5 Questions Hospital CISOs Should Ask Before the Next HHS or Joint Commission Audit
A hospital ransomware audit is not about security. It is about whether the organization can keep care moving when the systems underneath care are no longer trustworthy.
That distinction matters for the CISO and the COO. The CISO has to prove the hospital protected electronic protected health information (ePHI), contained the threat, and restored from defensible data. The COO has to prove the hospital can sustain safe clinical operations when EHR access, medication workflows, lab ordering, imaging, claims, or referral systems are impaired.
HHS has put the point in plain language: the HHS Cyber Gateway leads with “Cyber Safety is Patient Safety.” CMS emergency preparedness guidance says cyber attacks can have a massive impact on healthcare organizations and lead to a complete shutdown of operations. The Joint Commission’s Cyber Resilience Readiness program uses the same operating frame, emphasizing clinical continuity during cyber-related technology outages, not IT restoration in isolation.
What the audit has to prove
Before an HHS/OCR compliance review, CMS emergency preparedness survey discussion, breach investigation, or Joint Commission cyber resilience conversation, a hospital CISO should be able to produce evidence for five things: clinical downtime capability, ePHI system mapping, patient-care recovery data integrity, business associate recovery obligations, and exercised restoration under clinical conditions.
The five questions below are written for that evidence review. They expose whether the hospital has operational proof or only a recovery narrative.
Why this moved from IT risk to patient-care risk
The incident record is no longer theoretical. HHS OCR said the Change Healthcare attack had “unprecedented magnitude” and affected patient care and privacy, then reported that Change Healthcare had notified OCR that approximately 192.7 million individuals had been impacted as of July 31, 2025. Ascension’s FY24 management discussion said its May 8, 2024 cyberattack interrupted access to technology network systems, caused disruptions to certain clinical operations, triggered downtime procedures, and saw EHR access restored across its ministries in mid-June. CommonSpirit disclosed that its October 2022 ransomware attack had an estimated adverse financial impact of approximately $160 million, excluding potential insurance recoveries.
The threat pressure is sector-specific. HHS HC3 reported that, as of mid-March 2024, it had tracked 730 attacks against the HPH sector worldwide over the prior six months, more than 530 of them affecting the U.S. HPH sector, with nearly half ransomware-related. In the July 22, 2025 #StopRansomware Interlock advisory, the FBI, CISA, HHS, and MS-ISAC warned that Interlock actors had been observed encrypting virtual machines and conducting double extortion after exfiltrating data.
That is the context an auditor, board, insurer, or surveyor brings into the room.
1. Which clinical services can continue safely when core systems are down?
Start with clinical service, not application name. “Epic is down” is not an audit answer. “Emergency department triage, medication administration, lab ordering, radiology reads, surgery scheduling, and transfer decisions can operate for a defined downtime window under named downtime workflows” is closer.
The Joint Commission says its Cyber Resilience Readiness program evaluates whether hospitals can maintain safe patient care, coordinate clinical and leadership response during downtime, prepare staff for a substantial cyber incident, and identify risks to clinical continuity. CMS’s core emergency preparedness rule elements also include interruptions in communications, including cyber attacks, in risk assessment and emergency planning. That language matters because it pulls the CISO out of a narrow infrastructure conversation and into the COO’s world.
Ask for the last exercised downtime package by service line:
- Which clinical workflows were tested without the EHR, patient portal, pharmacy system, lab interface, PACS, or claims clearinghouse?
- Which paper or alternate workflows were used, and who reconciled them after systems returned?
- Which patient-safety risks trigger diversion, cancellation, transfer, or executive escalation?
- Which systems must be restored before the service can return from downtime to normal operation?
2. Can we map ePHI from care delivery to recovery media?
The current HIPAA Security Rule requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. The HHS Security Rule page links to the January 6, 2025 NPRM, which proposed updates to address increases in breaches and cyberattacks, common OCR investigation deficiencies, and changes in how healthcare is delivered. That NPRM is proposed rulemaking, not a final rule, but it is a useful signal of where OCR expects more concrete evidence.
Do not stop at a CMDB export. For ransomware recovery, the useful map connects ePHI to systems, dependencies, and recovery copies:
- EHR, pharmacy, lab, radiology, revenue cycle, population health, identity, and interface engines that create, receive, maintain, or transmit ePHI.
- Backup, snapshot, vault, replica, and archive locations for each system.
- Business associates and subcontractors that touch the workflow or recovery path.
- Identity, DNS, certificate, network, and device-interface dependencies required to restore the workflow.
- The owner who can approve restored data for clinical use.
HHS’s healthcare CPGs make asset inventory an enhanced goal and identify backup strategies under basic incident planning and preparedness. The audit gap is the handoff between those two. If the hospital can inventory systems but cannot trace ePHI to recoverable copies and restore dependencies, recovery planning is still incomplete.
3. Which patient-care recovery data has been validated before it is reintroduced?
Backups preserve data. They do not automatically prove the data is safe to use for medication decisions, radiology workflow, claims resubmission, or patient portal access after a compromise.
This is where hospital ransomware recovery differs from ordinary disaster recovery. A clean server boot is not enough if the restored data contains encrypted files, malware, altered scripts, tampered interface queues, or attacker-created administrative state. The risk is not only downtime. The risk is restoring data that pushes the hospital back into clinical disruption.
Ask for recovery validation evidence by clinical service:
- The newest validated recovery point for EHR, pharmacy, lab, PACS, identity, and revenue-cycle systems.
- The inspection method used before the restore was approved.
- The files, databases, objects, or volumes that were skipped, and why.
- The malware, ransomware, and encryption indicators checked.
- The evidence retained for HHS, the board, the insurer, and internal quality review.
Our post “Ransomware Recovery Starts With a Provable Clean Recovery Point” walks through this distinction in more detail. In healthcare, the same concept becomes a patient-care control: restored data should be validated before it feeds orders, results, prescriptions, billing, or portals. Our case study on proving backup integrity across 300 hospitals shows how that control can be delivered across hospital environments without placing agents on hospital systems.
4. Can we prove vendor and business associate recovery obligations before the incident?
Change Healthcare made the business associate question impossible to treat as paperwork. HHS OCR’s FAQ reminded covered entities that they remain responsible for breach notification obligations, even when a business associate is involved, and that business associates must notify covered entities without unreasonable delay and no later than 60 calendar days after discovering a breach.
The January 2025 HIPAA Security Rule NPRM also proposed a new annual Security Rule compliance audit and business associate verification obligations. HHS estimated that all regulated entities would need to conduct a Security Rule compliance audit because it would be a new requirement under proposed 45 CFR 164.308(a)(14).
For a hospital CISO, the practical question is narrower than contract language:
- Which vendors can interrupt care, claims, eligibility, pharmacy operations, imaging, patient communication, or ePHI access?
- Which vendors must provide recovery evidence, not only incident notification?
- Which contracts require restoration testing, backup integrity evidence, and recovery-time reporting?
- Which business associate reports can be produced before an audit without manually assembling screenshots?
- Which vendor dependencies sit outside the hospital’s restore test?
Our compliance page frames the output as timestamped recovery validation evidence mapped to frameworks such as HIPAA. That is the right artifact shape for vendor reviews too: a dated record tied to systems and data, not a generic attestation.
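As an added example (not code from the original post, and not Elastio's tooling), the ePHI map from question 2, the recovery-validation evidence from question 3, and the business associate dependency from question 4 can be held in one small Python model that computes a dependency-ordered restore plan and lists the evidence gaps an auditor would raise. Every system name, date, vendor, owner and recovery location below is constructed; the required-indicator set is taken from the question 3 list, and the gap rules are this editor's reading of the five questions, not a published HHS or Joint Commission checklist.

```python
"""Added example (not from the original post): an ePHI-to-recovery-copy map for one
clinical service, a dependency-ordered restore plan, and the audit-gap checks the
five questions ask for. All system names, dates, vendors and owners are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class RecoveryCopy:
    location: str                     # backup, snapshot, vault, replica or archive location
    recovery_point: date              # candidate recovery point
    inspection: Optional[str]         # method used before restore approval; None = never inspected
    indicators_checked: tuple = ()    # which of REQUIRED_INDICATORS were checked
    skipped: tuple = ()               # (object, reason) pairs left out of the restore

@dataclass
class System:
    name: str
    ephi: bool                                 # creates, receives, maintains or transmits ePHI
    depends_on: tuple = ()                     # must be restored before this system
    copies: list = field(default_factory=list)
    approver: Optional[str] = None             # owner who can approve restored data for clinical use
    business_associate: Optional[str] = None   # vendor that runs or touches the system
    in_restore_test: bool = True               # included in the last restore exercise?

# Indicators that must be checked on a recovery point before it feeds clinical workflows.
REQUIRED_INDICATORS = {"malware", "ransomware", "encryption"}

def restore_order(systems: dict) -> list:
    """Topological order over depends_on: identity, DNS and interface dependencies come
    before the workflow systems that need them. Raises on a cycle or unknown dependency."""
    order, state = [], {}          # state: 1 = visiting, 2 = done
    def visit(name):
        if name not in systems:
            raise ValueError(f"unknown dependency: {name}")
        if state.get(name) == 1:
            raise ValueError(f"dependency cycle at {name}")
        if state.get(name) == 2:
            return
        state[name] = 1
        for dep in systems[name].depends_on:
            visit(dep)
        state[name] = 2
        order.append(name)
    for name in sorted(systems):
        visit(name)
    return order

def newest_copy(system: System) -> Optional[RecoveryCopy]:
    return max(system.copies, key=lambda c: c.recovery_point) if system.copies else None

def audit_gaps(systems: dict) -> list:
    """One line per gap an auditor would raise against this service's evidence."""
    gaps = []
    for s in systems.values():
        copy = newest_copy(s)
        if copy is None:
            gaps.append(f"{s.name}: no recovery copy recorded")
        elif copy.inspection is None:
            gaps.append(f"{s.name}: recovery point {copy.recovery_point} not inspected before restore")
        else:
            missing = REQUIRED_INDICATORS - set(copy.indicators_checked)
            if missing:
                gaps.append(f"{s.name}: indicators not checked: {', '.join(sorted(missing))}")
        if s.ephi and s.approver is None:
            gaps.append(f"{s.name}: no named approver for returning ePHI to clinical use")
        if s.business_associate and not s.in_restore_test:
            gaps.append(f"{s.name}: business associate {s.business_associate} sits outside the restore test")
    return gaps

def audit_packet(service: str, systems: dict) -> dict:
    """The one-service packet: restore order, newest recovery point per system,
    skipped objects, business associates, named approvers and the gap list."""
    return {
        "service": service,
        "restore_order": restore_order(systems),
        "recovery_points": {n: newest_copy(s).recovery_point.isoformat()
                            for n, s in systems.items() if s.copies},
        "skipped": {n: newest_copy(s).skipped for n, s in systems.items()
                    if s.copies and newest_copy(s).skipped},
        "business_associates": {n: s.business_associate for n, s in systems.items()
                                if s.business_associate},
        "approvers": {n: s.approver for n, s in systems.items() if s.ephi},
        "gaps": audit_gaps(systems),
    }

# Constructed map for one service. Every name, date and vendor below is hypothetical.
SERVICE = "Emergency department medication administration"
FULL = ("malware", "ransomware", "encryption")
SYSTEMS = {
    "identity": System("identity", ephi=False, approver="Identity service owner",
        copies=[RecoveryCopy("vault-a", date(2025, 3, 1), "offline mount + scan", FULL)]),
    "dns": System("dns", ephi=False, depends_on=("identity",), approver="Network service owner",
        copies=[RecoveryCopy("vault-a", date(2025, 3, 1), "diff against golden config", FULL)]),
    "interface-engine": System("interface-engine", ephi=True, depends_on=("identity", "dns"),
        approver="Integration lead"),                      # gap: no recovery copy at all
    "ehr": System("ehr", ephi=True, depends_on=("identity", "dns", "interface-engine"),
        copies=[RecoveryCopy("vault-b", date(2025, 3, 1), "clean-room restore + scan", FULL,
                             skipped=(("audit_log_2019", "archived, out of scope"),))]),
                                                           # gap: ePHI system with no approver
    "pharmacy": System("pharmacy", ephi=True, depends_on=("identity", "interface-engine"),
        approver="Director of pharmacy",
        copies=[RecoveryCopy("vault-b", date(2025, 2, 27), "clean-room restore + scan", FULL),
                RecoveryCopy("snapshot", date(2025, 3, 1), None)]),   # gap: newest never inspected
    "claims": System("claims", ephi=True, depends_on=("identity", "dns"),
        approver="Revenue cycle director", business_associate="ClearingCo (hypothetical)",
        in_restore_test=False,                             # gap: vendor outside the restore test
        copies=[RecoveryCopy("vendor-replica", date(2025, 3, 1), "vendor attestation", ("malware",))]),
}

if __name__ == "__main__":
    packet = audit_packet(SERVICE, SYSTEMS)
    print("Restore order:", " -> ".join(packet["restore_order"]))
    for gap in packet["gaps"]:
        print("GAP:", gap)
```

Run as-is, the script prints the dependency-ordered restore plan (identity and DNS before the interface engine, the interface engine before the EHR and pharmacy) and five gap lines: the interface engine has no recovery copy, the EHR has no named approver, the newest pharmacy snapshot was never inspected, the claims copy was checked only for malware, and the claims vendor sits outside the restore test. The `audit_packet` dictionary is the shape of the one-service packet described at the end of this post; the point of modelling it is that each of those gaps is a fact about recorded evidence, not an opinion about the plan.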
5. Have we run a restore exercise under clinical conditions?
A tabletop asks whether leaders know what they would decide. A clinical restore exercise asks whether the hospital can actually operate through the decision.
The exercise should include the CISO, COO, clinical leadership, pharmacy, lab, radiology, revenue cycle, privacy, legal, communications, and the service owners for identity and network dependencies. The scenario should require a restore choice, not only a containment choice. It should force the team to decide whether a recovery point is acceptable for patient care, which services can return first, what stays in downtime, and what evidence the organization keeps.
Use a service-level exercise, not an estate-wide abstraction. For example:
- Restore the minimum viable emergency department workflow.
- Validate medication administration and reconciliation after downtime.
- Bring lab ordering and results back with interface queues intact.
- Restore PACS access with radiology reads and prior studies available.
- Reconnect claims or eligibility only after confirming the data path and business associate status.
The HHS HICP program says HICP 2023 helps organizations prepare for and fight cyber threats that can impact patient safety. The HHS CPGs include centralized incident planning and preparedness as an enhanced goal, with a focus on maintaining, drilling, and updating cyber incident response plans for relevant threat scenarios.
The restore exercise is where those ideas become evidence.
Objections worth answering before the audit
Only partly. HIPAA contingency planning is the floor. A ransomware recovery review has to prove that the data and systems being restored are trustworthy after an adversarial event, not just available after an outage.
No. HHS/OCR enforcement and Joint Commission accreditation or certification conversations are different. They are converging on the same operational question: can the hospital sustain safe care and prove the controls behind that claim?
No. Start with patient-care workflows that create the highest clinical risk if restored incorrectly: EHR, pharmacy, lab, radiology, identity, and the interfaces between them. Then expand the scope as the evidence process matures.
The audit packet to ask for this quarter
Ask the team for one packet covering one high-risk clinical service. It should include the downtime workflow, ePHI system map, last validated recovery point, skipped-data list, business associate dependency list, restore exercise result, and the named approver for returning the workflow to normal operations.
If that packet takes weeks to assemble, the audit has already found the gap.
Test your backups before the auditor does
See how Elastio surfaces which recovery points are clean enough to put back into clinical operation, with timestamped evidence mapped to HIPAA.
Sources
[1] HHS, The Security Rule.
[2] Federal Register, HHS Office for Civil Rights, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, Proposed Rule, 6 January 2025.
[3] HHS Cyber Gateway, Healthcare and Public Health Cybersecurity Performance Goals.
[4] HHS Cyber Gateway, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, HICP 2023 Edition.
[5] Joint Commission, Cyber Resilience Readiness Program.
[6] HHS OCR, Change Healthcare Cybersecurity Incident Frequently Asked Questions.
[7] HHS HC3, HC3’s Top 10 Most Active Ransomware Groups, Analyst Note, 5 April 2024.
[8] CMS, Homeland Security Threats.
[9] CMS, Core Emergency Preparedness Rule Elements.
[10] FBI, CISA, HHS, and MS-ISAC, #StopRansomware: Interlock, Joint Cybersecurity Advisory AA25-203A, 22 July 2025.
[11] Ascension, Management’s Discussion and Analysis of Financial Condition and Results of Operations for FY24, 2024.
[12] CommonSpirit Health, Unaudited Quarterly Report, December 31, 2023, 15 February 2024.
[13] Elastio, Ransomware Recovery Starts With a Provable Clean Recovery Point.
[14] Elastio, Proving Backup Integrity Across 300 Hospitals.
[15] Elastio, Compliance: NYDFS, DORA, HIPAA Recovery Evidence.