Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Audit of the Effectiveness of HHS's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks

Ransomware, destructive malware, insider threats, and even honest mistakes present an ongoing threat to U.S. hospital operations and the security of electronic protected health information (ePHI). The more quickly and effectively hospitals detect and respond to attacks that may affect the availability and integrity of their data, the more likely they may avoid service disruptions that could potentially affect patient data or lives and save time and money that would be required to recover from such attacks. In recent years, multiple hospitals have fallen prey to significant cyberattacks, including ransomware attacks during the COVID-19 pandemic that have impacted hospital operations and patient care. In October 2020, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services (HHS)issued a joint cybersecurity advisory regarding ransomware activity targeting the health care and public health sector. The advisory stated that threat actors have continued to develop new functionality and tools, thereby increasing the ease, speed, and profitability of ransomware attacks. HHS-OIG will audit HHS's governance over its programs to determine whether HHS's Office of Civil Rights (OCR) has performed periodic audits of hospitals to assess compliance with Health Insurance Portability and Accountability Act(HIPAA) Security, Privacy, and Breach Notification rules and determine whether these audits effectively assessed ePHI protections. In addition, we will determine whether CMS's certification process for participation in the Medicare program requires hospitals participating in the Medicare program to implement minimum security safeguards to prevent and detect cyberattacks, ensure continuity of patient care, and protect beneficiary data. We will also conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements or effective cybersecurity measures to prevent, detect, and recover from cyberattacks.

Announced or Revised Agency Title Component Report Number(s) Expected Issue Date (FY)
Revised HHS, OCR, CMS Audit of the Effectiveness of HHS's Governance To Ensure Hospitals Implement Measures To Prevent, Detect, and Recover From Cyberattacks Office of Audit Services W-00-21-42035 2025