
Benchmarking data shows healthcare cybersecurity pain points
Organizations continue to take a reactive rather than a proactive approach to healthcare cybersecurity, KLAS, the AHA and several partners reported in their latest benchmarking study.
Effectively tackling systemic healthcare cybersecurity challenges remains a pain point for healthcare organizations of all sizes. New benchmarking data collected from healthcare and payer organizations shows that the sector is continuing to take a reactive, rather than proactive, approach to reducing risk.
These findings were the result of a partnership between KLAS Research, Censinet, the American Hospital Association, the Health Information Sharing and Analysis Center, the Healthcare and Public Health Sector Coordinating Council and the Scottsdale Institute, which teamed up to issue the 2025 edition of the "Healthcare Cybersecurity Benchmarking Study."
This year's study compiled responses from 69 healthcare and payer organizations surveyed between September and December 2024. The 2025 results were consistent with past iterations of the study, which similarly measured healthcare organizations' coverage of leading cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0) and the Health Industry Cybersecurity Practices (HICP).
This year's study also analyzed adherence to the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs) and the NIST AI Risk Management Framework (RMF).
Analysis of the NIST CSF 2.0 found that, like last year, healthcare organizations reported high coverage of the "respond" and "recover" functions of the framework.
"As the likelihood of cybersecurity breaches increases for both healthcare organizations and their third-party vendors, many are preparing for when, not if, they will need to employ incident response, disaster recovery, and business continuity strategies," the study stated.
While response and recovery efforts remain strong, the report found that organizations tend to have more mature processes for immediate incident response than for long-term recovery, pointing to a potential area for improvement.
Among the specific categories under the six primary NIST CSF 2.0 functions (govern, identify, protect, detect, respond and recover), supply chain risk management (under the govern function) and asset management (under the identify function) had the lowest coverage, averaging 50%.
"The low coverage for Supply Chain Risk Management is especially concerning, as the number of third-party breaches in the healthcare industry has continued to increase year over year," the study noted.
Like last year, higher NIST CSF coverage was associated with slower growth in cybersecurity insurance premiums, underscoring the financial benefits of preparedness.
Coverage across the HPH CPGs, the NIST AI RMF and the HICP similarly exposed critical gaps while displaying promising signs of improvement. HPH CPG coverage also showed gaps in third-party risk management and asset management.
Meanwhile, results surrounding the NIST AI RMF showed that healthcare organizations remain in the early stages of AI risk management, and are actively working to establish governance and mature their programs.
The assessment of HICP coverage drew on a smaller sample, but its results were consistent with last year's findings, which showed strong email protection but gaps in medical device security.
Overall, the study showed that adherence to leading industry frameworks can play a key role in helping healthcare organizations shift their security approaches from reactive to proactive.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.