Small rural hospitals and health clinics appear to be the one of the most vulnerable parts of the municipal debt market to financial losses stemming from cyberattacks.
Experts say these facilities are more likely to have fewer resources to withstand cyberattacks, and health records have become a favored target for cyber criminals.
Moody’s Investors Service, which rates about $250 billion in hospital debt across roughly 300 hospital systems, highlighted that vulnerability in a report last September.
Moody’s considers hospitals to be small if they have about 200 beds or fewer with median annual revenues around $240 million to $250 million.
Health care facilities have a high risk of cyberattacks compared to medium-low risk for local governments and school districts, according to Moody’s.
“The value of a patient healthcare record is perceived to be higher than even credit cards now,” said Eric Brown, former CEO for the nonprofit California Telehealth Network based in Sacramento. That network serves 34 critical access hospitals as well as rural clinics with broadband service and cybersecurity.
Brown said he sees more than a million attempts per month to compromise the security of those facilities. In November Brown became county manager for Washoe County, Nevada.
Brown said there’s a higher monetary value to patient health care records because cybercriminals can file false claims “particularly if they are Medicaid or Medicare patients.”
“The majority of our rated universe can withstand the impact of a cyberattack whereas some of these much smaller critical access hospitals or hospitals that don’t have access to capital may have a harder time recovering,” said Moody’s public finance analyst Jennifer Barr.
In November Princeton Community Hospital in West Virginia received a ratings downgrade from S&P Global Ratings to BBB from BBB-plus on series 2012A refunding bonds, two years after a cyberattack weakened the hospital’s reserves, which already were declining because of operating losses. Another factor in the downgrade was the integration risk associated from the acquisition of a regional medical center.
“When you have a rural hospital it’s just like having a small government,” said Phil Bertolini, co-director of the Center for Digital Government. “They don’t necessarily have the manpower or people power they need and the right skill sets to do what they need to do. Plus they are in these remote networks.”
Bertolini and Teri Takai, executive director of the Center for Digital Government, highlighted the danger of cyberattacks at a presentation Monday at the National Association of Counties legislative conference in Washington.
Takai, a former chief information officer for the states of Michigan and California as well as the first female CIO at the Department of Defense, said the attacks have become ubiquitous.
“If you think the way the attacks are happening today, it isn’t like anybody is being specifically targeted,” Takai said. “It’s a blanket target. People tend to think I am small and they are not going to get at me. That’s the fallacy. But that's not the way the attacks work now.”
That’s why Takai and Bertolini advise hospitals and clinics to be collaborative and join networks.
“Any entity that is small and is trying to protect themselves, really has to think more broadly and they have to partner,” said Takai. “They have to think about sharing services with others so that they can leverage resources and then also sharing resources with government entities.”