IT security teams within US healthcare providers historically have had much smaller budgets than in other industries. As a result, they have struggled to implement advanced security capabilities and sophisticated risk management practices. With HIPAA audits and fines on the rise, a rapidly changing threat landscape, and increasing public sensitivity regarding patient privacy, we are seeing an increased focus on security and risk maturity. This report helps healthcare security pros learn from their peers and provides recommendations for addressing critical technology risks.