Fitch Ratings-New York/Chicago/Austin-29 August 2022: Cyber risk mitigation is becoming more expensive for not-for-profit hospitals and healthcare systems, which are subject to increasing frequency and severity of attacks, Fitch Ratings says in its report Cyber Risk Continues to Grow for U.S. Not-For-Profit Hospital and Health Systems. Increasing risk requires greater investment in hardware, software and internal controls in order to prevent and address cyber breaches. However, not-for-profit hospitals are reporting thinner margins amid ongoing cost pressures, necessitating cost containment and revenue-raising measures, and cyber security spending may not be prioritized.
Both quantitative and qualitative factors, including the persistence of effects on operations and management responses, influence the effects of cyber breaches on ratings. Fitch has not downgraded any hospitals or health systems due to a cyberattack to date.
However, the credit effects of a cyberattack could be amplified due to labor pressures and inflation compressing not-for-profit hospital margins. Operating metrics are down significantly in interim 2022 for most health systems compared with 2021. Issuers with weaker financial profiles would have fewer resources available to prevent or recover from a cyberattack, potentially leading to quality of care and reputational risks, and further margin erosion.
Cyber breaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal regulatory enforcement actions, all of which could negatively affect financial performance. Cyberattacks also have the potential to affect quality of care by affecting medical devices or denying access to patient data.
Cyber insurance remains a key risk mitigant. However, the rapid pace of cyber insurance premium growth and a tightening underwriting environment may result in the policies becoming cost prohibitive to less financially flexible organizations. Fitch considers cybersecurity in its analysis as part of its Environmental, Social and Governance (ESG) framework. A hospital’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating.
Contacts:
Omid Rahmani
Associate Director, US Public Finance
+1 512 215-3734
Fitch Ratings, Inc.
Terrace 1
2600 Via Fortuna, Suite 330
Austin, TX 78746
Gregory Dziubinski
Associate Director, US Public Finance
+1 312 606-2347
Fitch Ratings, Inc.
One North Wacker Drive
Chicago, IL 60606
Kevin Holloran
Senior Director, US Public Finance
+1 512 813-5700
Sarah Repucci
Senior Director, Fitch Wire
Credit Policy – Research
+1 212 908-0726
Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]
The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.