Study: Better IT Security Doesn’t Mean Fewer Hospital Cyberattacks

A recent study by researchers at the University of Notre Dame looked at 938 data breaches and found institutional factors play the biggest role in the likelihood of hospital cyberattacks.
Published: June 8, 2018

In healthcare, investing more time and money in IT security systems doesn’t equate to fewer data breaches, according to a recent study.

The study, titled “When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches” and published in MIS Quarterly by researchers at the University of Notre Dame, found that the increased use of information technology security systems by hospitals does not equal fewer breaches, reports News Wise.

The study looked at 938 data breaches in U.S. hospitals from 2005 to 2013. Depending on the year, the number of hospitals monitored ranged from 4,000 to 6,000.

The researchers argue institutional factors play a role in determining which hospitals — such as smaller health systems, older health systems, for-profit or nonprofit — are less likely to suffer repercussions from a data breach.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

“It even seems that only certain types of hospitals are able to reap the benefits of having a greater number of IT security systems,” said lead author Corey Angst, a professor at Notre Dame’s Mendoza College of Business. “Those hospitals that symbolically, as opposed to substantively, adopt practices are not effective in using IT security to thwart breaches. We also found that it takes time for hospitals to realize the benefits of substantive adoption.”

Researchers continued to collect data on hospital breaches through May 2018 and an investigative report by Verizon found the healthcare sector was the top target for cyberattacks in 2018.

In February, a phishing attack at Aultman Health Foundation in Ohio potentially breached the data of 42,600 patients. In March, LifeBridge Health and LifeBridge Potomac Professionals in Maryland potentially exposed records of 500,000 patients in a data breach.

“While our report suggests there was a spike in breaches in the first quarter of 2018, our assessment is that these things tend to fluctuate quite a bit over the years,” Angst said. “But to be clear, the threat to hospitals is significant and not decreasing in any meaningful way at least going back to 2006.”

The Verizon report suggests hospitals are attracting more threats because they are adopting new technologies at a fast pace.

The study also suggests that hospitals that are early adopters of innovative IT solutions are less likely to suffer a breach, but Angst emphasizes that simply purchasing IT security systems is not an adequate response to stop data breaches.

“New processes, including training, changes in mindsets and procedures, need to accompany any technology,” Angst said. “In addition, it appears there is a learning curve associated with gaining value from IT security. It takes time for the benefits to accrue.”

Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series