Fortified Health Security just released its biannual 2025 Mid-Year Horizon Report, offering a unique view into what is really happening inside cybersecurity at hospitals, healthcare systems, and their extended digital environments.
At the midpoint of 2025, we’re seeing healthcare organizations take cybersecurity more seriously, investing in innovative tools and better frameworks; however, some of the most foundational gaps remain unresolved.
Unlike other reports that rely on publicly disclosed incidents or lagging OCR data, this one is built on Fortified’s own rolling NIST CSF assessment data, collected from 2023 to the present, paired with real-world observations from the field.
The Mid-Year Horizon Report shows where the industry is heading and what needs to change now. The message is clear: healthcare must think differently about cybersecurity.
Signs of Momentum
The good news is that progress is happening. The report identifies several key areas where healthcare organizations are gaining ground.
- Identity and access management, once a notoriously neglected area, is starting to see meaningful improvement as organizations assess their directories, prioritize role-based access, and lay the foundation for modern IAM solutions.
- Cybersecurity is also gaining boardroom visibility. Executive leaders and governance committees are treating security as a strategic concern, not just a regulatory checkbox.
- Risk assessments are evolving from static reports to tools that drive insight, planning, and measurable progress. More healthcare entities are aligning with NIST-based maturity models, providing them with a more comprehensive view of their posture.
- Incident response planning has matured. Healthcare organizations now recognize cyber incidents as enterprise-wide disruptions, not just isolated events, and are aligning responses with business continuity and disaster recovery strategies. This is a significant shift that reflects a broader awareness among leadership teams.
Risks Still Run Deep
Despite these gains, some of the most fundamental challenges are proving difficult to overcome.
Asset management remains one of the sector’s weakest areas. Many organizations still can’t produce a comprehensive, current-state inventory of their connected devices, especially when clinical systems are tracked separately from traditional IT systems. That lack of visibility lets threats go undetected and delays response efforts.
Maintenance of security controls has improved, but it remains a risk. That’s because hospitals are relying on outdated platforms and practices, including legacy systems, decentralized patching, and underfunded infrastructure, which are difficult to secure.
Supply chain risk management and third-party oversight remain ongoing risks that healthcare organizations struggle to manage effectively. Some organizations are beginning to integrate risk scores into procurement decisions, but others still treat vendor assessments as one-time events. That lack of consistency leaves gaps that attackers are more than willing to exploit.
The Threat Landscape Is Not Waiting
While regulatory uncertainty creates inaction among many healthcare leaders, the threats aren’t stopping. The Horizon Report notes a rise in AI-powered phishing, opportunistic attacks on outdated portals, and risk exposure from commonly overlooked digital assets, such as event registration sites and remote login interfaces.
Hospitals cannot afford to wait for policy clarity. Executive orders and draft legislation are in motion, but enforcement and standards are still evolving. Meanwhile, attackers are taking advantage of every lagging system and every moment of inaction.
Thinking Differently Is No Longer Optional
What sets the most resilient healthcare organizations apart is not just framework alignment or budget allocation; it is also the ability to adapt to changing circumstances. It is a mindset. The leaders who are succeeding are the ones asking better questions and refusing to accept the status quo.
The Horizon Report explores the ideas of pushing boundaries and challenging the old playbook with three main articles.
In “The IQ of AI,” Fortified’s Vice President of Threat Services, Preston Duren, states that the most innovative use of artificial intelligence is to augment, rather than replace, human intelligence. Automation can accelerate workflows, but only human analysts can bring the context needed to make patient-safe decisions.
Senior Director of Threat Operations, T.J. Ramsey, takes a closer look at attack surface monitoring and argues that tools like ASM are only helpful if the security fundamentals are strong. Without proper controls, these platforms only reflect the symptoms of deeper problems.
And Fortified’s COO, William Crank, reminds us that peer collaboration is still one of the most underutilized tools in the healthcare cybersecurity toolkit. Silence leads to stagnation. Real progress happens when leaders are willing to share stories, challenge assumptions, and learn from one another.
A Smarter Path Forward Starts Here
Fortified created the 2025 Mid-Year Horizon Report for healthcare leaders who want to go beyond reactive measures and believe cybersecurity is not just a compliance issue but a patient safety priority.
If your healthcare organization is ready to take the next step toward a more defensible, resilient cybersecurity program, start here.
Download the full report now to get the insights, data, and perspectives that will shape the second half of 2025 and beyond.