Series: Audits of the Effectiveness of HHS's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks

Series Number: W-00-24-42035

OBJECTIVE

Ransomware, destructive malware, insider threats, and even honest mistakes present an ongoing threat to U.S. hospital operations and to the security of electronic protected health information (ePHI). The more quickly and effectively hospitals detect and respond to attacks that affect the availability and integrity of their data, the more likely they are to avoid service disruptions that could affect patient data or patient lives, and the less time and money they must spend recovering from such attacks. In recent years, multiple hospitals have fallen prey to significant cyberattacks, including ransomware attacks during the COVID-19 pandemic that disrupted hospital operations and patient care. In October 2020, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory (AA20-302A) on ransomware activity targeting the health care and public health sector. The advisory stated that threat actors continue to develop new functionality and tools, increasing the ease, speed, and profitability of ransomware attacks.

HHS-OIG will audit HHS's governance over its programs to determine whether HHS's Office for Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification Rules, and whether those audits effectively assessed ePHI protections. In addition, we will determine whether the Centers for Medicare & Medicaid Services (CMS) certification process for participation in the Medicare program requires participating hospitals to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data. We will also conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements and effective cybersecurity measures to prevent, detect, and recover from cyberattacks.

There are 6 projects in this series.

ACTIVE PROJECTS IN THIS SERIES (4)

COMPLETED PROJECTS IN THIS SERIES (2)

North Shore University Hospital

Audit of the Effectiveness of OCR's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks

TIMELINE

  • April 5, 2021
    Series Number W-00-24-42035 Assigned
  • April 5, 2021
    Project Announced

    Audit of the Effectiveness of OCR's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks - A-18-21-08014

  • November 15, 2021
    Project Announced

    North Shore University Hospital - A-18-22-08019

  • February 7, 2022
    Project Announced

    Project A-18-22-08021

  • November 21, 2024
    Project Complete - A-18-21-08014

    Audit of the Effectiveness of OCR's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks has been marked as complete. This audit resulted in 4 recommendations.

  • January 30, 2025
    Project Announced

    Project OAS-25-18-032

  • January 31, 2025
    Project Announced

    Project OAS-25-18-033

  • June 11, 2025
    Project Announced

    Project OAS-25-18-108

  • July 2, 2025
    Project Complete - A-18-22-08019

    North Shore University Hospital has been marked as complete. This audit resulted in 5 recommendations.

  • Today
    4 Audits In-Progress
  • Est FY2026
    Estimated Fiscal Year for Series Completion

2 REPORTS PUBLISHED

25-A-18-015.01 to OCR - Open Unimplemented
Update expected on 05/20/2025
We recommend that the Office for Civil Rights expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule.

25-A-18-015.02 to OCR - Open Unimplemented
Update expected on 05/20/2025
We recommend that the Office for Civil Rights document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.

25-A-18-015.03 to OCR - Open Unimplemented
Update expected on 05/20/2025
We recommend that the Office for Civil Rights define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.

25-A-18-015.04 to OCR - Open Unimplemented
Update expected on 05/20/2025
We recommend that the Office for Civil Rights define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over ePHI and periodically review whether these metrics should be refined.

View in Recommendation Tracker

25-A-18-077.01 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity enforce and periodically assess compliance with its configuration and change management policy, which requires that a security impact analysis be performed for all newly deployed or modified systems, including contractor-deployed systems, and that any discovered issues or insecure configuration settings be resolved before a system is deployed or exposed to the internet.

25-A-18-077.02 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity periodically assess and update the identification and authentication controls in its systems to ensure that users are uniquely identified and authenticated; that authenticators (e.g., passwords) have sufficient strength to resist common cyberattacks against authentication controls (e.g., password spraying); and that feedback of authentication information during the authentication process is not disclosed.
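The password-spraying attack named in this recommendation has a recognisable shape in authentication logs: one source fails against many distinct accounts with only one or two attempts each, which slips under per-account lockout thresholds that would catch a brute-force attack on a single account. The following is an added detection example, not part of the OIG report or any hospital's tooling; the log format, the sample log lines, and the thresholds are assumptions made for this illustration.

```python
"""Flag password-spraying patterns in authentication logs.

Added illustration; not from the OIG report. The log line format and the
thresholds below are assumptions, and the sample log is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
#   <ISO timestamp> auth <fail|ok> user=<account> src=<source IP>
# 203.0.113.5 sprays one guess across eight accounts and lands on "heidi";
# 198.51.100.7 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth fail user=alice src=203.0.113.5
2024-03-01T08:00:04 auth fail user=bob src=203.0.113.5
2024-03-01T08:00:07 auth fail user=carol src=203.0.113.5
2024-03-01T08:00:10 auth fail user=dave src=203.0.113.5
2024-03-01T08:00:13 auth fail user=erin src=203.0.113.5
2024-03-01T08:00:16 auth fail user=frank src=203.0.113.5
2024-03-01T08:00:19 auth fail user=grace src=203.0.113.5
2024-03-01T08:00:22 auth fail user=heidi src=203.0.113.5
2024-03-01T08:00:25 auth ok   user=heidi src=203.0.113.5
2024-03-01T08:05:00 auth fail user=alice src=198.51.100.7
2024-03-01T08:05:03 auth fail user=alice src=198.51.100.7
2024-03-01T08:05:06 auth fail user=alice src=198.51.100.7
2024-03-01T08:05:09 auth fail user=alice src=198.51.100.7
2024-03-01T08:05:12 auth fail user=alice src=198.51.100.7
2024-03-01T08:05:15 auth fail user=alice src=198.51.100.7
2024-03-01T08:10:00 auth ok   user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth (fail|ok)\s+user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: alert} for sources whose failures within `window` touch at
    least `min_users` distinct accounts with at most `max_per_user` attempts
    each. A source that fails repeatedly against one account is deliberately
    not flagged here: that is brute force, which per-account lockout handles.
    A later success from a flagged source against a sprayed account is
    recorded, since it is the strongest sign the spray found a weak password.
    """
    alerts = {}
    recent_failures = defaultdict(list)  # src -> [(ts, user)] inside the window
    for ts, result, user, src in sorted(events, key=lambda e: e[0]):
        if result == "fail":
            bucket = recent_failures[src]
            bucket.append((ts, user))
            # Slide the window: drop failures older than `window` from this one.
            while bucket and ts - bucket[0][0] > window:
                bucket.pop(0)
            per_user = Counter(u for _, u in bucket)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alert = alerts.setdefault(src, {
                    "users": set(), "first": bucket[0][0], "last": ts,
                    "success_after_spray": [],
                })
                alert["users"].update(per_user)
                alert["last"] = ts
        elif src in alerts and user in alerts[src]["users"]:
            alerts[src]["success_after_spray"].append(user)
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(alert['users'])} accounts, "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, "
              f"successful logins after spray: {alert['success_after_spray']}")
```

The rule keys on distinct accounts per source rather than failures per account, which is the inverse of a lockout policy; in practice the source field should be whatever survives NAT or a proxy layer (client IP from a trusted `X-Forwarded-For`, or a session or device fingerprint), since sprays from a single NAT'd address and legitimate users behind the same NAT look alike at the IP level.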

25-A-18-077.03 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity periodically assess and update the configuration management controls in its systems to ensure that information system flaws are identified and corrected in a timely manner; that configuration settings for IT products on its systems are secure and comply with established configuration baselines; and that system functionality, including functions, ports, protocols, and services, is limited to only what is necessary.

25-A-18-077.04 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity establish a policy or process to periodically assess the security controls of its internet-accessible systems and applications against security control standards from NIST SP 800-53 or similar industry web application security standards, and to promptly resolve any identified weaknesses.

25-A-18-077.05 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity implement a policy that requires developers to follow secure coding practices for its web applications, in accordance with the Entity's approved cybersecurity framework or industry web application security best practices for coding, testing, and maintaining web applications, and establish a procedure to confirm adherence to those requirements.

View in Recommendation Tracker