The sensitive health information maintained by healthcare organizations has grown to be a very attractive target for cyberattackers over the last few years. Healthcare organizations must ensure that they are addressing the full extent of their regulatory requirements when it comes to maintaining cybersecurity and HIPAA compliance, adhering to NIST CSF and HIPAA compliance standards.
However, according to a recent study , many healthcare organizations are still not addressing their cybersecurity and HIPAA compliance requirements necessary to keep this data safe.
The study was conducted by auditing  nearly 600 healthcare organizations against NIST Cybersecurity Framework (CSF) standards and the HIPAA Privacy and HIPAA Security Rules.
The NIST CSF was created as a framework to help covered entities (defined as any healthcare provider, health plan, or clearinghouse) understand and properly execute necessary HIPAA security standards. Healthcare organizations that are not in conformance with CSF controls are at a much higher risk of a cyberattack or data breach. The study found that healthcare organizations are only in conformance with 47% of NIST CSF controls. This poses a serious threat to healthcare data on an industry-wide level, indicating that there are major gaps in the way healthcare providers are dealing with their cybersecurity.
According to the study, assisted living organizations had the highest level of conformance with NIST CSF at 95%, payers followed with 86%, and accountable care organizations at 73% of conformance. Business associates of HIPAA covered entities only averaged a 48% level of conformance. At the bottom of the list were physician groups, which recorded the lowest level of conformance at 36%.
Although conformance with the HIPAA Security Rule has been federally required for the last 14 years, many healthcare organizations are still struggling to effectively address their HIPAA requirements. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements–2% lower than last year. It should be stressed that HIPAA fines are levied based on the level of perceived negligence uncovered by federal investigators during a HIPAA audit. If a provider only addresses a fraction of their regulatory requirements, then HIPAA fines can and will be levied for failure to implement an effective compliance program.
Healthcare organizations can be highly secure, but that does not necessarily mean they are addressing their compliance properly. There are a few key rules that organizations must comply with: The HIPAA Privacy Rule and The HIPAA Security Rule.
The HIPAA Security Rule outlines administrative, technical, and physical safeguards that all healthcare providers and vendors must address. The administrative safeguards are about policies, procedures, documentation, and staff training. Technical safeguards are about implementing network security infrastructure such as firewalls, data backup, encryption, and malware protection. Lastly, physical safeguards are the things you do to protect the physical premise of the healthcare office like locking up file cabinets, installing alarm systems, etc.
In order for security to be addressed properly, healthcare organizations must enforce all three security standards outlined in the regulation.
Compliance with the HIPAA Privacy Rule requirements was better, but still needs some improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. As a result, more than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.
The study also concluded that insider data breaches are still a major issue for healthcare organizations. In 2018, insiders–meaning employees within an organization–were responsible for 28% of data breaches that occurred. In addition, those breaches took 255 days to detect. Data breaches caused by human error and poor employee training can lead to serious reputational and financial harm for healthcare organizations around the country.
When organizations are not complying with NIST CSF and HIPAA compliance standards, they are not only neglecting their patients’ privacy, but are also opening themselves to devastating HIPAA violations and fines.
Compliancy Group Can Help!
The Guardâ„¢ is a web-based compliance tracking app that allows healthcare organizations to confidently address all required elements of federal HIPAA regulation. We base our standards on the NIST framework to effectively address the HIPAA Privacy and Security Rule for your organization. Compliancy Group was founded to simplify HIPAA compliance and give you peace of mind. We give healthcare organizations everything they need to address the full extent of the law.
Our ongoing support and web-based compliance app gives healthcare organizations the tools to address the law so they can confidently run their business.
