Healthcare Cybersecurity Challenges Persist as Sector Struggles to Shift from Reactive to Proactive Strategies
Healthcare organizations of all sizes continue to face significant challenges in addressing systemic cybersecurity risks, with new benchmarking data revealing that the industry remains largely reactive rather than proactive in its approach.
The findings come from the 2025 Healthcare Cybersecurity Benchmarking Study, a collaborative effort by KLAS Research, Censinet, the American Hospital Association (AHA), the Health Information Sharing and Analysis Center (H-ISAC), the Healthcare and Public Health Sector Coordinating Council (HSCC), and the Scottsdale Institute. The study gathered responses from 69 healthcare and payer organizations between September and December 2024, assessing their alignment with key cybersecurity frameworks, including:
- NIST Cybersecurity Framework (CSF) 2.0
- Health Industry Cybersecurity Practices (HICP)
- Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs)
- NIST AI Risk Management Framework (RMF)
Key Findings: Strong Response & Recovery, but Gaps in Prevention & Risk Management
1. Persistent Focus on Reactive Measures
Consistent with past years, healthcare organizations reported high coverage in the “Respond” and “Recover” functions of the NIST CSF 2.0, indicating strong incident response and disaster recovery capabilities. However, long-term recovery planning lags behind immediate response efforts, suggesting room for improvement.
“As cyber threats grow, healthcare organizations are preparing for when—not if—they will face a breach, emphasizing incident response and business continuity strategies,” the study noted.
2. Critical Gaps in Supply Chain & Asset Management
Under the NIST CSF, the lowest coverage areas were:
- Supply Chain Risk Management (Govern function) – 50%
- Asset Management (Identify function) – 50%
This is particularly concerning given the rising number of breaches that reach healthcare organizations through third parties: a vendor or connected device an organization has not inventoried or risk-assessed is one it cannot monitor or contain.
3. Cybersecurity Insurance Benefits from Framework Adoption
Organizations implementing the NIST CSF saw slower growth in cybersecurity insurance premiums, reinforcing the financial benefits of proactive risk management.
4. Emerging AI Risk Management Efforts
Adoption of the NIST AI RMF remains in early stages, with many organizations still establishing governance structures for AI-related risks.
5. HICP & HPH CPG Findings Align with Past Trends
- HPH CPGs showed gaps in third-party risk management and asset management.
- HICP assessments (with a smaller sample size) confirmed strong email security but persistent weaknesses in medical device security, mirroring 2024 results.
Moving from Reactive to Proactive Security
While progress has been made, the study highlights that greater adherence to leading cybersecurity frameworks can help healthcare organizations transition to a more proactive security posture, reducing risk and improving resilience.
“The healthcare sector must prioritize foundational cybersecurity practices—particularly in supply chain and asset management—to mitigate escalating threats,” the report concluded.
Final Takeaway:
Healthcare cybersecurity remains heavily reactive, but organizations that invest in comprehensive risk management, third-party oversight, and AI governance can better protect patient data and reduce long-term vulnerabilities.