Blog | Enterprise Risk Management

Fitch describes the heightened risk posed by cyberattacks on not-for-profit hospitals

Blog | Enterprise Risk Management

Fitch describes the heightened risk posed by cyberattacks on not-for-profit hospitals

Attacks increased substantially during the COVID-19 pandemic and show no signs of abating, the ratings agency says.

Not-for-profit (NFP) hospitals increasingly will face revenue and expense pressures from cyberattacks, according to Fitch Ratings.

In a July 22 news release, Fitch noted the “historic increase” in the volume and severity of cyberattacks over the past 18 months, with criminals seeking to capitalize on the COVID-19 pandemic by attacking hospitals amid the response to the crisis.

“Ransomware pay-outs and efforts to protect or ‘harden’ healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses,” Fitch wrote. “Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked.

“The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.”

Attacks are a growing concern

Citing data from Bitglass, a cloud security firm, Fitch reported a 55% increase in the volume of cyberattacks in 2020 compared with 2019. Attacks also grew in impact, leading to a 16% increase in recovery costs per patient record. Full restoration of systems required an average of 236 days per attack.

“Cyberbreaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” Fitch noted.

Fitch cited several trends that have given criminals increasing chances to launch cyberattacks on hospitals. For example, the transition by some hospital staff to working remotely “opened up opportunities for infiltration.”

A vulnerability that could widen even after the COVID-19 public health emergency ends is the increasing utilization of telehealth, other virtual care capabilities and integrated technology such as wearables.

“Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind,” Fitch stated. “Thus, such software may not always be fully integrated in the institutional cyber defense framework.

“Additionally, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years, even with outdated or unsupported software, leading to gaps in institutional security systems.”

A hospital’s credit rating may be affected by cyber risk as calculated by Fitch when determining the hospital's Environmental, Social and Governance relevance score.

The ratings agency in June issued similar insights pertaining to the health plan sector, stating that “health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks.”

About the Author

Nick Hut

is a senior editor with HFMA, Westchester, Ill. (

Related Articles | Enterprise Risk Management

How To | Cost Effectiveness of Health

4 essential tactics for sustaining an independent community hospital

Independent community hospital face threats to their survival, and they need to take deliberate action to address those threats in order to continue to deliver essential care cost effectively to their communities. Leading community hospitals that are committed to remaining independent share the tactics they have adopted to ensure their independence is sustainable

News | Financial Leadership

Healthcare News of Note: The negative impact of work on health and well-being is the No. 1 reason nurses gave for why they are planning to leave their job

Healthcare News of Note for healthcare finance professionals is a roundup of recent news articles: Negative impacts of work spur nurses’ plans to leave their jobs, annual healthcare spending is higher than ever for insured individuals, and climate change is having a negative effect on human health.

News | Medicare Payment and Reimbursement

News Briefs: CMS plans to reinstate policies pertaining to the inpatient-only and ASC covered-procedures lists

A roundup of the top news affecting healthcare finance professionals.