CynergisTek Study Reveals the Non-Conformance of Healthcare Organizations with NIST CSF and HIPAA Rules

The consultancy company CynergisTek conducted a study recently and found that healthcare organizations aren’t in conformity to the HIPAA Privacy and Security Rules and the NIST Cybersecurity Framework (CSF) controls. CynergisTek studied the NIST CSF and the HIPAA Privacy and Security Rules assessment results of about 600 healthcare organizations.

Though the NIST CSF framework is voluntary, its criteria and best practices are beneficial for managing cyber risks. Healthcare organizations that do not conform with the CSF controls are at a higher risk of having a cyberattack or security breach. The average conformance rate of healthcare organizations with NIST CSF controls was only 47%, with a 2% increase from last year.

The different types of organizations had the following level of conformance with NIST CSF:

  • Assisted living organizations – 95%
  • Payers – 86%
  • Accountable care organizations – 73%
  • Business associates of HIPAA covered entities – 48%
  • Physician groups – 36%

The NIST CSF has five core functions: Identify, detect, protect, respond, and recover. The function with the lowest conformance was detect.

Although HIPAA Security Rule conformance has been demanded for 14 years, a lot of healthcare organizations still fall short. The average conformance with HIPAA Security Rule requirement for healthcare organizations was only 72%, which is 2% lower than the past year. Critical access hospitals had the worst conformance average of 67%.

Though organizations were in compliance with HIPAA Rules, there were considerable security gaps identified, which shows that compliance does not automatically mean security.

It is good to comply with the HIPAA Privacy Rule requirements, but there is much to improve. The average HIPAA Privacy Rule compliance rate of healthcare organizations was 77%. Some of the problems in numerous organizations are the lack of policies and procedures and inappropriate postings. Over 60% of assessments showed gaps in the availability of written policies and procedures associated with the use and disclosure of protected health information (PHI).

Payers and physician groups have increased their conformance with the HIPAA Privacy Rule year over year, but hospitals and health systems declined in their conformance from 94% (2017) to 72% (2018). The decline is probably because of a higher number of hospitals and health systems assessed in 2018.

CynergisTek additionally noted that healthcare organizations continue to be challenged by insider breaches. 28% of healthcare breaches in 2018 were caused by insiders and the breaches took 255 days on average to detect. The following gives further information of insider breaches:

  • Employees accessing on the health files of household members – 74%
  • Accessing the files of VIPs treated in a hospital – 10%
  • Accessing the health files of co-workers – . 8%
  • Accessing the health files of neighbors – 8%

Business associates also pose a big security risk as 20% of 2018’s healthcare data breaches had their involvement. CynergisTek mentioned in the study that healthcare organizations do not proactively evaluate their vendors in most cases. The most frequent business associate problems were associated to risk assessments, access management and governance.

About Christine Garcia 1303 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at