Aug 30–Sep 5, 2025 Healthcare Cyber Weekly

Policy & enforcement heat up

HHS signals an aggressive stance on information blocking. On Sept. 3, HHS said it’s “cracking down” on practices that restrict the access, exchange, or use of electronic health information (EHI). The press release reiterates that health IT developers/HIEs can face civil penalties up to $1M per violation, while CMS program disincentives may apply to providers. HHS also pointed to ONC/OIG coordination and encouraged reporting via ONC’s portal. For security leaders, the message is clear: governance around data sharing and API-based access is now a top-tier enforcement priority, not just an interoperability issue. (HHS.gov)

OIG issues a companion Enforcement Alert (Sept. 4). The alert emphasizes OIG’s posture on investigating alleged information blocking—relevant for compliance, legal, and security teams that oversee EHI gateways, app connections, and auditability of data-sharing decisions. Expect more scrutiny on whether denials of access are truly compliant with exceptions (e.g., preventing harm, privacy, security). (HHS Office of Inspector General, HealthIT.gov)

Threat activity & advisories

Allied cyber agencies warn on Chinese state-sponsored tradecraft. The AHA highlighted a new joint advisory (NSA, CISA, FBI and multiple partners) detailing APT techniques observed globally. Of note for health systems: persistent access via edge devices/routers, abuse of management endpoints, and exploitation of known vulnerabilities (e.g., Ivanti CVE-2024-21887, PAN-OS CVE-2024-3400, Cisco IOS XE CVE-2023-20198). The CSA includes concrete hunting guidance and mitigations—useful for network and clinical engineering teams maintaining WAN and remote-clinic links. (American Hospital Association, CISA)

Ransomware pressure remains elevated. Industry tracking this week continued to show steady activity and new listings on data-leak sites, reinforcing the sector’s persistent exposure. (H-ISAC’s daily “TLP:GREEN” updates remained active through Sept. 2–5.) (American Hospital Association)

Notable incidents & notifications

University of Iowa Community HomeCare (UI Health Care affiliate) – 211,000 affected. Public notices (Aug. 29) and follow-on coverage early this week confirmed an unauthorized access discovered July 3 that allowed viewing/copying of files with PII/PHI (names, DOB, MRNs, provider, dates of service, insurance details, some SSNs). EHR systems were not affected. Notifications began Aug. 29. For CISOs, this is a reminder to review affiliate data flows, shared stores, and third-party file repositories that sit outside core EHRs. (United Healthcare, University of Iowa Healthcare, The HIPAA Journal)

Aspire (Michigan) – 138,386 impacted; BianLian claimed theft earlier this year. On Sept. 4, regional press summarized notifications tied to a late-2024/early-2025 intrusion. Reported exposed data ranges from identifiers to financial/medical details; Epic EHR was reportedly not affected; credit monitoring offered. Even though the compromise occurred months earlier, this week’s public reporting underscores the long tail of patient notifications and litigation risk. (Huron Daily Tribune)

France: regional hospital identity-data servers targeted. French regional health authorities reported a cyberattack “at the end of last week” (i.e., during Aug. 30–Sept. 5) against shared servers hosting patient identity data across multiple public hospitals; medical-record content was not believed to be impacted. Identity stores that underpin scheduling/registration are high-value: protect IAM and admin pathways with the same rigor as clinical systems.

Sector intel & community signals

Health-ISAC publishes “Melding of State and Criminal Threat Actor Motivation: The Nebulous Normal” (Sept. 5). The paper captures the increasingly blurred lines between state interests and criminal monetization—aligning with the week’s APT advisory. Useful context for updating threat models and tabletop scenarios that cross cybercrime and geopolitics. (health-isac.org)

Law & governance watch

Reauthorization of cyber threat-sharing protections advances. With the Cybersecurity Information Sharing Act of 2015 set to sunset Sept. 30, a House panel advanced a 10-year extension informally dubbed the WIMWIG Act, keeping safe-harbor protections for sharing indicators with government/partners. The bill heads to the full House; Senate path remains uncertain. Continuity here matters for hospital participation in sharing programs and legal risk calculus. (NextGov/FCW, Federal News Network)

What this means (actions for healthcare CISOs)

  • Tighten decisioning around data sharing. Ensure your information-blocking governance is real: document exception use, produce audit trails, validate security rationales, and align API/portal policies with ONC/OIG expectations. Re-brief legal, HIM, and app teams on Sept. 3–4 updates. 
  • Prioritize edge-device threat hunting. Review configs and logs for VPNs/routers/firewalls; check for web-UI abuse and unusual WSMA/management traffic; validate mitigations for the named Ivanti/PAN-OS/Cisco CVEs. Coordinate with network vendors and MSSPs on current IOCs. 
  • Scrutinize shared repositories & affiliates. Map where patient identity and encounter files live outside the EHR (affiliates, homecare, billing, research). Apply least privilege, immutable backups, and DLP on shared stores; rehearse exfil-response comms. 
  • Lean into intel sharing. Track the reauthorization of the Cybersecurity Information Sharing Act of 2015; maintain H-ISAC participation and operationalize TLP:GREEN/RDS insights into patch and detection sprints.