
A Large Northeastern Hospital Could Improve Certain Security Controls for Preventing and Detecting Cyberattacks

Issued on  | Posted on  | Report number: A-18-22-08019

Why OIG Did This Audit

  • Health care’s growing reliance on information technology for patient care, telemedicine, and records has heightened vulnerability to cyberattacks. HHS has an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and health care delivery from cyberattacks.
  • This audit examined whether a large hospital in the northeast United States (referred to as the “Entity”) had implemented cybersecurity controls to (1) prevent and detect cyberattacks, (2) ensure continuity of patient care in the event of a cyberattack, and (3) protect Medicare enrollee data.

What OIG Found

The Entity implemented cybersecurity controls to ensure continuity of patient care in the event of a cyberattack and protect Medicare enrollee data. However, it could improve specific cybersecurity controls to better prevent and detect cyberattacks. We found:

  • Among the 26 internet-accessible systems analyzed, 2 had weaknesses in their cybersecurity controls that could allow unauthorized user access.
  • 13 web applications and 16 internet-accessible systems had weaknesses in their cybersecurity controls that left them susceptible to interaction and manipulation by attackers.

What OIG Recommends

We made five recommendations to the Entity to improve its cybersecurity measures, including that it enforce configuration management policies, assess and update authentication controls, assess and update configuration management controls, conduct regular vulnerability assessments of internet-accessible systems, and ensure that developers follow secure coding practices. The full recommendations are in the report.

The Entity concurred with all five of our recommendations.

25-A-18-077.01 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity enforce and periodically assess compliance with its configuration and change management policy, which requires that a security impact analysis be performed for all newly deployed or modified systems, including contractor-deployed systems, and that any discovered issues or insecure configuration settings are resolved before a system is deployed or exposed to the internet.

25-A-18-077.02 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity periodically assess and update the identification and authentication controls in its systems to ensure that users are uniquely identified and authenticated; that authentication mechanisms and authenticators (e.g., passwords) are strong enough to withstand common attacks against authentication controls (e.g., password spraying); and that authentication information is not disclosed in feedback during the authentication process.
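Two of the controls named in this recommendation are concrete enough to show in code: detecting a password-spraying campaign (one source trying one or two guesses against many accounts, which per-account lockout does not catch) and returning authentication feedback that does not reveal whether an account exists. The block below is an added illustration and is not code from the OIG report or from the audited Entity; the log lines, the user store, and the `detect_password_spray` and `authenticate` functions are constructed for the example, and the thresholds (10-minute window, 5 distinct usernames) are assumptions a defender would tune to their own environment.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the audit).
# Fields: ISO-8601 timestamp, source IP, username, outcome.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:03Z 203.0.113.7 bob FAIL
2024-03-01T09:00:05Z 203.0.113.7 carol FAIL
2024-03-01T09:00:07Z 203.0.113.7 dave FAIL
2024-03-01T09:00:09Z 203.0.113.7 erin FAIL
2024-03-01T09:00:11Z 203.0.113.7 frank FAIL
2024-03-01T09:00:13Z 203.0.113.7 grace SUCCESS
2024-03-01T09:05:00Z 198.51.100.20 alice FAIL
2024-03-01T09:05:02Z 198.51.100.20 alice FAIL
2024-03-01T09:05:04Z 198.51.100.20 alice SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, src, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: distinct_users_failed} for sources whose failed logins
    span at least `min_users` distinct usernames inside any `window`.
    Keyed on distinct usernames rather than attempt count, because a spray
    stays under per-account lockout thresholds by design."""
    fails_by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all events fit in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


# --- Non-disclosing authentication feedback (NIST SP 800-53 IA-6 style) ---

def _hash_password(password, salt):
    # Iteration count is an assumption for the example; tune to your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # example only; real code uses a random per-user salt
USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}

# A dummy credential is verified for unknown usernames so that response time does
# not differ between "no such user" and "wrong password".
_DUMMY = (_SALT, _hash_password(secrets.token_hex(16), _SALT))

GENERIC_FAILURE = "Invalid username or password."


def authenticate(username, password):
    """Return (ok, message). The failure message is identical whether the
    username is unknown or the password is wrong, and a hash comparison runs
    in both cases, so neither the text nor the timing enumerates accounts."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = matched and username in USERS
    return (ok, "OK" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    print(detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG)))
    print(authenticate("alice", "wrong"), authenticate("nobody", "wrong"))
```

On the sample log, `203.0.113.7` fails against six distinct usernames in twelve seconds and is flagged, while `198.51.100.20` (repeated failures against a single account) is not; the latter is the brute-force pattern that account lockout already covers. A production detector would also correlate across many source addresses, since sprays are routinely distributed to stay under per-source thresholds.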

25-A-18-077.03 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity periodically assess and update the configuration management controls in its systems to ensure that information system flaws are identified and corrected in a timely manner; that configuration settings for IT products on its systems are secure and comply with established configuration baselines; and that system functionality, including functions, ports, protocols, and services, is limited to only what is necessary.

25-A-18-077.04 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity establish a policy or process to periodically assess its internet-accessible systems and applications security controls against security control standards from NIST SP 800-53 or similar industry web application security standards and promptly resolve any identified weaknesses.

25-A-18-077.05 to CMS - Open Unimplemented
Update expected on 01/01/2026
We recommend that the Entity implement a policy that requires developers to follow secure coding practices for its web applications, in accordance with the Entity's approved cybersecurity framework or industry web application security best practices for coding, testing, and maintaining web applications, and establish a procedure to confirm adherence to those requirements.
