For many, the 2024 Change Healthcare cybersecurity breach was a wake-up call; its drastic effects emphasized just how interwoven—and often fragile—the connections are between health systems, payers, and third-party vendors. To thwart ongoing and evolving cybersecurity threats, many organizations are implementing cybersecurity frameworks and best practices.
The recently published 2025 Healthcare Cybersecurity Benchmarking Study examines organizations’ self-reported coverage of four different frameworks, guidelines, or best practices: NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs), the Health Industry Cybersecurity Practices (HICP), and the NIST AI Risk Management Framework (NIST AI RMF). Data comes from a survey administered by Censinet, and the resulting benchmarking study is co-sponsored by Censinet, KLAS, the American Hospital Association, the Health Information Sharing and Analysis Center, the Healthcare and Public Health Sector Coordinating Council, and the Scottsdale Institute.
A Look at the Study’s Key Findings
NIST CSF 2.0
- Healthcare organizations continue to be more reactive than proactive in their approach to cybersecurity
- Like last year, the Respond and Recover functions have the strongest coverage—organizations are preparing for when, not if, they will need to rapidly respond to cybersecurity incidents
- Also like last year, Supply Chain Risk Management (previously a category under the Identify function; now a category under the new Govern function) and Asset Management (under the Identify function) are the areas most in need of improvement, especially as third-party breaches increase
- Those using NIST CSF 2.0 as a primary framework report lower cybersecurity insurance premium increases year-over-year
HPH CPGs
- Analysis of the HPH CPGs shows that, as with NIST CSF 2.0, third-party risk management and asset management are both opportunities for improvement
NIST AI RMF
- Respondent organizations are starting with AI governance as a foundation for AI risk management and are still in the early stages of AI risk remediation
- Although cybersecurity programs see more success when there is high CISO ownership, AI programs see more success with a different approach. Because AI also presents risks related to data bias and transparency, clinical workflows, privacy, and ethics, organizations must implement cross-departmental ownership and involve stakeholders outside of cybersecurity to ensure safe and ethical AI use
HICP
- HICP coverage is similar to last year—medical device security continues to be a critical gap
An Opportunity to Identify & Address Vulnerabilities
This is the third year KLAS has participated in publishing this study. Over the years, organizations’ self-reported coverage of NIST CSF 2.0 has stayed roughly the same, even as more data has been collected via the benchmarking survey. (The 2025 study is the first of the benchmarking studies to measure coverage with the HPH CPGs and NIST AI RMF; the HICP-assessment portion of the survey was optional.)
We at KLAS feel that this study can help organizations evaluate their vulnerabilities and develop a plan of action. As shown in the key findings section, third-party risk management and asset management continue to be opportunities for improvement. These areas are critical to focus on, especially in light of the Change Healthcare breach—organizations should be aware of how third parties and different assets affect security and then proactively take precautions.

Regarding NIST CSF 2.0, the significant increase in coverage of the Respond function shows how seriously organizations are preparing for when incidents occur. It could be that the Respond function feels like the easiest area to address, or it is possible that organizations see it as an urgent priority, since cybersecurity breaches are not a matter of “if” but “when.”

Hope for the Future of Cybersecurity
There are a lot of factors that play into cybersecurity, and it can feel like an overwhelming task for organizations to tackle. Staffing shortages and budget restraints are top barriers. Many organizations are turning to managed services firms to outsource some or all of their cybersecurity management, yet as mentioned earlier, third-party risk management is a gap for many organizations.
Regardless, we at KLAS are hopeful that organizations can address their challenges and use actionable insights to prioritize risks effectively. It is important to note that organization-wide buy-in and leadership engagement are critical to success. As organizations become more invested in cybersecurity and use available frameworks and best practices, they can become more resilient and better able to prepare for the worst.
For more insights, read the benchmarking study on KLAS’ website, and listen to the webinar where KLAS’ cybersecurity expert, Jaren Day, discusses the study’s findings with Censinet.