Seventy-four percent of unauthorized insider access to patient records was users’ household members and the second most common was accessing high profile (VIP/confidential) patient data, according to a 2019 Measuring Progress: Expanding the Horizon report. 

Additional findings include: 

• More than 60 percent of privacy assessments found gaps in maintaining written policies and procedures to guide workforce members in managing all or some of these uses and/or disclosures of PHI.
• The most common gaps among third-party vendors included risk assessment, access management, and governance.
• In terms of the Five Core Functions, there was a surprising .4 percent decline in Awareness and Training this year.
• The average rating for the Respond and Recover Function was 2.5 (on a scale of 0 – 5), indicating the healthcare industry is still not as prepared to respond to a cyber incident as they should be.
• An average 47 percent conformance with NIST CSF controls and an average 72 percent conformance with the HIPAA Security Rule, reflecting only a two percent increase with conformance with NIST CST and a two percent decrease in conformance with the HIPAA Security Rule from the previous year’s findings. 

 After being in effect for 14 years, the industry is still only achieving 72 percent compliance on the HIPAA Security Rule, according to the report.