- Ransomware attacks will continue among large providers for the foreseeable future, and "healthcare systems will need to deploy additional resources to thwart future cybersecurity breaches even as the pandemic continues to use up significant clinical, financial and strategic resources," according to a new report from Moody's Investors Service. The organization noted that nonprofit hospitals tend to spend less on IT security than the banking and utility sectors.
- Moreover, healthcare systems have been rendered more vulnerable due to COVID-19 as non-clinical employees working from home has led to expanded use of "less secure networks, increasing the number of access points vulnerable to a breach and driving up the frequency of 'phishing'’ attempts, due to the higher frequency of communication via email."
- The report also suggested that future attacks could lead to serious hits to the bottom lines of some providers, and could even lead to patient deaths — as was the case with a recent cyberattack of a hospital in Europe.
The warning from Moody's on health systems echos recent comments by the FDA's medical device cyber chief on the threat to medical devices. Such threats to the medtech industry, including ransomware and other malware, are growing in sophistication potentially putting patient safety at risk, Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health said earlier this month.
The Moody's report could not specifically delineate how much ransomware attacks have ramped up in recent years, noting that many are not publicly disclosed. However, it cited research from IT security firm VMware Carbon Black, which reported 239.4 million attempted attacks on its healthcare customers last year — a nearly 10,000 % increase compared to 2019.
Scripps Health, a five-hospital system and one of San Diego's major healthcare providers, was able to weather a recent cyberattack, according to the Moody's report. Ditto for Hendrick Health, a three-hospital system in Texas. However, both had to take their IT systems down for a period of time, which Moody’s noted "can operationally alter how patient care is delivered."
While those two systems dodged a bullet, other providers have not been so fortunate — perhaps illuminating what the future of such attacks might hold.
Moody's noted that the ransomware attack in September against for-profit Universal Health Services led to postponed surgeries and ambulance diversions. The UHS attack also hit the company's bottom line hard, leading to pre-tax losses of as much as $50 million. In Germany, a patient died as a result of delayed care after University Hospital Düsseldorf was forced to turn away patients from its emergency room after a ransomware attack, also in September.
Meanwhile, hospitals and healthcare systems will likely have to invest more in IT security. According to Moody's, nonprofit providers spent about 5% of their budgets on cybersecurity last year, up from about 3% in 2018 — on par with what state and local governments spend. But electric utilities spent 11% of their budgets on cybersecurity, while banks spent 8%. That's despite the fact that 37% of hospital executives say cybersecurity performance is an organizational objective, versus 32% of banks.
"Given the growing frequency of attacks and the greater potential for operational disruption, regulatory scrutiny and reputational risk, the sector will come under increasing pressure to boost its investment in cybersecurity," the report said. "However, funds needed for cybersecurity will present a potential constraint on liquidity and operating performance, particularly as health systems face increasing costs as staffing and supply shortages will remain an industrywide challenge."
However, providers may have little choice in the matter. "The growing interconnectedness of healthcare delivery and technology will continue to leave the sector vulnerable to breaches, as will its extensive use of third-party software vendors for clinical, billing and numerous other functions," the report said. "While there is no way to fully prevent cyber breaches, the expanding adoption of … telehealth during the COVID-19 pandemic will yield additional vulnerabilities, as potentially unsecured devices will be used to access health system networks."