Client Profile
The client is a large not-for-profit regional medical centre in the southeastern United States, operating across four main hospital buildings, two outpatient clinics, and a network of specialty care centres. With approximately 850 licensed beds, 4,200 staff members, and annual operating revenues exceeding $1.1 billion, the organisation provides acute care, oncology, cardiac surgery, and complex surgical services to a regional catchment of more than 700,000 patients.
The hospital had deployed IBM software over an 11-year period to support mission-critical clinical and administrative workloads. Its IBM estate comprised IBM WebSphere Application Server supporting the electronic health record (EHR) integration layer, IBM DB2 underpinning the patient administration system and revenue cycle management platform, and IBM MQ providing messaging infrastructure for laboratory, pharmacy, and radiology systems. All IBM workloads ran on VMware vSphere clusters hosted on a combination of on-premises blade servers and a private cloud segment introduced during a 2023 infrastructure modernisation programme.
The hospital was an IBM Passport Advantage customer operating under a legacy Enterprise Licence Agreement (ELA) that had not been formally renegotiated in six years. No ILMT audit readiness review had ever been conducted internally, and responsibility for IBM software licence compliance was split between the central IT operations team and four departmental IT groups that managed their own cluster environments.
The Challenge
IBM's Software License Review (SLR) notice arrived in Q1 2025, triggered — as later confirmed by IBM's audit team — by a routine contract renewal conversation in which the hospital's procurement team had requested updated pricing for its ELA. IBM's response was to open a formal audit rather than provide commercial terms, a pattern Redress Compliance has observed across multiple healthcare engagements when customers express renewal price sensitivity.
IBM's initial audit findings documented three categories of alleged non-compliance. First, IBM contended that sub-capacity licensing did not apply to a significant portion of the hospital's virtualised estate because ILMT agents had not been deployed on five VMware ESXi clusters managed by departmental IT teams. IBM's audit tooling had identified these clusters during the scope-setting phase and had applied full-capacity PVU calculations to all IBM software on those hosts across a 24-month lookback period. At the hospital's mix of Intel processors (100 PVUs per core) across servers with 32 to 64 physical cores per host, the full-capacity exposure was extreme.
Second, IBM asserted that even where ILMT had been deployed, reporting gaps of more than 90 days in two quarterly cycles (caused by an ILMT version upgrade that temporarily halted report generation) invalidated sub-capacity entitlement for those periods. IBM treated the reporting gaps as equivalent to complete ILMT absence and recalculated those periods at full capacity as well.
Third, IBM's auditors identified three instances where IBM WebSphere had been deployed on servers not covered by the hospital's ELA scope definition, and claimed these constituted out-of-scope deployments requiring new licence purchase at list prices plus 12 months of back-maintenance fees.
The aggregate of these three positions produced IBM's $7 million claim. The IT and legal leadership recognised that the claim was commercially devastating for a not-for-profit institution, but lacked the internal IBM licensing expertise to construct a credible technical and contractual rebuttal. Redress Compliance was engaged five days after the initial IBM findings document was received.
The Approach
Redress Compliance structured the engagement across four parallel workstreams, prioritising immediate ILMT remediation to establish a compliant posture and concurrent technical analysis to build the counter-position to IBM's claim.
ILMT Remediation and Coverage Restoration
Within five business days of engagement, ILMT agents were deployed across all five previously uncovered ESXi clusters, including every virtual machine running IBM software in those environments. ILMT was configured, agents validated, and the first compliant sub-capacity reports generated within ten days. This did not retroactively cure the historical gap — IBM was entitled to apply full-capacity calculations for the uncovered historical period — but it immediately halted further exposure accumulation and established a compliant baseline for the remainder of the review.
The reporting gaps caused by the ILMT upgrade were addressed separately. Redress obtained the full version upgrade logs and demonstrated that the ILMT infrastructure had remained structurally deployed and operational throughout; only the automated report scheduler had been temporarily disabled as part of the upgrade procedure. Under IBM's ILMT compliance documentation, a temporary scheduler interruption during a version migration does not constitute a lapse in ILMT coverage if the tool was otherwise operational and agents were generating usage data. IBM accepted this position and withdrew the reporting-gap claims entirely.
Full-Capacity Methodology Challenge
The core of the defence was challenging IBM's PVU calculations for the five uncovered clusters. IBM had applied full-capacity PVU counts based on the total physical cores of the host servers. Redress Compliance's technical team undertook a complete inventory of every virtual machine on the affected clusters at the time of alleged non-compliance, using VMware vCenter historical configuration records and the hospital's internal CMDB to reconstruct VM CPU assignments with precision.
The analysis revealed that across the five clusters, IBM software workloads were running on VMs with a combined CPU assignment of 94 virtual processors, against a total physical core count of 1,280 across the affected hosts. IBM's full-capacity calculation had counted all 1,280 physical cores at 100 PVUs per core, producing its $7M figure. The corrected sub-capacity calculation, applied to the 94 virtual CPUs actually assigned to IBM workloads, reduced the exposure to within the hospital's existing ELA entitlement headroom. Even using IBM's most conservative interpretation of sub-capacity eligibility for the historical period, the financial gap was demonstrably zero.
Out-of-Scope Deployment Rebuttal
The three alleged out-of-scope WebSphere deployments were examined against the hospital's ELA schedule and amendment history. Two of the three deployments were on servers that had been added to the ELA via a purchase order amendment executed in 2022 — IBM's audit team had not cross-referenced the amendment documentation. The third deployment related to a WebSphere instance used exclusively for a third-party clinical application where the software was bundled and licensed as part of the application vendor's agreement; the hospital bore no direct IBM licence obligation for that instance. All three out-of-scope claims were withdrawn once supporting documentation was presented.
The Outcome
Following three rounds of counter-position submissions and two structured negotiation sessions with IBM's commercial and audit teams, IBM formally closed the Software License Review with no payment required from the hospital. The $7 million claim was eliminated in its entirety. The engagement concluded 16 weeks after Redress Compliance's initial instruction.
Beyond the immediate financial outcome, the engagement delivered lasting structural benefits for the hospital's IBM licence programme. ILMT is now fully deployed across all clusters, generating compliant quarterly reports with a centralised governance process owned by the central IT operations team. A formal ILMT audit readiness checklist was implemented, and IBM licence responsibility was consolidated away from departmental IT groups into a single licensing programme manager role. The hospital's ELA was renegotiated in parallel with the audit closure, achieving an 18% reduction in annual maintenance fees and a modernised scope definition that reflects the actual software estate.
Key Lessons for Healthcare Organisations
This engagement illustrates several IBM audit risks that are acutely elevated in healthcare settings. Decentralised IT governance — where departmental teams manage their own server infrastructure independently of the central ITAM function — consistently creates ILMT coverage gaps that IBM auditors exploit with full-capacity PVU calculations. A single uncovered ESXi host running IBM middleware can generate a seven-figure liability under IBM's methodology if the physical host is large enough.
IBM's practice of auditing shortly after renewal pricing conversations has been observed in multiple healthcare engagements. Organisations that signal price sensitivity or request ELA restructuring without independent advisory support frequently receive audit notices in preference to commercial proposals. Engaging independent IBM specialists before any formal renewal dialogue reduces this risk materially.
Finally, the ILMT reporting gap issue illustrates how technically correct behaviour — performing a version upgrade — can inadvertently create audit exposure if ILMT's scheduler is disrupted without proper documentation. ILMT upgrade and maintenance procedures should always be documented contemporaneously to provide evidence that the tool remained operationally deployed throughout any brief reporting interruption.