CynergisTek has released a report which reveals that a significant number of healthcare organisations fail to comply with important pieces of healthcare legislation, including HIPAA’s Privacy and Security Rules.
CynergisTek, a consultancy firm, also discovered that healthcare organisations fail to conform with NIST’s Cybersecurity Framework controls. NIST is a non-regulatory agency of the United States Department of Commerce. The primary goal of the organisation, which is a working physical science laboratory, is to promote innovation and industrial competitiveness in the United States.
For the study, CynergisTek analysed the results of assessments at almost 600 healthcare organisations against NIST CSF and the HIPAA Privacy and Security Rules.
Healthcare organisations are not legally obliged to follow NIST’s CSF; it is a voluntary framework. However, the framework includes standards and best practices that can assist healthcare organisations in defending their networks against potentially catastrophic cyber attacks. Healthcare organisations that ignore the CSF’s controls and recommendations are therefore at greater risk of a data breach, and of all the consequences that come with it.
The report found that, on average, healthcare organisations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.
There was a significant discrepancy in the degree of conformance between different types of healthcare body. Assisted living organisations had the highest level of conformance with NIST CSF (95%), followed by payers (86%) and accountable care organisations (73%). However, just under half of the business associates included in the study conformed with NIST CSF (48%). Physician groups were the worst-performing group, with only 36%.
The NIST CSF lists five core functions for data protection: identify, detect, protect, respond, and recover. CynergisTek found that organisations were least likely to conform with the requirements of the ‘detect’ function.
Unlike the NIST CSF, HIPAA’s Security and Privacy Rules are not voluntary: all HIPAA-covered entities are legally required to comply with them. Despite compliance having been mandatory for over a decade, CynergisTek found the levels of compliance to be poor. On average, healthcare organisations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst, with an average of 67% conformance. Worryingly, CynergisTek identified significant security gaps even in organisations that complied with HIPAA’s Rules.
Organisations were more likely to comply with HIPAA’s Privacy Rule; however, despite their legal obligations, healthcare organisations were complying with only 77% of HIPAA Privacy Rule provisions. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.
CynergisTek found that compliance with HIPAA’s Privacy Rule increased year over year for payers and physician groups. Surprisingly, there was a significant drop in compliance for hospitals and health systems, falling from 94% in 2017 to 72% in 2018.
CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018, so more non-compliant organisations were being identified.
CynergisTek’s report identified insider breaches as a persistent challenge for healthcare organisations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. Three-quarters of these insider cases involved employees accessing the health records of household members, and 10% involved accessing the records of VIPs who were treated at the hospital. A further 8% of cases involved accessing the health records of co-workers, and 8% involved accessing neighbours’ health records.
Business associates were involved in 20% of healthcare data breaches in 2018, indicating that they pose a significant risk to the confidentiality of patient data. CynergisTek found that in many cases, healthcare organisations were not proactively assessing third-party vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.
CynergisTek’s report indicates that organisations must take further measures to implement all of the necessary safeguards to protect patient data, and ensure that their business associates are doing likewise.