Healthcare Groups Found Not to be Complying with NIST CSF and HIPAA Rules

The results of recent research conducted by the consultancy firm CynergisTek show that healthcare groups are not complying with NIST Cybersecurity Framework (CSF) controls or with the HIPAA Privacy and Security Rules.

For the study, CynergisTek reviewed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but its standards and best practices help organizations manage cyber risk. Healthcare groups that do not conform with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare groups were in conformance with only 47% of NIST CSF controls, and conformance grew by only 2% over the past year.

Assisted living groups had the highest level of conformance with NIST CSF (95%), followed by payers (86%) and accountable care groups (73%). Business associates of HIPAA covered entities had an average conformance level of only 48%. Physician bodies had the lowest level of conformance (36%).

Of the five core functions of the NIST CSF (Identify, Protect, Detect, Respond, and Recover), conformance was lowest for Detect.

Although conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare groups were found to be falling short. On average, healthcare organizations were in conformance with 72% of HIPAA Security Rule requirements, 2% lower than last year. Critical access hospitals fared the worst, with an average of 67% conformance.

Even where groups were complying with the HIPAA Rules, significant security gaps were identified, which clearly demonstrates that compliance does not necessarily equate to good security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still major room for improvement. On average, healthcare groups were complying with 77% of HIPAA Privacy Rule provisions. Many groups had missing policies and procedures and improper postings. More than 60% of assessments showed gaps in the maintenance of written policies and procedures covering the use and disclosure of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, dropping from 94% in 2017 to 72% in 2018. CynergisTek attributed this fall most likely to the higher number of assessments carried out on hospitals and health systems in 2018.

CynergisTek also found that insider breaches remain a major challenge for healthcare organizations. Insiders were at fault in 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. In 74% of cases, employees viewed the health records of household members; 10% of cases involved accessing the records of VIPs treated at the hospital; 8% involved accessing the health records of colleagues; and 8% involved accessing neighbors’ health records.

Business associates were found to be a serious security risk: they were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many instances healthcare groups were not proactively assessing their vendors, even those classed as medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.