Symmetric encryption should use a random IV (Initialization Vector), which should have the same length as the encryption key.
CWE-330: Use of Insufficiently Random Values: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
CWE-1204: Generation of Weak Initialization Vector (IV): The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
HIPAA Security Rules 164.312(a)(2)(iv): Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.
OWASP-ASVS v4.0.1 V1.6 Cryptographic Architectural Requirements (1.6.1): Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.
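The random-IV requirement and the weaknesses named in CWE-330 and CWE-1204 can be checked over the IVs an application actually emits. The following is an added example, not part of the original page: it generates IVs from the operating system CSPRNG and audits a batch of observed IVs for the patterns those CWEs describe. The function names, finding labels, the 16-byte length and the sample IVs are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

IV_LEN = 16  # bytes; assumed sample length (a 128-bit key and the AES block size)

def new_iv(length: int = IV_LEN) -> bytes:
    """Return a fresh IV from the OS CSPRNG; call once per encryption."""
    return secrets.token_bytes(length)

def audit_ivs(ivs, length: int = IV_LEN):
    """Return sorted finding labels (hypothetical names) for observed IVs."""
    findings = set()
    for iv in ivs:
        if len(iv) != length:
            findings.add("wrong-length")
        elif len(set(iv)) == 1:
            findings.add("constant-bytes")  # e.g. an all-zero IV
    if any(n > 1 for n in Counter(ivs).values()):
        findings.add("reused")  # same IV seen on more than one message
    # Counter-style IVs: every consecutive pair differs by the same small step.
    nums = [int.from_bytes(iv, "big") for iv in ivs]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(ivs) >= 3 and len(steps) == 1 and 0 < abs(next(iter(steps))) <= 0xFFFF:
        findings.add("sequential")
    return sorted(findings)

# Constructed sample inputs, not taken from any real system.
HARDCODED_IVS = [bytes(IV_LEN)] * 3
COUNTER_IVS = [i.to_bytes(IV_LEN, "big") for i in range(1, 4)]

if __name__ == "__main__":
    print("hardcoded:", audit_ivs(HARDCODED_IVS))
    print("counter:  ", audit_ivs(COUNTER_IVS))
    print("csprng:   ", audit_ivs([new_iv() for _ in range(3)]))
```

An empty result only means none of these specific patterns appeared in the sample; it does not prove the generator is unpredictable, so the source of the IV still has to be confirmed in code review.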