Cybercrime is impacting healthcare credit ratings

Cyber risk is seen on a 'steep trajectory,' leading to a 'higher priority' for healthcare C-suite
By Jessica Davis
10:56 AM
Stethoscope money credit

The rise of cybercrime is increasing the risk of healthcare institutions seeing a drop in their credit ratings, Moody's Investor's Service states in a new report.

In "Cyber Risk of Growing Importance to Credit Analysis," Moody's examines how credit analysis incorporates ever-increasing cyber risk.

[See also: 5 ways to avoid health data breaches]

"We see cyber risk as a steep trajectory," its authors write. "Credit implications associated with cyber defense, detection, prevention and response would start to take a higher priority within our credit assessments and analysis."

Although cyberattacks don't drive ratings, they're seen as event risks, in that "timing and consequences of a successful attack are uncertain." Moody's examined "numerous stress-testing scenarios" to determine the impact of possible cyberevents.

Healthcare providers are especially susceptible to these risks – as are credit card companies, financial institutions and other data carriers, the report states.

[See also: Anthem hack: 'Healthcare is a target']

Attacks are increasing as health providers and other organizations strive for interconnectivity, as hackers gain access through online means. Computer chips found in health equipment are another way data theft can occur, when placed in the wrong hands.

But the biggest security risks for healthcare organizations are patient data breaches and medical technology access, which can have a negative impact on patient care and safety.

This year alone saw some of the worst healthcare data breaches ever recorded, including Anthem.

[Learn more: Meet the speakers at the HIMSS and Healthcare IT News Privacy and Security Forum.]

Because the risk is evolving, fully understanding cyber risk scale and scope will take time, from a credit perspective, Moody's reports.

The report revealed that across the board organizations are increasing security spending and measures, but this doesn't necessarily translate to fail-safe measures, the report states; although the addition of cyber security subcommittees is a "material credit positive."

For the report, Moody's looked at risk much like a storm in that "timing and consequences of a successful attack are uncertain." However, assessment of an organization's "cyber preparedness is challenging because the risk is complex and evolving very quickly."

Additionally, the public rarely acknowledges cyber security measures or even cyber events and for disclosed events, the breaches aren't usually comparable.

Large-scale data theft attacks result in damage to company reputation and finances and cybercrimes may not be included in hospital's medical malpractice insurance. But the extent and severity of an attack is crucial to the impact on credit ratings and analysis.