Moody's warns of revenue risks as healthcare cyberattacks increase
Photo: Christina Morillo/Pexels
A report this week from Moody's Investors Service found that cyber risk will likely remain high for the healthcare sector, leading to the potential for lost revenue, increased expenses and elevated scrutiny.
"The large amount of sensitive patient data held by the industry will make it a rich target for attacks, particularly in the form of ransomware," researchers predicted.
Still, they said, "for many, credit risk will be mitigated by healthcare systems' strong liquidity and large scale, which often allow for the continuation of critical patient care amid cyber-related disruption."
WHY IT MATTERS
The increased reliance on digital health technology has expanded innovation and access, particularly during the COVID-19 pandemic.
At the same time, Moody's notes, it leaves the healthcare sector susceptible to attacks.
"While there is no way to fully prevent cyber breaches, the expanding adoption of remote care, or telehealth, during the COVID-19 pandemic will yield additional vulnerabilities, as potentially unsecured devices will be used to access health system networks," wrote researchers in the report.
Moody's pointed to ransomware as a particular danger, flagging the vast amounts of healthcare providers' sensitive data as juicy prizes for bad actors.
"Hackers assume providers will need to restore access to patient data quickly to ensure continuity and confidentiality of patient care," said the report.
Although the Federal Bureau of Investigation recommends that victims not pay ransom, Moody's researchers observed that "ransomware offers hackers the possibility of a large payout after conducting an attack, as they demand payment for allowing files to be restored and preventing the release or sale of stolen data."
A self-reported issue survey found that not-for-profit healthcare issuers' investment in cybersecurity is on par with that of state and local governments, but that it trails other infrastructure sectors such as banks and electric utilities.
Looking forward, Moody's says healthcare systems will need to deploy additional resources to thwart future cybersecurity breaches, secure their networks from third-party vendor access points – as well as internal vulnerabilities – and step up cybersecurity financial investments.
"Efforts to invest in cybersecurity will potentially get a boost at the federal level," wrote researchers.
"The Biden administration has made cybersecurity a major focus, proposing legislation that would provide local, state, tribal and federal governments with funding to combat cyberattacks," they wrote.
"In addition, President Biden has signed an executive order aiming to reduce cyber risk exposure of the federal government, its software vendors and by extension other private-sector customers that are part of vendors’ software supply chains," they added.
THE LARGER TREND
Although tracking cybersecurity breaches can be challenging, Moody's cited a number of high-profile incidents in its evaluation of the landscape.
Those events included attacks on Scripps Health and Universal Health Services, as well as disruptions to services stemming from third-party vendors such as Blackbaud.
And more reports are likely to come: The FBI recently warned of Conti ransomware attacks, which were behind recent outages at Ireland's health service.
ON THE RECORD
"The growing interconnectedness of healthcare delivery and technology will continue to leave the sector vulnerable to breaches, as will its extensive use of third-party software vendors for clinical, billing and numerous other functions," wrote researchers.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.