
Healthcare Organizations Struggling to Shift from Reactive to Proactive Cybersecurity

Healthcare organizations are still taking a reactive approach to cybersecurity rather than proactively taking steps to reduce risk, according to the findings of a 2025 Healthcare Cybersecurity Benchmarking Study. The study was conducted by KLAS Research in collaboration with Censinet, Health-ISAC, the Scottsdale Institute, the American Hospital Association, and the Healthcare & Public Health Sector Coordinating Councils Public-Private partnership.

Many healthcare organizations are proactively reducing cybersecurity risks by adopting cybersecurity frameworks and best practices, including the NIST Cybersecurity Framework 2.0, Health Industry Cybersecurity Practices (HCIP), NIST AI Risk Management Framework (NIST AI RMF) and, a new addition for this year, the Department of Health and Human Services (HHS) Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs). The study looked at self-reported coverage within these frameworks and gaps that persist around areas such as third-party risk management and asset management.

This year, 69 healthcare and payer organizations participated in the survey between September 2024 and December 2024, and the findings were similar to those of previous benchmarking studies. For instance, there was high coverage of the Respond (85%) and Recover (78%) functions of the NIST Cybersecurity Framework 2.0, as was the case in the 2024 Healthcare Cybersecurity Benchmarking Study. This year’s study revealed a growing disparity between those two functions and the other four functions of the NIST CSF: Govern, Identify, Protect, and Detect. The Govern and Identify functions scored the joint lowest, with 64% coverage across both functions.

Specific areas with particularly low coverage among those six functions were supply chain risk management (Govern) and asset management (Identify), which had coverage of 52% and 53%, respectively. The study found similar gaps in adherence to the HPH CPGs. There was strong coverage of the Essential goals, with 78% average coverage across the responding organizations, and 70% average coverage of the Enhanced goals. The lowest coverage across the Essential goals was for vendor/supplier cybersecurity requirements (65%) and mitigating known vulnerabilities (74%).


Coverage of the Enhanced goals was lower, with the lowest scores for network segmentation (56%), third-party risk disclosure and configuration management (61%), asset inventory (62%), and third-party incident reporting (64%). KLAS Research stresses the importance of network segmentation and how it can compensate for asset vulnerabilities and limit their impact, but it can be complex and expensive to implement, requiring significant investment in infrastructure.

HCIP coverage was strongest for email protection systems (86%) and cybersecurity oversight and governance (83%), with the lowest coverage for network-connected medical device security (48%), data protection and loss prevention (58%), and network management (63%). The study indicates healthcare organizations are still in the early stages of AI risk management, with many struggling with risk remediation due to uncertainties surrounding AI. Average coverage across the four NIST AI RMF functions was only 31%: Govern (39%), Map (33%), Measure (24%), and Manage (28%).

The study found that organizations that adhere to these leading industry frameworks have enjoyed success shifting their security approach from reactive to proactive, which can translate into fewer security breaches. There are other benefits too. Healthcare organizations that use the NIST CSF 2.0 as their primary framework report lower cybersecurity insurance premium increases year-over-year.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
