On July 11, 2025, the U.S. Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) posted a report that announced the findings of a cybersecurity audit it conducted of a large Northeastern hospital, the identity of which OIG did not disclose in order to avoid increasing cyber risk to the entity.[1] While its findings and recommendations generally align with what might be expected in such a review, it is notable that OIG was the auditing agency. OIG’s involvement in an audit premised largely on the regulatory requirements of the HIPAA Security Rule is a departure from prior operations. Historically, such endeavors have been the purview of the HHS Office for Civil Rights (“OCR”), which is the office tasked by law with enforcing HIPAA.
OIG’s involvement in the recently reported audit (as well as OIG’s November 2024 report finding that OCR should enhance its HIPAA audit program[2]) raises questions regarding the scope and frequency of audits that covered entities may expect. This report seemingly arose out of the OIG’s 2025 Work Plan item designed to determine whether OCR has performed periodic audits of hospitals to assess compliance with HIPAA and to ensure hospitals implement measures to effectively prevent, detect, and recover from cyberattacks. As part of this active Work Plan item, OIG stated it would conduct security assessments at 10 U.S. hospitals to determine whether they have adequately implemented HIPAA security requirements and effective cybersecurity measures.[3] Indeed, the most recent hospital audit report acknowledged that this was “one in a series” of similar OIG audits of hospitals’ cybersecurity controls. Thus, hospitals should be aware that they could receive similar informational probes from OIG, and the consolidated results of such audits and OIG’s findings could result in increased future audit activity from OCR.
Hospital Audit Overview
The audit examined whether the hospital had implemented cybersecurity controls to: (1) prevent and detect cyberattacks; (2) ensure continuity of patient care in the event of a cyberattack; and (3) protect Medicare enrollee data.
OIG found that the hospital had implemented cybersecurity controls, but such controls could be improved to better prevent and detect cyberattacks. The report noted that, of 26 internet-accessible systems analyzed, two had weaknesses in their cybersecurity controls that could allow unauthorized user access. Additionally, 13 web applications and 16 internet-accessible systems were susceptible to cyberattacks. To improve cybersecurity measures, OIG recommended that the hospital:
- Enforce configuration management policies;
- Assess and update authentication controls;
- Assess and update configuration management controls;
- Conduct regular assessments of internet-accessible systems for vulnerabilities; and
- Ensure that developers follow secure coding practices.
OIG’s Stated Purpose and Legal Basis for the Audit
OIG expressed a concern that healthcare organizations have become more vulnerable to cyberattacks as they have increasingly relied on information technology systems for patient care, telemedicine, and records management. This issue is made worse by the absence of a “required, unified, and robust cybersecurity framework across the health sector.” The agency warned that the large number of cyberattacks against healthcare organizations in recent years raises questions about whether HHS, including the Centers for Medicare & Medicaid Services, “can do more with its cybersecurity guidance, oversight, and outreach to help health care organizations implement robust cybersecurity controls to improve their cybersecurity measures.”
OIG noted that the HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, availability, and security of electronic Protected Health Information (“ePHI”).[4] The report also notes that Medicare conditions of participation require hospitals to comply with all federal laws and regulations, including the HIPAA Security Rule.[5] The report suggests that OIG may interpret these legal authorities as a basis through which it is empowered to audit a healthcare organization’s cybersecurity measures.
Takeaways
The audit follows a November 2024 report in which OIG evaluated the effectiveness of the OCR HIPAA Audit Program.[6] There, OIG found deficiencies in the program, including:
- The implementation of the audit program was too narrowly scoped to effectively assess ePHI; and
- OCR’s oversight of the program was not effective at improving cybersecurity protections for covered entities and business associates.
The audit report states that this is just one in a series of audits of hospitals’ cybersecurity measures that OIG is conducting. OIG’s decision to audit a covered entity’s cybersecurity protocols, together with its plans to conduct similar audits in the future, suggests that OIG intends to play a more active role in evaluating data privacy and security measures, an area of healthcare compliance that has historically been the purview of OCR. This is particularly significant because cybersecurity audits for covered entities and business associates have been rare under OCR’s HIPAA Audit Program. As OIG becomes increasingly involved in this space, healthcare organizations, and hospitals in particular, are advised that the frequency and nature of cybersecurity audits may be subject to change.
[1] OIG, A Large Northeastern Hospital Could Improve Certain Security Controls for Preventing and Detecting Cyberattacks (July 2025), available at https://oig.hhs.gov/reports/all/2025/a-large-northeastern-hospital-could-improve-certain-security-controls-for-preventing-and-detecting-cyberattacks/.
[2] OIG, The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information (Nov. 2024).
[3] OIG, Work Plan Summary, available at https://oig.hhs.gov/reports-and-publications/workplan/summary/wp-summary-0000588.asp.
[4] 42 C.F.R. part 165, subparts A and C.
[5] 42 C.F.R. § 482.11.
[6] OIG, The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information (Nov. 2024), available at https://oig.hhs.gov/reports/all/2024/the-office-for-civil-rights-should-enhance-its-hipaa-audit-program-to-enforce-hipaa-requirements-and-improve-the-protection-of-electronic-protected-health-information/.