Saturday, July 11, 2026
EN FR
Admin
Compliance

Beyond Assumption: Measuring Security Culture with the SANS Security Awareness Maturity Model in Healthcare

Beyond Assumption: Measuring Security Culture with the SANS Security Awareness Maturity Model in Healthcare

The Problem: Culture Cannot Be Assumed

For decades, healthcare cybersecurity has relied on a transactional approach to security awareness: mandatory annual training, compliance checkboxes, and periodic phishing simulations. Yet breach data tells a different story. According to the 2024 Verizon Data Breach Investigations Report, human error remains the leading cause of healthcare data compromises, accounting for approximately 35% of incidents. More troubling, the SANS Institute's own research reveals that organizations without a formal, measurable approach to security culture assessment consistently underestimate the gap between perceived and actual employee security behavior.

The HIPAA Security Rule's administrative safeguards (45 CFR §164.308) mandate workforce security and awareness training, but the regulation is deliberately outcome-agnostic. HITRUST CSF explicitly requires "security awareness and training," yet leaves organizations to define success. NIST Cybersecurity Framework's "Govern" function (2024 update) emphasizes organizational culture and risk-informed decision-making, but offers no prescriptive maturity model. This ambiguity creates a dangerous vacuum: compliance officers check the box; boards sleep better; and CISOs remain uncertain whether their $2M awareness investment is actually shifting behavior.

The SANS Security Awareness Maturity Model (SAMM) addresses this gap directly by replacing assumption with measurement.

Understanding the SANS Security Awareness Maturity Model

Developed by SANS Institute and refined through over a decade of organizational assessments, the SAMM defines security culture maturity across five levels, progressing from ad-hoc and reactive to strategic and transformational. Unlike checkbox compliance frameworks, SAMM measures behavioral outcomes and cultural indicators that correlate with actual risk reduction.

The Five Maturity Levels

Level 1 (Ad Hoc): Security awareness is fragmented, sporadic, or absent. Training occurs only after incidents. No baseline metrics exist. Few healthcare organizations admit to Level 1, yet many function here in practice.

Level 2 (Reactive): Awareness programs exist to meet compliance mandates. Annual training is completed; policies are published. However, no systematic measurement of behavior change occurs, and awareness is siloed from operational security decisions.

Level 3 (Proactive): Organizations establish measurable awareness objectives aligned with business risk. Training is role-based. Metrics track participation, assessment scores, and phishing simulation click-through rates. Security culture begins to inform hiring and performance management.

Level 4 (Managed): Security awareness is integrated into governance. Metrics drive continuous improvement. Executive leadership visibly champions security behaviors. Incident root-cause analysis routinely identifies awareness gaps and triggers targeted interventions.

Level 5 (Transformational): Security is embedded in organizational identity. Employees autonomously identify and report risks. Awareness metrics are predictive; the organization is ahead of emerging threats. Security culture is a competitive differentiator and a control that reduces audit findings.

Why This Matters for Healthcare Compliance and Risk

Healthcare's regulatory environment makes security culture measurement non-negotiable. CMS's cybersecurity requirements (part of Conditions of Participation for Medicare/Medicaid providers) now explicitly include workforce training effectiveness. OCR's recent enforcement actions—including a $50M settlement with a major health system—cited inadequate security awareness as a contributing factor to preventable breaches. HIPAA audit protocols now assess training effectiveness, not just completion rates.

NIST CSF's Identify function requires organizations to understand "personnel, assets, data, and capabilities." SAMM operationalizes this by defining what "understanding" means in measurable terms. For CISOs preparing for third-party audits (SOC 2, HITRUST validation, NIST assessment), demonstrating SAMM maturity level 3 or higher significantly strengthens audit narratives and reduces finding likelihood.

Implementing SAMM in Healthcare Organizations

Step 1: Baseline Assessment. Conduct a self-assessment using the SANS SAMM questionnaire. Include clinical and administrative staff, IT, leadership, and compliance. Be rigorous; over-rating maturity defeats the purpose. Document current state in relation to each level's criteria.

Step 2: Establish Metrics. Define 3–5 awareness metrics aligned with organizational risk (e.g., phishing simulation click rate <5%, incident reporting rate >80% of observed events, role-specific training completion >95%, post-training assessment pass rate >85%). Baseline these metrics now; track quarterly.

Step 3: Target a 12–18 Month Roadmap. Most healthcare organizations move 1–1.5 levels per year. Targeting Level 3 or 4 is realistic; Level 5 requires 3–5 years of sustained investment.

Step 4: Integrate with Incident Response and GRC. When a security incident occurs, capture whether awareness gaps contributed. Use this data to inform 90-day awareness sprints. Link awareness metrics to the risk register; show board and executive leadership how SAMM progression reduces breach probability and notification costs.

Conclusion: Measure, Act, Transform

Security culture is healthcare's most leveraged control—more cost-effective than any technology solution and more difficult for adversaries to circumvent than any firewall. The SANS Security Awareness Maturity Model transforms culture from an assumption into a measurable asset. For CISOs and compliance officers tasked with reducing insider risk and demonstrating control effectiveness, SAMM provides both the language and the evidence base regulators and boards increasingly demand. Begin with baseline assessment, establish metrics, and commit to a multi-year culture roadmap. The evidence is clear: organizations that measure awareness systematically achieve superior breach outcomes and compliance posture.

📚 Recommended Reading

Books our AI recommends to deepen your knowledge on this topic.

📚
Implementing the NIST Cybersecurity Framework
by David Moskowitz
Moskowitz's guide to implementing NIST CSF provides essential context for aligning security awareness initiatives with the framework's Govern, Identify, and Protect functions, directly supporting SAMM maturity progression in a healthcare compliance context.
View on Amazon →
📚
Hacking Healthcare: A Guide to Standards, Workflows, and Meaningful Use
by Fred Trotter and David Uhlman
Trotter and Uhlman's exploration of healthcare workflows and meaningful use demonstrates how security awareness must be embedded into clinical and operational processes, illustrating why role-based SAMM assessment is critical in healthcare settings.
View on Amazon →
📚
Practical Cloud Security: A Guide for Cloud Environments
by Chris Dotson
Dotson's practical cloud security guidance reinforces that security culture and awareness must extend to cloud environments increasingly used by healthcare organizations, making SAMM's holistic assessment approach applicable across hybrid IT infrastructure.
View on Amazon →