HHS OIG: Hospital Cybersecurity Controls Need Improvement
Summary
The HHS Office of Inspector General (OIG) issued a report finding that a large southeastern hospital needs to improve its cybersecurity controls, particularly for web applications. The OIG made four recommendations to enhance defenses against cyberattacks, which the hospital has concurred with.
What changed
The HHS Office of Inspector General (OIG) has identified significant cybersecurity control weaknesses at a large southeastern hospital, as detailed in a report issued January 30, 2026. The audit found that an account management web application lacked strong user identification and authentication controls, such as multi-factor authentication, and that an internet-facing web application lacked adequate data input validation and protection from web-based attacks. The OIG issued four recommendations to address these weaknesses: implementing stronger authentication, periodically assessing authentication controls, assessing the need for web application firewalls, and using a wider array of security testing tools.
These findings highlight potential risks to patient data and care continuity due to inadequate cybersecurity measures. While the hospital has concurred with the recommendations, the report implies a need for other healthcare providers to review their own cybersecurity postures, particularly concerning web application security and authentication protocols. The recommendations are expected to be implemented by July 29, 2026, indicating a need for compliance officers in similar organizations to ensure their systems meet these enhanced security standards to prevent similar vulnerabilities.
What to do next
- Review and strengthen user identification and authentication controls, including multi-factor authentication, for all internet-accessible web applications.
- Assess the need for and implement web application firewalls or similar automated technical solutions to protect against web-based attacks.
- Enhance security testing processes to include a wider array of tools and techniques before deploying updates to production systems.
Source document (simplified)
A Large Southeastern Hospital Could Improve Certain Security Controls to Enhance Its Ability to Prevent and Detect Cyberattacks
Issued on 01/30/2026 | Posted on 02/02/2026 | Report number: A-18-22-08021
Why OIG Did This Audit
- Health care’s growing reliance on information technology for patient care, telemedicine, and records has heightened vulnerability to cyberattacks. HHS has an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and health care delivery from cyberattacks.
- This audit examined whether a large hospital in the southeast United States (referred to as the “Entity”) had implemented cybersecurity controls to (1) prevent and detect cyberattacks, (2) ensure continuity of patient care in the event of a cyberattack, and (3) protect Medicare enrollee data.
What OIG Found
The Entity implemented cybersecurity controls to protect against cyberattacks, ensure the continuity of patient care in the event of a cyberattack, and protect Medicare enrollee data. However, the Entity could improve specific cybersecurity controls to further strengthen its defenses against cyberattacks. Among the four internet-accessible web applications analyzed, our testing showed that:
- An account management web application had a cybersecurity control weakness related to access. Specifically, the web application lacked strong user identification and authentication controls, such as multi-factor authentication. As a result, we were able to use login credentials captured from our phishing campaign to gain account management access.
- An internet-facing web application had a cybersecurity control weakness related to system and information integrity. Specifically, the web application lacked strong data input validation controls and did not employ adequate protections, such as a web application firewall, to detect and block web-based attacks. As a result, the application may have been susceptible to injection attacks, including the insertion of malicious code by threat actors.
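The second finding pairs two controls, input validation and a query that cannot be altered by user-supplied text. The following is an added example written for this page, not code from the OIG report or the audited Entity, and it uses a constructed in-memory SQLite table with made-up account names. It contrasts a lookup built by string concatenation with one that validates the username against an allowlist pattern and then binds it as a query parameter.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the audit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "clerk"), ("bob", "admin"), ("carol", "clerk")],
    )
    conn.commit()
    return conn


def lookup_role_unsafe(conn, username):
    # Weak pattern: the user-supplied value is spliced into the SQL text,
    # so quote characters in the input change the query's meaning.
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allowlist for account names: lowercase letter, then up to 31 of [a-z0-9_.-].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")


def is_valid_username(username):
    # Input validation as a positive allowlist rather than a blocklist of bad characters.
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup_role_safe(conn, username):
    # Hardened pattern: reject anything outside the allowlist, then bind the value
    # as a parameter so the database driver never parses it as SQL syntax.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    # Runs both lookups on the same input and reports what each returned,
    # so the difference between the two patterns is visible on one line.
    conn = make_db()
    unsafe_rows = lookup_role_unsafe(conn, username)
    try:
        safe_rows = lookup_role_safe(conn, username)
    except ValueError as exc:
        safe_rows = str(exc)
    return {"input": username, "unsafe": unsafe_rows, "safe": safe_rows}


if __name__ == "__main__":
    print(compare("alice"))
    # A quote character in the input is enough to show the two paths diverge.
    print(compare("' OR '1'='1"))
```

The point for a reviewer is that the allowlist check and the bound parameter are independent layers: the parameterised query alone would already stop the query from being altered, and the allowlist alone would already reject the stray quote; a web application firewall, as the report's third recommendation suggests, would sit in front of both as a further layer rather than a replacement for either.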
What OIG Recommends
We made four recommendations to the Entity to improve its cybersecurity controls by strengthening its practices for safeguarding the Entity’s systems, including internet-accessible websites and applications, from cyberattacks. The full recommendations are in the report.
The Entity concurred with all four of our recommendations.
Recommendation Details (4)
- 26-A-18-035.01 (to CMS; status: Open, Unimplemented; update expected 07/29/2026): We recommend that the Entity implement strong user identification and authentication controls for the account management web application we exploited.
- 26-A-18-035.02 (to CMS; status: Open, Unimplemented; update expected 07/29/2026): We recommend that the Entity periodically assess and update user identification and authentication controls across the Entity's systems, including internet-accessible websites and applications.
- 26-A-18-035.03 (to CMS; status: Open, Unimplemented; update expected 07/29/2026): We recommend that the Entity assess all web applications to determine whether any need an automated technical solution (e.g., a web-application firewall) implemented as an extra layer of security to detect and block malicious web traffic and attempts to exploit web application vulnerabilities.
- 26-A-18-035.04 (to CMS; status: Open, Unimplemented; update expected 07/29/2026): We recommend that the Entity utilize a wider array of security testing tools and techniques to better detect vulnerabilities in applications before updating production systems, such as dynamic application testing tools, static application testing tools, and manual, interactive testing, as part of its security testing process prior to deploying updates to internet-accessible production systems.
Report Type: Audit | HHS Agencies: Centers for Medicare and Medicaid Services | Issue Areas: Hospitals; Information Technology and Cybersecurity | Target Groups: – | Financial Groups: Medicare A
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.