Healthcare’s Strong Network Security May Reflect Outdated Model
Organizations’ conformance with the HIPAA Security Rule was 72 percent last year, a 2 percent decrease from the previous year.
The HIPAA Security Rule established national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires healthcare organizations to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
NIST Cybersecurity Framework Conformance on the Rise
Organizations’ conformance with the NIST Cybersecurity Framework totaled 47 percent last year, a 2 percent increase from the previous year.
The NIST Cybersecurity Framework provides a common cybersecurity structure by compiling effective standards, guidelines, and practices in one place. It can also be used to help organizations address privacy issues related to customers, employees, patients, and other parties, the document explained.
Last year, NIST updated the framework to add a section explaining how it can be used by organizations to understand and assess their cyber risk and sections on risks associated with the supply chain and purchasing commercial off-the-shelf products and services.
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.
The report is based on aggregated ratings from privacy and security assessments performed last year at nearly 600 healthcare provider organizations and business associates.
The firm found a decline in cybersecurity awareness and training and a disappointing score for the respond and recovery function at healthcare organizations.
“The slight decline in the Awareness and Training category under the Protection Function is very alarming considering how much more sophisticated attackers were with targeted phishing attempts and new attack vectors, such as medical devices,” said David Finn, executive vice president of strategic innovation at CynergisTek.
“Furthermore, the fact that we did not see any improvement in either the Respond or Recover functions means we may be losing even more ground with the increased number of attacks last year. Organizations need to take into account whether their individual security needs are actually being met in order to be truly secure, and not only compliant,” Finn added.
In addition, the report found:
- 74 percent of unauthorized insider access to patient records was by patients’ household members; the second most common type was access to high-profile patients’ data
- More than 60 percent of privacy assessments found gaps in maintaining written policies and procedures to guide workforce members in managing some or all uses and disclosures of PHI
- The most common gaps among third-party vendors included risk assessment, access management, and governance
- The average rating for the respond and recover function was 2.5 out of 5
CynergisTek said its report highlighted the growing need for healthcare organizations to invest in cybersecurity readiness, as cybersecurity has become one of the top business risks facing healthcare today.
“The number of incidents is growing and shows no evidence of declining. Virtually every healthcare entity reports multiple cyber events a year,” the report observed.
“Those that scored higher levels of readiness in their NIST CSF [Cybersecurity Framework] assessments particularly in the Detect, Respond, and Recover categories tended to understand their environment better, react quicker, respond more efficiently and with better organization, and were able to mitigate impacts and resume operations sooner. It is all about readiness,” the report concluded.