Cyberattacks pose more perils for not-for-profit healthcare sector

An increase in cyberattacks may become a drag on not-for-profit healthcare sector ratings as hospitals and systems spend more to protect themselves and confront potential ransom payouts, Fitch Ratings warns in a new report.

“The healthcare sector has seen a historic increase in the number and severity of cyber assaults over the past 18 months. The sector is viewed as a target-rich environment due to the large amount of sensitive data that healthcare entities maintain for patient care and operations,” according to the report “Relentless Cyber Attacks to Pressure NFP Hospitals’ Operations.”

Attacks accelerated as the COVID-19 pandemic opened new portals of access, with more information shared online, and that burden came at the same time the sector dealt with overwhelming demands for care treating pandemic patients.


As the sector’s operations return to a new normal with increased virtual-based care and other operational changes, Fitch foresees little letup in the attacks.

“I don’t think this ends. Going forward, it’s going to be a top-five management issue,” Kevin Holloran, head of Fitch’s U.S. not-for-profit healthcare sector team, said in an interview Monday. “Healthcare is a target-rich environment and is a rich trove for attackers with many ports of entry.”

Hospitals must deal with attacks on both the revenue and operational fronts, all of which impact their balance sheets.

They must spend upfront to protect or “harden” their systems against attacks that can lead to threats of shutdowns if a ransom demand is not paid, and the payment, if needed, further weighs on expenses. On the revenue side, attacks can hurt the ability to bill patients and recover costs, and they can damage patient relationships.

Identity theft and even outside blackmail or extortion can occur should a wealthy or high-profile patient’s personal information and treatment be threatened with exposure.

The U.S. Department of Health and Human Services estimates that sizable cyber breaches in 2020 exposed patient data of more than 22 million Americans. Patient data is considered confidential, and the maintenance and disclosure of such data are governed by patient confidentiality laws on the federal and state levels.

“Cyber breaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” the report warns.

While there have been some high-profile cases over the last few years, they might belie the true number of attacks. Hospitals tell Fitch they have staved off millions of attacks, with an emphasis on millions.

Fitch cited information from the cloud security firm Bitglass noting that cyberattacks against U.S. healthcare entities rose by over 55% in 2020 compared with the previous year. Attacks also increased in sophistication and scale, with more than a 16% increase in the average cost to recover each patient record in 2020 versus 2019. Restoration of systems to pre-attack status took an average of 236 days.

Scripps Health in May suffered an attack on its computer servers that temporarily blocked patient portals and disrupted some care. In 2016, Banner Health disclosed an attack that allowed hackers to gain access to personal information of several million.

Fitch now asks hospitals for detailed information on the subject, but there are no detailed rules on disclosure, with the exception that borrowers must disclose what is “material” for investors.

Over the last 18 to 24 months, Holloran said Fitch has moved from simple questions over how good a hospital feels about its cybersecurity to detailed questioning on access points, efforts to protect them, whether they have cyber insurance and whether they run cyber drills in the event of a major breach.

Cyberattacks haven’t driven a downgrade, but it’s just a matter of when, not if, Holloran said.

“They’ve become more commonplace and a little more vicious so it’s probably going to have an impact on a rating eventually,” he said.

And while the fiscal burden might weigh on a credit, the most daunting concern is the potential to disrupt care that could lead to a death, Holloran said.
