Low Cybersecurity Risk Ratings Associated with Higher Risk of a Hospital Data Breach

A new study published in the Journal of the American Medical Informatics Association has explored the link between cybersecurity ratings and the risk of hospital data breaches. The study, conducted by Sung Choi of the University of Central Florida and M. Eric Johnson of Vanderbilt University, found that between 2014 and 2019, low hospital cybersecurity ratings, as measured by external risk ratings, corresponded with a higher risk of suffering a data breach.

The researchers used Fortune 1000 firms as a benchmark and compared their ratings with hospital cybersecurity ratings from BitSight. The cybersecurity risk ratings of 594 hospitals were assessed against 971 Fortune 1000 firms over the five-year period. The researchers compared time trends in hospital cybersecurity ratings using linear regression and modeled the relationship between hospital data breaches and cybersecurity ratings using logistic regression.

The researchers found that hospitals lagged the Fortune 1000 firms in terms of their cybersecurity risk ratings between 2014 and 2016. The gap has narrowed over time, however, and by 2017 the difference in risk ratings between hospitals and Fortune 1000 firms was no longer statistically significant.

While overall risk ratings were broadly comparable, hospitals were more vulnerable than the Fortune 1000 firms to certain threats, including botnets, malware, and spam. Hospitals have improved their defenses against these threats but still lag the Fortune 1000 firms.

When hospitals that had suffered a data breach were compared with hospitals that had not, the researchers determined that a low security rating was associated with a significant risk of a data breach. In any given year, the probability of a data breach ranged from 14% to 33%.

“Policy makers should continue encouraging acute-care hospitals to proactively invest in security controls that reduce cyber risk,” suggested Choi and Johnson. “Hospital executives should work to reduce risks related to both technical security controls such as updated software and security applications, along with human vulnerabilities that can be addressed through enhanced training and overall security culture.”

You can read the report, "The relationship between cybersecurity ratings and the risk of hospital data breaches," in JAMIA (DOI: 10.1093/jamia/ocab142).