Published On: Fri, Nov 27th, 2015

Cyber Security Risk a Factor in Hospital Credit Ratings

The dramatic rise in IT system security breaches across all sectors of the economy, from banking to government and including healthcare, has prompted Moody’s Investors Service to include “cyber risk” as a “stress-testing scenario” when assessing credit scores.

“A cyber threat’s severity and duration determine how we reflect the risk in our analysis and ratings,” the bond rating agency said in a report this week. “To be clear, we do not explicitly incorporate the risk of cyber attacks into our credit analysis as a principal ratings driver. But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event—like other event risks—could be the trigger for those stress scenarios. A successful cyber event’s severity and duration will be key to determining any credit impact.”

The not-for-profit healthcare sector is not immune to the threat or its consequences, particularly as it relates to patient records and the disruption of medical technology, Moody’s says.

“An information breach would likely not materially disrupt services and the financial impact would be limited,” Moody’s says. “A breach in medical technology security would present more immediate risk and impair the hospital’s reputation, volumes, and financial performance. Whether or not such a cyber-event would be covered by a hospital’s medical malpractice insurance is untested.”

Lisa Goldstein, associate managing director, public finance group at Moody’s, compares preparing for cyber risks to preparing for Medicare or Medicaid cuts. “We look at it through the lens of any hospital’s next year’s operating and capital budget; what the expenditures are going to be; what the pressures on operations may be,” Goldstein says.

“When it comes specifically to cyber security, what component of your annual expense budget does that represent? Are you even talking about it? Are you pretty far down the road in trying to contain this risk, or just starting?”

While any hospital could be the target of a cyber attack, Moody’s says larger healthcare systems are more exposed than stand-alone hospitals. “This is largely due to the highly centralized IT function at many of these regional and national systems that have domain over more patient records and medical technology than a stand-alone hospital. As a mitigant, however, many of the large systems have access to external liquidity, such as lines of credit, in addition to their own cash reserves.”

Goldstein says the response to cyber risk has varied greatly from hospital to hospital. “We are not hearing from all of our rated hospitals and health systems that this is a key concern to them. Some are talking about it. Right now most are not,” she says.

“That speaks to where they are on their IT cycle spectrum. There are hospitals and health systems that 10 years ago went through their major IT conversion and are in a better position now to focus on cyber security. Then there are others on the side of the fence who are just gearing up in 2016 for their IT electronic medical records. Cyber security is way out there.”

Overall, Moody’s said the not-for-profit healthcare sector maintains a higher risk awareness of cyber security than other sectors of the economy, which is a credit positive.

“Most hospitals have completed or are in the process of installing new patient information systems which likely have better safeguarding features than prior technology,” Moody’s said. “We estimate that one-quarter to one-third of a hospital’s annual capital budget is for information technology needs. In step with the capital budget, a growing portion of the operating budget is related to IT upgrades, warranties, security, and training.”

Goldstein says hospitals also are aware of the increased need for strong internal protocols as more information is increasingly shared with external parties, such as vendors, patients, payers, and physicians.

“You have a lot more fingers in the pot with exchanges accessing data, traditional insurers, and the government systems are now linked electronically,” Goldstein says. “Now the patient can access their own data so they have their fingers in the pot as well.”

Goldstein says it appears that hospitals and health systems that make cyber security a standing agenda item at board meetings generally have a stronger grasp of the problem and are often farther along the road toward protecting data.

John Commins is a senior editor with HealthLeaders Media.

Wayne Becker

Wayne Becker is a visionary, dynamic nursing leader with over 20 years of clinical expertise and 10+ years of management experience. Experienced in multiple organizational settings from individual community hospitals to tertiary, academic facilities. Demonstrated excellence in quality critical care and emergency care and fiscal accountability. Change agent who leads process improvement initiatives as well as managed staff through significant technology upgrades. Developed mentoring relationships that prepared staff at all levels for advanced professional opportunities.

Specialties: Trauma Nursing, Critical Care Nursing, Emergency Nursing, and pre-hospital Emergency patient care. Utilization Management and leadership experience in for-profit and non-profit environments. Union and non-union leadership experience. Multiple EDIS and CPOE platforms.
