HSCC’s SMART Methodology Offers Roadmap for Healthcare Cybersecurity
The healthcare industry is navigating a cybersecurity crisis as attacks intensify in both frequency and sophistication. In 2024, there were 725 breaches of more than 500 patient records each, according to the Health Sector Coordinating Council’s (HSCC) 2025 report, On the Edge: Cybersecurity Health of America’s Resource-Constrained Health Providers. The report also found that 36% of healthcare facilities have experienced patient complications due to ransomware incidents, while only 14% of healthcare organizations report having fully staffed security teams.
These vulnerabilities hit resource-strained providers the hardest: rural hospitals, community clinics, and small practices, where funding gaps, aging technology infrastructure, and workforce shortages leave critical systems exposed.
“When you have a widely expanding digital foundation for healthcare, that means that you have widely expanding points of vulnerability,” said Greg Garcia, HSCC Executive Director, on a recent episode of the Access Point podcast.
With weak governance, sprawling digital environments, increasing vendor reliance, and inconsistent policy guidance, these institutions face cyber threats that can directly disrupt care and jeopardize patient safety.
To address this systemic weakness, the HSCC Cybersecurity Working Group introduced the Health Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART)—a framework and methodology designed to help healthcare organizations identify, visualize, and manage systemic and third-party cyber risks. The toolkit, developed over 16 months of collaboration among 80 health organizations, enables leaders to map dependencies, assess vulnerabilities, and plan for operational continuity. However, progress remains constrained by financial realities and resource shortages.
“There’s no hospital, no organization anywhere in the healthcare sector that is committing $500 million a year to cybersecurity,” said Garcia on the podcast. “We know we have a problem, and we actually know what we do…we just don’t have the people to do it.”
Without adequate cyber defenses, healthcare remains an attractive target for cybercriminals. As liability protections under the Cybersecurity Information Sharing Act of 2015 (CISA 2015) expire and incidents like the Change Healthcare breach highlight interconnected vulnerabilities, the SMART framework offers a strategic roadmap for resilience.
Through zero-trust architecture, passwordless authentication, and proactive third-party risk management, healthcare organizations can shift cybersecurity from a regulatory checkbox to a core component of patient safety.
Learn more about HSCC’s SMART methodology on episode 3 of the Access Point podcast: SMART Moves in Healthcare Cybersecurity: HSCC’s Blueprint for Critical Function Risk.