromised

Qantas has confirmed that personal data from 5.7 million customers was compromised after attackers hit a third-party system used by one of its call centers. The breach happened on June 30 and, fortunately, didn’t affect any Qantas flight operations or core systems. Still, the exposed data could open the door to phishing and other social engineering attacks.

On July 7, the attacker made contact, likely in an attempt to extort the company. While Qantas didn’t name names, the tactics line up with campaigns seen from a well-known threat group: Scattered Spider.

What Was Accessed

Qantas says no passwords, credit cards, or passport details were taken, but there’s still a lot of customer data in the mix:

  • 4 million records included names, emails, and Frequent Flyer info.
    • 1.2 million were solely names and emails.
    • 2.8 million included Frequent Flyer numbers inclusive of point balances and tier status.
  • 1.7 million records had extra personal details:
    • Addresses (1.3 million)
    • Dates of birth (1.1 million)
    • Phone numbers (900,000)
    • Gender (400,000)
    • Meal preferences (10,000)

That might not sound like much, but attackers love this kind of data. It’s enough to create highly convincing phishing scams or even build synthetic identities.

Quick Tip: If you store any personal data—especially things like names, emails, and birthdays—treat it like gold. Run regular audits to monitor who has access to it, especially across third-party vendors and call center platforms.

A Vendor Weak Spot

The attack didn’t come through Qantas’ own network—it came through a third-party system used to support its contact center. This is becoming a trend across industries: attackers are hitting vendors and supply chain partners to get around strong internal defenses.

Qantas has started contacting affected customers and says there’s no current sign the data has been leaked. But with an extortion attempt in play, the risk isn’t over.

Quick Tip: It’s not enough to lock down your own network. Third-party platforms that handle customer info—like contact centers, chatbots, or payment processors—need security reviews and testing too. Penetration testing and gap assessments will help uncover hidden exposure points and lack of third-party controls.

Familiar Threat Actors: Scattered Spider Suspected

While Qantas hasn’t officially confirmed who’s behind the attack, the indicators point to Scattered Spider, a threat group known for targeting the aviation and retail sectors. They specialize in social engineering, SIM swapping, and phishing support staff to get into internal systems.

Scattered Spider has also been connected to ransomware deployment in other industries, sometimes using tools like DragonForce to encrypt and lock systems after stealing data. Luckily, 4 suspects potentially connected to the cybercrime group have been arrested in the UK for their involvement in other attacks against major British retailers.

Quick Tip: Don’t just look for malware; watch for strange account behavior or login patterns. Threat groups like Scattered Spider rely on credential theft and social engineering, so behavioral monitoring and anomaly detection are key. A well-managed SIEM can help spot signs before the damage spreads.

Not Just “Low-Risk” Data

Qantas was quick to point out that sensitive info like financial details and passwords weren’t part of this breach. That is good news, but it doesn’t mean the risk is low. The kind of Personally Identifiable Information (PII) that was taken (names, addresses, dates of birth, and more) can still be used in highly targeted phishing attacks.

Even something like a meal preference, when combined with other personal details, can make a scam email look a lot more convincing.

Quick Tip: If you’re collecting customer data—especially across different touchpoints—make sure you’re reviewing it regularly and stripping out unnecessary fields. And if you haven’t tested your employees with a phishing simulation recently, now’s a good time. Together, social engineering and awareness training create a solid defense against human-focused attacks.

Final Thoughts

The Qantas breach shows how attackers don’t always need to hack your primary environment to cause major damage. A third-party vendor, combined with the right data and a bit of social engineering, can create a serious threat to your customers and your brand.

It’s not just about keeping your systems secure. It’s about knowing who else touches your data and validating that those connections are safe. your environment is secure against these evolving threats.

Global Credential Database Discovered Containing Logins for Microsoft, Apple, Facebook, and More

184 Million Passwords Exposed in Major Infostealer Leak: What You Need to Know

A newly uncovered database containing more than 184 million login credentials has surfaced, posing significant risks to individuals, businesses, and even governments across the globe. Discovered by cybersecurity researcher Jeremiah Fowler, the exposed data includes usernames, passwords, emails, and, in some cases, authentication URLs and financial account credentials. The data set, over 47GB in size, was stored in an unprotected, publicly accessible format, without encryption or password protection.

While the database has since been taken offline by its hosting provider, World Host Group, the length of exposure and the number of unauthorized accesses remain unknown. Early analysis suggests the credentials were not obtained from a breach of major platforms, but rather through infostealer malware: malicious software that quietly collects sensitive data from infected user devices.

A Cybercriminal’s Dream Dataset
The exposed credentials reportedly span a wide array of platforms and services:

  • Microsoft
  • Google
  • Facebook
  • Apple
  • Instagram
  • PayPal
  • Netflix
  • Roblox
  • Discord
  • Government and banking portals across more than 29 countries

Fowler’s sample verification revealed that many of the credentials were active, with users confirming that leaked email and password combinations were still in use. Some of the leaked email addresses were linked to .gov domains, raising national security concerns.

Unlike traditional breaches that exploit server-side vulnerabilities, this incident is believed to stem from infostealer infections. These malware variants are often delivered via phishing emails, compromised websites, or pirated software. Once installed, they extract saved credentials from browsers, emails, and applications, sending them back to attackers without any visible signs to the victim.

Credential Stuffing, Identity Theft, and Other Risks
Once credentials are stolen, they can be used in:

  • Credential stuffing attacks: Reused passwords allow attackers to compromise multiple accounts across platforms.
  • Identity theft: Leaked financial, health, or government account details can be used for fraudulent activity.
  • Phishing and social engineering: Personal data is often repurposed to craft targeted, believable phishing messages.
  • Corporate espionage: Access to business systems via reused or weak credentials could lead to data loss or reputational damage.
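
An added detection example (not from the original article) for the credential stuffing pattern in the list above: one source trying many distinct accounts with mostly failed logins in a short window. Any success inside that window marks an account whose leaked password still worked and needs a forced reset. The event tuples, addresses, usernames, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (ISO time, source IP, username, result)
SAMPLE_AUTH = [
    ("2025-06-02T10:00:01", "203.0.113.50", "amy", "fail"),
    ("2025-06-02T10:00:09", "203.0.113.50", "bob", "fail"),
    ("2025-06-02T10:00:15", "203.0.113.50", "carl", "fail"),
    ("2025-06-02T10:00:22", "203.0.113.50", "dina", "fail"),
    ("2025-06-02T10:00:30", "203.0.113.50", "erin", "ok"),
    ("2025-06-02T10:00:41", "203.0.113.50", "finn", "fail"),
    # One user mistyping a password: few accounts, so not stuffing.
    ("2025-06-02T10:01:00", "198.51.100.7", "alice", "fail"),
    ("2025-06-02T10:01:12", "198.51.100.7", "alice", "fail"),
    ("2025-06-02T10:01:30", "198.51.100.7", "alice", "ok"),
    # Shared office NAT: many accounts but no failures, so not stuffing.
    ("2025-06-02T10:02:00", "198.51.100.20", "gus", "ok"),
    ("2025-06-02T10:03:00", "198.51.100.20", "hana", "ok"),
    ("2025-06-02T10:04:00", "198.51.100.20", "ivan", "ok"),
    ("2025-06-02T10:05:00", "198.51.100.20", "jo", "ok"),
    ("2025-06-02T10:06:00", "198.51.100.20", "kim", "ok"),
]

WINDOW = timedelta(minutes=10)  # sliding window per source IP
MIN_DISTINCT_USERS = 5          # accounts tried from one source
MIN_FAIL_RATIO = 0.6            # share of failed attempts in the window


def detect_stuffing(events):
    """Map each suspicious source IP to accounts tried and accounts to reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))

    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, r in window if r == "fail")
            if len(users) < MIN_DISTINCT_USERS:
                continue
            if fails / len(window) < MIN_FAIL_RATIO:
                continue
            # Successful logins from a stuffing source are likely compromised.
            hits = {u for _, u, r in window if r == "ok"}
            prev = report.get(ip, {"users": 0, "reset": []})
            report[ip] = {"users": max(prev["users"], len(users)),
                          "reset": sorted(set(prev["reset"]) | hits)}
    return report


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_AUTH))
```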

What You Can Do to Stay Safe
Even if you are unsure whether your credentials were in the leak, taking the following steps is essential:

  • Change your passwords immediately, starting with accounts tied to services in the leak. Prioritize financial, health, and email accounts.
  • Use strong, unique passwords for every account. Avoid simple or reused credentials across services.
  • Enable multi-factor authentication (MFA) wherever available to add an extra layer of account protection.
  • Monitor your accounts for unusual login activity or changes you didn’t make.
  • Scan for malware using trusted antivirus software to ensure your system is not currently compromised.
  • Avoid storing sensitive documents in your email inbox. Use encrypted cloud storage solutions instead.

How nGuard Can Help
To protect your organization against the rising threat of credential leaks and infostealer malware, nGuard offers the following services:

  • Security Awareness Training: Educate your employees on phishing, social engineering, and malware risks to reduce the chances of infection.
  • Social Engineering Testing: Assess and strengthen your human defenses by simulating real-world phishing emails, voice scams, and physical intrusion attempts. nGuard helps you identify employee susceptibility and delivers targeted training to reduce risk.
  • Incident Response: Be prepared with a tested plan in case your systems are breached due to compromised credentials.

Wrap Up
This incident shows how attackers are shifting from platform breaches to user-side compromises using stealthy malware. Even the most security-conscious users can fall victim to an infostealer infection if the right precautions are not in place. With credentials now serving as keys to nearly every aspect of digital life, taking proactive steps to strengthen your security posture is more important than ever.

Now is the time to assess your risk, update your credentials, and implement layered defenses across all accounts and systems. If your organization needs help protecting its users and infrastructure from the next infostealer campaign, nGuard is ready to assist.

Windows Under Attack: May 2025 Patch Tuesday Unveils 5 Active Zero-Days

Microsoft’s May 2025 Patch Tuesday unveiled a concerning landscape for Windows administrators, addressing 78 vulnerabilities, including five zero-day exploits actively leveraged in the wild. These vulnerabilities span critical components of the Windows operating system, emphasizing the necessity for immediate action and robust security measures.

The Zero-Day Threat Landscape
The five zero-day vulnerabilities patched this month are:

  • CVE-2025-30397: A memory corruption vulnerability in the Microsoft Scripting Engine, potentially allowing remote code execution if a user visits a malicious website.
  • CVE-2025-30400: An elevation of privilege flaw in the Windows Desktop Window Manager (DWM) Core Library, which could allow attackers to execute code with elevated privileges.
  • CVE-2025-32701 and CVE-2025-32706: Elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver, which have been a recurring target for attackers due to improper input validation.
  • CVE-2025-32709: An elevation of privilege issue in the Windows Ancillary Function Driver for WinSock, affecting multiple Windows Server versions.

These vulnerabilities have been actively exploited, with some linked to targeted espionage and financially motivated attacks, including ransomware deployments.

Strategic Response and Mitigation
Given the active exploitation of these zero-days, organizations should prioritize the following actions:

  1. Immediate Patch Deployment: Ensure all systems are updated with the latest security patches released in May 2025.
  2. Vulnerability Assessment: Conduct comprehensive assessments to identify and remediate vulnerabilities within your environment.
  3. Security Monitoring: Implement continuous monitoring to detect and respond to potential exploitation attempts promptly.
  4. Employee Awareness: Educate staff about the risks associated with these vulnerabilities and promote best practices to prevent exploitation.

Integrating these measures into your security strategy is crucial to defend against the evolving threat landscape.

Looking Ahead
The recurrence of zero-day vulnerabilities in critical Windows components underscores the importance of a proactive and layered security approach. Organizations must remain vigilant, ensuring timely updates, continuous monitoring, and comprehensive security assessments to safeguard against emerging threats.
