Hospital Cybersecurity Ratings Catch Up to Other Industries

Hospital cybersecurity ratings historically lag behind other industries such as finance and retail, but the gap is slowly closing.


By Jill McKeon

Healthcare organizations maintain valuable protected health information (PHI) that makes them prime targets for ransomware attacks, but hospital cybersecurity ratings historically lag behind most other industries.

While hospitals achieved significantly lower cybersecurity ratings from 2014 to 2016 compared to Fortune 1000 firms, healthcare providers have been slowly closing the gap ever since, according to a study published recently in the Journal of the American Medical Informatics Association.

By 2017, researchers found that the gap in cybersecurity ratings compared to other industries was no longer statistically significant.

“The reduction in the gap in security rating suggests that healthcare providers are catching up to the general cybersecurity performance of large, publicly traded firms,” the study explained.

However, hospitals remain significantly more vulnerable to data breaches than other industries. Researchers found that hospitals were still significantly more exposed to botnets, spam, and malware than Fortune 1000 firms.

The study focused on commercial risk ratings provided by BitSight, an external ratings organization. The researchers used logistic regression to determine the relationship between cybersecurity ratings and the occurrence of data breaches.

Researchers focused on each hospital or firm’s security rating and compromised system score.

“A security rating is a summary measurement of an organization’s cybersecurity performance in the dimensions of compromised systems, diligence, user behavior, and data breaches,” the study explained.

“The compromised system score measures vulnerability against botnets, spam, and malware. Both measures range from 250 to 900, with higher ratings corresponding to better security.”

Hospitals with cybersecurity ratings under 400 had on average between a 38.3 percent and 49.4 percent chance of experiencing a data breach.

The number of data breaches reported to HHS increased from 270 in 2015 to 510 in 2019, and the upward trend is continuing today, researchers found.

A joint report from IBM Security and Ponemon Institute revealed that healthcare data breaches incurred costs averaging $9.23 million per incident in 2020, a $2 million increase from 2019.

The researchers confirmed their hypothesis that hospitals had lower cybersecurity ratings than other industries despite being at high risk for a data breach. However, the gap is significantly smaller than they originally hypothesized, showing that hospitals are taking preventive measures to combat cyberattacks.

In 2020 alone, 560 healthcare organizations fell victim to ransomware attacks. As cybersecurity incidents become more frequent alongside the ongoing strain of COVID-19, it is clear that hospitals must turn their attention and resources to mitigating and preventing ransomware attacks by means of proactive cybersecurity initiatives.

“Hospital administrators and researchers recognize that hospitals must improve cybersecurity. As with other management initiatives, measurement is important and improved security starts with measuring risks,” the study pointed out.

“Quantifying cybersecurity risk is an important step in developing an effective security program that prevents data breaches. Objective measures of risk help decision-makers to make informed choices.”

However, another recent study discovered that cybersecurity investment was not a high priority for most hospital IT teams. Over half of survey respondents admitted that their hospitals were unprotected against some of the most common cybersecurity vulnerabilities.

Even as hospitals slowly close the gap in commercial cybersecurity ratings, it appears that cyber threats will remain a significant challenge for the foreseeable future, often at the expense of patient privacy.