Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms

A recent study published in the Journal of the American Medical Informatics Association (JAMIA) sought to identify the relationship between cybersecurity risk ratings and healthcare data breaches.

The study was conducted using data obtained from the Department of Health and Human Services between 2014 and 2019 and hospital cybersecurity ratings obtained from BitSight. The data sample included 3,528 hospital-year observations, and Fortune 1000 firms were used as the benchmark against which hospital cybersecurity ratings were compared.

For many years, healthcare has lagged other industries when it comes to managing and reducing cybersecurity risk. The researchers found that in aggregate, hospitals had significantly lower cybersecurity ratings than the Fortune 1000 firms; however, the situation has been improving and, based on BitSight risk ratings, the healthcare industry has now caught up with Fortune 1000 firms. By 2019, the difference between the cybersecurity risk ratings of hospitals and Fortune 1000 firms was no longer statistically significant.

While the gap between hospitals and Fortune 1000 firms has been virtually closed, hospitals were found to be statistically more vulnerable than Fortune 1000 firms to certain types of cyberattack, notably botnets, malware, and spam, where hospital security still lagged behind other industry sectors.

Hospitals with low cybersecurity risk ratings were associated with a significant risk of suffering a data breach. Over the period of study, the probability of a data breach occurring at a hospital with a low cybersecurity rating was between 14% and 33%.

“Recent hacking and ransomware attacks may be shifting the security landscape for hospitals, with much larger potential hospital and patient consequences,” said researchers Sung Choi of the University of Central Florida and M. Eric Johnson of Vanderbilt University. “Ongoing risk assessment is needed to keep up with these threats and will likely require even further security investment.”

The researchers suggested hospital executives need to work to reduce risks related to their technical controls, should improve software and security applications, and tackle human vulnerabilities. Human vulnerabilities are often exploited by cyber threat actors in phishing and malware attacks. By enhancing employee security awareness training programs and conducting training more regularly, hospitals will be able to develop a security culture which will help to further reduce risk.

You can read the study in JAMIA (DOI: 10.1093/jamia/ocab142).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.