Improving Cybersecurity Performance in Healthcare IT

Post Summary

Healthcare IT systems are facing a surge in cyberattacks, with ransomware, data breaches, and third-party vendor security risks causing billions in losses. In 2024 alone, attacks cost U.S. healthcare $1.4 billion, disrupted ambulance operations, and exposed millions of sensitive records. Key issues include outdated medical devices, unpatched systems, and poor vendor security management.

The Solution: Metrics and Frameworks to Strengthen Cybersecurity

Healthcare organizations are turning to performance metrics and established frameworks like NIST CSF 2.0, HPH CPGs, and HICP to improve defenses. These tools help identify vulnerabilities, track progress, and justify investments. Metrics such as ransomware recovery time, endpoint detection coverage, and PHI encryption rates are critical for measuring success.

Key Takeaways for Healthcare IT Leaders

  • Adopt Frameworks: Use NIST CSF 2.0 and HPH CPGs for structured cybersecurity improvement.
  • Leverage Tools: Platforms like Censinet RiskOps™ automate risk assessments and benchmarking.
  • Track KPIs: Focus on metrics like Mean Time to Detect (MTTD), vendor risk scores, and medical device security.
  • Benchmark Progress: Compare performance against industry peers to identify gaps and allocate resources effectively.

Cybersecurity in healthcare is no longer optional - it’s a necessity to protect patient safety, ensure operational continuity, and maintain trust.

Healthcare Cybersecurity Statistics and Key Performance Indicators 2024

Common Cybersecurity Challenges in Healthcare IT

Third-Party and Supply Chain Risk Management

Healthcare delivery organizations (HDOs) rely on a vast network of vendors, ranging from electronic health record providers to medical device manufacturers. This reliance creates a broad attack surface. Alarmingly, 88% of healthcare organizations experienced a cyberattack in the past year, with 40% involving third-party vendors [9]. The problem isn't just the number of vendors - it's also the lack of consistent oversight into their security practices. While many HDOs perform initial third-party risk assessments, ongoing monitoring often falls by the wayside, leaving vulnerabilities that attackers can exploit.

The absence of standardized vendor documentation and continuous monitoring only makes things worse. IBM's 2024 report reveals that 70% of healthcare breaches involve third parties, and organizations working with third-party vendors are 2.5 times more likely to experience a breach [4]. The 2021 Kaseya supply chain attack illustrates how a single compromised vendor can trigger widespread issues, enabling ransomware to spread through trusted connections. Compounding these risks are internal vulnerabilities within healthcare IT systems, which further widen the attack surface.

Medical Device and Asset Management Vulnerabilities

Network-connected medical devices introduce challenges that traditional IT security measures aren't well-equipped to handle. Around 60% of medical devices in hospitals run on outdated software that no longer receives security updates. Many of these devices still use default credentials and connect via unsecured IoT protocols [11]. For instance, the 2023 Medtronic pacemaker vulnerability demonstrated how attackers could potentially manipulate life-critical equipment through remote code execution.

Adding to the complexity, asset management often falls short. Only 40% of devices are accurately inventoried, leaving IT teams with a fragmented view of their network [5]. Unpatched devices like infusion pumps or imaging systems can serve as entry points for ransomware, making it difficult for hospitals to respond effectively. The rapid growth of the Internet of Medical Things (IoMT) has expanded the attack surface by 300% over the past five years, while threats like firmware exploits continue to evolve faster than organizations can secure their ecosystems. Meanwhile, misconfigurations and technical vulnerabilities heighten the risk of exposing sensitive patient data.

Data Protection and Privacy Concerns

Protecting patient data requires more than just meeting HIPAA compliance standards. HDOs must secure protected health information (PHI) across hybrid cloud environments, while also defending against insider threats and phishing attacks aimed at electronic health record systems. In 2023, over 700 million patient records were breached, with PHI exposure occurring in 92% of these incidents [10]. The financial fallout can be staggering - fines for non-compliance can exceed $1.5 million per violation. A case in point is the 2024 Advocate Aurora breach, which compromised 3 million records [6].

Technical missteps further exacerbate data protection issues. Misconfigurations, such as unencrypted backups and weak access controls, account for 25% of breaches [7]. PHI is particularly vulnerable during transmission between applications and devices, where encryption gaps can leave sensitive information exposed. Healthcare organizations were the target of 47% of all ransomware attacks in the U.S. in 2023, with recovery costs averaging $4.44 million per incident [8]. Beyond the financial and regulatory consequences, such failures erode patient trust and jeopardize the long-term stability of healthcare organizations.

To tackle these challenges, HDOs need to adopt robust performance metrics and systematic approaches. The next section will delve into how benchmarking practices and established frameworks can help mitigate these cybersecurity risks effectively.

How to Plan Cybersecurity in Healthcare: SOC Plan, Ransomware Lessons & Risk Strategy

Applying Cybersecurity Benchmarks and Best Practices

Turning raw performance data into actionable steps is key to strengthening cybersecurity in healthcare IT. This is where benchmarking with established frameworks comes into play.

Using NIST CSF 2.0 and HPH CPGs for Benchmarking

Healthcare organizations need a structured way to evaluate their cybersecurity readiness and identify areas needing improvement. The NIST Cybersecurity Framework (CSF) 2.0 and the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs) provide a practical starting point. The HPH CPGs are divided into two tiers:

  • Essential goals: Covering basics like multi-factor authentication (MFA), email security, and vendor requirements.
  • Enhanced goals: Addressing more advanced measures, such as asset inventory, network segmentation, and centralized log collection [12].

Recent high-profile attacks have revealed the risks in interconnected healthcare systems. Organizations that implemented essential controls, like MFA and vendor cybersecurity standards, were better equipped to detect and stop attacks.

To begin, healthcare entities should focus on the Essential CPGs to tackle common weaknesses like weak passwords, phishing, and unverified vendors. Once these foundational measures are in place, they can move on to Enhanced CPGs, which add layers of protection by isolating critical systems and preventing attackers from moving laterally within networks.

A 2025 study of 69 healthcare and payer organizations (conducted between September and December 2024) found that those leveraging these frameworks could automate third-party risk reassessments more effectively [1]. Additionally, the HICP framework offers a healthcare-specific alternative for organizations aiming to make targeted improvements quickly.

Applying HICP Practices for Targeted Improvements

The Health Industry Cybersecurity Practices (HICP) framework, developed by the HHS 405(d) Program, provides ten specific practices tailored to healthcare's unique risks [13]. Unlike broader cybersecurity frameworks, HICP zeroes in on challenges like securing medical devices and protecting patient data during transmission. Current adoption of HICP and NIST CSF averages about 70%, highlighting room for growth [13].

Organizations that participated in benchmarking studies in both 2023 and 2024 showed the most progress in areas like data protection, vulnerability management, and incident response [13]. While email security systems are widely adopted, securing medical devices remains a significant challenge for many healthcare providers [13]. Notably, organizations with strong cybersecurity leadership - such as a CISO or dedicated security leader - tend to outperform in areas like endpoint protection and data loss prevention [13].

HICP is especially effective for resource-limited organizations because it eliminates the need to adapt generic frameworks to healthcare-specific needs. For example, HICP’s focus on network management includes actionable steps like segmenting networks to protect critical assets, directly addressing vulnerabilities in medical device security. For organizations not fully aligned with NIST CSF, HICP provides a focused roadmap to improve cybersecurity coverage [13].

Using Censinet RiskOps™ for Cybersecurity Performance

Putting frameworks like NIST CSF 2.0 and HICP into action is no small task. It's not just about adopting these standards but also about executing them effectively. That’s where Censinet RiskOps™ steps in - a cloud-based platform tailored for healthcare organizations to tackle cybersecurity risks across third-party vendors, medical devices, and clinical applications. Let’s break down how RiskOps™ transforms these frameworks into measurable outcomes.

Automated Risk Assessments and Benchmarks

Manually assessing vendors can be a time sink, stretching resources thin and delaying risk management efforts. For instance, a mid-sized healthcare delivery organization reviewing 200 vendors annually can benefit significantly from RiskOps™. The platform automates 90% of the process, slashing the time spent per vendor from 40 hours to just 4 and cutting manual work by up to 80%. This efficiency frees up teams to focus on higher-risk areas in the supply chain [3].

RiskOps™ simplifies everything from questionnaires to evidence collection and scoring by mapping assessments directly to NIST CSF 2.0’s 108 subcategories. It even generates gap analyses with prioritized action plans. But it doesn’t stop there - healthcare organizations can benchmark their cybersecurity performance against industry peers using anonymized data. Metrics like third-party risk scores, vulnerability remediation times, and cybersecurity spending are all aligned with HPH CPGs, giving organizations a clear picture of how they stack up [3].

Collaborative Risk Management for HDOs and Vendors

Vendor risk management often feels like a game of email tag, with spreadsheets flying back and forth. RiskOps™ replaces this chaos with shared dashboards, real-time notifications, and joint remediation plans. Vendors can directly submit evidence while healthcare organizations monitor progress on risks, such as medical device vulnerabilities [3].

The Censinet Cybersecurity Data Room offers vendors a secure, HIPAA-compliant space to manage and share risk assessments for their products and services. Features like 1-Click Assessment™ let vendors instantly share security documentation, cutting down delays in sales and renewals. This collaborative setup has delivered impressive results - users report 50% faster third-party assessments and a 30% improvement in risk scores within the first year. One healthcare delivery organization even saw a 40% drop in supply chain incidents, thanks to benchmarking and coordinated fixes [3]. These tools make proactive risk management not just possible but practical.

Real-Time Metrics and Continuous Improvement

RiskOps™ doesn’t just help you manage risks; it helps you understand them in real time. Live dashboards display key performance indicators like risk score trends, remediation speeds, and benchmark gaps. Visual charts track how risks are reduced over time, offering a clear picture of progress.

The Portfolio Risk Management feature takes things further by providing a contextual view of risks across systems, regions, and enterprise levels. It covers everything from supply chains to medical devices and clinical care. With Portfolio Tiering, risks are categorized based on their importance and business impact, automating workflows to ensure high-risk vendors get immediate attention while lower-priority ones follow streamlined processes.

These insights empower leadership to make smarter, data-driven decisions about cybersecurity investments and resource allocation. By aligning with standards like NIST CSF 2.0 and HICP practices, organizations can ensure their cybersecurity strategies are both effective and aligned with industry benchmarks [3].

Measuring Success and Tracking Improvements

Defining Key Performance Indicators (KPIs)

To measure progress effectively, healthcare organizations need to establish clear KPIs that track critical areas like patient data protection, medical device security, and third-party vendor risk management.

Here are some key metrics to focus on:

  • Mean Time to Detect (MTTD): Aim for detection within 24 hours.
  • Mean Time to Respond (MTTR): Target response times of 72 hours or less.
  • Framework Compliance: Strive for 95% adherence to NIST CSF 2.0 controls.
  • Third-Party Risk: Reduce high-risk vendors from 30% to 10% annually and ensure all vendors in the supply chain are assessed.
  • Medical Device Security: Achieve 100% asset inventory accuracy, conduct weekly vulnerability scans covering 98% of devices, and resolve critical vulnerabilities within seven days.
  • Data Protection: Ensure 100% encryption compliance for PHI at rest and in transit, while keeping unauthorized access attempts below 1%.

Phishing simulation results can also offer insight into staff readiness. For example, top-performing organizations achieve an 85% success rate in these tests, compared to the industry average of 65%. Additionally, patch management is a cornerstone of device security, with a goal of patching 90% of medical devices within 30 days of a vulnerability disclosure.

By defining these KPIs, healthcare organizations can create a roadmap for improving their cybersecurity posture.

Using Metrics to Drive Improvements

Real-time dashboards play a crucial role in turning data into actionable insights. For example, tracking trends like a reduction in MTTR from 96 hours to 48 hours over a quarter highlights areas of progress. Setting quarterly targets and using alerts to flag when MTTR exceeds 72 hours ensures timely intervention.

Benchmarking against industry peers provides valuable context. If your third-party risk assessment completion rate hits 90% while the industry average hovers around 70%, you're ahead. However, gaps in areas like medical device security or vendor remediation signal where further work is needed. These benchmarks help pinpoint specific deviations from best practices. For instance, one mid-sized U.S. hospital reduced its breach risk by 40% in a year by closely monitoring vendor risk scores and MTTR, while achieving 92% compliance with NIST CSF through focused supplier prioritization.

Post-incident reviews are another essential tool. Analyze which KPIs flagged the issue to refine your approach moving forward. Regularly benchmark against peers and update KPIs to address evolving threats. Healthcare leaders who adopt updated cybersecurity frameworks report impressive results, such as identifying vulnerabilities 40% faster and achieving a 35% improvement in risk reduction rates.
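The KPI definitions above (MTTD, MTTR, asset inventory accuracy, weekly scan coverage, critical-vulnerability resolution within seven days) and the alerting rule in the previous section (flag when MTTR exceeds 72 hours) are easy to state but only useful once they are computed consistently from records. The following Python is an added example, not Censinet's code or the RiskOps™ platform's logic: it defines each metric over constructed incident and device records, applies the targets quoted in the post, and returns the list of KPIs that would trigger an alert. The record layouts, device names and dates are assumptions made for illustration.

```python
"""Compute healthcare cybersecurity KPIs and raise threshold alerts.

Added example, not part of the original post. Targets come from the post;
the record shapes and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets quoted in the post.
MTTD_TARGET_H = 24            # detect within 24 hours
MTTR_TARGET_H = 72            # respond within 72 hours
SCAN_WINDOW = timedelta(days=7)   # weekly vulnerability scans
SCAN_COVERAGE_TARGET = 0.98   # 98% of devices scanned each week
INVENTORY_TARGET = 1.00       # 100% asset inventory accuracy
CRITICAL_SLA = timedelta(days=7)  # critical findings resolved within seven days


@dataclass
class Incident:
    incident_id: str
    started_at: datetime              # earliest attacker activity, from the post-incident review
    detected_at: datetime
    resolved_at: Optional[datetime]   # None while the incident is still open


@dataclass
class Device:
    device_id: str
    last_scanned: Optional[datetime]  # None if the device has never been scanned
    critical_disclosed: Optional[datetime] = None   # when a critical finding was disclosed
    critical_resolved: Optional[datetime] = None    # when it was remediated (None if open)


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def mttd_hours(incidents) -> Optional[float]:
    """Mean Time to Detect: first attacker activity to detection, all incidents."""
    if not incidents:
        return None
    return sum(_hours(i.detected_at - i.started_at) for i in incidents) / len(incidents)


def mttr_hours(incidents) -> Optional[float]:
    """Mean Time to Respond: detection to resolution, closed incidents only."""
    closed = [i for i in incidents if i.resolved_at is not None]
    if not closed:
        return None
    return sum(_hours(i.resolved_at - i.detected_at) for i in closed) / len(closed)


def inventory_accuracy(inventory_ids, observed_ids) -> float:
    """Share of devices observed on the network that also appear in the asset register."""
    observed = set(observed_ids)
    if not observed:
        return 1.0
    return len(observed & set(inventory_ids)) / len(observed)


def scan_coverage(devices, now: datetime) -> float:
    """Share of devices scanned within the weekly window ending at `now`."""
    if not devices:
        return 1.0
    scanned = [d for d in devices if d.last_scanned and now - d.last_scanned <= SCAN_WINDOW]
    return len(scanned) / len(devices)


def critical_sla_compliance(devices, now: datetime) -> float:
    """Share of critical findings that were resolved within the SLA.

    A finding counts as "due" once it is resolved or once its SLA has elapsed;
    open findings still inside the SLA are not judged yet.
    """
    due = met = 0
    for d in devices:
        if d.critical_disclosed is None:
            continue
        if d.critical_resolved is not None:
            due += 1
            if d.critical_resolved - d.critical_disclosed <= CRITICAL_SLA:
                met += 1
        elif now - d.critical_disclosed > CRITICAL_SLA:
            due += 1   # still open and already past the SLA: a missed target
    return met / due if due else 1.0


def kpi_report(incidents, devices, inventory_ids, observed_ids, now: datetime) -> dict:
    return {
        "mttd_h": mttd_hours(incidents),
        "mttr_h": mttr_hours(incidents),
        "inventory_accuracy": inventory_accuracy(inventory_ids, observed_ids),
        "scan_coverage": scan_coverage(devices, now),
        "critical_sla": critical_sla_compliance(devices, now),
    }


def kpi_alerts(report: dict) -> list:
    """Return one alert string per KPI that misses its target."""
    alerts = []
    if report["mttd_h"] is not None and report["mttd_h"] > MTTD_TARGET_H:
        alerts.append(f"MTTD {report['mttd_h']:.1f}h exceeds {MTTD_TARGET_H}h target")
    if report["mttr_h"] is not None and report["mttr_h"] > MTTR_TARGET_H:
        alerts.append(f"MTTR {report['mttr_h']:.1f}h exceeds {MTTR_TARGET_H}h target")
    if report["inventory_accuracy"] < INVENTORY_TARGET:
        alerts.append(f"inventory accuracy {report['inventory_accuracy']:.0%} below target")
    if report["scan_coverage"] < SCAN_COVERAGE_TARGET:
        alerts.append(f"scan coverage {report['scan_coverage']:.0%} below {SCAN_COVERAGE_TARGET:.0%}")
    if report["critical_sla"] < 1.0:
        alerts.append(f"critical-vulnerability SLA met for only {report['critical_sla']:.0%} of findings")
    return alerts


# Constructed sample data (hypothetical hospital, one month of records).
NOW = datetime(2025, 3, 1)
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2025, 2, 1, 8), datetime(2025, 2, 1, 20), datetime(2025, 2, 3, 8)),
    Incident("INC-2", datetime(2025, 2, 10, 0), datetime(2025, 2, 11, 12), datetime(2025, 2, 16, 12)),
    Incident("INC-3", datetime(2025, 2, 25, 6), datetime(2025, 2, 25, 18), None),
]
SAMPLE_DEVICES = [
    Device("pump-01", datetime(2025, 2, 27), datetime(2025, 2, 1), datetime(2025, 2, 5)),
    Device("pump-02", datetime(2025, 2, 10), datetime(2025, 2, 15), None),
    Device("ct-01", datetime(2025, 2, 28), datetime(2025, 2, 26), None),
    Device("mri-01", None),
    Device("monitor-07", datetime(2025, 2, 26)),
]
INVENTORY_IDS = {"pump-01", "pump-02", "ct-01", "mri-01"}          # asset register
OBSERVED_IDS = {d.device_id for d in SAMPLE_DEVICES}              # seen on the network

if __name__ == "__main__":
    report = kpi_report(SAMPLE_INCIDENTS, SAMPLE_DEVICES, INVENTORY_IDS, OBSERVED_IDS, NOW)
    for k, v in report.items():
        print(f"{k}: {v}")
    for a in kpi_alerts(report):
        print("ALERT:", a)
```

Two design choices matter when these numbers feed a dashboard. MTTR is computed over closed incidents only, so a long-running open incident does not silently lower the average; track open-incident age separately. The SLA metric treats an open critical finding as a miss only once its seven days have elapsed, which avoids penalising findings disclosed yesterday while still surfacing the ones that are genuinely overdue.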

Conclusion and Next Steps

Key Takeaways

The February 2024 Change Healthcare attack highlighted how cybersecurity lapses can ripple across the healthcare ecosystem, affecting patient safety, care delivery, and operational continuity nationwide [14]. Organizations that align with frameworks like NIST CSF 2.0, HPH CPGs, and HICP are better positioned to handle these emerging threats [14].

However, significant challenges remain - especially in managing third-party risks and maintaining accurate asset inventories. As Censinet emphasizes, "Healthcare leaders must be able to actively track, measure, adjust, and improve progress and effectiveness of their cybersecurity program" [2]. This calls for a shift from static, once-a-year assessments to dynamic, ongoing monitoring and real-time performance tracking. Addressing these vulnerabilities requires continuous risk evaluation and proactive vendor oversight.

Peer benchmarking provides another layer of insight, offering a clear perspective on how your organization compares within the industry. The 2025 Benchmarking Study, which surveyed 69 healthcare and payer organizations between September and December 2024, found strong links between framework adoption, staffing levels, and overall resilience [14]. Regularly measuring your performance against industry standards can help you fine-tune investments and address critical gaps.

These findings lead directly to actionable steps for healthcare IT leaders.

  • Adopt standardized frameworks: Implement NIST CSF 2.0 and HPH CPGs to establish measurable maturity goals [14]. Additionally, consider integrating the NIST AI Risk Management Framework to prepare for AI-related risks.
  • Strengthen third-party risk management: Use tools like Censinet RiskOps™ to automate vendor assessments, enhance enterprise risk oversight, and gain real-time visibility into your risk environment. These platforms can reduce manual effort while ensuring thorough risk coverage.
  • Define clear KPIs: Metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and vendor risk scores should guide your continuous improvement efforts. Real-time dashboards can provide actionable insights to track progress effectively.
  • Benchmark against peers: Regularly compare your cybersecurity spending, staffing levels, and framework adoption with similar organizations. This helps identify areas for improvement, optimize resource allocation, and align your priorities with industry best practices. By quantifying outcomes and tracking progress, cybersecurity can evolve from a cost burden into a key driver of patient care and financial stability.

FAQs

Which cybersecurity framework should we start with?

The NIST Cybersecurity Framework (NIST CSF) is a solid foundation for healthcare organizations looking to strengthen their cybersecurity efforts. It provides a structured yet adaptable way to handle cybersecurity risks, ensuring alignment with HIPAA requirements while tackling challenges unique to the healthcare sector.

The framework is built around key components like customizable profiles and five core functions: Identify, Protect, Detect, Respond, and Recover. These elements help organizations create tailored strategies to manage risks effectively.

To make the process easier, Censinet supports NIST CSF 2.0 by offering tools that simplify implementation. These tools assist healthcare organizations in assessing their cybersecurity practices and improving their overall maturity in this critical area.

What are the most important KPIs to track first?

When it comes to healthcare cybersecurity and risk management, a few key performance indicators (KPIs) stand out. These include:

  • Incident Response Time: How quickly your team can identify and address security incidents.
  • Compliance Audit Scores: A measure of how well your organization meets regulatory requirements.
  • Patient Safety Indicators: Metrics that reflect how cybersecurity impacts overall patient safety.
  • Vendor Risk Ratings: Assessments of third-party vendors to ensure they don't pose unnecessary risks.
  • Mean Time to Risk Resolution: The average time it takes to resolve identified risks.

Tracking these KPIs helps paint a clear picture of your organization's cybersecurity performance, adherence to regulations, and overall risk management effectiveness.

How can we continuously monitor third-party risk?

Healthcare organizations can stay on top of third-party risks by using real-time tracking systems that offer clear visibility into vendor activities and compliance. With automated assessments and alerts, these systems cut down on manual work and ensure quick responses to potential issues. Tools like Censinet RiskOps™ provide centralized dashboards, streamlined workflows, and actionable alerts. This setup helps identify and address risks early, making third-party risk management more efficient and effective for healthcare providers.
