A new report from the Cybersecurity and Infrastructure Security Agency (CISA) reveals a 50% reduction in remediation times for critical cyber vulnerabilities within healthcare organizations. This marks a significant milestone in improving cybersecurity across critical infrastructure sectors. The “Cybersecurity Performance Goals Adoption” report highlights healthcare as one of the most engaged sectors in implementing voluntary cybersecurity guidelines. However, gaps remain in areas such as email security and operational technology (OT) protections.
Healthcare’s Cybersecurity Progress: A Closer Look
The report assessed the adoption of six key cybersecurity performance goals (CPGs) introduced by CISA. These goals aim to help organizations mitigate risks to critical infrastructure by aligning practices with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
Among the report’s findings, healthcare organizations demonstrated a notable decrease in known exploited vulnerabilities (KEVs). The average number of KEVs per organization dropped from 1.5 in 2022 to below 0.5 in 2024. Additionally, healthcare entities reduced their SSL vulnerability resolution times from nearly 200 days to just 12 days over the two-year analysis period.
“This rapid improvement demonstrates the commitment of healthcare organizations to securing their networks and protecting patient data,” the report stated.
Notable Advances in Cybersecurity Practices
The report highlighted several key metrics that reflect progress in healthcare cybersecurity:
- Faster Remediation Times
Organizations resolved critical vulnerabilities 50% faster and high-severity vulnerabilities 25% faster compared to 2022. - Decreased Exploitable Services
Healthcare organizations showed a steady decline in internet-facing exploitable services, such as Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP), which are common attack vectors for ransomware. - Encryption Protocols
Outdated encryption methods, including older versions of SSL and Transport Layer Security (TLS), declined significantly in the sector. These vulnerabilities dropped from 3.8 to 2.5 instances per entity by 2024. - Increased Enrollment in Cyber Hygiene Services
Enrollment in CISA’s Cyber Hygiene (CyHy) scanning service grew by 201%, reflecting healthcare organizations’ increasing focus on proactive threat detection and mitigation.
Persistent Challenges: Email Security and OT Risks
Despite significant progress, the report highlighted areas where healthcare organizations lagged. Only 2% of entities implemented a comprehensive email security configuration that includes Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and STARTTLS. “This gap exposes organizations to phishing attacks and email spoofing,” the report stated.
Operational technology (OT) risks also presented a challenge, with 5% of healthcare organizations having exposed OT connections to the public internet. These connections often manage critical medical devices and infrastructure. “Unsecured OT systems pose a severe risk to patient safety and operational continuity,” the report warned.
Actionable Recommendations for Healthcare IT Executives
To further enhance cybersecurity, CISA recommends healthcare IT leaders adopt the following practices:
- Implement Comprehensive Email Security
Configure DMARC, SPF, and STARTTLS to protect against phishing and email spoofing. - Regularly Audit Vulnerabilities
Use vulnerability scanning tools to identify and prioritize remediation of KEVs. - Upgrade Encryption Protocols
Replace outdated SSL and TLS configurations with agile, modern encryption standards. - Limit Exposed Services
Minimize internet-facing exploitable services, including RDP and FTP, to reduce attack vectors. - Strengthen OT Protections
Secure OT systems by limiting public internet access and enhancing internal safeguards. - Adopt Security.txt Files
Publish standardized vulnerability disclosure files to streamline communication and response to cyber incidents.
The Growing Importance of Security.txt Files
The report emphasized the need for healthcare organizations to adopt security.txt files, which provide contact information for reporting vulnerabilities. While adoption of these files remains low, CISA urged organizations to use them as a simple yet effective way to improve cybersecurity posture. “A well-implemented security.txt file can enhance response times and reduce the impact of zero-day vulnerabilities,” the report stated.
The Road Ahead for Healthcare Cybersecurity
While the progress outlined in the report is encouraging, CISA acknowledged the ongoing nature of cybersecurity challenges. The agency plans to refine its performance goals and expand analytics to provide more granular insights into adoption trends.
Dr. Anika Gardenhire, Chief Digital & Information Officer at Ardent Health Services, emphasized the stakes for healthcare organizations. “Cybersecurity is not just an IT responsibility—it’s a mission-critical imperative for health systems,” she said.
The report concluded, “Every vulnerability mitigated and every second saved in response time can make a life-saving difference in healthcare.”
For more healthsystemCIO Cyber vulnerabilities content click here.
Share Your Thoughts
You must be logged in to post a comment.