Health systems get failing grade when it comes to NIST cybersecurity best practices: report

Healthcare organizations continue to fall short in managing cybersecurity risk, as measured by how well they conform to recognized best practices for security and privacy.

Health systems and hospitals have an average 46% conformance with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which is unchanged from last year, according to Cynergistek’s annual report on the state of healthcare cybersecurity.

NIST CSF is a voluntary framework, but it is an industry-recognized resource of standards, guidelines and best practices to manage cybersecurity-related risk.

“Overall the results from a NIST CSF perspective were still well below where we would like to see them,” said Mac McMillan, CEO of Cynergistek.

Payers had a respectable conformance level at 86%. Accountable care organizations also scored well, with a 73% conformance level. Business associates had an average conformance level of 48%, and physician groups had the lowest conformance at 36%.

Assisted living organizations have among the highest conformance with the NIST cybersecurity framework at 95%, up from 86% last year. However, assisted living organizations are not, typically, highly automated, frequently do not have electronic medical records and have only minimal “core systems,” the report noted.


The cybersecurity report aggregates ratings from privacy and security assessments performed in 2018 at nearly 600 healthcare provider organizations and business associates to measure how well organizations are conforming to the NIST cybersecurity framework as well as HIPAA privacy and security rules.

While the HIPAA security rule has been in effect for 14 years, healthcare organizations are still only achieving 72% conformance with the HIPAA security rule, a C-level grade at best. It is possible to perform well against the HIPAA security rule and still have significant gaps in actual implementation of security functions and controls, McMillan notes in the report.

“Compliance does not equate to security,” McMillan said, noting the report’s data are a clear indicator that while HIPAA security rule conformance hovers in the low 70% range year over year, NIST CSF conformance hovers in the upper 40% range.

Healthcare organizations’ conformance with NIST's cybersecurity best practices was up 2% year over year while HIPAA security rule conformance declined 2%.

“In 2018 there was a lot of news and questions about the age and relevance of HIPAA in 2018—this may be reflective of those discussions or may indicate that HIPAA is less relevant in healthcare today than it was when the security rule became effective in 2005,” McMillan said in the report.

“Today’s business models, care delivery models, technology, and threat landscape would be nearly unrecognizable from the world of 2005,” McMillan wrote.

Healthcare organizations had average conformance of 77% with the HIPAA privacy rule. Privacy programs scored higher overall in compliance but still suffered from missing policies, improper postings or missing policies and procedures, according to the report.

“There is no such thing as being partially compliant in privacy. This will become an even larger issue once the California Consumer Protection Act and GDPR become fully enforceable,” McMillan said in the report.


The report found that internal data breaches continue to be a significant challenge for healthcare organizations: 74% of unauthorized insider access to patient records involved users looking up the records of their own household members. The second most common form of unauthorized insider access was accessing high-profile (VIP/confidential) patient data.

Third-party vendors also represent a security risk—vendors working with healthcare organizations account for more than 20% of the breaches experienced, and they have accounted for some of the largest breaches to date, according to the report.

But many healthcare organizations do not proactively assess their vendors either before or at the onset of services. At least 20% of the vendors assessed represented a medium to high risk to the healthcare organizations they served, the report found. The most common gaps among third-party vendors included risk assessment, access management and governance.

The results highlight the growing need for healthcare organizations to make serious investments in cybersecurity readiness, the report authors wrote.