Hospitals lag other companies in cybersecurity risk ratings
A study published this week in the Journal of the American Medical Informatics Association found that hospitals with low cybersecurity ratings were more likely to experience a data breach.  

The research, which also compared hospital cybersecurity ratings with Fortune 1000 firms, found that health systems remain statistically more vulnerable to botnets, spam and malware.  

“Recent hacking and ransomware attacks may be shifting the security landscape for hospitals, with much larger potential hospital and patient consequences,” wrote University of Central Florida’s Sung Choi and Vanderbilt University’s M. Eric Johnson in the study.  

“Ongoing risk assessment is needed to keep up with these threats and will likely require even further security investment,” they added.  
First, Choi and Johnson compared longitudinal cybersecurity risk ratings from BitSight of 594 hospitals with the ratings of 971 Fortune 1000 firms over the course of five years. (A disclosure notes that Johnson served as an early-stage advisor to BitSight and holds unexpired options for his involvement with the firm from 2012 to 2013.)  

They found that, overall, hospitals had significantly lower security ratings than the Fortune 1000 firms from 2014 to 2016 – but the gap narrowed over time.   

By 2017 through the end of the study period in 2019, that difference was no longer statistically significant.  

“The reduction in the gap in security rating suggests that healthcare providers are catching up to the general cybersecurity performance of large, publicly traded firms,” read the study.  

However, that catch-up has not been consistent across the board: When it comes to measures of vulnerability against botnets, spam and malware, hospitals have improved but are still lagging behind.  

Choi and Johnson also compared the cybersecurity ratings of hospitals that had experienced a data breach with those that had not.  

Perhaps unsurprisingly, hospitals with low security ratings were associated with significant risk of a data breach.  

“Hospital executives should work to reduce risks related to both technical security controls such as updated software and security applications, along with human vulnerabilities that can be addressed through enhanced training and overall security culture,” observed Choi and Johnson.  
Although hospitals and health systems certainly aren’t alone when it comes to being targeted – recent attacks on pipelines, meat processors and government agencies make that clear – the potential risk to patient care means their incidents often make major news.  

Recently, Scripps Healthcare experienced a weeks-long network shutdown following a ransomware attack – only to then face a series of lawsuits from individuals saying the health system should have protected their data better.  
“Policy makers should monitor the risk to the healthcare sector and provide incentives for hospitals to invest in risk management and overall information security,” said Choi and Johnson in the JAMIA study.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.