Moody’s discusses cyber risk in healthcare.

Moody’s Investors Service released a sector comment on the not-for-profit and public healthcare sector, and associated cyber risk with the industry.

Assessing cyber risk.

Moody’s says that the not-for-profit healthcare sector has a Very High risk categorization. Digitization and the use of third-party software are growing, keeping cyber risk elevated for the sector.  The IBM Security Cost of a Data Breach Report is referenced, saying how the healthcare industry worldwide had the highest average cost of a data breach 11 years in a row, with an approximately 30% increase in average cost from 2020.

Examples.

CommonSpirit Health, the second-largest not-for-profit healthcare system in the US, fell victim to a ransomware attack in the fall. It reports that it followed protocols, taking systems offline, and mitigating the disruption. Third-party vendors also provide risk; Yale New Haven Health in Connecticut was one of 170 victimized in a third-party breach. Elekta, a third-party vendor of medical devices, took its IT system offline after a cyberattack, which impacted those that use the vendor.

Mitigating the risk.

94% of survey respondents reported having standalone cyber insurance, but premiums continue to increase, and limits are being put in place, making the coverage less expansive. Vetting third-party vendors is also important; while most respondents (92%) said they assess new vendors, only 76% reassess current vendors.