Healthcare organizations lagging behind NIST Cybersecurity Framework, HIPAA guidance

A new study from CynergisTek finds just 47 percent conformance with NIST CSF controls and 72 percent compliance with the HIPAA Security Rule.
By Mike Miliard
12:36 PM
Share

Despite some halting progress with cybersecurity readiness, healthcare is still lacking in many key areas, according to a new progress report from the consultancy CynergisTek.

In particular, the study took a look at how healthcare organizations are stacking up with the advice and best practices of the NIST Cybersecurity Framework, as well as the HIPAA privacy and security rules. The findings, say CynergisTek researchers, are "sobering."

WHY IT MATTERS
To start with, the report – based on the results of assessments, audits and reviews performed by CynergisTek at some 600 healthcare organizations and business associates – found that, from the perspective of NIST CSF most of those orgs surveyed were still performing "well below where we would like to see them," said CynergisTek CEO Mac McMillan in the report.

It found an average 47 percent conformance with NIST CSF controls and an average 72 percent compliance with the HIPAA Security Rule.

While the HIPAA adherence was slightly better and "within normal range," several specific findings underscored a key point that's become a mantra: "compliance does not equate to security," he said.

For example, while hospitals and health systems may be meeting the letter of the law when it comes to HIPAA rules, CynergisTek researchers found that one of the key planks of conformance with NIST CSF – breach detection – was not where it should be for many of those organizations it assessed.

"Given the threat environment we operate in today where literally some percentage of almost everything computerized is a threat, the inability to effectively discover and respond to events is a real issue," said McMillan.

Worse than the numbers themselves is the fact that they represent only a minimal improvement in NIST CST conformance since a similar progress report was done this past year – just a 2 percent increase – and CynergisTek actually saw a 2 percent decrease compliance with the HIPAA Security Rule.

Researchers also found that of the five "core functions" of the NIST CSF – identify, detect, protect, respond and recover – there was relative stability, year-to-year, even as "detect" component lagged the other four.

But when it came to awareness and training, a key driver of the "protect" plank, there was a slight downtick in conformance, the report shows.

That's "likely not significant," researchers conceded, but "it does beg the bigger question around security: If you are not improving, are you actually slipping back?"

Among some other notable findings from the study: More than 60 percent of CynergisTek's assessments discovered noticeable gaps in the maintenance of written policies and procedures to guide healthcare workforce around the use and release of PHI.

As for third-party vendors, "the most common gaps among included risk assessment, access management, and governance," researchers found. And at healthcare organizations, nearly 75 percent of unauthorized insider access came from employees' household members.

THE LARGER TREND
Interestingly, at least on the subject of breach detection, the findings of the Cynergistek report diverge somewhat with those of another study this week, from BakerHostetler, which found that while phishing scam artists are still doing their darndest to take advantage of employee error, one of the bright spots had to do with substantial improvements in in-house detection among the organizations it surveyed.

Whichever of those stats is more indicative of the true larger picture, however, its inarguable that healthcare still has major work to do when it comes to cybersecurity preparedness – and that goes for all employees across the enterprise, from low-level back office staff to the CEO. Indeed, as we showed this week, too many CEOs – amazingly – still aren't giving infosec the high-level attention and on-the-ground resources it deserves and demands.

ON THE RECORD
David Finn, executive vice president of strategic innovation at CynergisTek, said the decline in the awareness and training category under the NIST CSF "protect" capability "is very alarming considering how much more sophisticated attackers were with targeted phishing attempts and new attack vectors, such as medical devices."

In addition, "the fact that we did not see any improvement in either the respond or recover functions means we may be losing even more ground with the increased number of attacks last year," he noted. "Organizations need to take into account whether their individual security needs are actually being met in order to be truly secure, and not only compliant."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS Media publication.