In today’s digital age, cybersecurity and securing patient data have become absolutely critical for healthcare operations. Recently, KLAS hosted a webinar covering the lessons of the 2025 Healthcare Cybersecurity Benchmarking Study. Our cybersecurity expert, Jaren Day, hosted with guests Linda Stevenson, CIO at Fisher-Titus Health; Ed Gaudet, CEO of Censinet; and John Reggi, National Advisor for Cybersecurity and Risk at the American Hospital Association.
If you have not yet read the study, I recommend taking a look. Cosponsored by KLAS Research, Censinet, the American Hospital Association, and other key organizations, the study aims to enhance cybersecurity maturity across the healthcare sector. Dive into this recap of the webinar to learn more.
Points to Know
The webinar centered on the following points:
- Organizations are generally more reactive than proactive in their cybersecurity efforts. Awareness of vulnerabilities isn’t enough; proactive defense and leadership alignment are crucial.
- Healthcare cyberattacks have surged dramatically, with a 500% increase in hacks affecting protected health information and a 300% rise in ransomware attacks since 2020. These attacks pose significant threats to patient safety and healthcare operations.
- Benchmarking in studies like this helps healthcare organizations, especially those in rural areas, gain insights into their cybersecurity programs, prioritize initiatives, and allocate resources effectively. It also educates leaders and board members, integrating cybersecurity into the overall strategy.
- Managing third-party risks remains a challenge. Continuous investment in both internal and external cybersecurity measures is essential to ensure resilience and preparedness against cyber threats.
KLAS Insights
Jaren emphasized that organizations overall are still more reactive than proactive, as seen in the report. He highlights the importance of proactive leadership, stating: “Some even know that there are vulnerabilities, but they don’t really have clear prioritization or leadership alignment. Awareness alone isn’t really protection. Proactive defense really has to be the goal here.”
He also pointed out that we can’t just make cybersecurity a onetime initiative. Rather, it’s an ongoing responsibility.
Insights from AHA
We know that healthcare cyberattacks have increased, but John from AHA highlights just how much. He says, “We’ve seen a 500% increase [since 2020] in the hacks affecting individuals’ protected health information. We’ve also seen about a 300% increase in ransomware attacks targeting hospitals and health systems of all sizes from rural hospitals all the way up to major multistate systems.”
These statistics are staggering and bring to life just how urgent this challenge is. John emphasizes that cyber risk extends far beyond the IT department, affecting every aspect of healthcare operations and posing a significant threat to patient safety. These attacks not only compromise protected health information but also disrupt healthcare delivery, potentially endangering patients’ lives. For instance, ransomware attacks can encrypt networks and data, causing massive delays in medical services, which can be especially critical in rural areas where the nearest hospital might be miles away.
John finishes by talking about how healthcare organizations must not only defend against attacks but also prepare so they can maintain safe and quality care during disruptions.
Fisher-Titus on Benchmarking
Linda addressed why Fisher-Titus participated in the benchmarking study; they knew they needed perspective to see where they stand in cybersecurity. She reiterated that cybersecurity is not just an IT concern but an organization-wide and industry-wide initiative. By participating in benchmarking assessments, healthcare organizations, and especially rural ones with limited resources, can gain valuable insights into their cybersecurity programs, identifying strengths and areas for improvement.
This process helps prioritize initiatives and allocate resources effectively, especially in rural healthcare settings where budgets and staff are limited. Beyond those reasons, benchmarking provides a framework for educating leaders and board members, ensuring that cybersecurity remains a top priority and is integrated into the overall organizational strategy.
Censinet on the Methodology and Findings of the Cybersecurity Study
Ed from Censinet shared that the new report aims to provide healthcare organizations with actionable data to enhance their cybersecurity programs and leverage peer insights. It covers various frameworks, including the NIST Cybersecurity Framework, HHS’ cybersecurity performance goals, and the AI risk management framework. These benchmarks help organizations understand their current cybersecurity posture, identify gaps, and plan for future improvements. Ed emphasized the importance of benchmarking in gaining visibility into cybersecurity metrics and organizational control, which is crucial for effective resource allocation and risk management.
Ed also highlights the ongoing challenge of third-party risk, particularly in the supply chain—a finding mentioned several times throughout the webinar. Despite investments in response and recovery functions, many healthcare organizations struggle with asset management and identifying vulnerabilities within their systems. Ed stressed the need for continuous investment in both internal and external cybersecurity measures to ensure resilience and preparedness against cyber threats.
Learn More About Healthcare Cybersecurity
In today’s rapidly evolving cybersecurity landscape, staying informed and proactive is more important than ever. The insights shared in the webinar provide valuable guidance for healthcare leaders looking to enhance their cybersecurity strategies and protect their organizations. This blog only covers the content of the webinar in part; please take the opportunity to dive deeper into these findings and learn from industry experts by watching the full webinar or reading the report.
You can also learn more from KLAS’ cybersecurity expert in his recent blog: The Cybersecurity Update in Healthcare: What We’re Hearing in the Industry.
© tirachard / Adobe Stock
