Healthcare sector’s poor cyber governance performance continues—and business strategy helps explain why


More than 41.4 million patient records were compromised by 572 healthcare data breaches in 2019, according to a study of data provided by the U.S. Department of Health and Human Services, the media, or other sources. This excludes two breaches of IT vendors servicing dental offices across the country in August and December 2019.

This figure represents a 46% y-o-y increase in breaches, continuing the steady annual increases since data analysis by Protenus started in 2016.

The healthcare sector is uniquely vulnerable to phishing attacks compared to other sectors due to high employee turnover and influx of new employees who may lack previous cybersecurity training, according to a March 2019 report published in the Journal of the American Medical Association. This study’s findings were consistent with other large-scale, multi-year studies on the topic.



Though 41.4 million compromised patient records and a 46-percent y-o-y increase in breaches seem significant, they likely represent only a fraction of the healthcare breaches that occurred in the past year, considering most breaches go undetected by companies.

Looking at this issue through a cyber-financial (CyFi) lens, there are a number of primary factors contributing to the healthcare industry’s persistent underperformance on cyber governance:

  • Growth through acquisition. M&A has defined the healthcare sector in recent years. Policy trends have accelerated growth via M&A. Network integration of two large, complex networks, even if successful, creates new vulnerabilities. This business strategy of choice has led to increasingly complex and more difficult-to-manage networks that exponentially increase the number of vulnerabilities facing companies in the sector.
  • Accelerated third-party outsourcing. Healthcare supply chains have been notoriously complex, but the corporate drive for greater efficiency and cost savings amidst the push to digitally transform has created additional supply chain vulnerabilities most companies have not considered when making strategy decisions about outsourcing.
  • Increased reliance on IoT. Operational processes, often combined with sensors and data transmission, execute critical functions that were previously entirely analog-driven—an industry trend that has only accelerated in recent years. This has significantly increased the cost-efficiency, productivity, and margin expansion that C-suites and shareholders seek, but also the cyber vulnerabilities that lead to increased breaches.

Personal health data is some of the most valuable data for cyber criminals and, based on the sector’s underperformance, it is some of the easiest to obtain. The continued rise of ransomware and targeting of the healthcare sector will continue to inflict financial damage on companies stemming from operational disruptions.

See a Rite Aid use case on the dangers of prioritizing growth and cost efficiencies over cybersecurity, a not uncommon decision that has contributed to the structural challenges facing the sector today.
