Pramote Lertnitivanit/istock via

Healthcare struggles with risk remediation in first half of 2026

Healthcare organizations are improving at identifying cyber threats, but remediation efforts continue to lag due to resource constraints and operational challenges.

Maintaining visibility into incoming cyber threats has long been a challenge for healthcare organizations. But, according to a new report from Fortified Health Security, the industry is getting better at it. The company's analysis of rolling NIST Cybersecurity Framework 2.0 client assessment data showed a 60% increase in critical and high-risk findings in the first half of 2026 compared to last year.

However, remediating those risks is something healthcare has not yet mastered. The report found that risk remediation dropped to 6.4% in the first quarter of 2026, down from 23.3% over the same period in 2025. What's more, on average, an identified risk remained unresolved for 345 days.

"This isn't the story of a single catastrophic breach," the report stated. "It's the story of visibility outpacing capacity."

Increased framework adoption highlights high-risk areas

The good news is that healthcare organizations that have adopted the NIST CSF 2.0 are benefiting from it, the report stated. The framework is effectively highlighting cybersecurity gaps. Identifying these vulnerabilities is half the battle, and healthcare is getting better at it.

The report found that supply chain risk management findings are on track for a 6x increase in 2026 compared to 2025. Identity management, authentication and access control findings are trending toward a 4x increase. Although an increase in vulnerability findings may seem like a red flag, it shows that healthcare organizations have increased visibility into vulnerabilities that might have otherwise gone unnoticed.

Fortified Health Security assessed where the healthcare sector stands regarding the six functions of the NIST CSF 2.0: govern, protect, identify, detect, respond and recover.

Overall, the analysis found that healthcare organizations are getting better at incident eradication, defining roles and responsibilities and responding to cyber incidents. However, assessing critical supplier risk, continuous monitoring, oversight and training are all areas in which they continue to lag.

These shortcomings are largely due to operational constraints, such as staffing shortages, the report said.

"The human capital challenge is not new to healthcare cybersecurity. Modern tooling and security frameworks are just making the gaps it leaves more visible," the report noted. "Even where teams have prioritized well, remediation has stalled because you simply can't close a finding if you don't have the people to do the work. No framework fixes a headcount problem."

Along with finite resources, prioritization challenges remain a bottleneck to effective remediation.

With a multitude of vulnerabilities to address in a given day, security teams must determine whether a vulnerability is associated with an active ransomware campaign, whether the system is patient-facing and other important considerations. This time-consuming process, however necessary, can delay risk remediation, especially when staff is limited.

Overall, healthcare organizations are getting better at identifying their risk areas. The next step is effectively mitigating those risks.

"The organizations that use that visibility to drive prioritization, a strategic roadmap, and the resourcing towards remediation will be the ones that turn a growing list of findings into risk reduction rather than the next headline," the report stated.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.

Dig Deeper on Health data threats