For-profit versus non-profit cybersecurity posture: breach types and locations in healthcare organisations

Abstract

Background The implementation of emerging technologies has resulted in an increase of data breaches in healthcare organisations, especially during the COVID-19 pandemic. Health information and cybersecurity managers need to understand if, and to what extent, breach types and locations are associated with their organisation’s business type. Objective To investigate if breach type and breach location are associated with business type, and if so, investigate how these factors affect information systems and protected health information in for-profit versus non-profit organisations. Method The quantitative study was performed using chi-square tests for association and post-hoc comparison of column proportions analysis on an archival data set of reported healthcare data breaches from 2020 to 2022. Data from the Department of Health and Human Services website was retrieved and each organisation classified as for-profit or non-profit. Results For-profit organisations experienced a significantly higher number of breaches due to theft, and non-profit organisations experienced a significantly higher number of breaches due to unauthorised access. Furthermore, the number of breaches that occurred on laptops and paper/films was significantly higher in for-profit organisations. Conclusion While the threat level of hacking techniques is the same in for-profit and non-profit organisations, certain breach types are more likely to occur within specific breach locations based on the organisation’s business type. To protect the privacy and security of medical information, health information and cybersecurity managers need to align with industry-leading frameworks and controls to prevent specific breach types that occur in specific locations within their environments.