Attacks increased substantially during the COVID-19 pandemic and show no signs of abating, the ratings agency says.
Not-for-profit (NFP) hospitals will increasingly face revenue and expense pressures from cyberattacks, according to Fitch Ratings.
In a July 22 news release, Fitch noted the “historic increase” in the volume and severity of cyberattacks over the past 18 months, with criminals seeking to capitalize on the COVID-19 pandemic by attacking hospitals amid the response to the crisis.
“Ransomware pay-outs and efforts to protect or ‘harden’ healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses,” Fitch wrote. “Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked.
“The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.”
Attacks are a growing concern
Citing data from Bitglass, a cloud security firm, Fitch reported a 55% increase in the volume of cyberattacks in 2020 compared with 2019. Attacks also grew in impact, leading to a 16% increase in recovery costs per patient record. Full restoration of systems required an average of 236 days per attack.
“Cyberbreaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” Fitch noted.
Fitch cited several trends that have given criminals more opportunities to launch cyberattacks on hospitals. For example, the shift by some hospital staff to remote work “opened up opportunities for infiltration.”
One exposure that could keep growing even after the COVID-19 public health emergency ends is the expanding use of telehealth, other virtual care capabilities and integrated technology such as wearables, each of which adds connected systems to the hospital’s attack surface.
“Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind,” Fitch stated. “Thus, such software may not always be fully integrated in the institutional cyber defense framework.
“Additionally, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years, even with outdated or unsupported software, leading to gaps in institutional security systems.”
Cyber risk can also affect a hospital’s credit rating, because Fitch factors it into the hospital’s Environmental, Social and Governance (ESG) relevance score.
The ratings agency in June issued similar insights pertaining to the health plan sector, stating that “health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks.”