Blog | Enterprise Risk Management

Fitch describes the heightened risk posed by cyberattacks on not-for-profit hospitals

Attacks increased substantially during the COVID-19 pandemic and show no signs of abating, the ratings agency says.

Not-for-profit (NFP) hospitals increasingly will face revenue and expense pressures from cyberattacks, according to Fitch Ratings.

In a July 22 news release, Fitch noted the “historic increase” in the volume and severity of cyberattacks over the past 18 months, with criminals seeking to capitalize on the COVID-19 pandemic by attacking hospitals amid the response to the crisis.

“Ransomware pay-outs and efforts to protect or ‘harden’ healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses,” Fitch wrote. “Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked.

“The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs.”

Attacks are a growing concern

Citing data from Bitglass, a cloud security firm, Fitch reported a 55% increase in the volume of cyberattacks in 2020 compared with 2019. Attacks also grew in impact, leading to a 16% increase in recovery costs per patient record. Full restoration of systems required an average of 236 days per attack.

“Cyberbreaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” Fitch noted.

Fitch cited several trends that have given criminals increasing chances to launch cyberattacks on hospitals. For example, the transition by some hospital staff to working remotely “opened up opportunities for infiltration.”

A vulnerability that could widen even after the COVID-19 public health emergency ends is the increasing utilization of telehealth, other virtual care capabilities and integrated technology such as wearables.

“Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind,” Fitch stated. “Thus, such software may not always be fully integrated in the institutional cyber defense framework.

“Additionally, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years, even with outdated or unsupported software, leading to gaps in institutional security systems.”

A hospital’s credit rating may be affected by cyber risk as calculated by Fitch when determining the hospital's Environmental, Social and Governance relevance score.

The ratings agency in June issued similar insights pertaining to the health plan sector, stating that “health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks.”

About the Author

Nick Hut is a senior editor with HFMA, Westchester, Ill.
