A new report issued by Moody's Investors Service concludes that it must take potential cyber security breaches more seriously as it assesses the creditworthiness of healthcare and other business entities.
"We see cyber risk rising at a steep trajectory. This means the credit implications associated with cyber defense, detection, prevention and response should start to take a higher priority within our credit assessments and analysis," read the report.
Indeed, earlier this year, in a healthcare cybersecurity survey, 81 percent of healthcare executives said their organizations had experienced a cyberattack over the past two years.
Many health insurers and even hospital systems have reported widespread security breaches in recent years. Between 2009 and 2011, nearly 8 million Americans had their medical records exposed by some form of breach, according to data from the U.S. Department of Health and Human Services. Earlier this year, the UCLA Healthcare system reported a breach that may have exposed data of some 4.5 million patients. And Anthem also reported that hackers were able to compromise its system, exposing data of as many as 80 million current and former health plan enrollees.
The issue has become more of a concern in the healthcare provider setting as many more medical devices become wirelessly networked. "The advance of the 'Internet of things' within more devices and appliances opens up new markets. As a result, cyber risk will become more pervasive and begin to take a higher priority within our credit assessments and analysis," the Moody report said.
Moody's said its cyber risk assessments will take several factors under consideration, including the duration and severity of any breach.
However, the ratings agency did say that proactive governance by healthcare and other entities would help their profiles.
"More cyber security expertise is being added to boards and trustee governance," said Jim Hempstead, Moody's associate managing director and lead author of the report, in a statement. "We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive."