The growing threat of ransomware attacks — and the cost to both deal with and prevent them — adds to the pressures on an already battered hospital sector that’s at risk of acute and longer-term fiscal wounds.
Attacks to date have exacted a financial toll by disrupting operations. CommonSpirit Health’s October ransomware attack illustrates the operational impact, as it forced some of the nation’s largest not-for-profit systems offline and led to the cancellation or rescheduling of a number of appointments.
The reputational damage is harder to quantify for the sector, but the need for preventative investments and costly insurance adds to the pressures hospitals have faced this year from labor struggles, supply chain issues, and inflation that have set back their recovery from COVID-19 pandemic blows.
Negative rating actions, so far, have been limited as financial cushions have managed to absorb the costs, but the threat is intensifying, S&P Global Ratings warned in a report earlier this month on healthcare credits including not-for-profit hospitals.
“While many for-profit and not-for-profit hospitals have thus far had sound reserves to absorb the one-time higher expenses related to cyberattacks, pressures from the current operating environment for health care providers could be exacerbated by operational disruption or increased costs of a cyberattack,” the report said. “This could further constrain cash flow and liquidity and put downward pressure on ratings, particularly for those entities already in a weaker credit position.”
For the NFP hospital sector, the risks stem from ransomware attacks that impact patient data and can cause business interruption that would have a direct impact on liquidity and short-term financial performance. The evolving threats have raised the need for investments to prevent, detect and respond to cyber threats and costly insurance to manage the fiscal toll.
“An entity that fails to respond to, or recover from, a cyberattack could suffer more acute harm including meaningful financial underperformance, customer losses, and reduced access to debt markets,” S&P said. “Over the longer term, we consider the most significant risk to the health care industry to be reputational, regulation or litigation damages.”
The subject is one that’s likely to intensify for investors, Municipal Market Analytics said in a recent outlook piece.
“Better disclosure of an organization’s preparedness, planned costs for upgrades, and staffing, and information on cyber incidents attempted versus those that resulted in a breach, along with the breach’s severity and cost, will be increasingly important to investor understanding of the incremental risk (downgrade or worse) inherent in their holdings,” MMA said.
Credit deterioration has mostly been avoided to date for those that have suffered attacks because of sufficient financial cushions to deal with losses.
The notable exception in the NFP sector was Princeton Community Hospital Inc. of West Virginia, which S&P cut to BBB/developing from BBB-plus in 2019 after a 2017 cyberattack that contributed to operating and liquidity issues later exacerbated by several investments.
The healthcare sector has a target on its back, according to Guidewire, which S&P quotes in its report. The value of medical records on the black market, especially when records contain a social security number, is reportedly many times greater than that of a compromised credit card number.
S&P cites several reports noting that cyberattacks targeting hospitals have increased by nearly 50% since 2020, according to the U.S. Department of Health and Human Services. In addition to volume increases, cyberattacks have also become more sophisticated. Nearly half of all U.S. hospitals have had to disconnect their networks due to escalating ransomware attacks, according to a Philips/Cyber MDX study.
The FBI has expressed concern that health systems are a prime target for online attacks due to the mandatory electronic transition of medical records and high payouts for medical records in the black market. The pandemic trend of work-from-home and consolidation activity also heighten exposure to attacks.
Larger hospitals reported an average shutdown of 6.2 hours at a cost of $21,500 per hour, while midsize hospitals reported an average shutdown of 10 hours at more than double the cost: $45,700 per hour.
Scripps Health suffered a ransomware attack in 2021, taking a $93 million one-time hit with $25 million in additional expenses this year. Its AA rating survived.
The S&P report doesn’t address CommonSpirit’s attack as it is still investigating and assessing the toll. The ransomware attack came to light in October as the system was preparing to enter the market with a $1.3 billion issue. The sale went on as planned while the system dealt with the attack that caused operational headaches.
Some other larger hospital systems that recently faced cyber breaches include Advocate Aurora, Baptist Medical Center, Broward Health, Texas Tech University Health Science Center, and Michigan Medicine.