Independent Study Finds Hospitals With Low BitSight Ratings Have Greater Breach Risk

Andrew Burton | October 13, 2021 | tag: BitSight Security Research

Hospitals are under cyber attack. Are they able to defend themselves? A new study published in the Journal of the American Medical Informatics Association (JAMIA) provides brand new perspectives on the state of hospital cybersecurity performance.

The study, which was conducted by academic researchers from Vanderbilt University and the University of Central Florida, found that while hospitals continue improving their security defenses, they significantly underperform Fortune 1000 firms. It also found that hospitals with low BitSight Security Ratings (scores of 400 or lower) were associated with significant risk of a data breach—with the probability of a breach in a given year ranging from 38.3% to 49.4% (see graph below).

The study provides a unique analysis of hospital cybersecurity issues. Historic studies of healthcare and hospital cybersecurity performed by researchers have relied on qualitative survey data as opposed to quantitative organizational-performance data. 

[Figure: Hospitals with low BitSight ratings. Predicted probabilities of breach risk by security rating among hospitals, with 95% confidence intervals.]

The study concluded that quantifying cybersecurity risk is an important step in developing an effective security program. Additionally, it recommended that hospitals implement a method to quantify cybersecurity risks to make informed decisions about allocating resources. Finally, the study found that objective risk measurement tools, such as BitSight’s cybersecurity rating system, can help hospital decision makers make informed choices.

Ransomware Blamed In Hospital Death

Ransomware attacks can seriously impact a hospital's ability to serve patients effectively and can even result in loss of life. According to the Wall Street Journal, a lawsuit filed in April 2021 alleges that outages resulting from a cyberattack on a hospital in Mobile, AL resulted in an infant’s death.

The lawsuit against Springhill Medical Center claims that hospital personnel missed warning signs that the fetus’ blood and oxygen supplies were dangerously low, because the attack cut off equipment that monitors fetal heart activity. Springhill refused to pay the ransom when the hackers struck, according to the WSJ report. Instead, it tried to contain the damage by shutting down the network and using a variety of workarounds. It should be noted that this is the ransomware response recommended by the FBI.

The hospital denies any wrongdoing. “We stayed open and our dedicated healthcare workers continued to care for our patients because the patients needed us,” said Springhill CEO Jeffrey St. Clair in an email to the WSJ. 

If proven in court, the case could mark the first confirmed death associated with a ransomware attack. However, a recent report by the Ponemon Institute for Censinet found that 22% of surveyed providers saw an increase in the rate of mortality following a cyberattack.

Few Hospitals Conduct Comprehensive Security Risk Assessments

Hospitals handle a massive amount of sensitive information and may lack the security resources and acumen of other large organizations. As a result, they represent a fat target to attackers. According to the 2020 Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Survey:

Relatively few healthcare organizations are conducting end-to-end security risk assessments. Many risks are unaddressed, due to the lack of comprehensive security risk assessments. Furthermore, the legacy system footprint is growing within many healthcare organizations. Sensitive information is exposed and such systems are vulnerable to attack.

Today’s threat actors launch highly effective, targeted attacks rather than the “spray and pray” tactics used in the past. It is estimated that attackers have illegally grossed hundreds of millions of dollars while causing major outages in everything from regional transportation systems to a massive fuel pipeline supplying a large swath of the East Coast of the US.

With this kind of success, it’s unlikely we will see an end to the ransomware epidemic anytime soon. To protect against cyber attacks, hospitals and healthcare organizations require a robust security strategy and the ability to evaluate security performance across the entire ecosystem, including third party suppliers. Continuous testing and incremental improvement is the most effective way to create a cyber-resilient organization.
