Aggregator
Multiple Flaws in Dell PowerProtect Allow System Compromise
Dell has released a Critical Security Update (DSA-2025-022) for its PowerProtect Data Domain (DD) systems to address multiple vulnerabilities that could allow attackers to compromise affected systems. These vulnerabilities, identified in various components and open-source dependencies, highlight the importance of timely patching to safeguard enterprise data protection environments. Impact of the Disclosed Vulnerabilities: The vulnerabilities include seven […]
The post Multiple Flaws in Dell PowerProtect Allow System Compromise appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
AsyncRAT Abusing Python and TryCloudflare For Stealthy Malware Delivery
A recent cybersecurity threat has emerged in the form of AsyncRAT, a remote access trojan (RAT) that leverages Python and TryCloudflare for stealthy malware delivery. This sophisticated campaign involves a complex sequence of events, starting with phishing emails that deceive users into downloading malicious payloads. Here the attack chain exploits legitimate infrastructure which makes the […]
The post AsyncRAT Abusing Python and TryCloudflare For Stealthy Malware Delivery appeared first on Cyber Security News.
Aim for crypto-agility, prepare for the long haul
While organizations have long experimented with various facets of digital transformation, the journey toward crypto-agility is one of the most significant technological transitions of our time. Success in the emerging quantum era will require technical expertise, strategic foresight, careful planning, and an unwavering commitment to security. The challenges: Perhaps the most pressing challenge in the quest towards cryptographic agility is encryption key sprawl, where visibility into organizations’ encryption key ecosystem becomes cloudy. Many companies struggle …
The post Aim for crypto-agility, prepare for the long haul appeared first on Help Net Security.
CVE-2024-53104: Google closes a critical 0-day hole in Android
Roundcube XSS Flaw Allows Attackers to Inject Malicious Files
A critical Cross-Site Scripting (XSS) vulnerability has been discovered in the popular open-source webmail client, Roundcube, potentially exposing users to serious security risks. Tracked as CVE-2024-57004, the flaw affects Roundcube Webmail version 1.6.9 and allows remote authenticated users to upload malicious files disguised as email attachments. Once the malicious file is uploaded, the vulnerability can be triggered when the […]
The post Roundcube XSS Flaw Allows Attackers to Inject Malicious Files appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Expert View | The rule-of-law path for whole-process management of health data assets
Expert View | Data asset registration: the key to driving digital economy development
Expert Interpretation | Wu Shenkuo: Building personal information protection certification scientifically to promote efficient, convenient and secure cross-border data flows
Expert Interpretation | Liu Xiangang: Using high-level security to safeguard compliant and efficient data circulation and use
Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score
What you can do to prevent workforce fraud
In this Help Net Security interview, Benjamin Racenberg, Senior Intelligence Services Manager at Nisos, discusses the threat of workforce fraud, particularly DPRK-affiliated IT workers infiltrating remote roles. With HR teams and recruiters often unprepared to detect these sophisticated schemes, businesses face significant cybersecurity and employment risks. Racenberg also discusses the tactics used by these threat actors and offers strategies to strengthen hiring practices and mitigate workplace fraud. We’ve seen stories about DPRK-affiliated IT workers infiltrating …
The post What you can do to prevent workforce fraud appeared first on Help Net Security.
Singapore to Probe DeepSeek's High-End Nvidia Chip Purchases
Singapore has vowed to investigate allegations that Chinese artificial intelligence company DeepSeek flouted U.S. export controls to obtain high-performance Nvidia chips to power its flagship R1 reasoning application through intermediaries based in the island nation.
DeepSeek Blocked In US Federal Agencies
U.S. federal agencies and corporations with ties to the government are blocking employees from using Chinese chatbot DeepSeek over security and privacy concerns. China could potentially use DeepSeek AI models to spy on American citizens, acquire proprietary secrets and conduct influence campaigns.
New Microsoft Unit to Navigate Impact of AI
Microsoft has created a new research-focused entity as part of its artificial intelligence division to analyze and anticipate the technology's societal, economic and workplace implications. It will report directly to Mustafa Suleyman, CEO of Microsoft AI.
Elon Musk Access to Key Data Systems Sparks Cyber Alarms
Reports that a Trump administration task force headed by Elon Musk gained access to sensitive government systems have rattled the cybersecurity community amid fears of misuse. "Working for Elon Musk does not give you some supernatural shield of cyber invulnerability," said Mark Montgomery.
The Phoenix project's anniversary: the hunt for "little green men" has dragged on for 30 years
Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
What 2025 HIPAA Changes Mean to You
Tue, 02/04/2025 - 04:49
The Thales comprehensive Data Security Platform helps you comply with the 2025 HIPAA changes.
You are going about your normal day at your healthcare organization, following the same business process you have followed for the last twelve years. You expect protected health information (PHI) to be safeguarded, and thanks to HIPAA compliance it is.
HIPAA forces organizations to build a security system for personal health information. You certainly wouldn't print your personal health information and pass it out to anyone. HIPAA ensures that businesses treat your personal health information with extra care, encrypting it, restricting who can access it, and ensuring systems that store it are secure and continuously tested. Every time you receive medical care, HIPAA is working behind the scenes to keep your PHI safe from cybercriminals.
