Cyberattacks on US healthcare companies is a growing risk that could have negative implications for issuer credit profiles due to increasing financial and reputational costs, says Fitch Ratings.
Both quantitative and qualitative factors, including the persistence of effects on operations and cash flow, management’s response and leverage headroom relative to sensitivities, will influence future rating actions. Cybersecurity is already a factor in Fitch’s ESG Relevance Scores for healthcare issuers, due to the social and governance aspects of attacks.
The frequency and severity of attacks with respect to the number of individuals affected and costs to healthcare companies has increased over the past five years. There were 713 known breaches affecting approximately 45.7 million individuals in 2021, up from 329 breaches affecting 16.7 million individuals in 2016, according to data from the US Department of Health and Human Services.
We believe greater use of medical devices, remote patient monitoring, slow upgrades to technology, the use of post-merger legacy systems and increased use of third parties due to the digital transition have raised the sector’s vulnerability to cyberattacks.
Cyberattack costs can include expenses for notifying patients, lost business and ransom payments, with insight on the cost of a ransomware attack to a hospital’s bottom line beginning to surface.
Cybercrime in healthcare has increased during the pandemic, as the sector experienced periods of elevated patient demand and staff shortages. These things spurred new legislative proposals to strengthen US businesses’ defense mechanisms against cyber threats.
The SEC voted to propose rules for incident reporting and disclosures, providing shareholders enhanced and standardized information regarding cybersecurity risk, along with management’s strategy to prevent attacks.
Transparency about the nature of cyberattacks, damages suffered and remediation actions is viewed favorably. Fitch’s ESG Relevance Scores, which include considerations for cyber incidents, reflect the relevance and materiality of ESG issues and explain their impact on our credit rating decisions