Strengthen internal audits in healthcare: proactive strategies for compliance, risk, and data security

Imagine the drama, tension, and urgency of your favorite medical drama. The characters are medical students and residents working in an understaffed, underfunded, and overcrowded ER. There is never enough time to make thoughtful decisions that impact patient care, all while working in a setting with insufficient resources. Each decision is critical, and every delay can have life-altering impacts on patients, which takes a heavy toll on the healthcare providers.

Pursuing stability in chaos is our everyday reality. For internal audit teams working in the healthcare sector, even if the narrative lacks the TV drama, the tasks are very real, and the stakes are still very high. Internal audit has to operate under various external rules and regulations, find compliance even within growing cybersecurity risk, maintain financial accuracy, and at the same time drive operational efficiencies in an industry that never stops running. Although the challenges may seem daunting, the internal audit function is best suited to support and empower their organizations to flourish amidst a complex environment through resilience and innovation.

Let’s now explore the challenges faced by the healthcare internal audit function and some practical ways of consistently meeting the standards of compliance, risk, and efficiency. By discovering new ways of working and leveraging modern technologies, internal audit can help build their organization’s resiliency for the future while safeguarding the health of our patients.

1. Regulatory compliance: navigating the ever-changing rules of healthcare

The healthcare industry operates in an extraordinarily complicated regulatory landscape, including regulations like HIPAA, HITECH, HITRUST, FCA, and others.

• Health Insurance Portability and Accountability Act (HIPAA): U.S. federal standards governing the privacy of patient health information.
• Health Information Technology for Economic and Clinical Health (HITECH) Act: U.S. federal law to promote the adoption and use of electronic health records by healthcare organizations.
• Health Information Trust Alliance Common Security Framework (HITRUST CSF): A cybersecurity framework assists organizations, primarily in healthcare, in safeguarding and managing sensitive data, including protected health information (PHI).
• Anti-Kickback Statute and Stark Law: U.S. federal laws prohibiting certain financial relationships in the healthcare industry to avoid healthcare abuse and fraud.

According to Deloitte, healthcare will continue to be a focus for regulators because of its importance to the economy, budgets, and labor markets. The pace of regulatory change isn’t slowing down by while the challenges are not going away completely, with the right strategies, internal audit can help their organizations stay ahead of the curve. Here’s how:

• Focus on high-risk areas: Prioritize areas of compliance with the greatest risk, like fraud prevention, patient privacy, cybersecurity, and billing, to name a few. For example, by regularly analyzing Medicare claims, organizations can identify inconsistencies early and avoid costly penalties.
• Engage regulators early: Establishing connections with regulators is beneficial because it can allow you to anticipate changes early. Deloitte advises that healthcare organizations should regularly monitor legislative activity and align their compliance strategies to the changing priorities of regulatory bodies. Regularly reviewing legislative briefings or monitoring updates can ensure your compliance program evolves alongside regulatory requirements.
• Work collaboratively: To effectively address compliance, you need to work collaboratively with your legal, compliance, and IT teams to ensure everyone is aligned on priorities that apply to regulatory challenges. Monthly cross-department meetings can improve communications and reduce friction and ensure seamless compliance efforts.

2. Data security: combating sophisticated cyber threats

Cyber threats are not new to healthcare, but they are evolving and escalating faster than ever. Protiviti’s 2025 Top Risks Survey states that some of the highest operational risks in healthcare are related to expanding cyber threats due to ransomware, phishing schemes, and third-party fraud vulnerabilities in connected medical devices. Compounding these concerns is the presence of artificial intelligence (AI), which can be both a tool for protection and a weapon for attack. Yet, with proactive measures, healthcare organizations can effectively safeguard their data and systems.

One of the most effective strategies is adopting advanced AI tools. AI can quickly sift through large data sets to discover relationships and identify vulnerabilities. AI is also able to use algorithms designed to help monitor compliance related to cybersecurity frameworks like HIPAA. KPMG points out that GenAI is well-suited for both anomaly detection and augmenting threat response. By using AI-powered software, organizations can quickly detect unusual activity and respond before breaches occur. This proactive approach not only protects data but also strengthens trust.

Third-party risks are another critical focus area. Many healthcare organizations rely on external vendors, which introduces a multitude of risks and vulnerabilities. It is key that every health organization evaluate and audit vendors’ compliance with respective data security standards. Protiviti’s 2024 Top Risks in the Healthcare Industry shows that there is continued concern that third-party risks may prevent organizations from meeting targets or negatively impact their brand image. Conducting regular vendor audits and requiring cybersecurity compliance questionnaires can highlight vulnerabilities, helping organizations build stronger, more secure partnerships.

Finally, preparing for potential breaches are essential. Simulated breach exercises, such as ransomware attach scenarios, can help teams identify weaknesses and improve recovery times. According to EY, exercising incident response plans will identify weaknesses organizations have when responding to real-life cyber threats. Proactively testing different types of simulated ransomware attacks can assist teams in identifying and closing response gaps and improve recovery times.

