Skip to main content

How A Cybersecurity Audit Can Identify Risk of Compromise

Analysis  |  By Jasmyne Ray  
   June 19, 2024

Audits can identify security risks and vulnerabilities.

While some organizations are still recovering from the effects of the Change Healthcare cyberattack, others are working to develop a robust cybersecurity infrastructure.

As these attacks become more sophisticated and the extent of their damage grows, organizations must be vigilant when it comes to patient data and information.

When conducting cybersecurity audits, the HHS Office of Inspector General (OIG) uses their findings to provide recommendations to help strengthen the subject’s security. For example, in a recent audit of the office’s Administration for Children and Families division, OIG found that data hosted in certain systems were at a high risk of compromise due to the following:

  • Cloud computing assets weren’t identified and inventoried accurately.
  • While there were some security controls in place, several others weren’t implemented in accordance with federal requirements/guidelines.
  • ACF didn’t perform adequate cloud and web application technical testing techniques against its systems.

In addition to reviewing ACF’s cloud computing assets, OIG looked at the configuration of the division’s scanners, performed internal, external, and web application penetration tests, and even conducted two simulated phishing campaigns.

“We made a series of recommendations to ACF to improve its security controls over cloud information systems, including that it update and maintains a complete and accurate inventory,” OIG said in a statement on the audit.

Other recommendations included getting security controls up to federal standards and using cloud security assessment tools to identify misconfigurations and weak cybersecurity controls in its cloud infrastructure.

Some organizations use multiple vendors for things like electronic health records, remote patient monitoring, and even to complete revenue cycle processes. Cloud computing assets can store vendor software and data but, as the OIG’s audit showed, lax security controls can increase their risk of being compromised.

Adam Zoller, chief information officer at Providence Health, previously explained the challenge of aligning healthcare’s cybersecurity standards with vendors.

“As a large hospital system, we are relying on hundreds of third parties,” he said. “And when some of those devices are 100% vendor-managed, they often won’t modify anything.”

Jasmyne Ray is the revenue cycle editor at HealthLeaders. 


Part of OIG's audit involved simulating a phishing campaign to get into the Administration for Children and Families division's cloud computing assets.

Organizations using technological solutions from a vendor or third-party must ensure the security controls are up to standard.

Get the latest on healthcare leadership in your inbox.