Healthcare Organizations Struggling to Shift from Reactive to Proactive Cybersecurity

Posted By Steve Alder on Apr 21, 2025
Healthcare organizations are still taking a reactive approach to cybersecurity rather than proactively taking steps to reduce risk, according to the findings of a 2025 Healthcare Cybersecurity Benchmarking Study. The study was conducted by KLAS Research in collaboration with Censinet, Health-ISAC, the Scottsdale Institute, the American Hospital Association, and the Healthcare & Public Health Sector Coordinating Councils Public-Private partnership.
Many healthcare organizations are proactively reducing cybersecurity risks by adopting cybersecurity frameworks and best practices, including the NIST Cybersecurity Framework 2.0, Health Industry Cybersecurity Practices (HICP), the NIST AI Risk Management Framework (NIST AI RMF) and, a new addition for this year, the Department of Health and Human Services (HHS) Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs). The study looked at self-reported coverage within these frameworks and at the gaps that persist in areas such as third-party risk management and asset management.
This year, 69 healthcare and payer organizations participated in the survey between September 2024 and December 2024, and the findings were similar to those of previous benchmarking studies. For instance, there was high coverage of the Respond (85%) and Recover (78%) functions of the NIST Cybersecurity Framework 2.0, as was the case in the 2024 Healthcare Cybersecurity Benchmarking Study. This year’s study revealed a growing disparity between those two functions and the other four functions of the NIST CSF: Govern, Identify, Protect, and Detect. The Govern and Identify functions scored joint lowest, each with 64% coverage.
Access the full benchmarking study in the HIPAA Journal.