Cyberattacks on US hospitals are on the rise, adding a layer of financial pressure onto an industry still struggling to recover from the pandemic.
Health facilities have been hit with 226 digital incursions affecting 36 million people this year, on track to be more widespread than 2022 attacks, according to John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association.
Cyber raids on hospitals more than tripled in the past five years and have become more sophisticated, just when hospitals are coping with higher costs for labor and supplies and grappling with staff shortages. The industry in 2022 had what Moody’s Investors Service analyst Matthew Cahill called “arguably the worst year in health-care history” for financial performance.
“There’s really no wiggle room for hospitals to deal with this,” Cahill said in an interview. He said cyber risk has contributed to downgrades, including one at Missouri’s Capital Region Medical Center last year following a breach.
Health-care facilities are attractive targets for cybercriminals because they hold ample personal data on patients, Matt Fabian and Lisa Washburn of Municipal Market Analytics wrote in a research note. Staffing shortages and wide use of third-party technology make the sector particularly vulnerable.
The problem is particularly dire at smaller and rural hospitals, which have more financial distress and tend to use older technology. In an April note, Moody’s cited an IBM survey that showed hospitals for 12 years have had the highest average cyberattack cost per industry, with $10.1 million in 2022.
The AHA’s Riggi said that while most hospitals have insurance, the cost to recover from attacks could be up to 10 times what insurance pays out.
The scope of the damage from such events can be considerable, MMA said, pointing to the $160 million cost of a hack last year at hospital operator CommonSpirit Health. And a rural system in Illinois cited a 2021 attack as a key reason for closing this year. Meanwhile, insurance costs to protect against incursions have soared.
The pandemic’s upheaval exacerbated the problem. “Covid was a transformative event as far as cyberrisk goes,” Omid Rahmani, who leads the public finance cybersecurity group at Fitch Ratings, said in an interview. “Most of these networks were not designed to go virtual overnight.”
Investor Concern
The problem has caught the attention of investors in the $281.3 billion of municipal hospital bonds outstanding.
“This is definitely a relevant risk,” Jason Appleson, head of municipal bonds at PGIM Fixed Income, said in an interview. “Now you have the ability to phish and do other things with the advancement in technology and AI. It’s made it so easy and affordable for your low-level criminal to come in and attack institutions with very sensitive information like a hospital.”
That means anyone on a hospital email system can click on a message and give entry to hackers, who can introduce ransomware to block access to data and attempt to extort payment.
Determining the extent of the financial risk is difficult, said Appleson, who regularly queries hospital executives on the issue. “There’s no standardized way to disclose this information,” he said.
There has been a “pretty significant uptick” in the number of attacks in recent months, with most coming from overseas state-sponsored cyberattack groups, Riggi said.
“We have foreign bad guys being sheltered by hostile nation states,” Riggi, a former FBI official who’s advised the CIA and White House on cyber- and terrorism threats, said in an interview.
“Cyber threats and the need to bolster our security of health information systems is a key priority,” director of the US Department of Health and Human Services Office for Civil Rights Melanie Fontes Rainer said in an emailed statement. She noted a “substantial increase in large data breaches.”