A historic jump in the number and severity of cyber assaults on hospitals during the last 18 months will cause "material revenue and expense pressures" on nonprofit hospitals and health systems, according to a report from Fitch Ratings.
The sector is viewed as a target-rich environment due to the large amount of sensitive data that healthcare entities maintain for patient care and operations.
Cyber crime accelerated during the pandemic as cyber criminals took advantage of the crisis, causing immense disruption to the healthcare sector at a time when it was facing enormous patient care demands. Ransomware pay-outs and efforts to protect or harden healthcare systems and cyber defenses are affecting hospital financial flexibility by increasing ongoing operating expenses, according to Fitch Ratings.
Attacks may also hinder revenue generation and the ability to recover costs in a timely manner, particularly if they affect a hospital’s ability to bill patients when financial records are compromised or systems become locked. The recovery time and costs associated with breaches of critical data not only pose significant financial burdens but also hamper the ability of healthcare institutions to provide care, which could ultimately have human costs, Fitch analysts wrote.
Sizable cyber breaches in 2020 exposed patient data of more than 22 million Americans, according to the Department of Health and Human Services.
Cyberattacks against U.S. healthcare entities rose by over 55% in 2020 compared with the previous year according to the cloud security firm Bitglass. Attacks also increased in sophistication and scale, with more than a 16% increase in the average cost to recover each patient record in 2020 versus 2019. Restoration of systems to pre-attack status took an average of 236 days.
Hospital and health system databases contain critical and sensitive patient data, which are highly sought after by cyber criminals for ransomware and double extortion schemes. In the U.S., patient data is considered confidential, and the maintenance and disclosure of such data are governed by patient confidentiality laws on the federal and state levels, e.g., Health Insurance Portability and Accountability Act (HIPAA).
Cyber breaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality, Fitch analysts wrote.
During the COVID-19 pandemic, increased remote work for nonessential staff opened up opportunities for infiltration, as did the sector's ongoing use of integrated technology such as smart medical monitoring devices, telehealth and other virtual care capabilities. Software for such devices and heavy medical equipment such as CT scanners and MRI machines are often proprietary and designed with patient care and not necessarily cyber risk in mind, the report noted.
Also, the large costs of such equipment generally mean that institutions, particularly smaller hospitals, may rely on these devices for many years even with outdated or unsupported software, leading to gaps in institutional security systems.
The report comes as an April data breach at technology vendor Elekta impacted a handful of hospitals. Advocate Aurora Health, Jefferson Health, Michigan's McLaren Health Care Corporation, Renown Health in Nevada, Yale New Haven Health, Lifespan, Southcoast Health and the Cancer Centers of Southwest Oklahoma have all notified thousands of patients that their protected health information may have been comprised by the Elekta breach, according to HealthITSecurity.
The technology company said on its website that its "first-generation cloud-based storage system has experienced a data security incident" and that a subset of customers in North America are affected.
According to the HHS Office of Civil Rights breach portal, the breach affected 64,000 patients at McLaren Health Care alone.
In an earlier report, Fitch analysts noted that the U.S. health insurers face growing risks from cybersecurity threats due to the increasingly sophisticated techniques used by cybercriminals amid the expansion of remote healthcare delivery and growing digitization of insurance transactions, clinical records and billing. Health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks, Fitch Ratings said.
Cybersecurity is a considerable administrative expense and may lower returns given the growing frequency of attacks, according to analysts. The healthcare industry will spend upwards of $125 billion cumulatively on cybersecurity products and services from 2020 through 2025, according to Cybersecurity Ventures.
Key to reducing risks is the identification of gaps in security areas and IT systems where risks to critical assets are highest, including hardware and software on mobile devices, laptops, workstations and servers, Fitch analysts wrote.