Research Day








INTRODUCTION: Information Technology in health care has rapidly expanded in the past decade, fundamentally changing the way clinicians care for their patients. With this rapid adoption, cybercriminals have increasingly targeted the health industry due to a large amount of vulnerable patient health and financial information. A growing body of research suggests that the health care industry lags behind other industries in securing vital data, and should devote more effort and funding to mitigate this risk [1]. In this study, we generate monetary estimates to quantify how much hacking incidents could cost the country and compare how geographical regions within the United States differ. Understanding the potential financial impact of a hacking breach is vital for health care organizations as well as policy makers in the United States.

METHODS: All available reported breaches classified as an information technology (IT) hacking breach, including completed and ongoing investigations, were downloaded from the U.S. Department of Health and Human Services Office for Civil Rights (as of September 21, 2017). An application in the Python programming language was developed to identify, extract, and quantify the distribution of breach locations for IT hacking breaches. Summary statistics, including total number of breaches within stated range, by breach type, and by region were calculated using Microsoft Excel version 15.24 (Redmond, WA). We utilized an average per-record cost of $355 for health care organization data breaches, reported by the 2016 Cost of Data Breach Study: Global Analysis performed by the Ponemon Institute [2]. We included data breaches with the highest likelihood of cybercrime involvement (i.e. hacking/IT incident, and hacking/IT incident/unauthorized access or disclosure). Estimates of monetary loss for each compromised record included all breaches affecting between 3,000 and 100,000 individuals, as larger, more catastrophic breaches were out of scope of the Ponemon estimates. We stratified the data by region of the United States as per boundaries set by the U.S. Census Bureau to identify areas at greatest risk of financial harm from health IT data breach. We included nine regions with the following designations:

New England, Mid-Atlantic, East North Central, North Central, South Atlantic, East South Central, West South Central, Mountain, Pacific. Several tables and figures were constructed to visualize this data.
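The estimate described in the methods can be sketched as follows; this is an added example, not the study's own application. The CSV column names, the breach-type label spellings, the inclusive bounds and the sample rows are assumptions, and the nine divisions use the U.S. Census Bureau's names.

```python
import csv
import io
from collections import defaultdict

COST_PER_RECORD = 355  # USD per record, the Ponemon figure the page uses
MIN_AFFECTED, MAX_AFFECTED = 3_000, 100_000  # treated as inclusive (assumption)
# Labels counted as hacking; their exact export spelling is an assumption.
HACKING_TYPES = {"hacking/it incident",
                 "hacking/it incident, unauthorized access/disclosure"}
# U.S. Census Bureau divisions, by state postal code.
DIVISIONS = {
    "New England": "CT ME MA NH RI VT",
    "Middle Atlantic": "NJ NY PA",
    "East North Central": "IL IN MI OH WI",
    "West North Central": "IA KS MN MO NE ND SD",
    "South Atlantic": "DE DC FL GA MD NC SC VA WV",
    "East South Central": "AL KY MS TN",
    "West South Central": "AR LA OK TX",
    "Mountain": "AZ CO ID MT NV NM UT WY",
    "Pacific": "AK CA HI OR WA",
}
STATE_TO_DIVISION = {s: d for d, states in DIVISIONS.items() for s in states.split()}
# Constructed sample rows; the column names are assumed, not from the page.
SAMPLE_CSV = """State,Individuals Affected,Type of Breach
FL,12000,Hacking/IT Incident
TX,"45,500",Hacking/IT Incident
GA,3000,"Hacking/IT Incident, Unauthorized Access/Disclosure"
NY,2500,Hacking/IT Incident
CA,250000,Hacking/IT Incident
PA,8000,Theft
PR,5000,Hacking/IT Incident
"""

def estimate_loss_by_division(csv_text):
    """Return ({division: individuals affected}, {division: USD at risk})."""
    affected = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type of Breach"].strip().lower() not in HACKING_TYPES:
            continue  # not one of the two hacking categories
        # A blank count becomes 0 and is dropped by the range check below.
        n = int(row["Individuals Affected"].replace(",", "") or 0)
        if not MIN_AFFECTED <= n <= MAX_AFFECTED:
            continue  # outside the range the per-record cost is applied to
        division = STATE_TO_DIVISION.get(row["State"].strip().upper())
        if division is None:
            continue  # territories fall outside the nine divisions
        affected[division] += n
    return dict(affected), {d: n * COST_PER_RECORD for d, n in affected.items()}
```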

RESULTS: Each compromised record poses a monetary risk of approximately $355 [2]. In total, the reported breaches pose a potential loss of $1,346,671,555 between 2013 and 2017. The three regions with the largest number of individuals affected, and thus at risk of the largest potential financial loss, are the South Atlantic (745,355), West South Central (650,929), and Middle Atlantic (499,443).

CONCLUSIONS: There are well-documented cases in which cybercrime against organizations resulted in catastrophic loss of patient care [3]. With the rapid growth of electronic health records comes a rapid growth of risk. This study shows that over 1.3 billion USD was at risk of compromise in the United States between 2013 and 2017, with significant geographical variation. We have established a simple method to quantify cybercrime risk for health care organizations, which can be useful when budgeting for security information technology and disaster mitigation strategies.


[1] Kruse CS, Frederick B, Jacobson T, et al. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol Heal Care 2017;25:1–10. doi:10.3233/THC-161263

[2] Ponemon Institute. 2016 Cost of Data Breach Study: Global Analysis. June 2016.

[3] Clarke R, Youngstein T. Cyberattack on Britain’s National Health Service - A Wake-up Call for Modern Medicine. N Engl J Med 2017;377:409–11. doi:10.1056/NEJMp1002530
