
The Human Element: Rethinking Cybersecurity Maturity in Healthcare with SANS

Despite years of investment in expanding their technology stacks, healthcare organizations continue to fall victim to high-impact cyberattacks.

Authored by Lance Spitzner

Editor’s Note: 

This blog offers a preview of the updated SANS Security Awareness and Culture Maturity Model, which will be featured in full in the upcoming 2025 SANS Security Awareness Report, launching August 13. The model is introduced in the section “Cultivating a Culture That Mitigates Risk” and provides a structured, practical path for advancing organizational security culture and reducing human risk. For healthcare leaders seeking to improve cybersecurity maturity, it highlights actionable steps to move beyond compliance-based training and build a resilient, security-minded workforce. 

The KLAS Cybersecurity Solutions for Healthcare 2025 Report found that healthcare organizations are over-relying on technology to drive cybersecurity maturity. This calls for a shift in focus from technology alone to one that also includes the human element. As organizations get better at using technology to secure their environments, people have become the primary attack vector.

Despite years of investment in expanding their technology stacks, healthcare organizations continue to fall victim to high-impact cyberattacks. For example, Episource, the medical billing giant owned by a subsidiary of UnitedHealth, announced this month that it suffered a data breach in February 2025, exposing the personally identifiable information (PII) of more than 5.4 million people. And they weren’t alone. In the first half of 2025, the Identity Theft Resource Center reported 283 healthcare data breaches, up nearly 20% over the same period in 2024. Healthcare breaches haven’t stopped, nor have the operational disruptions, delayed patient care, and regulatory pressures that follow them.

It's not due to a lack of tools. In fact, more than half of healthcare organizations polled in a HIMSS Healthcare Cybersecurity Survey planned to increase security spending in 2025. However, it’s important to understand that technology alone doesn’t drive maturity. According to the latest KLAS Cybersecurity Solutions for Healthcare 2025 Report, most healthcare security vendors remain focused on infrastructure tools like cloud security, endpoint protection, network segmentation, and identity. These capabilities dominate the landscape of reported offerings. But when healthcare CISOs were asked about their greatest obstacles to maturity, the answer was not technology gaps; it was a lack of staffing and skill expertise.

That disconnect reflects a broader issue facing the industry: many maturity conversations are still centered on products over people. The KLAS report also found that while demand is growing for managed services such as SOC support and third-party risk management, very few vendors offer services that directly address the human layers of security: awareness training, behavioral simulations, and workforce operational readiness.

To drive real, measurable maturity, organizations must shift their focus from just technology to prioritizing the human element: the security professionals managing risk and the broader workforce whose daily actions influence exposure. This is where SANS can serve as a key partner to the healthcare industry. Listed as a top contributor in the KLAS report's proactive security and workforce readiness categories, SANS was recognized for delivering structured training and simulation programs that help healthcare organizations build readiness and close critical maturity gaps.

Preparing Practitioners for Real-World Execution 

Healthcare security teams operate in complex environments where timing, coordination, and technical judgment directly affect outcomes. Between legacy systems, third-party dependencies, and constant alert volume, even adequately staffed teams can struggle to maintain control.  

SANS training is designed to help alleviate that complexity and drive higher levels of practitioner efficiency in the areas that matter most. Courses focus on building operational fluency: how to lead response workflows during incidents, implement controls effectively, and align tactical decisions with broader business goals. The curriculum is execution-focused, with scenario-based learning and immediate applicability. For example:

  - Leadership and Strategic Readiness
  - Foundational Technical Proficiency
  - Incident Response and Detection

Explore the full list of SANS course and certification offerings here. 

Organizations that adopt SANS training see measurable returns on their investment. In a recent SANS-sponsored IDC study, The Business Value of SANS: Proven Impact of Cybersecurity Training, teams that trained with SANS detected incidents 50% faster, contained them 4.2 times faster, and recovered 2.6 times faster than their non-trained peers. These kinds of improvements translate directly to fewer disruptions, tighter containment windows, and less pressure on response teams.

In a healthcare setting, that can mean the difference between a manageable event and operational downtime that puts patients at risk. Over time, it also builds internal leadership capacity, reducing over-reliance on senior staff and improving overall team resilience.

Cultivating a Culture That Mitigates Risk: A 2025 Model Preview

Security failures rarely begin in the SOC. They start with an overlooked alert, a misplaced click, or a missed opportunity to report something that didn’t feel right. For healthcare organizations where workflows are fast and distributed, employees often encounter threats before the security team does. That’s why cultivating a strong organizational culture of cyber hygiene is foundational to achieving maturity. 

The SANS Security Awareness and Culture Maturity Model offers a structured path for building that culture. It defines five stages of maturity, showing how organizations evolve from baseline training to proactive security culture embedded in day-to-day operations:

  1. Non-Existent: No formal program is in place. Employees have no idea they are targets, that their actions have a direct impact on the security of the organization, do not know or follow organization policies, and easily fall victim to attacks.
  2. Compliance-Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s information assets.
  3. Promoting Awareness and Behavior Change: The program identifies the top human risks to the organization and the behaviors that manage those risks. It goes beyond annual training and includes continual reinforcement throughout the year. More mature programs in this stage identify additional roles, departments, or regions that represent unique risks that require additional or specialized role-based training. Content is communicated in an engaging and positive manner that encourages behavior change. As a result, employees understand their role in cybersecurity, follow organizational policies, and exhibit key behaviors to secure the organization.
  4. Long-Term Culture Change: The program has the processes, resources, and leadership support in place for long-term sustainment. In addition, the security team has moved beyond continuous training and is focusing on additional human-related drivers, such as simplifying security policies and workforce communications, supporting incentive programs, or improving how the security team partners with and enables other departments. As a result, security is an established part of the organization’s culture, and the workforce believes in, supports, and prioritizes security in its daily actions and processes.
  5. Optimization and Resilience: The program has a robust metrics framework aligned with and supporting the organization's mission and business goals. It no longer just measures and reports on changes in behavior and culture, but ultimately how these changes reduce risk and enable leadership to achieve their strategic priorities. As a result, the program is continuously improving and able to demonstrate a return on investment.

Most healthcare organizations are in Stage 2 or early Stage 3. They have training, but it hasn’t yet translated into measurable behavior change. Advancing further requires changing how security is communicated, reinforced, and led. By leveraging the SANS model, CISOs can identify why their awareness programs underperform, make proven adjustments, and communicate results to earn leadership buy-in.

Improve Your Security Maturity with SANS

A strong security culture doesn’t form on its own. It grows through repeated contact, leadership modeling, and meaningful measurement. The organizations that successfully move up the maturity curve are those that treat the human element as their first line of defense. When technical teams are equipped to execute and the broader workforce is engaged in reducing risk, organizations gain the agility and resilience required to manage today’s threats.

SANS provides the training frameworks and cultural benchmarks you need to get there.

Visit https://www.sans.org/why-work-with-sans/ to learn more.  

The full details of the updated model, including new guidance for measuring cultural maturity and advancing program impact, will be available in the 2025 SANS Security Awareness Report, which will be released on August 13.