As we continue to look at the digital risk surface of healthcare firms, it is important to note that this study was created not only as a source of information on gaps in cybersecurity programs, but also as a guide for building better third-party risk management programs in the healthcare industry. Hospitals, labs, pharmaceutical companies, research institutes, etc. are vital to our world, and the data they hold requires the utmost care and security measures.

Having compared Healthcare to other sectors, we now examine major subsectors within Healthcare according to the following NAICS designations:

  • Ambulatory Health Care: Offices that provide a range of outpatient services.
  • Hospitals: Provide inpatient medical, diagnostic, and treatment services.
  • Nursing and Residential Care: Provide nursing, supervisory, or other care to residents.
  • Social Assistance: Provide a variety of social services directly to clients.

The graphic below compares these Healthcare subsectors using a set of key cybersecurity dimensions. Here we see that hospitals generally maintain a much larger Internet surface area (hosts, providers, countries), but a substantially lower rate of security findings. We take a small measure of comfort in that result, despite hospitals being more routinely impacted than any other Healthcare subsector in our study of multi-party cyber incidents.

[Figure: Comparison of Risk Surface Dimensions Among Healthcare Subsectors (Cyber Risk Surface of Healthcare Subsectors)]

The figure above compares Healthcare subsectors along key risk dimensions. Note the shifts in ranking among columns: nursing care facilities, for example, show the smallest Internet footprint but the highest levels of exposure.

The data is not at all comforting with respect to the Nursing and Residential Care subsector: it has the smallest Internet footprint yet the highest levels of exposure. Outpatient (Ambulatory) care and Social Assistance mostly fall between hospitals and nursing facilities. Overall, these results reinforce the lesson that the dimensions of the Internet risk surface vary substantially, even among organizations in the same industry. Such distinctions therefore need to be considered when assessing and managing the third-party risk associated with different types of healthcare providers.

To learn more about the risk surface of healthcare firms, download the full report here. You will see the full results from the research and will find out how you can use the information to enhance your third-party cyber risk program.