An anesthesiology resident assigned to Naval Medical Center San Diego monitors a patient’s vital signs during a retroperitoneal lymph node dissection surgery. (Navy)

Cyber risk mitigation is becoming increasingly expensive for nonprofit hospitals and health systems as they face a similar rise in the financial and reputational costs spurred by an overall uptick of cyberattacks against the sector, according to a new Fitch Ratings analysis.

Further investments in software, hardware and internal controls are needed to defend against the growing complexity and sophistication of threats. But nonprofit hospitals may not be prioritizing cybersecurity spending due to thinner margins and necessary cost containment strategies.

The analysis follows recent reports from France and the U.K., both of which are facing continued fallout from separate cyberattacks against their public health systems. Reports show the outages at the U.K. National Health Service may last for several months, while the attack on Centre Hospitalier Sud Francilien came with a $10 million ransom demand.

In the U.S., lawmakers are highly concerned about the health sector’s lack of timely, robust threat sharing, citing a need to dramatically boost the Department of Health and Human Services’ capabilities and resources given the exponential rise in threats.

Like many small- to medium-sized providers, nonprofit hospitals have long faced resource challenges that have inhibited progress on needed security measures. The COVID-19 pandemic has further compounded those resource constraints.

Health systems' operating margins decline to continue, with effect on cyber ratings

Fitch Ratings notes that operating margins have significantly dropped in 2022 for most health systems compared with last year, and projects that sector medians will decline even further in the following year and beyond.

“Additional expenses, primarily labor and equity market volatility will exert financial and operational pressure on providers in the near to medium term,” according to the analysis. “Both quantitative and qualitative factors, including persistent effects on operations and managements’ responses, influence the effect of cyber breaches on ratings.” 

Those with weaker financial standing will have fewer resources to prevent or recover from a cyberattack, which could cause issues with care quality due to medical device impacts and a loss of access to health information, while posing “reputational risk and further margin erosion.” 

If those attacks cause a patient data breach, these entities may also face a loss in consumer confidence, litigation fees, and regulatory enforcement actions, “all of which could negatively affect financial performance.”

No hospitals or health systems have been downgraded because of a cyberattack to date. However, “the credit effects of a cyberattack could be amplified due to labor pressures and inflation compressing not-for-profit hospital margins.”

Fitch Ratings asserted that the use of cyber insurance “remains a key risk mitigant,” but also reiterated that the “rapid pace of cyber insurance premium growth and a tightening underwriting environment may result in the policies becoming cost prohibitive to less financially flexible organizations.”

For the last two years, the Government Accountability Office has examined the changing tides of cyber insurance, confirming that changing policy costs and added security requirements are making it difficult for some healthcare providers to meet those cyber goals. The Fitch Ratings analysis confirms that nonprofits and lower-resourced providers are facing an uphill battle.