Moody’s Investors Service released a comment today, detailing the cyber risks associated with not-for-profit and public healthcare.
Moody’s discusses cyber risk in healthcare.
Moody’s Investors Service released a sector comment on the not-for-profit and public healthcare sector and the cyber risk associated with the industry.
Assessing cyber risk.
Moody’s says that the not-for-profit healthcare sector has a Very High risk categorization. Digitization and the use of third-party software are growing, keeping cyber risk elevated for the sector. The comment references the IBM Security Cost of a Data Breach Report, which found that the healthcare industry worldwide had the highest average cost of a data breach 11 years in a row, with an approximately 30% increase in average cost from 2020.
CommonSpirit Health, the second-largest not-for-profit healthcare system in the US, fell victim to a ransomware attack in the fall. It reports that it followed protocols, taking systems offline and mitigating the disruption. Third-party vendors also pose risk; Yale New Haven Health in Connecticut was one of 170 victimized in a third-party breach. Elekta, a third-party vendor of medical devices, took its IT system offline after a cyberattack, which impacted those that use the vendor.
Mitigating the risk.
94% of survey respondents reported having standalone cyber insurance, but premiums continue to increase, and limits are being put in place, making the coverage less expansive. Vetting third-party vendors is also important; while most respondents (92%) said they assess new vendors, only 76% reassess current vendors.