Healthcare Cybersecurity Weekly: Sep 27–Oct 3, 2025

This week brought a mix of policy shocks, urgent patching, and a headline-grabbing hospital incident overseas. Here are the developments healthcare leaders should track—and what to do next.

1) U.S. shutdown + CISA 2015 lapse = weaker intel sharing, thinner defenses

The federal shutdown that began Oct 1 forced the Cybersecurity and Infrastructure Security Agency (CISA) to furlough a majority of its workforce—just ~35% remained on duty—right as the Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on Sept 30. The law’s lapse removes key liability protections for private-sector threat sharing with the government, which experts warn could chill the flow of actionable intel hospitals rely on. For providers, this means fewer timely joint advisories, slower cross-sector correlation, and more uncertainty around sharing indicators of compromise.

The broader shutdown also hit health agencies: HHS contingency plans call for furloughing roughly 41% of staff, constraining oversight and coordination at a moment of elevated ransomware activity against care delivery. Sector analysts cautioned that CISA’s reduced capacity hampers the “connect-the-dots” work hospitals can’t easily do alone.

What to do now: Re-emphasize your private ISAC/ISAO pipelines (e.g., HS-ISAC), tighten local partner sharing agreements, and pre-authorize legal guardrails for bi-directional intel exchange with regional peers.

2) Splunk vulnerabilities disclosed—health systems should patch fast

On Oct 1, Splunk published new advisories covering multiple web-component issues and a denial-of-service flaw (CVE-2025-20370) that can spike CPU with crafted LDAP binds until services restart. Supported fixed versions include 10.0.1 / 9.4.4 / 9.3.6 / 9.2.8 (and specific Splunk Cloud builds). Given Splunk’s ubiquity in hospital SOCs and SIEM stacks, these are urgent weekend-window patches.

Action items:

  • Patch Splunk Enterprise/Cloud to the versions listed in the advisory.
  • Validate admin-capability scoping (e.g., change_authentication) and review RBAC drift.
  • Add post-patch health checks (CPU, indexer latency, auth logs) and regression tests for saved searches/dashboards. 
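As an added example (not from the newsletter, and not Splunk's own tooling), the script below triages a constructed inventory of Splunk Enterprise hosts against the fixed versions quoted above (10.0.1 / 9.4.4 / 9.3.6 / 9.2.8) and flags non-admin roles that hold change_authentication; the hostnames, versions and role sets are made-up sample data, the edit_roles and admin_all_objects capabilities are assumed additions, and Splunk Cloud builds are not covered.

```python
# Added example (not from the newsletter or Splunk): patch-status and RBAC-drift triage.

# Minimum fixed version per supported branch, from the versions quoted in the post.
FIXED_VERSIONS = {(10, 0): (10, 0, 1), (9, 4): (9, 4, 4), (9, 3): (9, 3, 6), (9, 2): (9, 2, 8)}

# Capabilities to keep confined to admin roles; change_authentication is named in the
# post, edit_roles and admin_all_objects are assumed additions for this example.
SENSITIVE_CAPS = {"change_authentication", "edit_roles", "admin_all_objects"}
ALLOWED_HOLDERS = {"admin"}

def parse_version(version: str) -> tuple:
    """'9.4.3' -> (9, 4, 3); a fourth build component (e.g. '9.2.8.1') is kept for ordering."""
    return tuple(int(part) for part in version.strip().split("."))

def patch_status(version: str) -> str:
    """Classify one Splunk version against the advisory's fixed versions."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED_VERSIONS:
        return "unlisted-branch"  # no fixed build listed for this branch: unknown, not safe
    return "patched" if parsed >= FIXED_VERSIONS[branch] else "vulnerable"

def rbac_drift(roles: dict) -> dict:
    """Return {role: [sensitive caps]} for each non-admin role holding a sensitive capability."""
    return {role: sorted(caps & SENSITIVE_CAPS)
            for role, caps in roles.items()
            if role not in ALLOWED_HOLDERS and caps & SENSITIVE_CAPS}

def triage(inventory: dict, roles_by_host: dict) -> dict:
    """Per-host report for the patch window: version status plus any RBAC drift."""
    return {host: {"status": patch_status(ver), "rbac_drift": rbac_drift(roles_by_host.get(host, {}))}
            for host, ver in inventory.items()}

# Constructed sample data: hostnames, versions and role/capability sets are made up.
SAMPLE_INVENTORY = {"sh-01": "9.4.3", "idx-01": "9.4.4", "hf-01": "10.0.0", "legacy-01": "9.1.7"}
SAMPLE_ROLES = {"sh-01": {
    "admin": {"admin_all_objects", "change_authentication", "edit_roles", "search"},
    "soc_analyst": {"search", "schedule_search"},
    "helpdesk": {"search", "change_authentication"},  # drifted: should not hold this
}}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY, SAMPLE_ROLES).items():
        print(f"{host}: {result['status']}; rbac drift: {result['rbac_drift'] or 'none'}")
```

Feed it the output of your own inventory and role export; a host on a branch the advisory does not list is reported as unknown rather than as safe.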

3) Oracle-linked extortion campaign touches multiple sectors—watch third-party risk

By Oct 3, Oracle confirmed some customers received mass extortion emails following suspected exploitation of known vulnerabilities, aligning with a high-volume campaign security teams began flagging in late September. While not healthcare-specific, many providers and revenue-cycle partners run Oracle systems; any compromise in that ecosystem can cascade into PHI exposure or billing disruption. If your org—or any of your BAs—uses Oracle E-Business tools, treat this as a supply-chain exposure and verify patch levels and identity controls.

4) Yom Kippur-timed attack on major Israeli hospital

Israel’s Shamir Medical Center reported an attempted intrusion during Yom Kippur (Oct 1–2). The Qilin group claimed a ransomware operation and boasted of 8 TB of stolen data; subsequent local reporting noted hospital operations continued while teams investigated potential email data exposure. Even if geographically distant, the playbook—holiday timing, data theft, pressure via public claims—mirrors tactics U.S. hospitals have faced.

5) Breach trends remain elevated

HIPAA Journal updated its sector metrics this week (as of Oct 1) using OCR data through mid-September, reinforcing that 2025 remains on pace for another heavy breach year. Use this as a board-friendly signal to sustain investment in core hygiene (MFA everywhere, identity hardening, EDR tuning, immutable backups) while you tackle bigger architecture moves.

What this means for provider CISOs right now

  • Double down on non-government sharing: With CISA’s capacity constrained and CISA 2015 protections lapsed, lean into HS-ISAC, regional collaboratives, and trusted vendor intel feeds. Pre-clear sharing protocols with counsel.
  • Patch Splunk this weekend: Treat the Oct 1 advisories as a paging event for SecOps/IT. Lock down high-privilege capabilities and validate dashboards and scheduled searches post-update.
  • Triage Oracle exposure: Inventory Oracle dependencies (including vendors handling claims, ERP, or HR data). Confirm recent patches and enforce phishing-resistant MFA on admin access. Ask BAs for attestation.
  • Harden for holiday-timed incidents: The Shamir case underscores adversary timing. Freeze high-risk changes during holidays, ensure on-call depth, and rehearse EHR-downtime and ransom-negotiation playbooks.
  • Keep boards informed: Use the shutdown + law-lapse storyline to explain why intel flow may be noisier and why internal detection engineering (and OT/clinical systems monitoring) must pick up the slack.