Healthcare Groups Found Not to Be Adhering to NIST CSF and HIPAA Rules

by | Apr 17, 2019

The results of recent research conducted by the consultancy firm CynergisTek show that healthcare groups are not adhering to NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek reviewed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but its standards and best practices help groups tackle cyber risks. Healthcare groups that are not adhering to CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare groups were in conformance with only 47% of NIST CSF controls. Conformance has grown by only 2% in the past year.

Assisted living groups had the highest level of conformance with NIST CSF (95%), followed by payers (86%) and accountable care groups (73%). Business associates of HIPAA covered entities had an average conformance level of only 48%. Physician groups had the lowest level of conformance (36%).

Of the five core functions of the NIST CSF (Identify, Protect, Detect, Respond, and Recover), conformance was lowest for Detect.

Although compliance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare groups were found to be falling short. On average, healthcare organizations were in conformance with 72% of HIPAA Security Rule requirements, 2% lower than last year. Critical access hospitals fared the worst, with an average of 67% conformance.

Even where groups were complying with the HIPAA Rules, significant security gaps were identified, which clearly demonstrates that compliance does not necessarily equate to good security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still considerable room for improvement. On average, healthcare groups were complying with 77% of HIPAA Privacy Rule provisions. Many groups had missing policies and procedures and improper postings. More than 60% of assessments showed gaps in the maintenance of written policies and procedures covering the use and disclosure of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, dropping from 94% in 2017 to 72% in 2018. CynergisTek attributed this fall most likely to the higher number of assessments carried out on hospitals and health systems in 2018.

CynergisTek also found that insider breaches remain a major challenge for healthcare organizations. Insiders were at fault in 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees viewing the health records of household members, 10% involved accessing the records of VIPs treated at the hospital, 8% involved accessing the health records of colleagues, and 8% involved accessing neighbors' health records.

Business associates were found to be a serious security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many instances, healthcare groups were not proactively assessing their vendors, even those classed as medium to high risk. The most common business associate failures were linked to risk assessments, governance, and access management.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
