
Cyber Security Risk a Factor in Hospital Credit Ratings

By John Commins  
   November 25, 2015

The not-for-profit healthcare sector is not immune to cyber security threats, particularly as they relate to patient records and the disruption of medical technology, Moody's Investors Service says. And larger healthcare systems are more vulnerable than stand-alone hospitals.

The dramatic rise in IT system security breaches across all sectors of the economy, from banking to government and including healthcare, has prompted Moody's Investors Service to include "cyber risk" as a "stress-testing scenario" when assessing credit scores.

"A cyber threat's severity and duration determine how we reflect the risk in our analysis and ratings," the bond rating agency said in a report this week. "To be clear, we do not explicitly incorporate the risk of cyber attacks into our credit analysis as a principal ratings driver. But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event—like other event risks—could be the trigger for those stress scenarios. A successful cyber event's severity and duration will be key to determining any credit impact."

The not-for-profit healthcare sector is not immune to the threat or its consequences, particularly as it relates to patient records and the disruption of medical technology, Moody's says.

"An information breach would likely not materially disrupt services and the financial impact would be limited," Moody's says. "A breach in medical technology security would present more immediate risk and impair the hospital's reputation, volumes, and financial performance. Whether or not such a cyber-event would be covered by a hospital's medical malpractice insurance is untested."

Lisa Goldstein, associate managing director, public finance group at Moody's, compares preparing for cyber risks to preparing for Medicare or Medicaid cuts. "We look at it through the lens of any hospital's next year's operating and capital budget; what the expenditures are going to be; what the pressures on operations may be," Goldstein says.

"When it comes specifically to cyber security, what component of your annual expense budget does that represent? Are you even talking about it? Are you pretty far down the road in trying to contain this risk, or just starting?"

While any hospital could be the target of a cyber attack, Moody's says larger healthcare systems are more exposed than stand-alone hospitals. "This is largely due to the highly centralized IT function at many of these regional and national systems that have domain over more patient records and medical technology than a stand-alone hospital. As a mitigant, however, many of the large systems have access to external liquidity, such as lines of credit, in addition to their own cash reserves."

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
