On Aug. 29, Fitch Ratings released a report entitled “Cyber Risk Continues to Grow for U.S. Not-For-Profit Hospital and Health Systems (Cost Pressures Could Amplify Cyber Vulnerabilities).” The report found that cyber risk mitigation is becoming more expensive for not-for-profit hospitals and healthcare systems, which face attacks of growing frequency and gravity.
The report says that “Increasing risk requires greater investment in hardware, software and internal controls in order to prevent and address cyber breaches. However, not-for-profit hospitals are reporting thinner margins amid ongoing cost pressures, necessitating cost containment and revenue-raising measures, and cybersecurity spending may not be prioritized.”
The report explained that quantitative and qualitative factors, including the persistence of effects on operations and management responses, influence how cyber breaches affect ratings. To date, Fitch has not downgraded any hospitals or health systems due to a cyberattack.
“However, the credit effects of a cyberattack could be amplified due to labor pressures and inflation compressing not-for-profit hospital margins,” the report notes. “Operating metrics are down significantly in interim 2022 for most health systems compared with 2021. Issuers with weaker financial profiles would have fewer resources available to prevent or recover from a cyberattack, potentially leading to quality of care and reputational risks, and further margin erosion.”
Moreover, cyber breaches that disclose patient information carry the risk of litigation costs, federal regulatory actions, and loss of consumer confidence in the organization. Attacks can also affect quality of care if access to patient data is denied or medical devices are affected.
The report adds that cyber insurance is still a key risk mitigant, but rising cyber insurance premiums could become cost-prohibitive for some organizations.
“Fitch considers cybersecurity in its analysis as part of its Environmental, Social and Governance (ESG) framework,” the report states. “A hospital’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating.”