Readers of this blog know well that hospitals’ cybersecurity measures aren’t exactly impenetrable, as hack after hack attests.
This isn’t just a concern for health system execs, though. Financial analyst firm Moody’s Investors Service has just a released a new report outlining its concerns about the adequacy of hospital cyber-defenses and the consequences facilities could face if they don’t tighten those defenses substantially.
In the report, Moody’s takes official notice of the barrage of successful cyberattacks on hospitals, particularly ransomware and cyberattacks that compromise EHR, noting that these attacks not only expose information, they also threaten the facilities’ bottom line. Such attacks, it says, “[affect] hospitals’ revenue cycle and [disrupt] cash flow in the most severe cases.”
In addition to these threats, it notes that medical device vulnerabilities are a potent emerging threat for hospitals, with insulin pumps, defibrillators and cardiac monitors standing out as targets. The list of such targets is likely to expand over time, it said. “As the industry continues to push toward digitalization and increased data-sharing among programs, devices and vendors, the number of infiltration points for cyberattacks will grow,” it warns.
Then, there’s the long-term issue that dogs the industry – the relatively small among hospitals earmark for these defenses. As Moody’s points out, hospitals seldom earmark more than 5% of their IT budgets for cybersecurity, according to a report released this year by Gartner.
So what are health IT leaders to make of this report? If nothing else, it’s a reminder that the damage from successful cyberattacks ripples not only beyond your institution but out into other indirect but important stakeholders keeping a close watch on your business.
One way to address the concerns of Moody’s analysts might be to invest more in cybersecurity infrastructure. Of course, spending levels don’t in and of themselves correlate directly with the effectiveness of cybersecurity defense, but they aren’t irrelevant either. And it probably does mean something that healthcare spending on such protections falls below banking and financial services sector, which allocated 7.3% of IT budgets for cybersecurity, and the retail and wholesale sector, which set aside 6.1%.
There are lower-hanging fruit hospital IT leaders can pluck as well. For example, a recent survey by security vendor Kaspersky found roughly a third of healthcare employees had never gotten cybersecurity training from their employer, and 19% said they thought their organization should offer more such training. Addressing this gap is a no-brainer.
Nothing much is likely to change if hospital C-suite leaders and board members don’t think cybersecurity is critical. As things stand, many of these leaders think breaches are less expensive than putting a robust cyber-defense, at least until a breach actually happens.
With Moody’s warning that cyberattacks can have a “material impact” on individual hospitals’ credit rating, however, maybe healthcare CIOs will have an easier time getting their colleagues to take cyber-threats seriously.