Health systems and hospitals were the most frequent victims of U.S. cyberattacks in 2021, according to a Federal Bureau of Investigation report.
The sector is viewed as a target-rich environment due to the large amount of sensitive data that healthcare entities maintain for patient care and operations, according to Fitch Ratings.
“Healthcare institutions have been a top target since the early days of trafficking stolen or illicit information,” said Omid Rahmani, a Fitch associate director of U.S. public finance. “A lot of that has to do with the laws governing the confidentiality of healthcare information.”
Cyberattacks against U.S. healthcare entities rose more than 55% in 2020 compared with the previous year, according to the cloud security firm Bitglass.
If cyber thieves are able to steal data, then hospitals don't just need to worry about an initial ransom demand to restore its systems, but a second ransom demand for patients' healthcare information, Rahmani said. If the ransom isn’t paid, that data can be sold on the dark web, he said.
An estimated 92 ransomware attacks affected 600 clinics and hospitals at a cost of $21 billion in 2020, according to a Comparitech
Losses from cyberattacks are not likely to go away anytime soon. S&P Ratings recently warned public finance issuers to be on alert given the potential for cyberattacks from Russia against countries that have provided support to Ukraine after the Russian invasion.
“There is a rising likelihood of a prolonged stalemate or an escalation in military attacks, and with that we see heightened risk of cyberattacks on public and financial entities,” Zahabia Gupta, an S&P Global Ratings associate director in the sovereign and international public finance team, said during an online cyber risk seminar on April 29. “We also see an increased risk that Russia could use cyberattacks to target entities that are allied with Ukraine as a means to gain an advantage in the conflict.”
The FBI’s Internet Crime Complaint Center (IC3) anticipates an increase in critical infrastructure victimization in 2022, according to the report.
Among healthcare providers, California, with about 12% of the nation's population, had about 12% of the ransomware attacks in 2020, according to Comparitech. Florida had the second-highest number at 8%, followed by New York with 6%, and Texas with 5%.
Fitch warned in a June 2021 report that the increase in cyberattacks could become a drag on not-for-profit healthcare sector ratings as hospitals spend more to protect themselves and confront potential ransom payouts. But so far, the agency has not downgraded any hospitals for cybersecurity reasons.
Pandemic-related pressures including staffing shortages among nurses and IT staff did result in Fitch placing a neutral outlook on the industry. Moody’s Investors Service, which has a negative outlook for the sector, cited nursing shortages and the expectation that increasing labor costs will outpace revenue gains resulting in a decline in operating cash flow.
San Diego-based Scripps Health, the victim of a May 1, 2021, attack that caused a major disruption to delivery of services for the better part of a month, received a Fitch affirmation of its AA issuer default and revenue bond ratings and ton debt issued by the California Health Facilities Financing Authority Tuesday. The outlook is stable.
The five-hospital system’s financials were strong enough to maintain the AA rating despite an estimated $113 million in lost revenues and expenses from the attack, Eva Thein, a Fitch senior analyst said.
“It affected their third quarter numbers, so profitability was not as high as it would have been,” Thein said. “We factored in the drop in financial performance, but it was only one of the factors. We also look at liquidity.”
The hospital has $3.1 billion of cash-on-hand compared to $1.1 billion in combined variable and fixed rate long-term bond debt as of Sept. 30, the end of its fiscal year, Thein said.
“It’s the perspective of Fitch when it comes to any event risk including cyber risk that ‘cash is king,’” Rahmani said. “The higher rated credits have more headroom to deal with the issues.”
That doesn’t mean a computer system breach won’t be a headache, Rahmani said. But it helps to have money when you need to implement new procedures, he said.
Scripps was able to restore operations within a month, and volumes have rebounded, according to Fitch. But hackers stole patient information from 147,267 patients, according to the health system, drawing five class-action lawsuits from patients.
No assumptions are included in the analysis concerning the impact of the lawsuits because they haven’t been settled, Thein said. Hospitals that are frequent targets of lawsuits are generally well-insured, she said.
Scripps didn’t immediately respond to a request for comment.
“This has been, will be, and is increasingly so, an issue with not for profit health systems in the United States,” said Mark Pascaris, a Fitch director. “I think management teams are more aware of this and are taking diligence to prevent and minimize these attacks. Scripps is a highly rated, high-profile health system.”
Fitch analysts will focus on market fundamentals, ability to generate positive cash flow and expected debt plans as well as cyberattacks, Pascaris said.
Scripps' robust balance sheet helped it withstand the attack, but that might not be the case for smaller systems.
It would have to be a cyberattack so pronounced that it fundamentally changed the profile of the health system to the detriment of the balance sheet to have an impact on the ratings of a financial healthy system, Pascaris said.
Cyber thieves are increasingly sophisticated. Now, they may consult a financial analyst and have them evaluate a target’s financials before an attack to know just how much money an issuer can afford on a ransom, Rahmani said.
A school district hit with a ransomware attack told the thieves it couldn’t afford the ransom, but could pay less, Kiersten Todt, chief of staff for the federal Cybersecurity and Infrastructure Security Agency, said during a recent S&P seminar. The cyber criminals told the school district it had access to the district’s bank accounts and knew it could afford it, Todt said. The thieves told school officials they had a network of people who speak 14 languages and could walk them through the financial transfer.
“We have to do things to ratchet up the security posture,” Todt said.
Todt and others who spoke at the S&P online event provided actions issuers can take.
They include: sign up for alerts at StopRansonware.gov, which provides “shield up” alerts on attacks; conduct a threat assessment; and be aware of the security risks that can come from using third party vendors, because attackers will go after the weakest link, Todt said.
In weighing how prepared issuers are for cyberattacks, Geoff Buswick, an S&P Global Ratings managing director and sector lead for public finance, said during the event that analysts ask: How prepared are you for the attack? Have you improved on weaknesses? How will you respond to an attack?