Among the four sectors considered to have the highest cyberrisk, hospitals and other healthcare providers have the least transparent cybersecurity protocols, according to a new report from Moody's Investors Service.
Fewer than half of the healthcare companies Moody's analyzed detailed how their boards oversee cyberrisks and only two companies noted having cyber insurance, according to the credit rating agency. Furthermore, Germany's Fresenius SE & Co. KGaA was the only one to go into detail about its cybersecurity risk management strategy.
Banks, telecommunication companies and media companies specifically detailed their management strategies in their cyberrisk disclosures and were considered the most transparent sectors.
The Oct. 2 report evaluated public disclosures from 125 companies in North America, Asia, Europe, the Middle East and Africa. Ten of those were healthcare companies, including U.S. hospital chains HCA Healthcare Inc., Universal Health Services Inc. and Tenet Healthcare Corp.
Moody's analysts reviewed three metrics in their report: risk factor discussion, board-level oversight and risk management. High-risk sectors are considered to have a significant reliance on technology and have access to confidential information, according to the report.
Lesley Ritter, a vice president and senior cyberrisk analyst at Moody's, said not acknowledging certain cyber protocols does not mean a company is more vulnerable. However, Ritter said lacking transparency makes it hard for investors to understand if a company is prepared to address a cyberattack.
"The absence of more detailed disclosures can make it difficult to assess a company's preparedness to manage cyberrisk," Ritter said. "As successful cyberattacks increase in frequency, a lack of transparency could ultimately erode investor confidence and complicate efforts by companies to raise capital and access liquidity."
One way that companies have protected themselves against financial consequences from cyberattacks is insurance. Companies typically purchase insurance limits for anywhere between $25 million and $100 million, with some companies even spending as much as $750 million, according to the report.
While the amount seems expensive, the price can be cheaper than penalties that a company may face from federal regulators, the Moody's analysts said.
In 2018, the U.S. Department of Health and Human Services' Office for Civil Rights, which regulates privacy protection and cybersecurity issues, settled 10 cases for a total of $28.7 million — the largest total ever collected, according to a February statement from HHS. That figure included Anthem Inc.'s $16 million settlement in October 2018, the largest single penalty secured by the Office for Civil Rights.
Cybersecurity threats growing for hospitals
Moody's Oct. 2 report follows another one detailing how hospitals are increasingly vulnerable to cyberthreats due to their reliance on technology.
Hospitals' growing cyberrisk puts the industry in jeopardy of financial and operational disruption, according to the Sept. 12 report. Moody's said that as the number of cyberattacks increases, operational disruption will be the most critical area for hospitals to address.
"Any attack that impairs connected electronic devices or programs can delay care, which can be fatal in critical situations," Moody's analysts wrote in the report.
Cyberthreats will force hospitals to invest more of their budgets in cybersecurity programs and protocols, Moody's said. On average, less than 6% of hospitals' IT budgets goes toward cybersecurity, according to the report.
One recent cyberattack has hobbled DCH Health System in Alabama. The hospital system had to stop accepting new patients after an Oct. 1 ransomware attack compromised computer systems for three of its facilities. DCH Health was forced to advise emergency services to take patients to different hospitals, according to an Oct. 2 statement.
The company said Oct. 3 that the attack is continuing to impact the computer systems, and the hospitals still cannot accept new patients except for critical cases. Outpatient procedures and surgeries are expected to move forward as scheduled, according to DCH Health.
