The Relationship Between Cybersecurity Ratings and the Risk of Hospital Data Breaches




We investigated the progression of healthcare cybersecurity over 2014–2019 as measured by external risk ratings. We further examined the relationship between hospital data breaches and cybersecurity ratings

Materials and Methods:

Using Fortune 1000 firms as a benchmark, time trends in hospital cybersecurity ratings were compared using linear regression. Further, the relationship between hospital data breaches and cybersecurity ratings was modeled using logistic regression. Hospital breach data were collected from US HHS, and cybersecurity ratings were provided by BitSight. The resulting study sample yielded 3528
hospital-year observations


In aggregate, we found that hospitals had significantly lower cybersecurity ratings than Fortune 1000 firms, however, hospitals have closed the gap in recent years. We also found that hospitals with the low security ratings were associated with significant risk of a data breach, with the probability of a breach in a given year ranging from 14% to 33%.


Recent cyber-attacks in healthcare continue to illustrate the need to better secure information systems. While hospitals have reduced cyber risk over the past decade, they remain statistically more vulnerable than the Fortune 1000 firms against botnets, spam, and malware.


Policy makers should continue encouraging acute-care hospitals to proactively invest in security controls that reduce cyber risk. Best practices from other sectors like the financial services sector could provide useful guides and benchmarks for improvement.

Download this whitepaper

H-ISAC is all about increasing cyber resilience in the healthcare sector. We are interested in disseminating actionable content that is in keeping with security thought leadership. In alignment with this statement, we do not require your email to download original content from our website.


Translate »