Hospitals More Vulnerable to Botnets, Malware and Spam than Fortune 1000 Companies

The Journal of the American Medical Informatics Association (JAMIA) published a recent study that sought to determine the connection of cybersecurity risk ratings to healthcare data breaches.

The study was carried out utilizing hospital cybersecurity ratings acquired from BitSight and information acquired from the Department of Health and Human Services from 2014 to 2019. The information sample contained 3,528 hospital-year observations. Also, the researcher used Fortune 1000 companies as the standard against which to compare hospital cybersecurity ratings.

For several years, healthcare has been slow compared to other industrial sectors with regards to handling and minimizing cybersecurity risk. The researchers observed that in general, hospitals had considerably lesser cybersecurity ratings compared to the Fortune 1000 companies; nevertheless, the scenario has been getting better and, according to BitSight risk ratings, the healthcare sector has caught up with Fortune 1000 companies at this point. By 2019, there is no statistically significant difference between the cybersecurity risk ratings of hospitals and Fortune 1000 companies.

Although the difference has practically been closed between hospitals and Fortune 1000 companies, hospitals were identified to be statistically more susceptible than Fortune 1000 companies to certain types of cyberattack, especially botnets, spam, and malware, where security continues to lag behind other industries.

Hospitals having low cybersecurity risk ratings were connected with a substantial risk of experiencing a data breach. For the period of the study, the likelihood of a data breach happening at a hospital having a low cybersecurity rating was 14% to 33%.

Current hacking and ransomware attacks might be changing the security scenario for hospitals, with a greater probable hospital and patient outcomes, according to researchers M. Eric Johnson of Vanderbilt University and Sung Choi of the University of Central Florida. Continuing risk assessment is necessary to remain in line with these threats and will probably necessitate even more security investment.

The researchers advised that hospital officers should work to minimize risks associated with their technical controls, must enhance security and software programs, and deal with human vulnerabilities. Cyber threat actors often exploit human vulnerabilities in malware and phishing attacks. By improving training programs for employee’s security awareness and doing training more frequently, hospitals could create a security culture that will help to even more minimize risk.

Read the study in JAMIA 9DOI: 10.1093/jamia/ocab142).

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at