According to the Thales Data Threat Report, Healthcare and Life Sciences Edition, in 2023, among healthcare and life sciences respondents, human error (76%) is the leading reported cause of cloud data breaches, well ahead of a lack of MFA, the second highest, at 11%. To compound issues, identity and encryption management complexity is a serious issue. 60% of healthcare respondents have five or more key management systems in use.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that, when first published, created the national standards for protecting sensitive protected health information (PHI) from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule: PHI that is created, received, maintained or transmitted in electronic form (ePHI).
Who does it apply to?
Covered Entities: Entities that handle PHI, including health plans, health insurance organizations, hospitals, clinics, pharmacies, physicians, and dentists, among others.
Business Associates: Third-party service providers that create, receive, maintain, or transmit ePHI on behalf of covered entities. Examples include IT contractors or cloud storage vendors.
Key Dates
On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The NPRM was published in the Federal Register on January 6, 2025, and public comments were due by March 7, 2025. The changes take effect only after OCR publishes a final rule and its compliance date passes, so March 7, 2025 is the end of the comment period, not an effective date. HIPAA is not a static regulation. Since its original publication, it has been periodically updated to remain relevant.
What Changed?
The proposed changes are extensive. They focus on new written policies and procedures, technical safeguards, and updated business associate agreements, which are summarized below.
- Elimination of "Addressable" Standards: The distinction between "required" and "addressable" implementation specifications would be removed. HIPAA-regulated entities would have to implement every specification, with specific, limited exceptions.
- Strengthened Security Measures:
  - Mandatory Encryption: Encryption would be required for all ePHI, both at rest and in transit, with limited exceptions.
  - Multi-factor Authentication: MFA would be required for access to systems that hold ePHI, with limited exceptions, replacing today's loosely defined authentication expectations.
  - Enhanced Risk Analysis: More stringent requirements for conducting and documenting risk analyses, including a written inventory of technology assets and a network map showing how ePHI moves through the environment.
  - Vulnerability Scanning and Penetration Testing: Vulnerability scanning at least every six months and penetration testing at least once every twelve months would become mandatory.
  - Improved Incident Response: Clearer expectations for written incident response plans and procedures, and for restoring critical systems and data within 72 hours of a loss.
  - Alignment with NIST Guidelines: Incorporates well-recognized cybersecurity best practices.
- Stronger Penalties: Increased consequences for negligence and repeated breaches.
The civil penalties for non-compliance with HIPAA vary based on the level of negligence and, in their base statutory amounts, range from $100 to $50,000 per individual violation, with an annual cap per provision that OCR adjusts for inflation (about $1.9 million per calendar year at the 2022 adjustment). Knowing violations can also carry criminal penalties for the individuals responsible, tiered at up to one, five, or ten years of imprisonment depending on intent.
Thales Solution for HIPAA Compliance
No single tool makes an organization 100% compliant, but Thales offers comprehensive data security solutions that align with HIPAA requirements. Thales is driven by a vision to protect data and all paths to it, enabling you to become more compliant and more secure. Thales helps organizations address the requirements for safeguarding PHI by analyzing risk, reducing risk from third parties, enforcing access control and authentication, encrypting PHI at rest and in transit, protecting encryption keys, and de-identifying PHI in databases.
How Thales Helps with HIPAA Compliance
It has been one year since Thales and Imperva joined as two data security leaders. Although there is no silver bullet for improving your data security posture, Thales’s comprehensive data protection and monitoring strategy is now a clear option for assisting with HIPAA compliance. It offers encryption, multi-factor authentication, and cybersecurity solutions that give healthcare organizations industry-leading options for their data security, monitoring, and compliance needs.
With Thales’s solution depth, you can now work toward HIPAA compliance without investing in a confusing set of tools from multiple vendors. Thales’s Application Security, Data Security, and Identity and Access Management solutions have the advanced security and compliance features that enable you to address the new HIPAA requirements.
Summary
Thales is a major solution provider for organizations that want to achieve HIPAA compliance, remain HIPAA compliant, or adhere to the new HIPAA requirements published for comment in January 2025. HIPAA requirements are complex, and the Security Rule is changing for the first time in 12 years, prompting organizations to look to Thales for application security, data security, and identity and access management solutions to help with HIPAA compliance.
Download our Thales Data Threat Report, Healthcare and Life Sciences Edition, to learn how data protection solutions can shorten your time to HIPAA compliance.
Doug Bies | Product Marketing Manager
The post What 2025 HIPAA Changes Mean to You appeared first on Security Boulevard.
8 steps to secure GenAI integration in financial services
GenAI offers financial services institutions enormous opportunities, particularly in unstructured dataset analysis and management, but may also increase security risks, according to FS-ISAC. GenAI can organize oceans of information and retrieve insights from it that you can use to improve business operations, maximize your markets, and enhance the customer experience. Those GenAI-analyzed datasets can turn up information about fraud, threats, and risks, which present remarkable security opportunities. “GenAI presents enormous opportunities for financial firms to …
The post 8 steps to secure GenAI integration in financial services appeared first on Help Net Security.