Skip to main content
close search
site logo
Dive Brief

Rising hospital ransomware attacks could endanger patients, hit bottom lines hard, Moody's says

Published May 27, 2021
By
Ron Shinkman
Joe Raedle via Getty Images

First published on

Healthcare Dive

Dive Brief:

  • Ransomware attacks will continue among large providers for the foreseeable future, and "healthcare systems will need to deploy additional resources to thwart future cybersecurity breaches even as the pandemic continues to use up significant clinical, financial and strategic resources," according to a new report from Moody's Investors Service. The organization noted that nonprofit hospitals tend to spend less on IT security than the banking and utility sectors.
  • Moreover, healthcare systems have been rendered more vulnerable due to COVID-19 as non-clinical employees working from home has led to expanded use of "less secure networks, increasing the number of access points vulnerable to a breach and driving up the frequency of 'phishing'’ attempts, due to the higher frequency of communication via email."
  • The report also suggested that future attacks could lead to serious hits to the bottom lines of some providers, and could even lead to patient deaths — as was the case with a recent cyberattack of a hospital in Europe.

Dive Insight:

The warning from Moody's on health systems echos recent comments by the FDA's medical device cyber chief on the threat to medical devices. Such threats to the medtech industry, including ransomware and other malware, are growing in sophistication potentially putting patient safety at risk, Kevin Fu, acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health said earlier this month.

The Moody's report could not specifically delineate how much ransomware attacks have ramped up in recent years, noting that many are not publicly disclosed. However, it cited research from IT security firm VMware Carbon Black, which reported 239.4 million attempted attacks on its healthcare customers last year — a nearly 10,000 % increase compared to 2019.

Scripps Health, a five-hospital system and one of San Diego's major healthcare providers, was able to weather a recent cyberattack, according to the Moody's report. Ditto for Hendrick Health, a three-hospital system in Texas. However, both had to take their IT systems down for a period of time, which Moody’s noted "can operationally alter how patient care is delivered."

While those two systems dodged a bullet, other providers have not been so fortunate — perhaps illuminating what the future of such attacks might hold.

Moody's noted that the ransomware attack in September against for-profit Universal Health Services led to postponed surgeries and ambulance diversions. The UHS attack also hit the company's bottom line hard, leading to pre-tax losses of as much as $50 million. In Germany, a patient died as a result of delayed care after University Hospital Düsseldorf was forced to turn away patients from its emergency room after a ransomware attack, also in September.

Meanwhile, hospitals and healthcare systems will likely have to invest more in IT security. According to Moody's, nonprofit providers spent about 5% of their budgets on cybersecurity last year, up from about 3% in 2018 — on par with what state and local governments spend. But electric utilities spent 11% of their budgets on cybersecurity, while banks spent 8%. That's despite the fact that 37% of hospital executives say cybersecurity performance is an organizational objective, versus 32% of banks.

"Given the growing frequency of attacks and the greater potential for operational disruption, regulatory scrutiny and reputational risk, the sector will come under increasing pressure to boost its investment in cybersecurity," the report said. "However, funds needed for cybersecurity will present a potential constraint on liquidity and operating performance, particularly as health systems face increasing costs as staffing and supply shortages will remain an industrywide challenge."

However, providers may have little choice in the matter. "The growing interconnectedness of healthcare delivery and technology will continue to leave the sector vulnerable to breaches, as will its extensive use of third-party software vendors for clinical, billing and numerous other functions," the report said. "While there is no way to fully prevent cyber breaches, the expanding adoption of … telehealth during the COVID-19 pandemic will yield additional vulnerabilities, as potentially unsecured devices will be used to access health system networks."

Editors' picks

Company Announcements

View all | Post a press release
New Published Study Shows MedLite ID as Faster and Simpler Solution to Primary Medication Infu…
From Orion Innovations
November 20, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Lunit Shows Promise of AI in Predicting Immunotherapy Response for Rare Cancer Patients at SIT…
From Lunit
November 10, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
Editors' picks
Latest in Medical Devices
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell