New Healthcare Security Benchmark Highlights Key Investment Priorities and Risks
By Allison Proffitt
March 12, 2025 | At a session in the Cybersecurity Pavilion of ViVE last month, Cormac Miller, President and CCO of Censinet, presented the company’s 2025 cybersecurity benchmark for the healthcare sector. This year’s benchmark revealed that, for the third year in a row, organizations are focusing on Respond and Recover capabilities. The findings compare organizations’ survey responses against industry readiness frameworks, including NIST CSF 2.0 and the CPGs, highlighting the evolving landscape of healthcare cybersecurity.
Censinet co-sponsored the benchmarking study with KLAS Research, the American Hospital Association, Health-ISAC, Health Sector Coordinating Council, and the Scottsdale Institute. The benchmark was based on surveys sent to 73 healthcare organizations.
This was the fifth year of the benchmark, and the first year to use the Cybersecurity Framework (CSF) 2.0 from the National Institute of Standards and Technology, which was released in February 2024. The benchmark breaks down six core cybersecurity functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify: The organization’s current cybersecurity risks are understood.
- Protect: Safeguards to manage the organization’s cybersecurity risks are used.
- Detect: Possible cybersecurity attacks and compromises are found and analyzed.
- Respond: Actions regarding a detected cybersecurity incident are taken.
- Recover: Assets and operations affected by a cybersecurity incident are restored.
Companies are using the benchmarking findings in two major ways, Miller reported: to protect patient safety and to prioritize investments to close critical gaps. Cybersecurity in healthcare in recent years has focused more on Respond and Recover functions, reflecting a growing awareness that cyber incidents are inevitable, making rapid response and mitigation critical to minimizing operational disruptions and patient safety risks.
“In the last two or three years, I think the message has been it’s not a question of ‘If?’; it’s a question of ‘When?’” he said. “We’ve seen a lot of investment in Respond and Recover.” The healthcare industry, in general, is better positioned to respond to “acute episodes” of insecurity, Miller said.
The Govern and Identify functions, however, have the lowest reported coverage of the six functions, underlining that healthcare is still better prepared to be reactive than proactive. He highlighted three areas of cyber immaturity, identified by the benchmark, that confront healthcare security leaders.
- Supply Chain Risk: Ensuring that third-party vendors adhere to strict cybersecurity standards remains a major challenge, particularly as healthcare organizations rely on a complex web of suppliers.
- Asset Management: Many institutions struggle to maintain a comprehensive inventory of IT and operational technology assets, creating blind spots in their security posture.
- Platform Security: Protecting the integrity of digital healthcare platforms, including electronic health record (EHR) systems and connected medical devices, is a pressing concern as cyber threats become increasingly sophisticated.
Cybersecurity Performance Goals
In addition to the NIST framework, the benchmark team also considered the Cybersecurity Performance Goals from CISA (the US Cybersecurity and Infrastructure Security Agency). The CPGs were mapped to the NIST security framework in 2023. CISA describes the CPGs as: “a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners, making them a common set of protections that all critical infrastructure entities — from large to small — should implement.”
Miller categorizes the CPGs into essential and enhanced security practices. For the most part, he said, healthcare organizations have good coverage of the essentials, including basic cybersecurity training, email security, multifactor authentication, strong encryption, and separate user and privileged accounts. The outlier in the essential group, he said, was vendor and supplier cybersecurity requirements. “The number one thing that we hear is, ‘We have a process that we use; how do we scale that?’ There’re a lot of vendors that need to be reassessed and it’s just a resource issue.”
In the enhanced security practices list, some areas have strong coverage, including cybersecurity testing, cybersecurity mitigation, and centralized log collection. But Miller also called out other areas of notable weakness. Configuration Management, as a subset under NIST’s Platform Function, is an area of ongoing challenge. Network segmentation, third-party incident reporting, and third-party vulnerability disclosure were also challenges.
Working with outside groups always introduces new security challenges, Miller said. “Again, I think it just goes to the sheer number of vendors.” Medical device security is a particular weak spot, Miller observed.
AI Risk Management: A Developing Focus
As artificial intelligence (AI) becomes more integrated into healthcare operations, organizations are beginning to form governance committees to oversee AI-related security risks. It’s clear that while frameworks for AI risk management are emerging, practical execution and oversight remain in the early stages.
NIST has an AI Risk Management Framework (AI-RMF), but only 13 organizations filled out the optional surveys on this framework, Miller said.
“It’s a little bit of a starter set of data, but at a high level, I think we found what you would expect is that this is an emerging discipline. Folks are still getting their feet underneath them as it comes to managing AI risk,” Miller said.
In this early dataset, Miller noticed more investment in AI governance than in the execution steps of Measuring and Managing risk. “I think most folks are in the process of establishing some sort of governance committee and establishing policy,” he said. Vendors are, again, a security risk that is still a bit vague. “I really think [with vendors] you are trying to separate some of the marketing versus what’s actually in the application.”
Miller recommended frequent reassessments of AI risk—“It’s a fast-changing discipline!” he said.
The Road Ahead
Censinet is committed to publishing the benchmark annually and to keeping enrollment open for organizations to contribute. Miller hopes it will provide a roadmap for healthcare organizations seeking to strengthen their cybersecurity defenses. He also emphasized that the benchmark now offers rolling enrollment: any participant can access the data after submitting its own scores and can filter it to define its own cohort of peers.
With cyberattacks on hospitals and healthcare systems on the rise, the emphasis on rapid response, third-party risk management, and AI governance is expected to shape security strategies in the years ahead.
As healthcare institutions continue to navigate an increasingly complex threat landscape, the adoption of cybersecurity best practices will be essential in ensuring resilience and protecting sensitive patient data.