Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks.

Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day to day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk.

For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical businesses processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – Supply chain diversity for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were rated in the medium-risk category. Hospitals were rated high risk, primarily due to the sensitive and essential nature of data used by hospitals, the value of healthcare data to hackers, the increasing number of vulnerabilities introduced from connected medical devices, and the time it would likely take to recover from an attack and the disruption to the business while an attack was mitigated.

A successful cyberattack can be costly to mitigate. Breached entities have to increase investment in technology and infrastructure, cover the cost of regulatory fines and litigation, pay higher insurance premiums, increase R&D spending, and attacks can have serious reputational effects, including higher customer churn rates and a reduction in creditworthiness.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” said Moody’s Managing Director Derek Vadala. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

The financial impact of a cyberattack can be significant and long-lasting so it is important for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to devote to mitigating threats and recovering from cyberattacks, they are not immune to attack and can still suffer a significant financial impact, especially considering many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors could potentially be catastrophic, which could have an impact on the ability of breached entities to pay back debts. Combined, the four high-risk industry sectors hold $11.7 trillion in rated debt.

In addition to the financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would likely have broad ripple effects and a far-reaching impact on other industry sectors.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.