Cyber Security Risk a Factor in Hospital Credit Ratings

By John Commins | November 25, 2015

The not-for-profit healthcare sector is not immune to cyber security threats, particularly as they relate to patient records and the disruption of medical technology, Moody's Investors Service says. And larger healthcare systems are more vulnerable than stand-alone hospitals.

The dramatic rise in IT system security breaches across all sectors of the economy, from banking to government and including healthcare, has prompted Moody's Investors Service to include "cyber risk" as a "stress-testing scenario" when assessing credit scores.

"A cyber threat's severity and duration determine how we reflect the risk in our analysis and ratings," the bond rating agency said in a report this week. "To be clear, we do not explicitly incorporate the risk of cyber attacks into our credit analysis as a principal ratings driver. But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event—like other event risks—could be the trigger for those stress scenarios. A successful cyber event's severity and duration will be key to determining any credit impact."

The not-for-profit healthcare sector is not immune to the threat or its consequences, particularly as it relates to patient records and the disruption of medical technology, Moody's says.

"An information breach would likely not materially disrupt services and the financial impact would be limited," Moody's says. "A breach in medical technology security would present more immediate risk and impair the hospital's reputation, volumes, and financial performance. Whether or not such a cyber-event would be covered by a hospital's medical malpractice insurance is untested."

Lisa Goldstein, associate managing director, public finance group at Moody's, compares preparing for cyber risks to preparing for Medicare or Medicaid cuts. "We look at it through the lens of any hospital's next year's operating and capital budget; what the expenditures are going to be; what the pressures on operations may be," Goldstein says.

"When it comes specifically to cyber security, what component of your annual expense budget does that represent? Are you even talking about it? Are you pretty far down the road in trying to contain this risk, or just starting?"

While any hospital could be the target of a cyber attack, Moody's says larger healthcare systems are more exposed than stand-alone hospitals. "This is largely due to the highly centralized IT function at many of these regional and national systems that have domain over more patient records and medical technology than a stand-alone hospital. As a mitigant, however, many of the large systems have access to external liquidity, such as lines of credit, in addition to their own cash reserves."

Goldstein says the response to cyber risk has varied greatly from hospital to hospital. "We are not hearing from all of our rated hospitals and health systems that this is a key concern to them. Some are talking about it. Right now most are not," she says.

"That speaks to where they are on their IT cycle spectrum. There are hospitals and health systems that 10 years ago went through their major IT conversion and are in a better position now to focus on cyber security. Then there are others on the side of the fence who are just gearing up in 2016 for their IT electronic medical records. Cyber security is way out there."

Overall, Moody's said the not-for-profit healthcare sector maintains a higher risk awareness of cyber security than other sectors of the economy, which is a credit positive.

"Most hospitals have completed or are in the process of installing new patient information systems which likely have better safeguarding features than prior technology," Moody's said. "We estimate that one-quarter to one-third of a hospital's annual capital budget is for information technology needs. In step with the capital budget, a growing portion of the operating budget is related to IT upgrades, warranties, security, and training."

Goldstein says hospitals are also aware of the increased need for strong internal protocols as more information is shared with external parties, such as vendors, patients, payers, and physicians.


"You have a lot more fingers in the pot with exchanges accessing data, traditional insurers, and the government systems are now linked electronically," Goldstein says. "Now the patient can access their own data so they have their fingers in the pot as well."

Goldstein says it appears that hospitals and health systems that make cyber security a standing agenda item at board meetings generally have a stronger grasp of the problem and are often farther along the road toward protecting data.

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
