Document control: Report date February 14, 2026. This report is intended for internal risk planning, audit readiness, board or leadership reporting, and remediation tracking. It is aligned to CISA ransomware guidance and sector-specific frameworks. Distribute only within your organization or to authorized advisors.
How to use: Prioritize findings by phase (Critical 0–30 days, High 30–90 days, Medium 90+ days); assign owners; use Section Performance and Compliance Status tables for governance and regulator discussions.
Industry context: risk level reflects relative threat targeting and regulatory scrutiny; average attack cost is from published industry benchmarks.
Risk Level: Critical
Average Attack Cost: $10.9M*
Regulatory Frameworks: HIPAA, HITECH, NIST CSF, FDA Cybersecurity
Healthcare organizations face significant HIPAA penalties and patient safety risks during ransomware incidents.
Percentage of control objectives met across prevention, detection, response, and recovery (aligned to CISA and sector frameworks).
Good progress. Solid foundation with strategic improvements needed for comprehensive protection.
Comprehensive assessment: 42 of 58 questions completed
Typical attack paths observed in this sector; use to validate controls and tabletop exercises.
Scores by control area help focus remediation; "Sector-Specific" indicates controls tailored to Healthcare & Medical requirements.
| Section | Score | Completion | Type |
|---|---|---|---|
| Asset Management & Inventory | 75% | 6/8 | Universal |
| Backup & Recovery | 80% | 4/5 | Universal |
| Identity & Access Management | 60% | 6/10 | Universal |
| Incident Response & Recovery | 55% | 5/9 | Universal |
| Medical Device & Clinical Systems | 50% | 3/6 | Sector-Specific |
| Network Segmentation | 70% | 4/6 | Universal |
| Vulnerability Management | 65% | 5/8 | Universal |
Prioritized gaps with explanation, business impact, and implementation steps. Use with the Implementation Roadmap to assign owners and timelines.
Finding: Maintain and test offline, immutable backups
Priority: CRITICAL
Current Status: Partially Implemented
Description: Offline or immutable backups ensure recovery capability when primary systems are encrypted. Regular testing validates restore procedures.
Framework Reference: NIST CSF, HIPAA
This finding indicates a critical gap in ransomware defenses. Implementing the recommended controls will reduce attack surface, align with regulatory expectations, and lower the risk of operational disruption, data loss, and regulatory exposure.
Critical risk. Unaddressed, this gap increases the likelihood of a successful ransomware incident, with potential for operational disruption, data loss, regulatory penalties, and reputational harm.
Finding: Implement and maintain multi-factor authentication (MFA)
Priority: HIGH
Current Status: Not Implemented
Description: MFA significantly reduces the risk of credential compromise, which is a common precursor to ransomware deployment.
Framework Reference: NIST CSF, CISA
This finding addresses an important control that strengthens defense-in-depth and compliance. Implementation will reduce residual risk and improve resilience against ransomware and related threats.
Significant risk. Addressing this recommendation reduces attack surface and improves detection, prevention, and response capabilities.
Priority: MEDIUM
Current Status: Not Implemented
Description: Tabletop exercises validate incident response plans and team readiness before an actual incident.
This finding reflects a security best practice. Implementation supports a stronger overall program and demonstrates due diligence for audits and governance.
Moderate risk. Implementation improves overall posture and supports audit and governance expectations.
Phased timeline: Critical (0–30 days), High (30–90 days), Medium (90+ days). Align with resource planning and governance cycles.
Coverage indicates alignment of current responses with each framework; use as a readiness indicator. Confirm with formal compliance review where required.
| Framework | Coverage | Status | Notes |
|---|---|---|---|
| HIPAA | 67% | Fair | Remediation needed |
| HITECH | 67% | Fair | Remediation needed |
| NIST CSF | 67% | Fair | Remediation needed |
| FDA Cybersecurity | 67% | Fair | Remediation needed |
Mapping of assessment sections and findings to framework requirements. Use for audit evidence, gap tracking, and regulator or board reporting.
| Section | Framework requirement(s) | Score | Status |
|---|---|---|---|
| Asset Management & Inventory | NIST CSF ID.AM; HIPAA | 75% | Partially met |
| Backup & Recovery | NIST CSF ID.RA; HIPAA | 80% | Met |
| Identity & Access Management | NIST CSF PR.AC | 60% | Partially met |

| Framework reference(s) | Control / finding | Priority | Status |
|---|---|---|---|
| NIST CSF; HIPAA | Maintain and test offline, immutable backups | CRITICAL | Partially implemented |
| NIST CSF; CISA | Implement and maintain multi-factor authentication (MFA)... | HIGH | Not implemented |
Start with a focused ransomware brief to clarify disruption pressure, priority findings, and immediate remediation steps. Move into the CyberCaution workspace when you need ongoing tracking, evidence management, and deeper operational workflows.