Internet Risk Surface in the Healthcare Sector

Partner: RiskRecon by Mastercard

The healthcare sector is facing a severe prognosis in the digital era, with 861 reported breaches of protected health information in just the last 24 months. This report benchmarks the digital risk factors facing healthcare institutions to diagnose the underlying causes of this vulnerability. While the “prototypical” healthcare firm maintains a smaller internet footprint with fewer hosts and service providers than other sectors, its finding density remains among the highest in the world.

A critical discovery of this study is the extreme degree of performance variation across the sector. The “worst” exposure rates in healthcare are significantly worse than the worst rates seen in any other industry. This is particularly true for small providers, who exhibit finding rates 3x higher than their larger, better-resourced peers. Smaller institutions like nursing care facilities manage the smallest footprints but face the highest levels of relative exposure.

Hosting models add another layer of complexity. The rate of severe security findings for high-value healthcare assets in the cloud is 10x higher than for those hosted on-premises—the largest such imbalance of any sector analyzed. This suggests a sector-wide readiness gap as institutions migrate sensitive patient data into cloud environments without fully adapting their security paradigms.

Key Findings

  • Highest Relative Exposure: Healthcare maintains some of the highest average rates of severe security findings, outranking sectors like finance and energy.
  • The 10x Cloud Penalty: High-value healthcare assets in the cloud are ten times more likely to have severe findings than those hosted on-premises.
  • 3x Small Provider Gap: The smallest healthcare providers exhibit a rate of severe findings three times higher than that of the largest institutions.
  • Nursing Facility Risk: The nursing and residential care subsector has the smallest internet footprint but the highest levels of vulnerability exposure.
  • Supply Chain Risks: Information-heavy supply chain partners, including collection agencies and EHR providers, show some of the highest finding rates in the ecosystem.
  • Hospital Footprint Paradox: Hospitals maintain the largest internet footprints (139 hosts typical) but achieve the lowest rates of severe findings in the subsector.

This report is collaborative research between RiskRecon, Cyentia Institute, and Health-ISAC, analyzing over five million internet-facing hosts.