The Healthcare and Public Health Sector Highlights
Cybersecurity Edition
March 28, 2025
The Healthcare and Public Health (HPH) Sector Highlights - Cybersecurity Edition is a weekly newsletter produced by the Office of Cybersecurity and Infrastructure Protection (OCIP)
within the U.S. Department of Health and Human Services’ (HHS) Administration for Strategic Preparedness and Response (ASPR).
MS-ISAC Cybersecurity Advisory: Critical Vulnerabilities in Google Chrome
Source: MS-ISAC
The Multi-State Information Sharing and Analysis Center (MS-ISAC) released a cybersecurity advisory (2025-031) regarding a critical vulnerability (CVE-2025-2783) in Google Chrome, affecting versions prior to 134.0.6998.177/.178 on Windows. Exploitation of this flaw could allow attackers to execute arbitrary code in the context of the logged-on user, potentially leading to the installation of malicious programs, data manipulation, or the creation of new accounts with full administrative privileges. Users with administrative rights are at higher risk. The vulnerability is actively being exploited through phishing emails that direct users to malicious websites opened in Chrome. To mitigate the risk, MS-ISAC recommends updating Chrome to the latest version, applying the principle of least
privilege by limiting user rights, implementing automated patch management, enabling anti-exploitation features, and educating users about phishing and social engineering attacks. For additional information, refer to the
MS-ISAC advisory.
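As an added example (not part of the MS-ISAC advisory or this bulletin), the check below flags Windows hosts in a constructed inventory whose Chrome build predates the fixed versions named above; the host names and versions are made up for illustration.

```python
"""Flag Windows hosts whose Chrome build predates the fix for CVE-2025-2783."""
from typing import NamedTuple

# Builds at or above this are patched per the advisory (134.0.6998.177/.178).
PATCHED_VERSION = (134, 0, 6998, 177)


class Host(NamedTuple):
    hostname: str
    os: str
    chrome_version: str


def parse_version(text: str) -> tuple:
    """Turn '134.0.6998.177' into a tuple of ints that compares correctly."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(host: Host) -> bool:
    """True when the host runs Windows and a Chrome build older than the fix.

    The advisory scopes the flaw to Windows, so other platforms are not flagged.
    """
    if host.os.lower() != "windows":
        return False
    return parse_version(host.chrome_version) < PATCHED_VERSION


def affected_hosts(inventory: list) -> list:
    """Return the hostnames that still need the Chrome update."""
    return [h.hostname for h in inventory if is_affected(h)]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    Host("ws-radiology-01", "Windows", "134.0.6998.165"),  # older than the fix
    Host("ws-billing-07", "Windows", "134.0.6998.177"),    # first patched build
    Host("ws-pharmacy-03", "Windows", "134.0.6998.178"),   # second patched build
    Host("ws-admin-02", "Windows", "133.0.6943.142"),      # older major build
    Host("mac-clinic-04", "macOS", "134.0.6998.165"),      # outside advisory scope
]

if __name__ == "__main__":
    for name in affected_hosts(SAMPLE_INVENTORY):
        print(f"{name}: update Chrome (CVE-2025-2783)")
```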
MS-ISAC Cybersecurity Advisory: Critical Vulnerability in CrushFTP
Source: MS-ISAC
MS-ISAC released a cybersecurity advisory regarding a vulnerability in CrushFTP versions 10 and 11, which could allow unauthorized access to systems. This flaw, triggered by an exposed HTTP(S) port on the web interface, could enable attackers to remotely control the server, execute code, install programs, and modify or delete data. Additionally, attackers could create new user accounts with full rights. The vulnerability can be mitigated if the Demilitarized Zone feature in CrushFTP is enabled. While no active exploitation has been reported, users are urged to apply updates immediately, conduct regular vulnerability scans, and follow security best practices. The risk is considered high for large and medium-sized businesses and government entities, with smaller entities facing moderate
risk. For additional information, refer to the MS-ISAC advisory.
GAO Report on Cloud Computing: Private Sector Best Practices for Federal Agencies
Source: GAO
The Government Accountability Office (GAO) released a report examining private sector practices in cloud computing adoption and their relevance to federal efforts. As both private and public sectors continue to invest in cloud computing to reduce IT costs and improve scalability, the report identifies leading practices in three key areas: acquisition, cybersecurity, and workforce development. In the area of acquisition, companies excel by defining clear business cases for cloud adoption, negotiating precise agreements, and assessing service performance. For cybersecurity, leading companies implement incident response plans, establish continuous monitoring, and clarify the roles and responsibilities between the company and its cloud provider. In workforce development, companies focus on
identifying skill gaps, improving recruitment and retention strategies, and shifting internal culture to support cloud adoption.
The report also highlights several challenges faced by companies when adopting cloud computing solutions, including shared cybersecurity responsibilities with providers and the need for additional investments in workforce training and cybersecurity tools. To address these challenges, many companies have implemented multi-cloud strategies to increase flexibility and avoid vendor lock-in, though managing multiple providers can introduce additional complexity and costs. Overall, the report emphasizes that the private sector’s cloud adoption practices provide valuable insights for federal agencies, helping them manage risks and optimize resource utilization as they expand their cloud computing efforts. For more details on the GAO findings, refer to the
Cloud Computing Report.
ODNI: 2025 Annual Threat Assessment of the U.S. Intelligence Community
Source: ODNI
The Office of the Director of National Intelligence (ODNI) has released the 2025 Annual Threat Assessment (ATA). The assessment provides a comprehensive analysis of the diverse and growing threats facing the United States, its citizens, and its global interests. It highlights the significant risks posed by both state and nonstate actors, including terrorist and criminal organizations. Cyber and intelligence threats from nation-states such as China and Russia are targeting U.S. wealth, critical infrastructure, and media. Additionally, state adversaries like Russia, China, Iran, and North Korea are employing both asymmetric and conventional tactics to challenge U.S. power, promote alternative global systems, and avoid direct conflict. Their growing cooperation further intensifies the
threat environment, as these actors align to counter U.S. influence. The assessment underscores the increasingly complex and interconnected security landscape, where various threats reinforce each other, making the situation more perilous. Prepared by the National Intelligence Council, this report reflects the Intelligence Community’s commitment to informing U.S. policymakers and the public about emerging risks, providing critical insights for strategic decision-making. For more detailed insights and the full analysis, refer to the Annual Threat Assessment.
AMA's Guide to Strengthening Cybersecurity in Healthcare for Physicians
Source: AMA
The American Medical Association (AMA) offers valuable resources to help physicians safeguard their practices against cybersecurity threats such as viruses, malware, and hackers. With increasing risks to patient health records and other sensitive data, the AMA stresses the importance of protecting these digital assets. They recommend that physicians adopt strong cybersecurity practices, including secure access protocols, encryption, and regular system updates. Additionally, the AMA advocates for ongoing education on cybersecurity best practices and provides guidance on ensuring compliance with the Health Insurance Portability and Accountability Act and other regulations to defend against cyberattacks. For more detailed information on how physicians can strengthen cybersecurity in their practices, refer to the AMA article.
NIST AI 100-2 E2025: New Taxonomy and Terminology for Adversarial Machine Learning Attacks and Mitigations
Source: NIST
The National Institute of Standards and Technology (NIST) released a publication titled A Taxonomy and Terminology of Attacks and Mitigations in Adversarial Machine Learning. The report provides a comprehensive taxonomy of adversarial machine learning (AML) concepts. It organizes key elements into a conceptual hierarchy, including machine learning methods, attack life cycle stages, and attacker goals and capabilities. The publication also highlights the current challenges in securing Artificial Intelligence (AI) systems and outlines strategies for mitigating and managing adversarial attacks. The aim is to establish a common language for the rapidly evolving field of AML, helping to guide future standards and best practices for AI security. To learn more about the taxonomy and terminology of adversarial machine learning, refer to the report for detailed insights and guidance.
Microsoft's New Guidance to Strengthen Zero Trust Maturity Model
Source: Microsoft
Microsoft has released new guidance to assist U.S. government agencies and their industry partners in aligning with the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model (ZTMM). The guidance aims to help agencies adopt Zero Trust principles by configuring Microsoft cloud services across the five key pillars of Identity, Devices, Networks, Applications & Workloads, and Data. It supports the transition through the model’s four stages: Traditional, Initial, Advanced, and Optimal, offering tailored, actionable advice for each stage. Microsoft’s cloud services, including Microsoft Entra ID, Intune, Defender for Endpoint, GitHub, Purview, and Azure networking, play crucial roles in helping agencies meet these requirements. Real-world examples, such as
the United States Department of Agriculture's phishing-resistant multi-factor authentication and the U.S. Navy's collaboration with Microsoft, demonstrate how these solutions are being implemented successfully. The guidance provides both immediate and long-term strategies for achieving a comprehensive Zero Trust architecture and continuously adapting to evolving cybersecurity threats. For more detailed insights, refer to the Microsoft guidance.
HPH Sector Ransomware Resource Library
The HPH Sector Highlights-Cybersecurity Edition features this continually growing HPH Ransomware Resource Library in every weekly bulletin. The library has a variety of resources that you can use to keep your healthcare facility protected from ransomware attacks.
Latest CISA Vulnerability Summary
The latest CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the NIST National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned Common Vulnerability Scoring System (CVSS) scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Comments and Questions
If you have comments or questions, send an email to hhscyber@hhs.gov. The OCIP team will work to answer your inquiries or connect you to the proper entity.
Traffic Light Protocol (TLP) Designation: CLEAR
TLP: CLEAR information may be distributed without restriction.
Disclaimer: ASPR provides the above sources of information for the convenience of the HPH Sector community and is not responsible for the availability or content of the information or tools provided, nor does ASPR endorse, warrant or guarantee the products, services or information described or offered. It is the responsibility of the user to determine the usefulness and applicability of the information provided.