Healthcare companies could see drops in their credit ratings as a result of the dramatic rise in cybercrime, according to the ratings agency Moody's Investors Service.
All entities that hold data are at risk, Moody's outlined Monday in its report, Cyber Risk of Growing Importance to Credit Analysis. Moody's said it does not yet consider cyberattacks to be principal drivers of ratings. But in creating risk assessments across multiple industries, the agency does look at “numerous stress-testing scenarios," and a cyberevent could make an impact.
The report finds that large-scale data theft attacks result in serious damage to a company's reputation and finances. Particularly vulnerable to these risks are credit card companies and financial institutions, as well as healthcare providers and other data carriers and users.
“It's definitely something we are going to keep taking looks at going forward,” said Moody's spokesman Joe Mielenhausen.
Four of the five worst healthcare data breaches on a federal list kept since 2009 occurred this year. Hackers were responsible for all four and those events alone exposed more than 103 million individuals' records.
Meanwhile, CMS data indicate that 88% of physicians and other eligible providers and 97% of eligible hospitals have been paid for buying and adopting an electronic health-record system at least capable of connecting with other EHRs and health information exchanges. These new systems “likely have better safeguarding features than prior technology,” the report said.
Still, cyber risks are rising rapidly across the board “as interconnectivity grows,” the rating agency notes. Internet connectivity creates “a hacker's point of entry.” The so-called “Internet of things” puts connectable computer chips into a wide array of equipment from home thermostats to many in-hospital monitors and pumps.
In a section focused on health, Moody's noted that as the number of cybersecurity events rises, hospitals are at increased risk of an attack in two areas—a breach of patient data and access to medical technology. And “that could lead to harmful clinical events.”
Of the two types of attack, Mielenhausen said, “the far more terrifying” would be hackers disrupting the function of medical technology. “The point we make by bringing it up is it's certainly on the hospitals' radar screens as potentially catastrophic.”
The report underscored that cyberevents might not be covered by a hospital's medical malpractice insurance.
“As a result, cyber risk will become more pervasive and begin to take a higher priority within our credit assessments and analysis,” Moody's said.