3. Financial accuracy: mitigating fraud and billing errors

Billing fraud, miscoding, and financial mismanagement remain a primary risk for healthcare organizations. According to KPMG, AI and data analytics can help internal audit enhance fraud detection, gain deeper insights for risk assessments, and perform continuous auditing. But with the right tools and strategies, internal auditors can turn these challenges into opportunities for improvement. Here’s how.

• Leverage predictive analytics solutions like AuditBoard Analytics allow organizations to review billing data at scale, identifying risks like incorrect coding or fraudulent billing early. Analytics gives internal audit the ability to proactively identify unique risks early and stop them before they become costly non-compliance or, worse, lost revenue. By analyzing billing data on a frequent basis (e.g., monthly), patterns of fraud or error can be detected and addressed before they escalate.
• Standardize financial controls: Consistently updating policies and providing continual training on coding and billing practices can reduce errors and increase reimbursements. For example, implementing a standardized billing manual and hosting semiannual training ensure all staff are aligned on best practices.
• Monitor emerging fraud trends: Staying informed about new fraudulent schemes, such AI-enabled phishing attacks on financial systems, allows internal audit and its business partners to adjust and improve their strategies. Subscribing to industry fraud alerts and updating fraud detection methods can help organizations stay one step ahead.

By leveraging predictive analytics, standardizing financial controls, and monitoring fraud trends, healthcare organizations can achieve financial sustainability while enhancing compliance.

4. Operational efficiency: breaking down silos and streamlining processes

Healthcare internal audit teams often struggle with inefficiencies caused decentralized systems and manual workflows. Operational efficiency is a top priority for organizations, especially given the increasing cost of labor and future workforce shortages.

One solution is to centralize audit tools. Platforms such as AuditBoard enable real-time collaboration across departmental silos, reducing administrative burden and minimizing inefficiencies that can result from multiple data streams. By centralizing information into one platform, organizations and internal audit teams can simplify reporting and align teams around shared goals.

Another important strategy is to automation. Automating routine tasks like control testing allows internal audit to focus on higher-value work. According to EY, automation enhances accuracy by limiting human error, leading to consistent and reliable results, while enabling real-time monitoring, allowing for timely detection and remediation of issues.

Collaboration across the organization is a key component. Partnerships between IT, compliance, and clinical teams are essential for aligning organizational goals and risk priorities, including cybersecurity and regulatory compliance. For instance, forming cross-functional task forces help tackle shared priorities like cybersecurity and compliance more effectively.

By centralizing technology solutions, automating tasks, and collaborating across the organization, you create a better operating environment for internal audit.

5. Today’s advanced technologies: transforming healthcare auditing

The healthcare sector is embracing a variety of powerful technologies that are transforming how risks are managed, compliance is monitored, and operational effectiveness is achieved. These technologies are helping internal audit transform their roles and deliver greater value.

Generative AI is one of the most transformative technologies for internal audit. Generative AI (GenAI) can analyze unstructured data, such as patient records, and identify risks and generate actionable insights. Internal audit teams are already using secured GenAI tools to analyze patient records to identify patterns of fraud, streamline compliance monitoring, and lessen administrative burdens. Using AI to automate compliance reporting reduces time spent on manual tasks, freeing up resources for strategic initiatives.

Real-time risk monitoring is another critical advancement. Visibility into emerging risks is essential, which is why dashboards and risk monitoring solutions aid internal audit teams in tracking risks are they arise, identifying risk trends, enabling teams to respond quickly. Having a connected risk platform can centralize data from across the organization, including vendor performance metrics, compliance reports, and cybersecurity monitoring. Configuring alerts for vendor compliance or cybersecurity issues ensures nothing falls through the cracks.

Third-party risk management has been revolutionized by automation. As healthcare organizations increasing rely on outside vendors, the need for vendor oversight has grown. Automating vendor risk management helps organizations monitor compliance with regulatory requirements and contractual obligations and address issues proactively. Consolidating vendor data into a one system improves vendor oversight and reduces administrative burdens.

Through the automation of third-party risk management, internal audit gains the ability to manage vendor risk efficiently, allowing them to focus on strategic initiatives that drive organizational success.

A proactive approach to healthcare auditing

Internal audit teams in the healthcare sector are vital to their organizations amidst growing risk and complexity, much like the doctors and nurses on your favorite TV medical drama. As internal audit respond to compliance regulations, threats to cybersecurity demands, increased workforce shortages, and employer actions to avoid rising costs to deliver care, auditors need to plan and act in even more constructive and innovative ways.

Emerging and developing technologies like generative AI, machine learning, and interactive data analytics are not just helping internal audit, they are making them more efficient and improving their risk management practices that lead to greater value-based outcomes. By leveraging the growth of these technologies, internal audit can transform their role from reactive compliance enforcers to strategic partners in organizational success.

About the authors

Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.