The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) posted a new report on July 11, 2025, which found that a large hospital in the northeastern United States could improve certain cybersecurity controls to better prevent and detect cyberattacks.
The audit, issued on July 2, 2025, assessed whether the hospital (referred to as the “Entity”) had implemented cybersecurity controls to prevent and detect cyberattacks, ensure continuity of patient care in the event of a cyberattack, and protect Medicare enrollee data. While the Entity had taken steps to maintain patient care continuity and safeguard enrollee data, OIG identified weaknesses in its ability to prevent and detect cyber threats.
Of the 26 internet-accessible systems analyzed, two had weaknesses that could allow unauthorized user access. Additionally, 13 web applications and 16 internet-accessible systems were found to be susceptible to interactions and manipulations by attackers due to inadequate cybersecurity controls.
OIG made five recommendations to the Entity, including enforcing configuration management policies, assessing and updating authentication and configuration management controls, regularly assessing internet-accessible systems for vulnerabilities, and ensuring that developers follow secure coding practices. The Entity concurred with all five recommendations.
The report notes that healthcare organizations continue to face growing cyber threats due to their reliance on information technology systems for patient care, telemedicine, and records management. In 2022 alone, HHS received reports of 64,592 data breaches affecting nearly 42 million healthcare records.
You can read the full report here.
Compliance Perspective
Issue
Cyberattacks targeting healthcare organizations have increased in frequency and complexity. These attacks can compromise sensitive data, disrupt care delivery, and jeopardize resident safety. As healthcare facilities continue to rely on electronic health records (HER), telemedicine, and other technologies, it is essential to maintain strong cybersecurity measures in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and evolving sector guidance. This includes implementing access controls, secure coding practices, vulnerability assessments, and robust incident response protocols.
Discussion Points
- Review and update your facility’s policies and procedures related to cybersecurity, electronic protected health information (ePHI) protection, system access, and software configuration. Ensure that current cybersecurity guidance, such as authentication protocols and secure coding standards, are reflected in your documentation and system management practices.
- Train all staff on cybersecurity awareness, with a focus on secure use of electronic systems, recognizing phishing or other social engineering attacks, and understanding their role in protecting resident data. Provide additional education on secure development and access practices to any staff involved in IT, EHR systems, or data management.
- Periodically audit all internet-accessible systems, applications, and electronic processes to identify potential vulnerabilities. Audit staff understanding of cybersecurity protocols and ensure that any weaknesses in system configuration or access management are addressed.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*