
Key Findings Reveal Reactive Security Stance
Healthcare organizations continue to struggle with implementing comprehensive cybersecurity measures, according to new benchmarking data. Research shows the sector remains primarily reactive rather than proactive in addressing cybersecurity risks, leaving critical vulnerabilities unaddressed. This persistent challenge affects healthcare providers of all sizes, from small clinics to major hospital networks, potentially compromising patient data and care delivery.
2025 Healthcare Cybersecurity Benchmarking Study
The “2025 Healthcare Cybersecurity Benchmarking Study” represents a collaborative effort between several prominent organizations: KLAS Research, Censinet, the American Hospital Association, the Health Information Sharing and Analysis Center, the Healthcare and Public Health Sector Coordinating Council, and the Scottsdale Institute.
This comprehensive analysis compiled responses from 69 healthcare and payer organizations surveyed between September and December 2024. The study evaluated adherence to leading cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF), Health Industry Cybersecurity Practices (HICP), Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs), and the NIST AI Risk Management Framework (RMF).
The findings align with previous iterations of the study, suggesting that despite increased awareness of cybersecurity threats, healthcare organizations have made limited progress in certain critical areas of protection. Industry experts note that this stagnation occurs despite the healthcare sector being among the most targeted industries for cyber attacks due to the high value of healthcare data and the critical nature of healthcare services.
Strong Response, Weak Prevention
Analysis of the NIST CSF 2.0 revealed that healthcare organizations continue to demonstrate high coverage in the “respond” and “recover” functions of the framework, similar to previous years’ findings. This indicates that healthcare providers are increasingly prepared to handle incidents after they occur.
“As the likelihood of cybersecurity breaches increases for both healthcare organizations and their third-party vendors, many are preparing for when, not if, they will need to employ incident response, disaster recovery, and business continuity strategies,” the study stated.
However, a concerning gap exists between immediate incident response capabilities and long-term recovery processes, indicating an area requiring significant improvement. Organizations typically showed stronger protocols for addressing immediate breaches compared to implementing comprehensive recovery processes that restore operations to normal functioning.
The study found that many organizations conduct regular incident response exercises and have established clear processes for breach notification, but fewer have developed and tested comprehensive business continuity plans that address extended service disruptions.
Critical Vulnerabilities Identified
Across the six primary NIST CSF 2.0 functions, the categories with the lowest coverage were supply chain risk management (under the Govern function) and asset management (under the Identify function), averaging only 50%. This deficiency is particularly alarming given the healthcare sector’s increasing reliance on third-party vendors and connected medical devices.
The report emphasized this concern: “The low coverage for Supply Chain Risk Management is especially concerning, as the number of third-party breaches in the healthcare industry has continued to increase year over year.”
With healthcare organizations typically managing relationships with hundreds or even thousands of vendors who may have access to sensitive information or critical systems, this vulnerability represents a significant risk vector that remains inadequately addressed. Many organizations reported challenges in maintaining accurate inventories of all third-party relationships and assessing the security practices of these vendors.
Asset management weaknesses stem from difficulties in maintaining complete and accurate inventories of all technology assets, including traditional IT systems, medical devices, and increasingly, Internet of Things (IoT) devices used throughout healthcare facilities.
Financial Benefits of Framework Adoption
Organizations that adopted the NIST CSF experienced slower growth in cybersecurity insurance premiums, highlighting the financial benefits of proactive security measures and preparedness. This finding provides a compelling business case for healthcare leaders to invest in cybersecurity framework implementation, beyond the obvious benefits of preventing data breaches and service disruptions.
Insurance providers increasingly recognize the risk-reduction value of framework adoption, rewarding organizations that demonstrate mature security practices with more favorable premium rates. This correlation between framework adoption and insurance costs represents a tangible return on cybersecurity investments.
The study noted that organizations with higher framework coverage scores reported average premium increases of 15-20%, compared to 30-40% increases for organizations with lower coverage scores, representing significant financial savings that can offset security investments.
AI Security Still in Early Stages
Examination of the NIST AI Risk Management Framework revealed that healthcare organizations remain in the nascent stages of AI risk management. Most are currently focusing on establishing governance structures and working to mature their programs.
As artificial intelligence becomes increasingly integrated into healthcare operations—from diagnostic tools to administrative processes—the need for robust AI security protocols becomes more critical. The study suggests that while organizations recognize this emerging risk area, most have yet to implement comprehensive safeguards specific to AI technologies.
Organizations reported particular challenges in ensuring the security and privacy of data used to train AI systems, as well as establishing appropriate governance structures for oversight of AI development and implementation. With healthcare AI applications directly impacting patient care decisions, these security gaps present unique risks compared to other industries.
Consistent Gaps Across Frameworks
Coverage across the HPH CPGs, NIST AI RMF, and HICP consistently revealed critical vulnerabilities in third-party risk management and asset management. While email protection systems showed strength, significant gaps persist in medical device security.
The assessment of HICP coverage yielded a smaller sample size but aligned with previous findings, showing that while healthcare organizations have implemented robust email security measures, medical device security remains a concern. As the number of connected medical devices continues to grow, this gap presents an increasingly significant vulnerability.
Medical devices present unique security challenges due to their long lifecycles, proprietary operating systems, and the critical nature of their functions. Many legacy devices were not designed with cybersecurity in mind, making them particularly vulnerable to exploitation.
Path Forward: From Reactive to Proactive
The study concludes that adherence to industry-leading frameworks represents a crucial step in helping healthcare organizations transition from reactive security approaches to proactive risk management strategies, ultimately enhancing patient safety and organizational resilience.
By focusing on areas with lowest coverage scores—particularly supply chain risk management and asset management—healthcare organizations can significantly improve their overall security posture and better protect sensitive patient information from increasingly sophisticated cyber threats.
The researchers recommend that healthcare organizations prioritize developing comprehensive vendor risk management programs, implement more robust asset discovery and management tools, and establish clear governance structures for oversight of cybersecurity initiatives across the enterprise. These measures, combined with continued strong incident response capabilities, can help create a more balanced and effective cybersecurity program.
Discover the latest Provider news updates with a single click. Follow DistilINFO HospitalIT and stay ahead with updates. Join our community today!