Study Reveals Widespread Nonconformance with HIPAA Rules and NIST CSF Controls

It has been 14 years since the HIPAA Security Rule requirements have been mandatory, but many healthcare organizations are still not in conformance with all aspects of the Security Rule, according to a recent study by consultancy firm CynergisTek. HIPAA Privacy conformance is a little better, but there is still considerable room for improvement.

The study also revealed that many healthcare organizations that have adopted the NIST Cybersecurity Framework (CSF) are not in conformance with all CSF controls.

CynergisTek conducted an analysis of assessments of nearly 600 healthcare organizations against HIPAA Privacy and Security Rule requirements and NIST CSF controls.

CynergisTek chose to assess conformance rather than compliance, as many of the requirements of the HIPAA Security Rule are addressable rather than required elements. A HIPAA covered entity may not have complied with a specific aspect of the Security Rule as an alternative measure may have been implemented in its place. Consequently, compliance would be more difficult to assess.

On average, healthcare organizations were only in conformance with 77% of HIPAA Privacy Rule requirements, 72% of HIPAA Security Rule requirements, and 47% of NIST CSF controls.

The most common areas of nonconformance with the HIPAA Privacy Rule were in relation to gaps in policies and procedures, especially patients’ right of access and the release of ePHI. More than 60% of assessed organizations had gaps in policies and procedures related to PHI release.

HIPAA Security Rule conformance was worse, with nonconformance found in many areas, including risk assessments, one of the most important requirements of the HIPAA Security Rule. Many healthcare organizations have been financially penalized for risk assessment failures that were discovered by OCR during compliance assessments. Critical access hospitals were the worst offenders; on average, they were compliant with only 67% of HIPAA Security Rule provisions.

CynergisTek also identified many security gaps, even at healthcare organizations that were compliant with most aspects of the HIPAA Security Rule, showing that compliance with the HIPAA Security Rule does not necessarily equate to security.

Adoption of the NIST CSF is only voluntary, but many organizations that have chosen to implement the framework are not conforming to all CSF controls. CynergisTek notes there has been little improvement since last year, with conformance increasing by an average of 2% in the past year.

The most common area where healthcare organizations were not conforming with NIST CSF controls was the detection of cyberattacks and data breaches, the second of the five core functions of the framework.

This is of concern: not only are healthcare organizations leaving themselves open to attack by not fully conforming with NIST CSF controls, but when a cyberattack does occur, many lack the capability to detect the breach promptly.