
OIG calls on HHS to strengthen cybersecurity across divisions

In an annual report, OIG highlighted persistent healthcare cybersecurity challenges and urged HHS to unify its approach to cybersecurity across the department.

HHS must address the persistent cybersecurity threats facing the healthcare sector and adapt its approach to cybersecurity within the department in order to combat increasingly sophisticated cyberthreats, the Office of Inspector General, or OIG, suggested in a new report. 

As required by statute, OIG releases an annual report on the top management and performance challenges facing HHS. The report aims to help HHS improve the effectiveness of its programs.  

Significant workforce reductions and program changes added strain to HHS's workflows in 2025, the report suggested. OIG identified five top challenges impacting the department that it can work on in 2026 and beyond: financial integrity, Medicare and Medicaid, public health, beneficiary safety and cybersecurity.

On cybersecurity, OIG acknowledged that HHS faces persistent threats. What's more, the scale of HHS's IT environments requires a complex and thorough approach to cybersecurity in order to address a range of risks as well as the specific data and technology needs of each HHS division.

"Disparate organizational approaches to cybersecurity that vary by division and program within the Department and across the Government complicate HHS’s preparedness efforts to prevent or respond to cybersecurity risks," the report noted.  

"The Department has taken steps to consolidate functions related to cybersecurity and improve its cybersecurity overall, but progress is often still dependent on each division and program." 

In addition to encouraging a unified approach to cybersecurity across all HHS divisions, OIG stressed that adequate cybersecurity solutions must be implemented by the thousands of HHS contractors and external entities. 

Effective cybersecurity programs are not one-size-fits-all, OIG acknowledged. Each division within HHS will have to implement solutions that mitigate the cyberthreats specific to it, which can be particularly challenging for smaller entities. Establishing clear expectations and guidelines, modernizing program rules and maintaining proper oversight will be crucial to success.

OIG also suggested that HHS's ability to enforce HIPAA "may not be sufficient to address contemporary privacy concerns of protecting health information or increased risks to the security of electronic protected health information." 

HHS must rise to the challenge of adapting its HIPAA enforcement strategies, within the confines of the 1996 law, as privacy and security threats become more complex. 

In addition to tackling cybersecurity concerns, OIG tasked HHS with preventing, reducing and recovering improper payments, combating fraud, waste and abuse within Medicare and Medicaid, preventing chronic disease and ensuring the health and safety of beneficiaries. 

"Addressing HHS’s top management and performance challenges will support high-quality care and services, ensure careful stewardship of taxpayer dollars, and mitigate fraud and other risks so that programs operate as intended," the report concluded. 

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
