An audit of a large northeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified cybersecurity gaps and weaknesses that are likely to be present in similarly sized hospitals across the country.
Cyberattacks on healthcare organizations have increased sharply in recent years. Between 2018 and 2022, there was a 93% increase in large data breaches reported to the HHS’ Office for Civil Rights (OCR) and a 278% increase in large data breaches involving ransomware. In 2022 alone, OCR received 64,592 reports of healthcare data breaches, across which the protected health information of 42 million individuals may have been exposed or stolen.
The HHS plays an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and healthcare delivery from cyberattacks. The large number of successful cyberattacks raises questions about whether the HHS, including the Centers for Medicare and Medicaid Services (CMS) and OCR, could do more with its cybersecurity guidance, oversight, and outreach to help healthcare organizations implement robust cybersecurity controls and better protect their networks from attack.
While OCR usually conducts audits of HIPAA-regulated entities to assess cybersecurity and compliance with the HIPAA Rules, HHS-OIG’s 2025 Work Plan includes a series of 10 audits of U.S. hospitals to gain insights into healthcare cybersecurity and assess the cybersecurity measures that have been put in place. A northeastern hospital with more than 300 beds agreed to an audit to assess whether appropriate cybersecurity controls had been implemented for preventing and detecting cyberattacks, whether protocols had been developed for ensuring the continuity of care during a cyberattack, and the controls in place to protect Medicare enrollee data. The audited entity was not named due to the threat of cyberattacks.
The hospital is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and is a covered entity under HIPAA required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. As a provider of healthcare services under the Medicare program, the hospital is also required to comply with the CMS Conditions of Participation (CoPs). The hospital had implemented measures to comply with the CoPs and HIPAA, and had voluntarily implemented the NIST Cybersecurity Framework to reduce and better manage cybersecurity risks
The hospital was found to have implemented data security measures to protect Medicare data and had effective cybersecurity controls to ensure continuity of care in the event of a cyberattack, including appropriate network architecture, backup strategies, incident response plans, and disaster recovery controls. HHS-OIG did, however, identify several cybersecurity weaknesses and security gaps.
HHS-OIG conducted several simulated cyberattacks on Internet-facing systems and found its cybersecurity controls, which included a web application firewall (WAF), were generally effective at blocking or limiting malicious requests. Simulated phishing emails were also sent to employees, and no employee responded or interacted with the fake website HHS-OIG had set up for the phishing scam.
HHS-OIG analyzed 26 internet-accessible systems and discovered two had weaknesses in their cybersecurity controls that could potentially be exploited by threat actors to gain access to systems. HHS-OIG also identified 13 web applications with cybersecurity weaknesses related to configuration management controls, and 16 Internet-accessible systems had weaknesses in their cybersecurity controls regarding identification and authentication that left them susceptible to interactions and manipulations by threat actors
HHS-OIG explained that the weaknesses occurred due to the integration of two systems with its existing IT environment without following security best practices. Further, while there were procedures for periodically assessing web application security controls, they were not effective at identifying weaknesses before they were potentially exploited, and industry web application security best practices had not been effectively implemented.
While the systems that were susceptible to some of the HHS-OIG’s simulated attacks did not contain patient data, compromising those systems could potentially provide attackers with a launch pad for conducting additional attacks against other systems, including systems that contained patient data. A threat actor could also use information gathered in an attack on a vulnerable system to conduct more convincing social engineering campaigns on the workforce.
The hospital concurred with all five HHS-OIG recommendations:
- Enforce and periodically assess compliance with its configuration and change management policy.
- Periodically assess and update its identification and authentication controls.
- Periodically assess and update its configuration management controls.
- Establish a policy or process to periodically assess its internet-accessible systems and application security controls for vulnerabilities.
- Ensure developers follow secure coding practices.
The post HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital appeared first on The HIPAA Journal.