HSCC SMART methodology: what it means for healthcare security teams


(@nhi-mgmt-group)

TL;DR: HSCC’s SMART methodology responds to a healthcare sector facing 725 breaches involving more than 500 patient records in 2024, with 36% of facilities reporting patient complications from ransomware and only 14% saying their security teams are fully staffed, according to HSCC’s 2025 report. The real issue is not just more attack volume, but a governance model that cannot keep pace with dependency sprawl, third-party risk, and thin operational capacity.

NHIMG editorial — based on content published by Imprivata: HSCC’s SMART Methodology Offers Roadmap for Healthcare Cybersecurity

By the numbers:

Questions worth separating out

Q: How should healthcare organisations prioritise cybersecurity when staffing is limited?

A: They should start with critical-function mapping, not with a broad tool rollout.

Q: Why does third-party risk matter so much in healthcare cybersecurity?

A: Because many healthcare services depend on external vendors, shared platforms, and delegated access.

Q: How can zero trust help healthcare organisations reduce cyber risk?

A: Zero trust helps by removing broad implicit trust between systems and forcing access decisions to be more specific and contextual.

Practitioner guidance

  • Map critical care dependencies first: Identify the systems, vendors, and identity paths that support clinical operations, then rank them by the impact of interruption on patient safety and continuity.
  • Review third-party access as a lifecycle process: Verify which vendors still have active access to clinical or administrative systems, and make offboarding, contract renewal, and service-change reviews part of the same workflow.
  • Tie zero trust to actual dependency maps: Use zero trust controls to reduce implicit trust only after you know which relationships exist between users, services, and external providers.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • How the SMART methodology is structured for healthcare dependency mapping and risk visualisation.
  • Why HSCC developed the toolkit over 16 months with 80 health organisations, and how that shaped the framework.
  • The Access Point podcast discussion with Greg Garcia on resource constraints, continuity planning, and healthcare-specific cyber risk.
  • The article’s treatment of zero trust, passwordless authentication, and third-party risk as part of a practical roadmap.

👉 Read Imprivata's coverage of HSCC's SMART methodology for healthcare cybersecurity →
