Healthcare Cybersecurity Benchmarking Study 2025
Strengthening Healthcare Cybersecurity Resiliency Through Industry Best Practices & Cybersecurity Frameworks

NIST CSF 2.0

• Healthcare organizations continue to be more reactive than proactive in their approach to cybersecurity
• Like last year, the Respond and Recover functions have the strongest coverage—organizations are preparing for when, not if, they will need to rapidly respond to cybersecurity incidents
• Also like last year, Supply Chain Risk Management (previously a category under the Identify function; now a category under the new Govern function) and Asset Management (under the Identify function) are the areas most in need of improvement, especially as third-party breaches increase
• Those using NIST CSF 2.0 as a primary framework report lower cybersecurity insurance premium increases year over year

HPH CPGs

• Analysis of the HPH CPGs shows that, as with NIST CSF 2.0, third-party risk management and asset management are both opportunities for improvement

NIST AI RMF

• Respondent organizations are starting with AI governance as a foundation for AI risk management and are still in the early stages of AI risk remediation
• Although cybersecurity programs see more success when there is high CISO ownership, AI programs see more success with a different approach; to ensure safe and ethical AI use, organizations must implement cross-departmental ownership and involve stakeholders outside of cybersecurity (since AI also presents risks associated with data bias and transparency, clinical workflows, privacy, and ethics)

HICP

• HICP coverage is similar to last year—medical device security continues to be a critical gap

What’s Not Included in This Summary Report?

This report summarizes key findings. Participants in the Healthcare Cybersecurity Benchmarking Study receive the full report, which includes:

• A detailed analysis of financial ratios and operational metrics (e.g., percentage of IT budget and workforce allocated to cybersecurity)
• Peer comparisons of IT and cybersecurity organizational structure and functional ownership
• Insight into the root cause drivers of coverage gaps

Participating organizations also gain exclusive benefits, including personalized remediation plans, tailored reports to prioritize cybersecurity investments and facilitate executive and board communications, and enhanced peer group comparisons to fully contextualize their performance.

To participate in next year’s Benchmarking Study, please email benchmarks@censinet.com.

NIST CSF 2.0

Cross-industry cybersecurity framework consisting of six functions (previous versions of the framework had five functions); recommended by the HHS 405(d) Program and by government entities like OCR for HIPAA compliance

Organizations Continue to Be More Reactive Than Proactive in Their Approach to Cybersecurity

Coverage of the NIST CSF 2.0 functions is similar to that of the NIST CSF 1.1 functions reported on in previous years. There are two notable insights. First, the Govern function (a new addition to NIST CSF 2.0) and Identify function tie for the lowest coverage—this marks the third consecutive year that the Identify function has had the lowest coverage. Second, the coverage disparity between the Respond function and the other functions has become more pronounced. As the likelihood of cybersecurity breaches increases for both healthcare organizations and their third-party vendors, many are preparing for when, not if, they will need to employ incident response, disaster recovery, and business continuity strategies.

Supply Chain Risk Management & Asset Management Remain the NIST CSF 2.0 Categories with Lowest Coverage

For the third consecutive year, Supply Chain Risk Management (previously a category under the Identify function; now a category under the Govern function) and Asset Management (a category under the Identify function) have the lowest coverage, with coverage at an average of just over 50% across respondents. The low coverage for Supply Chain Risk Management is especially concerning, as the number of third-party breaches in the healthcare industry has continued to increase year-over-year. Asset management, which is closely linked to third-party and supply chain management, requires organizations to maintain a detailed inventory and understanding of all assets, including third-party hardware, software, data, and storage systems. This knowledge allows organizations to identify and address vulnerabilities in third-party products and services and mitigate potential risks.

