Blog | Enterprise Risk Management

Fitch describes the heightened risk posed by cyberattacks on not-for-profit hospitals

Attacks increased substantially during the COVID-19 pandemic and show no signs of abating, the ratings agency says.

Not-for-profit (NFP) hospitals increasingly will face revenue and expense pressures from cyberattacks, according to Fitch Ratings.

In a July 22 news release, Fitch noted the “historic increase” in the volume and severity of cyberattacks over the past 18 months, with criminals seeking to capitalize on the COVID-19 pandemic by attacking hospitals amid the response to the crisis.

“Ransomware pay-outs and efforts to protect or ‘harden’ healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses,” Fitch wrote. “Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked.

“The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.”

Attacks are a growing concern

Citing data from Bitglass, a cloud security firm, Fitch reported a 55% increase in the volume of cyberattacks in 2020 compared with 2019. Attacks also grew in impact, leading to a 16% increase in recovery costs per patient record. Full restoration of systems required an average of 236 days per attack.

“Cyberbreaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” Fitch noted.

Fitch cited several trends that have given criminals increasing chances to launch cyberattacks on hospitals. For example, the transition by some hospital staff to working remotely “opened up opportunities for infiltration.”

A vulnerability that could widen even after the COVID-19 public health emergency ends is the increasing utilization of telehealth, other virtual care capabilities and integrated technology such as wearables.

“Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind,” Fitch stated. “Thus, such software may not always be fully integrated in the institutional cyber defense framework.

“Additionally, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years, even with outdated or unsupported software, leading to gaps in institutional security systems.”

A hospital’s credit rating may be affected by cyber risk as calculated by Fitch when determining the hospital’s Environmental, Social and Governance relevance score.

The ratings agency in June issued similar insights pertaining to the health plan sector, stating that “health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks.”

About the Author

Nick Hut is a senior editor with HFMA, Westchester, Ill.
