- Hospitals continue to experience frequent and severe cyberattacks but may not be prioritizing financial resources to beef up security because of rising cost pressures that are slashing operating margins, Fitch Ratings warned in a new report.
- Risk mitigation requires greater investment in hardware, software and internal controls to prevent cyber breaches, but nonprofit hospitals that are reporting thinner margins are instead focused on cost containment and revenue improvement measures, Fitch said. Many nonprofit hospitals are facing higher labor and supply costs that have significantly compressed margins so far in 2022.
- The fallout from a cyberattack has the potential to harm an organization's quality of care and reputation, furthering margin erosion, the ratings agency cautioned. Cyber insurance is an important tool, but premiums are increasing and the underwriting environment is tightening, which could make policies cost-prohibitive, Fitch said.
Cyber breaches that disclose patient information pose multiple risks to a hospital's financial performance. Fitch to date has not downgraded any health systems because of a cyberattack, but the agency is predicting further weakness in median hospital operating margins into next year and beyond.
The ratings agency said it is concerned that rising expenses primarily from labor, coupled with stock market volatility, are depleting providers' resources to fend off or respond to a cyberattack. An attack threatens not only the performance of medical devices and access to patient care, but could harm consumer confidence, raise litigation costs and bring federal regulatory enforcement actions.
Smaller healthcare companies and specialty clinics that lack the resources to protect themselves are increasingly becoming the focus of cyberattacks, according to a recent report from Critical Insight, which analyzed breach data reported to HHS.
An electronic medical records breach at Eye Care Leaders earlier this year exposed the data of more than 2 million patients. Other recent attacks in the sector involving millions of patient records include those against revenue cycle management vendor Practice Resources, printing services vendor OneTouchPoint and accounts receivable firm Professional Financial Co.
In a positive development, the number of cyber breaches has declined since peaking in the second half of 2020, Critical Insight said. Still, about 20 million people were affected in the first half of this year alone.
Fitch said it considers cybersecurity as part of its environmental, social and governance analysis framework, and a hospital’s score in this area would be elevated if cyber risk were determined to be material to the rating.