
February 2026 CISO Brief: Privacy Deadlines, Clinical Impact, and Persistent Attack Paths

As healthcare organizations move closer to the February 16, 2026, compliance deadline for the updated 42 CFR Part 2 requirements, they are doing so in an environment defined by persistent ransomware activity, slow remediation of known exploited vulnerabilities, expanding clinical attack surfaces, and growing use of unmanaged technologies. This month’s Brief focuses on how these forces intersect and why privacy, security, and clinical continuity can no longer be treated as separate conversations.

Why This Matters Now

The Part 2 updates expand where highly sensitive substance use disorder data can be stored, accessed, and redisclosed across integrated care models. While this supports better coordination of care, it also increases the impact of cyber incidents that disrupt clinical workflows or expose trusted systems. At the same time, Fortified continues to observe that many of the most damaging healthcare incidents originate from well-known weaknesses rather than sophisticated new attack techniques.

This Month’s Key Risk Signals

  • Clinical Continuity vs. Business Continuity: Cyber incidents increasingly disrupt diagnostics, imaging, referrals, and care coordination before they disrupt billing or core administrative systems, directly impacting patient outcomes.
  • Slow Response to Known Exploited Vulnerabilities: Delayed remediation of KEVs remains a leading contributor to ransomware and intrusion impact across healthcare environments.
  • Shadow IT and Shadow AI Expansion: Unvetted tools introduce unmanaged data paths that complicate governance, consent enforcement, and incident response.
  • Medical Device and Converged Environment Exposure: Thousands of connected clinical devices expand the blast radius of incidents and increase patient safety risk.

Threat Bulletin 1: Cisco Secure Email & Web Manager Under Active Exploitation (CVE-2025-20393)

1. Overview – What Happened and Why It Matters

Fortified Health Security issued a threat bulletin following confirmation of active exploitation of CVE-2025-20393, a maximum-severity vulnerability in Cisco AsyncOS Software as used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw is exploitable when the Spam Quarantine feature is enabled and reachable from the internet; it allows an unauthenticated remote attacker to execute arbitrary commands as root on the underlying operating system and to establish persistent access.

2. Healthcare Impact

For healthcare delivery organizations, compromise of email security appliances represents more than an IT control failure. These systems support referrals, care coordination, clinical communications, and the exchange of sensitive behavioral health and substance use disorder information. Exploitation enables attackers to bypass traditional email defenses, exfiltrate sensitive data, and deliver ransomware or phishing campaigns through trusted channels.

3. Recommended Actions

Organizations should immediately inventory affected appliances, validate exposure (specifically, whether the Spam Quarantine interface is reachable from the internet), and apply Cisco's patches, using emergency maintenance windows if required. Because the flaw yields root, patching alone does not remove an attacker who is already present: assess each appliance for compromise and rebuild from a known-good image where persistence is identified. Administrative access should be restricted to trusted management sources, unnecessary services disabled, and enhanced monitoring implemented.

4. Questions to Ask Your Team

  • Do we have complete visibility into exposed email infrastructure?
  • How quickly can we patch actively exploited systems?
  • What clinical workflows depend on email during high-acuity events?

Threat Bulletin 2: Patch STAT – KEV Discipline Gaps in Healthcare

1. Overview – What Happened and Why It Matters

A second Fortified alert emphasizes urgent action following Cisco's release of official patches for CVE-2025-20393. Threat activity attributed to a nation-state-aligned adversary reinforces that known exploited vulnerabilities remain a dominant entry point, because remediation is delayed and configurations drift from their hardened baselines.

2. Healthcare Impact

Delayed response to KEVs increases dwell time, lateral movement, and operational disruption. Healthcare organizations may remain financially operational while clinical services such as imaging and referrals are degraded, directly impacting patient care.

3. Recommended Actions

Organizations should define remediation SLAs tied to clinical impact (shortest for internet-facing systems and for systems supporting imaging, referrals, and clinical communication), regularly validate configurations against the hardened baseline, exercise incident response scenarios that involve compromise of foundational infrastructure such as email security appliances, and align remediation priorities with the systems that support patient care.

4. Questions to Ask Your Team

  • How do we prioritize KEVs impacting clinical systems?
  • What is our average remediation time?
  • Where do delays most often occur?

Together, these bulletins illustrate how quickly known weaknesses can translate into operational and clinical risk.
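One way to make the KEV discipline described in both bulletins measurable, as an added example (this is not Fortified's code and not a Cisco tool): a Python script that joins a KEV catalog excerpt to a vulnerability-scan export tagged with each system's clinical tier and internet exposure, derives a per-finding due date (the shorter of CISA's dueDate and an internal tier SLA, tightened to 24 hours for an internet-exposed KEV such as an exposed Spam Quarantine interface), and reports open overdue findings, mean time to remediate per tier, SLA attainment, and the stage where misses stall. The tier SLA values, the 24-hour rule, the hypothetical asset names, and the sample dates are assumptions; CVE-0000-000x are placeholder identifiers, and the dates shown for CVE-2025-20393 are illustrative rather than CISA's catalog values.

```python
"""Clinical-impact-tiered KEV remediation tracker.

Added example; not Fortified's or Cisco's code. Assumes a KEV catalog excerpt in
the same JSON shape as the CISA feed (cveID, dateAdded, dueDate), a scan export
enriched with a clinical tier and an internet-exposure flag per asset, and the
policy values below. All sample data is constructed; the CVE-2025-20393 dates
are placeholders, not CISA's catalog values.
"""
import json
from collections import Counter
from datetime import date, timedelta
from statistics import mean

# Assumed internal policy: days allowed after CISA adds a CVE to the catalog,
# by the clinical impact of the system carrying it. The shorter of this and
# CISA's own dueDate wins; an internet-exposed KEV gets EXPOSED_SLA_DAYS.
TIER_SLA_DAYS = {
    "clinical-critical": 3,   # imaging, EHR interfaces, referral/clinical email paths
    "clinical-support": 7,    # scheduling, results delivery, etc.
    "business": 14,           # billing, HR, back office
}
EXPOSED_SLA_DAYS = 1

# Constructed excerpt using the CISA feed's field names.
KEV_CATALOG_JSON = """{
  "title": "Constructed KEV excerpt (same field names as the CISA feed)",
  "vulnerabilities": [
    {"cveID": "CVE-2025-20393", "vendorProject": "Cisco",
     "product": "Secure Email Gateway / Secure Email and Web Manager",
     "dateAdded": "2026-01-20", "dueDate": "2026-01-27"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "PACS viewer", "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "HR portal", "dateAdded": "2026-01-15", "dueDate": "2026-02-05"}
  ]
}"""

# Constructed scan export: one row per (asset, CVE). remediated_on is None while
# the finding is open; delay_stage records which step is (or was) blocking it.
FINDINGS = [
    {"asset": "esa-01", "cve": "CVE-2025-20393", "tier": "clinical-critical",
     "internet_exposed": True, "remediated_on": None, "delay_stage": "change-approval"},
    {"asset": "sma-01", "cve": "CVE-2025-20393", "tier": "clinical-critical",
     "internet_exposed": False, "remediated_on": "2026-01-22", "delay_stage": None},
    {"asset": "pacs-viewer-03", "cve": "CVE-0000-0001", "tier": "clinical-critical",
     "internet_exposed": False, "remediated_on": "2026-01-30", "delay_stage": "vendor-validation"},
    {"asset": "pacs-viewer-04", "cve": "CVE-0000-0001", "tier": "clinical-critical",
     "internet_exposed": False, "remediated_on": None, "delay_stage": "vendor-validation"},
    {"asset": "hr-portal", "cve": "CVE-0000-0002", "tier": "business",
     "internet_exposed": False, "remediated_on": "2026-01-28", "delay_stage": None},
]


def parse_kev(text):
    """Map cveID -> (dateAdded, dueDate) from a KEV-shaped JSON document."""
    catalog = json.loads(text)
    return {v["cveID"]: (date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]))
            for v in catalog["vulnerabilities"]}


def sla_due(finding, kev):
    """Earliest of CISA's due date, the tier SLA, and the exposed-asset SLA."""
    added, cisa_due = kev[finding["cve"]]
    due = min(cisa_due, added + timedelta(days=TIER_SLA_DAYS[finding["tier"]]))
    if finding["internet_exposed"]:
        due = min(due, added + timedelta(days=EXPOSED_SLA_DAYS))
    return due


def assess(findings, kev, today):
    """Return overdue open findings, MTTR per tier, SLA attainment, and delay stages."""
    overdue_open, closed_days = [], {}
    met, missed, delay_stages = Counter(), Counter(), Counter()
    for f in findings:
        added, _ = kev[f["cve"]]
        due, tier = sla_due(f, kev), f["tier"]
        if f["remediated_on"] is None:
            if today > due:                      # open and past due: a miss in progress
                overdue_open.append((f["asset"], f["cve"], (today - due).days))
                missed[tier] += 1
                delay_stages[f["delay_stage"] or "unrecorded"] += 1
            continue                             # open but inside SLA: nothing to report yet
        fixed = date.fromisoformat(f["remediated_on"])
        closed_days.setdefault(tier, []).append((fixed - added).days)
        if fixed <= due:
            met[tier] += 1
        else:
            missed[tier] += 1
            delay_stages[f["delay_stage"] or "unrecorded"] += 1
    overdue_open.sort(key=lambda row: row[2], reverse=True)
    tiers = set(met) | set(missed)
    return {
        "overdue_open": overdue_open,
        "mttr_days": {t: mean(d) for t, d in closed_days.items()},
        "sla_met_rate": {t: met[t] / (met[t] + missed[t]) for t in tiers},
        "delay_stages": delay_stages,
    }


def run_report(today_iso="2026-02-10"):
    """Run the assessment over the constructed data as of the given date."""
    return assess(FINDINGS, parse_kev(KEV_CATALOG_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = run_report()
    for asset, cve, days in report["overdue_open"]:
        print(f"OVERDUE {days:3d}d  {asset:16s} {cve}")
    print("MTTR by tier:", report["mttr_days"])
    print("SLA met rate:", report["sla_met_rate"])
    print("Where misses stall:", report["delay_stages"].most_common())
```

In practice, replace the embedded excerpt with the live catalog from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the constructed rows with a scanner export; the point of the tier and exposure columns is that the same CVE on an internet-facing email gateway and on a back-office portal gets different clocks, which is what "SLAs tied to clinical impact" has to mean operationally.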

CISO Q&A

Russell Teague (CISO): How do these threat bulletins connect to the upcoming Part 2 deadline?

Troy Cruzen (vCISO): Part 2 expands where highly sensitive data exists and how it flows across systems. At the same time, we are seeing attackers compromise foundational infrastructure that many organizations assume is already secure. When those systems are impacted, Part 2 data becomes part of a much larger clinical and trust issue, not just a compliance concern.

Russell Teague (CISO): We often talk about clinical continuity versus business continuity. How does that play out during incidents?

Troy Cruzen (vCISO): We routinely see hospitals that can still bill patients or access portions of the EHR, but imaging, email, or referral workflows are disrupted. That delay in diagnosis or coordination is where the real impact occurs. Cyber events increasingly affect care delivery before they affect revenue.

Russell Teague (CISO): Are delayed responses to known vulnerabilities still a major driver?

Troy Cruzen (vCISO): Yes. Many incidents trace back to vulnerabilities that were known and actively exploited. Competing priorities and change management delays increase exposure. As Part 2 data becomes more prevalent, the consequences of those delays grow.

Russell Teague (CISO): Where do medical devices and Shadow AI fit into this picture?

Troy Cruzen (vCISO): They expand complexity and risk. Medical devices increase lateral movement opportunities, while Shadow IT and Shadow AI introduce invisible data paths. Both make it harder to enforce consent, maintain visibility, and respond effectively during an incident.

Closing Perspective

The February 2026 42 CFR Part 2 deadline is arriving amid persistent execution challenges across healthcare cybersecurity. This is not simply a privacy compliance milestone. It is a test of operational readiness, clinical resilience, and patient trust. Organizations that address Part 2 in isolation will struggle. Those that view it in the context of clinical continuity, remediation discipline, and expanding attack surfaces will be far better positioned for the realities ahead.
