Editor's Note
Healthcare organizations are improving their ability to respond to cyberattacks but continue to fall short on preventing them—particularly when it comes to managing third-party and asset-related risks.
That’s the key takeaway from the 2025 Healthcare Cybersecurity Benchmarking Study conducted by KLAS Research and partner organizations. Surveying 69 healthcare and payer organizations between September and December 2024, the benchmarking report examines organizations’ self-reported capabilities, focusing particularly on persistent gaps in third-party risk management and asset management.
Findings reveal most respondents have robust incident response capabilities in place. “Many organizations are adopting and implementing cybersecurity frameworks and best practices, such as the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs), the Health Industry Cybersecurity Practices (HICP), and the NIST AI Risk Management Framework (NIST AI RMF),” the report reads. “High coverage of these frameworks and best practices is a strong indicator of an organization’s cybersecurity maturity and preparedness.”
Organizations using NIST CSF 2.0 as their primary cybersecurity framework experienced smaller year-over-year increases in cyber insurance premiums, indicating a link between strong preparedness and financial protection. However, analysis also shows a tendency to be reactive rather than proactive. Respond and Recover functions have the highest coverage, while Supply Chain Risk Management and Asset Management represent persistent gaps. As detailed in the report, these persistent weaknesses are especially concerning in the wake of the 2024 Change Healthcare breach, which exposed the fragility of third-party connections across the industry.
New for this year, the benchmarking study also evaluated organizations against the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs). As was the case with the NIST CSF 2.0 analysis, the HPH CPGs revealed underperformance in third-party and asset management, particularly in vendor security requirements and network segmentation.
This 2025 report marks the first time the Healthcare Cybersecurity Benchmarking Study has looked at coverage of the HPH CPGs, and analysis shows that—as with NIST CSF 2.0—third-party risk management and asset management are opportunities for improvement.
When assessed against the Health Industry Cybersecurity Practices (HICP), organizations continued to perform well in areas like email security, but medical device security remained a critical vulnerability. As in previous years, this area trailed significantly behind others, further highlighting the industry’s ongoing challenge in safeguarding third-party technologies.
Overall, the report reveals hospitals are better prepared to respond to cyber incidents, but sustainable security will require greater investment in upstream risk prevention.