TL;DR: HSCC’s SMART methodology responds to a healthcare sector facing 725 breaches involving more than 500 patient records in 2024, with 36% of facilities reporting patient complications from ransomware and only 14% saying their security teams are fully staffed, according to HSCC’s 2025 report. The real issue is not just more attack volume, but a governance model that cannot keep pace with dependency sprawl, third-party risk, and thin operational capacity.
NHIMG editorial — based on content published by Imprivata: HSCC’s SMART Methodology Offers Roadmap for Healthcare Cybersecurity
By the numbers:
- In 2024, there were 725 breaches of over 500 patient records, according to HSCC’s 2025 report.
- 36% of healthcare facilities have experienced patient complications due to ransomware incidents, according to HSCC’s 2025 report.
- Only 14% of healthcare organizations report having fully staffed security teams, according to HSCC’s 2025 report.
Questions worth separating out
Q: How should healthcare organisations prioritise cybersecurity when staffing is limited?
A: They should start with critical-function mapping, not with a broad tool rollout.
Q: Why does third-party risk matter so much in healthcare cybersecurity?
A: Because many healthcare services depend on external vendors, shared platforms, and delegated access.
Q: How can zero trust help healthcare organisations reduce cyber risk?
A: Zero trust helps by removing broad implicit trust between systems and forcing access decisions to be more specific and contextual.
Practitioner guidance
- Map critical care dependencies first Identify the systems, vendors, and identity paths that support clinical operations, then rank them by the impact of interruption on patient safety and continuity.
- Review third-party access as a lifecycle process Verify which vendors still have active access to clinical or administrative systems, and make offboarding, contract renewal, and service-change reviews part of the same workflow.
- Tie zero trust to actual dependency maps Use zero trust controls to reduce implicit trust only after you know which relationships exist between users, services, and external providers.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How the SMART methodology is structured for healthcare dependency mapping and risk visualisation.
- Why HSCC developed the toolkit over 16 months with 80 health organisations, and how that shaped the framework.
- The Access Point podcast discussion with Greg Garcia on resource constraints, continuity planning, and healthcare-specific cyber risk.
- The article’s treatment of zero trust, passwordless authentication, and third-party risk as part of a practical roadmap.
👉 Read Imprivata's coverage of HSCC's SMART methodology for healthcare cybersecurity →
HSCC SMART methodology: what it means for healthcare security teams?
Explore further
Healthcare cybersecurity is now a dependency problem, not a perimeter problem. The article shows that patient safety is affected when digital foundations expand faster than governance, staffing, and operational continuity planning. That makes the real failure mode systemic exposure across connected services, not a single point product gap. Healthcare leaders need to treat dependency visibility as a core security control, not an optional planning exercise.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% saying they have only partial visibility, according to The State of Non-Human Identity Security.
- That same research finds that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, showing how weak visibility becomes weak governance when access is delegated across systems.
A question worth separating out:
Q: Who should own healthcare dependency mapping and resilience planning?
A: Ownership should sit across security, infrastructure, identity, and clinical operations, because no single team sees the full dependency chain. The point is to connect technical access, vendor relationships, and care continuity into one governance process. If ownership is fragmented, the organisation will map only part of the risk.
👉 Read our full editorial: Healthcare cybersecurity SMART mapping exposes systemic risk gaps