Cybersecurity investments could go by the wayside at cash-strapped hospitals, Fitch warns

More not-for-profit hospitals will likely become susceptible to cyberattacks as slimming margins keep hard-hit organizations from making the necessary investments and preparations, Fitch Ratings wrote in a report released Monday.

Although a handful of recent industry trends are increasing the costs of protecting hospitals from attack, the agency warned that a successful breach would only add to a hospital’s financial woes and potentially affect its credit rating.

“Both quantitative and qualitative factors, including persistent effects on operations and managements’ responses, influence the effect of cyber breaches on ratings,” the agency’s analysts wrote in the report. “However, the credit effects of a cyberattack could be amplified due to labor pressures and inflation compressing not-for-profit hospital margins.

“Issuers with weaker financial profiles would have fewer resources available to prevent or recover from a cyberattack, potentially leading to quality of care issues, reputational risk and further margin erosion,” they wrote.

Cyberattacks targeting healthcare organizations have become more frequent and on average more costly, according to third-party analyses cited in the report.

The pandemic has also led more providers to adopt remote healthcare services and other technology-based tools that heighten hospitals’ exposure to third-party software systems and vendors—adding to the extensive cybersecurity risk already brought by a facility’s numerous aging medical devices, Fitch wrote.

What’s worse, the agency said that many hospitals have had to rely on workforces that are fatigued, understaffed and comprised of new or temporary workers, all of which could limit their ability to maintain cybersecurity best practices.

As hospital margins near pandemic lows with little sign of relief on the horizon, Fitch warned that many strained organizations could begin to deprioritize their cybersecurity spending.

These hospitals may be left with understaffed IT departments due to the high competition for cybersecurity talent, the group wrote, or could be forced to skimp on cyber insurance in light of premium cost increases outpacing those of other insurance coverage.

“The rapid pace of cyber insurance premium growth and a tightening underwriting environment may result in [cyber insurance] policies becoming cost prohibitive to less financially flexible organizations,” Fitch analysts wrote. “This could lead to a rise in small to medium systems experiencing attacks that materially affect profitability and future access to capital.”

Fitch noted that it has yet to downgrade any hospitals or health systems due to a cyberattack. However, the agency said that it does consider an organization’s cybersecurity as part of its Environmental, Social and Governance Relevance Score, an analysis used to indicate corporate factors that could impact an issuer’s credit rating.

“Cyber risk is both a social risk in terms of safety and security, and a governance risk in terms of management effectiveness,” the group wrote. “A hospital’s ESG Relevance Score would be elevated if cyber risk were deemed material to the rating.”