Cyber Security Awareness Month 2025

Kopiha Nathan

October is widely recognized as Cyber Security Awareness Month, observed internationally to help the public stay safe online by sharing practical steps for self-protection.

While cybersecurity is always a top priority in the healthcare sector, October serves as a valuable opportunity to refresh our knowledge and strategies. There are a number of resources available to support knowledge sharing and to help us update our cybersecurity practices.

In the spirit of the awareness month, we at HIROC are highlighting in this article two highly trending and detrimental cybersecurity threats that Subscribers should be aware of to strengthen their cyber safety strategy, together with the most impactful recommendations for each:

Privacy and Security Breaches Resulting from Third-party Breaches:

Cybersecurity breaches resulting from supply chain attacks and compromised vendor-hosted environments have been trending upward. Recent high-profile vendor breaches in the industry have shown that a single vendor breach can impact multiple organizations (e.g. a breach of a Customer Relationship Management system component).

Recommendation:

  • Adopt risk management strategies and due diligence activities to ensure that all critical systems hosted externally by third-party providers (i.e. vendors critical to your operations) are appropriately protected from security breaches or unauthorized access to personal health information (PHI).
  • It’s important that healthcare organizations have a comprehensive incident response plan and regularly conduct system downtime testing, disaster recovery drills and leadership-focused tabletop exercises. 

 

Social Engineering Tactics Such as Phishing and Vishing:

Open-access generative artificial intelligence (AI) tools have enabled cyber threat actors to create targeted phishing and vishing campaigns designed to trick users into disclosing sensitive information (e.g. user IDs, passwords, MFA codes) or into unknowingly performing malicious actions (e.g. changing bank account information).

The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025-2026 report states:

“Phishing is one of the most reported types of fraud in Canada and spear phishing has one of the highest reported levels of financial impact to victims. For example, spear phishing can lead to compromises that result in the theft of sensitive data and can cause significant financial losses for businesses.” ¹

Recommendation:

  • Implement phishing-resistant Multi-factor Authentication for all critical systems.
  • Where possible, deploy device-based authentication and geo-fencing.
  • Roll out a social engineering and phishing-focused campaign with a role-based training program for all employees.

 

Trusted Resources:

There are several guidelines and assessments available through trusted resources to support managing the above risks. HIROC has curated a number of valuable resources through trusted agencies and sources – check them out!


¹ Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025–2026 (Ottawa: Canadian Centre for Cyber Security, 2024), pg 23.

 

By Kopiha Nathan, Privacy and Compliance Officer

 

Don't forget to register for HIROC's Cyber Workshop on November 18. This event is complimentary and exclusively for HIROC Subscribers. Register Now.