December 6, 2019

Cybersecurity Capability Maturity Model

A unique capability maturity model to assist healthcare organizations of all sizes in analyzing, prioritizing, and improving their cybersecurity capabilities.

Sensato developed the Cybersecurity Capability Maturity Model to assist healthcare organizations of all sizes in analyzing, prioritizing, and improving their cybersecurity capabilities. Designed specifically for the healthcare industry, the model provides a single, unified boardroom-to-basement understanding of a hospital’s cybersecurity and privacy posture.

Sensato’s Cybersecurity Capability Maturity Model was derived from the C2M2 maturity model designed for use by the U.S. Department of Energy. The maturity model provides flexible guidance to help organizations develop and improve their cybersecurity preparedness across ten critical domains. As a result, the model sits at a high level of abstraction and can be interpreted for organizations of various structures and sizes while also fulfilling HIPAA assessment requirements. “We adopted the C2M2 model because, of all the other assessments, this model is really comprehensive for the healthcare industry yet uncomplicated. In other words, it is easy to implement, provides a quick turn-around, and gives us a full picture of the client’s cybersecurity and privacy environment to design effective strategies,” stated Kelli Watson, Director of Solutions Delivery.

Sensato’s cybersecurity experts conduct the Cybersecurity Capability Maturity Model program in conjunction with the organization’s IT team over a two-day workshop. The model evaluates the following ten domains, providing measurements that help organizations identify strengths and potential weaknesses in their security program and that form the foundation for a holistic cybersecurity strategy.

  • Risk Management
  • Asset, Change, and Configuration Management
  • Identity and Access Management
  • Threat and Vulnerability Management
  • Situational Awareness
  • Information Sharing and Communications
  • Event and Incident Response and Continuity of Operations
  • Supply Chain and External Dependencies Management
  • Workforce Management
  • Cybersecurity Program Management

During the workshop, hospitals receive a threat intelligence briefing and discuss overall cybersecurity best practices. Sensato then guides the IT team through the maturity model tool, which covers the ten critical domains. Once the workshop concludes, Sensato analyzes the findings and crafts a custom set of reports, recommendations, and strategies specific to the organization. The Sensato team also provides a detailed synopsis that helps the organization determine its next steps and overall plan.

Sensato’s Cybersecurity Capability Maturity Model program includes several outcome components.

Findings Report: 

A custom report, which analyzes the findings from the workshop, is presented to the client. The report includes results by domain and provides specific guidance on how to address gaps and immature practices.

Strategic Recommendations: 

One of the most valuable outcomes of the Sensato Cybersecurity Capability Maturity Model is the strategic recommendations component. These are not simple recommendations but the basis of a plan with priorities specific to the organization. Sensato’s strategic recommendations consider the organization’s economics, maturity levels, and risk levels to provide a solid foundation for strategic planning.

An interactive planning session walks the client through the findings, represented in a dashboard (shown below), and the strategic recommendations. The dashboard is a critical asset: it not only gives the facility an understanding of its posture but also builds the foundation for dialogue, prioritization of investments, tactical and strategic planning, and much more. Sensato includes two planning sessions, allowing the client to hold a conference with the overall team and with the board or executive committee.

The maturity model is designed to provide a boardroom-to-basement understanding of an organization’s cybersecurity preparedness and capabilities. The model helps clients focus their improvement efforts on those of the ten domains where their hospitals most need them. “What I commonly see among our customers is that they find the dashboard very useful. It is a visual representation of the assessment that helps them summarize the weaknesses and strengths as well as present the outcomes to their team and executive leadership,” stated Kelli.

To learn more about the program, please contact us.