OIG: Gaps in Standards, Third-Party Oversight Put Agencies, Health Sector at Risk

Auditors say the U.S. Department of Health and Human Services should buttress its ability to respond to cyberthreats by standardizing governance and controls across its many divisions – and also do a better job of overseeing its many contractors and the risk they introduce.
Fractured cybersecurity practices, with controls that vary across divisions and programs, “complicate HHS’s preparedness efforts to prevent or respond to cybersecurity risks,” wrote the HHS Office of Inspector General in one of two new reports published this week.
Auditors noted improvements but said that the consolidation of cybersecurity functions “is often still dependent on each division and program.”
In addition, third-party risks, posed by legions of contractors and other third-party vendors, complicate matters further. “Cybersecurity solutions must be implemented not just within the department but also by the thousands of HHS contractors, grantees and other external entities,” auditors wrote.
Auditors also included cybersecurity risk management as a top priority in a semiannual report this week to Congress. A successful cyberattack could jeopardize departmental operations and also potentially compromise the health and welfare of the individuals HHS serves.
Improved departmental cybersecurity is a longstanding concern. “HHS faces persistent cybersecurity threats that exacerbate challenges related to how the Department uses data and technology essential to accomplishing its mission,” auditors underscored in a November 2025 report (see: Inspector General Flags Security Gap in NIH Genomics Project).
Auditors say the current state of cybersecurity at HHS is not entirely the department’s fault. “Challenges remain that the department has limited authorities or resources to address, including the industry’s reliance on legacy technology and workforce challenges.”
Nor do out-of-date cybersecurity and data privacy regulations help.
HHS’s ability to enforce “the decades-old HIPAA Privacy Rule and HIPAA Security Rule – may not be sufficient to address contemporary privacy concerns of protecting health information or increased risks to the security of electronic protected health information,” auditors wrote.
“Working within the statutory authorities established by HIPAA in 1996, HHS must adapt as privacy and security needs evolve.”
The department’s Office for Civil Rights in the final days of the Biden administration issued a proposed overhaul of the HIPAA Security Rule, which dates to 2003, and in the final days of the first Trump administration similarly issued proposed modifications to the HIPAA Privacy Rule, which dates to 2000.
Both proposals remain on HHS’s current regulatory agenda, but so far OCR has not publicly disclosed how it plans to proceed with finalizing either rule (see: Health Data Privacy, Cyber Regs: What to Watch in 2026).
An HHS spokesperson said the department is already addressing many of the issues spotlighted in the OIG reports.
“HHS is streamlining its IT and cybersecurity systems to better serve the Department and the American people, modernizing outdated, Biden-era systems, to improve security, efficiency and accountability across HHS,” the spokesperson said.