Respond & Recover Are NIST CSF 2.0 Functions with Highest Coverage; Organizations Are Prepared to Quickly Respond to Cybersecurity Incidents but Can Further Enhance Long-Term Resiliency

The Respond function has the highest coverage; respondent organizations report having well-defined incident response procedures, including strong incident mitigation tactics and clear communication protocols. However, many organizations have more mature processes for immediate responses compared to processes for long-term recovery and business continuity. While organizations generally excel at internal and external communication during recovery efforts—thus ensuring that stakeholders are informed about status and progress—recovery plan execution is an area for improvement. Organizations could strengthen their coordination of various teams, resources, and activities as they work to fully restore operations. As organizations increase their coverage of supply chain management, it is likely they will gain a more complete understanding of the areas in which they need to recover.

Primary Adoption of NIST CSF 2.0 Is Connected to Lower Cybersecurity Insurance Premium Growth

Organizations that invest in higher cybersecurity preparedness see tangible benefits. In this study, those who have adopted NIST CSF 2.0 as their primary cybersecurity framework see lower year-over-year increases to their cybersecurity insurance premiums. The 2024 study showed similar results (for those who adopted NIST CSF 1.1 as their primary framework), underscoring that robust cybersecurity preparedness can translate into tangible benefits.

HPH CPGs 

Comprises a set of essential and a set of enhanced cybersecurity performance goals developed by HHS, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and industry partners

A First Look Reveals Similar Gaps in Third-Party Risk Management & Asset Management

This 2025 report marks the first time the Healthcare Cybersecurity Benchmarking Study has looked at coverage of the HPH CPGs, and analysis shows that—as with NIST CSF 2.0—third-party risk management and asset management are opportunities for improvement. The Essential Goals have higher coverage overall, with the exception being Vendor/Supplier Cybersecurity Requirements, which is well below average. The Enhanced Goals, which include several outcomes related to third-party risk management and asset management, also have coverage that falls well below average. Network Segmentation, one of the Enhanced Goals, has the lowest coverage across both goal types. Network segmentation can be very complex, requiring significant investments in infrastructure; however, it can compensate for, and mitigate, asset vulnerabilities. For example, segmenting medical or legacy devices that no longer receive security patches helps restrict the devices’ access to the internet and other critical systems, thus lowering risk.

NIST AI RMF 

Cross-industry framework consisting of four functions designed to help organizations assess and manage AI-specific risks and ensure responsible, trustworthy, and secure AI adoption

Organizations Are in Early Stages of AI Risk Management; Broad Ownership from Multiple Stakeholders Is Critical for Safe, Secure & Ethical AI Use

This report is also the first Healthcare Cybersecurity Benchmarking Study to look at coverage of NIST AI RMF. The 13 organizations that opted to respond are in the early stages of AI risk management, and many face challenges with risk remediation due to uncertainties surrounding AI. Although AI presents unprecedented opportunities to benefit healthcare organizations, it also introduces unique cybersecurity risks. Respondent organizations have started implementing governance around the use, development, and deployment of AI, a process that aligns with the Govern function of NIST AI RMF. As AI programs grow and mature, organizations should establish cross-departmental ownership that includes a broad set of stakeholders in order to achieve safe, secure, and ethical use of AI. This recommendation contrasts with traditional cybersecurity risk management, where high program ownership is typically maintained by the CISO.

HICP

Set of 10 healthcare-specific cybersecurity mitigating practices based on the top threats to healthcare cybersecurity; recommended by HHS 405(d) Program to improve cybersecurity preparedness

Organizations Continue to Have Strong Email Protection Systems but Have Significant Gaps Around Medical Device Security 

The HICP-assessment portion of the Healthcare Cybersecurity Benchmarking Survey was optional, resulting in a lower sample size. Coverage of HICP is close to the levels reported in past years, with most organizations having email protection systems in place but room for improvement with medical device security. Coverage for the latter has lagged the other mitigating practices for three consecutive years and supports findings from NIST CSF 2.0 and the HPH CPGs that third-party risk management and asset management still lag behind in industry coverage.