Kicking Off Cybersecurity Awareness
Month 2025

Today marks the start of Cybersecurity Awareness Month and this year’s theme is Building a Cyber Strong America. The focus is simple: every organization, especially small and mid-sized teams that keep our communities running, can strengthen national resilience by turning safe habits into everyday culture. CISA’s guidance centers on four essentials any team can practice, plus a few “level-up” moves that add resilience without adding friction.

The CISA’s Core Four

These are the seatbelts of cybersecurity. Practice them daily, document them in policy, and prove they’re working.

1. Update software

   • Do now: Turn on automatic updates for operating systems, browsers, EHR/line-of-business apps, VPNs, and appliances.

   • Why it matters: Patches close known holes that attackers actively exploit.

   • Micro-task: Name an “Update Owner” and record last patch dates in your evidence log.

2. Use strong, unique passwords (with a manager)

   • Do now: Require long, random, unique passwords and roll out a password manager to everyone.

   • Why it matters: Eliminates reuse and simplifies secure sign-in.

   • Micro-task: Replace any shared logins with named accounts and vault credentials.

3. Turn on multifactor authentication (MFA)

   • Do now: Enforce MFA on email, EHR/record systems, admin consoles, billing, and cloud apps. Prefer security keys or authenticator apps over SMS.

   • Why it matters: Stops most account-takeovers, even if a password leaks.

   • Micro-task: Finish your “Top 10 MFA” rollout list this week.

4. Recognize and report phishing

   • Do now: Add a “Report Phish” button, post three tell-tale signs, and teach “hesitate → verify → report.”

   • Why it matters: Most incidents start with a click—fast reporting limits damage.

   • Micro-task: Hold a 10-minute huddle today; show how to verify and where to report.

Level Up Your Defenses

Once the Core Four are in motion, add resilience that helps you detect, recover, and keep running:

• Logging & monitoring to spot anomalies quickly and create auditable evidence of control health.

• Encrypted, tested backups using the 3-2-1 rule (three copies, two media types, one off-site) and regular restore tests.

• Encryption in transit and at rest so data is unreadable if intercepted or stolen.

Map the Core Four to Regulated Controls

• HIPAA Security Rule: access controls, audit controls, integrity, transmission security

• SOC 2: CC6 (access), CC7 (monitoring), CC8 (change), CC9 (vendor risk)

• ISO 27001: identity & access, logging/monitoring, supplier relationships, backup & recovery

Treat these habits as living controls: write them down, assign owners, keep timestamps/screenshots as proof for audits.

Your October “Core Four” Challenge

• Week 1: Patch 100% of systems and name an Update Owner

• Week 2: Roll out your password manager and retire shared logins

• Week 3: Close remaining MFA gaps on email and critical apps

• Week 4: Company-wide phish drill, then 15-minute coaching

Not a Checklist—It’s Culture

Checklists don’t stop threats but habits do. CISA’s campaign exists to help organizations like yours build everyday discipline that protects people, data, and operations—and, collectively, helps build a cyber strong America.

Fortify Your Core Four with VRC

Partner with VanRein Compliance to help you patch plan and evidence, password-manager rollout, MFA gap closure, phishing drill with training, and a verified backup restore—organized in VRC1 so you’re audit-ready all year.

Kick off Cybersecurity Awareness Month the right way. Let’s strengthen your defenses and make security a daily habit together.

🚨 𝗩𝗥𝗖 𝗔𝗟𝗘𝗥𝗧: Cadia Healthcare will pay $182,000 and complete a 2-year corrective action plan after posting patient names, photos, and treatment details online without valid HIPAA authorizations—affecting 150 patients. OCR also cited missing safeguards and failure to notify individuals.

Remember: Marketing needs HIPAA, too. Get written authorizations, tighten policies, and train your team before you hit “publish.” Partner with VanRein Compliance to protect your patients and your brand from intake to marketing.

Maryland’s MODPA Is Live

Maryland’s Online Data Privacy Act (MODPA) takes effect today. If you serve Maryland residents—whether you’re based in MD or not—you now have new obligations for how you collect, use, share, and honor choices about personal data. Treat MODPA as part of your state privacy stack alongside laws like CPRA/CPA/CTDPA, and tighten a few essentials this week so you don’t fall behind

Coverage

• Any organization that processes personal data of Maryland residents, subject to thresholds/exemptions.

• If you run multi-state operations or online services that reach MD, assume you’re in scope until counsel confirms otherwise.

Core Obligations

• Opt-in for sensitive data (e.g., minors’ data, health, precise location).

• Data minimization & purpose limitation (collect only what you need; use it only for stated purposes).

• Consumer rights (access, correction, deletion, and portability).

• Opt-outs (targeted advertising, sale, certain profiling impacting individuals).

• Universal opt-out signals (respect recognized browser/device signals where applicable).

• Vendor governance (DPAs on file; due diligence on processors/sub-processors; DPIAs where risk is high).

MODPA Week-1 Checklist

1. Add “Maryland” to your state matrix and flag systems that touch MD residents.

2. Update your privacy notice to reflect MD rights/opt-outs and your data uses in plain language.

3. Turn on universal opt-out handling in your consent/CM platform and verify it actually suppresses tracking/ads.

4. Confirm DPAs and DPIAs with key vendors (analytics, ads, AI-enabled tools, payment/CRM/helpdesk). Capture evidence of review.

5. Stand up a rights-request workflow (intake, identity verification, fulfillment within deadlines). Document who owns each step.

6. Minimize high-risk data: remove unnecessary fields, shorten retention, and document your purpose test.

7. Train frontline teams (support, marketing, product, clinic ops) on MD rights and escalation paths.

Practical Tips to Avoid Surprises

• Map your signals end-to-end. If you honor global opt-out signals, confirm suppression works across all platforms (web, mobile, tagged emails).

• Prove it works. Keep screenshots/exports: CMP logs, DSR request tracker, DPA repository, DPIA summaries, and test results.

• Close the vendor gap. Ask processors for attestations on retention limits, regional storage, and restrictions on training models with your data.

• Align with security basics. MODPA + security go together: MFA for admin tools, least-privilege roles, patching, and encrypted, tested backups.

How MODPA Fits Your Bigger Picture

Treat MODPA as one policy surface in a unified privacy program that scales across states. The more you centralize rights handling, vendor contracts, and evidence, the easier each new state law becomes, and the smoother your customer experience.

Privacy isn’t just legal text—it’s operational trust. Meeting MODPA on day one shows customers and partners that you respect their choices and steward their data responsibly. Put the fundamentals in place this week, prove they work, and you’ll be ready for the next state that comes online.

Make MODPA Manageable with VRC

VanRein Compliance can update your state matrix and privacy notice, configure universal opt-out handling, review vendor DPAs/DPIAs, and stand up a repeatable rights-request process with proof organized in VRC1.

📅 Book a MODPA Readiness Session to get compliant fast and stay ahead as new state laws roll in.