Healthcare Cybersecurity Benchmarking Study 2025: Key Findings

What You Should Know: 

– A recent report KLAS report has shed light on the ongoing cybersecurity challenges facing the healthcare industry, emphasizing the ripple effects of breaches like the 2024 Change Healthcare incident.

– The new KLAS study, the “Healthcare Cybersecurity Benchmarking Study 2025,” has analyzed the self-reported cybersecurity practices of 69 healthcare and payer organizations, revealing both progress and persistent vulnerabilities in the industry. 

– The study was a collaborative effort involving several organizations, including KLAS Research, Censinet, the American Hospital Association, Health-ISAC, the Healthcare & Public Health Sector Coordinating Councils, and the Scottsdale Institute.

Strengthening Healthcare Cybersecurity Resiliency Through Industry Best Practices & Cybersecurity Frameworks

Conducted from September to December 2024, the study emphasizes the significant impact of events like the Change Healthcare breach, which exposed the fragility of connections within the healthcare ecosystem. The findings of the study highlight the ongoing challenges healthcare organizations face in maintaining strong cybersecurity posture. The increasing reliance on third-party vendors and the adoption of new technologies like AI introduce new vulnerabilities that must be addressed proactively. 

Here are six key findings from the report: 

1. Reactive vs. Proactive Cybersecurity: Healthcare organizations continue to prioritize reactive measures, with strong coverage in “Respond” and “Recover” functions of the NIST Cybersecurity Framework (CSF) 2.0, indicating a focus on incident response and recovery. However, proactive measures, particularly in Supply Chain Risk Management and Asset Management, remain weak.  

2. Third-Party Risk: A Major Concern: The report highlights the increasing number of third-party breaches in healthcare, emphasizing the urgent need for better Supply Chain Risk Management. Effective asset management is crucial to mitigate these risks, requiring organizations to have a comprehensive understanding of their assets, including those provided by third parties.  

3. NIST CSF 2.0 Adoption Benefits: Organizations using NIST CSF 2.0 as their primary framework reported lower increases in cybersecurity insurance premiums, demonstrating a tangible financial benefit to strong cybersecurity preparedness.  

4. HPH CPGs Analysis: Similar to the NIST CSF 2.0 findings, the study reveals that third-party risk management and asset management are areas needing improvement within the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs).  

5. AI Risk Management: As healthcare organizations increasingly adopt AI, the study emphasizes the importance of establishing robust AI governance. Unlike traditional cybersecurity programs with strong CISO ownership, AI risk management requires a cross-departmental approach to address risks related to data bias, transparency, clinical workflows, privacy, and ethics.  

6. HICP Gaps: While healthcare organizations generally have strong email protection systems, significant gaps persist in medical device security. This aligns with the broader challenges in asset management and third-party risk management identified in the report.