HHS Encourages Healthcare Organizations to Address Microsoft Zero-Day Vulnerabilities

On March 11, 2025, Microsoft released security updates that address 57 vulnerabilities, including six critical zero-day flaws that are currently being exploited by cybercriminals. These vulnerabilities, particularly those related to remote code execution, could allow attackers to gain unauthorized access to systems, potentially leading to data compromise, system manipulation, or service disruption.

The Department of Health and Human Services (HHS) strongly encourages healthcare organizations to take immediate steps to address these vulnerabilities. Microsoft’s guidance, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory 2025-022, provides crucial steps for identifying and addressing these threats in a way that aligns with each organization’s specific risk profile.

Given that these vulnerabilities are actively targeted, swift action is critical to prevent potential exploitation, which could compromise sensitive patient data and disrupt essential healthcare services. HHS also recommends that healthcare organizations implement the Healthcare and Public Health Cybersecurity Performance Goals (CPGs) to further strengthen their security posture.

By addressing these vulnerabilities as soon as possible, healthcare organizations can better protect critical systems and safeguard patient information from growing cyber threats.