Greater IT Security Does Not Equal Fewer Cyberattacks for Hospitals, Study Shows

Presented by Office of Public Affairs and Communications

The Verizon Data Breach report indicates the health care sector is the top target for cyberattacks. And, as hospitals do more to guard against attacks, it’s not necessarily translating into fewer data breaches, according to research from the University of Notre Dame.

“When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches,” published in MIS Quarterly, found that the increased use of information technology security systems by hospitals did not equal fewer breaches, contrary to predictions.

Lead author Corey Angst, professor of IT, Analytics, and Operations in Notre Dame’s Mendoza College of Business, says, “It even seems that only certain types of hospitals are able to reap the benefits of having a greater number of IT security systems. Those hospitals that symbolically, as opposed to substantively, adopt practices are not effective in using IT security to thwart breaches. We also found that it takes time for hospitals to realize the benefits of substantive adoption.”

The team studied data breaches in U.S. hospitals from 2005-2013. Depending on the year, the number of hospitals varied from 4,000 to almost 6,000 — nearly every hospital in the U.S. The researchers continued to collect data on hospital breaches through May 2018.