- A new report from Moody's Investors Service rates the risk of cyberattacks on the hospital sector as high, noting such attacks are growing in frequency and "will continue to evolve."
- The primary reason for the high risk is hospitals' reliance on technology. Banks and securities firms are in a similar situation.
- Moody's believes cyber threats can be neutralized by hospitals that devote resources to their security. However, smaller facilities — and especially critical access hospitals — will be particularly vulnerable due to their relative lack of resources.
There have been several high-profile cyberattacks on hospitals in recent years, with some, such as Hollywood Presbyterian Medical Center in Los Angeles, paying a five-figure cryptocurrency ransom in 2016 in order to gain back control of its IT system.
The new Moody's report concludes that such attacks will only continue to become more frequent and the type of attacks will likely change over time. Currently, "ransomware and cyberattacks that comprise (EHR systems) will cause the greatest disruption, affecting hospitals’ revenue cycle and disrupting cash flow in the most severe cases."
However, the report cites another growing threat against medical devices. It notes the FDA warning that certain insulin pumps manufactured by Medtronic are vulnerable to cyberattacks. Moody's also says defibrillators and cardiac monitors may be vulnerable to attack.
"As the industry continues to push toward digitalization and increased data-sharing among programs, devices and vendors, the number of infiltration points for cyberattacks will grow," the report says. "Any attack that impairs connected electronic devices or programs can delay care, which can be fatal in critical situations."
Meanwhile, hospital staff are preparing themselves for such incidents by creating contingency and disaster response plans, conducting internal risk assessments, educating staff and obtaining cyber insurance, among other steps. But the report notes that little more than 5% of hospital IT budgets are currently earmarked for cybersecurity.
Nevertheless, Moody’s observes that "hospitals we rate generally have had sufficient financial resources to absorb the impact of a cyberattack." But that may not be the case for smaller hospitals and critical assess hospitals "that lack the resources for a dedicated cybersecurity expert," therefore making them more vulnerable.
There is also a shortage of qualified cybersecurity experts in the hospital sector, meaning hiring qualified staff will "require additional investment, leaving less room for investment in other operational areas," the report concludes.