Survey shows that 97% of healthcare lawyers expect their involvement in cybersecurity matters to increase within the next three years, but many worry that their healthcare industry clients are ill-prepared to deal with an attack, and lagging other sectors of the economy.
More than eight in 10 (84%) healthcare sector attorneys have been called on to evaluate security incidents and develop internal policies and procedures, and nearly all of them (97%) expect their involvement in cybersecurity matters to increase over the next three years.
That's according to a nationwide survey of more than 300 healthcare sector attorneys conducted by Bloomberg Law and the American Health Lawyers Association (AHLA). The survey also found that:
- More than 90% of corporate healthcare attorneys believe their organizations are at greater risk for a cyberattack than companies in other industries.
- About 40% said their plans are too generic and lack specific guidance for the types of incidents their organizations or clients might face and have not been adequately tested.
- One-third of attorneys said that plans are not updated to reflect the most recent types of cyber threats or organizational changes.
"Healthcare providers have stepped up in recent years to identify and address cyber threats before they materialize, but according to survey findings, healthcare attorneys still believe that the health care industry is more vulnerable to breaches and attacks than other industries," David Cade, CEO at the AHLA, said in remarks accompanying the survey. "Quality education for attorneys working in this area will help them effectively counsel clients in preventing and responding to cyberattacks."
The dramatic rise in IT system security breaches across all sectors of the economy – from banking to government and including healthcare, prompted Moody's Investors Service last year to include "cyber risk" as a "stress-testing scenario" when assessing credit scores.
Cyber Security Risk a Factor in Hospital Credit Ratings
The not-for-profit healthcare sector is not immune to the threat or its consequences, particularly as it relates to patient records and the disruption of medical technology, Moody's said.
"An information breach would likely not materially disrupt services and the financial impact would be limited," Moody's stated. "A breach in medical technology security would present more immediate risk and impair the hospital's reputation, volumes, and financial performance. Whether or not such a cyber-event would be covered by a hospital's medical malpractice insurance is untested."
Lisa Goldstein, associate managing director, public finance group at Moody's, compared preparing for cyber risks to preparing for Medicare or Medicaid cuts.
"We look at it through the lens of any hospital's next year's operating and capital budget; what the expenditures are going to be; what the pressures on operations may be," Goldstein said.