Hospitals face rising risk of sophisticated cyberattacks

To date, attacks have led to patient data being exposed; going forward, attackers will seek to disrupt hospitals' operations, Moody's says.

Increasingly sophisticated cyberattacks will pose significant threats to hospitals' operations and revenues, as well as risks to patient safety that will expose more hospitals to malpractice accusations and lawsuits, according to a recent report by credit rating agency Moody's Investors Service.

Small hospitals that lack resources and modern technology will be the most vulnerable to attacks, the report finds.


The healthcare sector's reliance on confidential information and technology puts it at tremendous risk for cyberattacks that could greatly damage hospitals' finances.

As the industry continues to move toward digitalization and data-sharing, the number of infiltration points for cyberattacks will grow.

Any attack that impairs connected electronic devices or programs can delay care, which can be fatal in critical situations. The biggest issue for hospitals will be threats that jeopardize patient safety and result in harm or death -- exposing hospitals to malpractice accusations and lawsuits.

Among the biggest risks: Attacks against connected medical devices such as insulin pumps, defibrillators and cardiac monitors, which are now entrenched in remote monitoring and require constant updating and patching.

Cyberattacks that compromise hospitals' electronic medical records will cause the greatest disruption by affecting hospitals' revenue cycle and disrupting cash flow in the most severe cases, the report said.

One example is ransomware attacks, in which data and systems are held hostage until the hospital pays a ransom. So far, disruptions from ransomware have been limited. But a prolonged disruption could affect margins and scheduling of procedures, and may result in the permanent loss of patient records.

Hospitals with strong risk management will be more able to respond to a major disruption. Hospital management teams are taking cyber risk management steps such as developing contingency plans to ensure patient care, employing dedicated cybersecurity staff to address threats, and conducting phishing exercises and other employee training to help prevent attacks from getting through.

However, the capacity to take these and other actions will vary--with smaller hospitals being more vulnerable. Additionally, a shortage of qualified talent will remain a challenge across the sector.


Moody's latest research into the hospital sector reveals some key findings.

Hospitals are highly vulnerable to cyberattacks with a high potential to create financial disruptions.

The interconnectedness of hospital operations and IT makes the hospital sector highly vulnerable to cyberattacks such as ransomware, malware, email phishing and infiltration through online medical devices.

The negative impacts of cyberattacks on hospitals' operations, finances and reputations are also high.

While all hospitals will face cybersecurity threats, smaller hospitals, especially critical access hospitals, will be the most vulnerable because they typically lack the resources for dedicated cybersecurity experts and often use dated, easily compromised technology.

Cyberattacks that result in operational disruptions -- not data breaches -- present the greatest risk. To date, attacks that have led to sensitive patient data being exposed or stolen are the most common types of attacks reported by hospitals. Going forward, however, attackers will increasingly seek to disrupt hospitals' operations, Moody's said, which will jeopardize patient safety and have a significant financial impact.


Beazley Breach Insights found that healthcare is the industry most targeted by cyber criminals, accounting for 41 percent of all breaches reported to the firm last year. Roughly one-third of the breaches were related to hacking or malware attacks, with another 31 percent caused by accidental exposure.

Health providers will spend an estimated $408 for each lost or stolen patient record--about three times more than other sectors.

Despite the threats, healthcare has been behind other sectors in taking security measures. Just four to seven percent of a health system's IT budget goes to cybersecurity, compared to about 15 percent for other sectors such as the financial industry.

Ransomware attacks on healthcare companies have been on the rise for some time now. The 2018 SamSam virus breached Allscripts' data centers last year, then attacked Hancock Health and Adams Memorial, two Indiana providers. It's estimated that the hackers behind SamSam have made more than $6 million since 2015.

Meanwhile, the WannaCry ransomware worm that attacked hospitals in 2017 and disrupted patient care remains "very aggressive in its ability to spread."


"The biggest type of risk is basically any cyber event that causes a disruption to operations, that delays patient care or jeopardizes patient safety, which could potentially result in physical harm to a patient. These are the types of events that can really open up a hospital to malpractice accusations and lawsuits," says Jenn Barr, healthcare analyst at Moody's Investors Service.

Mark Klimek is an independent writer and editor with 20 years' experience covering financial issues, healthcare and more.