Hospitals are among four sectors, holding $11.7 trillion in rated debt, at high risk for cyberattack, according to a recent Moody's Investors Service report.
Banks, securities firms and financial market infrastructure are the three other sectors most vulnerable because of their heavy reliance on technology for operations, distribution of content or customer engagement, Moody's said.
"We view cyber risk as event risk that can have material impact on sectors and individual issuers," said Moody's Managing Director Derek Vadala. "Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects."
To determine which sectors were at a high risk, Moody's focused on:
- Vulnerability to the type of attack or event to which entities in a given sector are exposed
- Potential impact of cyber events via disruption of critical business processes or negative reputational effects that lead to a loss of revenue
Hospitals were quickly regarded as high risk because of the financial disaster that would result from a cyberattack. Contributing to the $11.7 trillion world debt total, a cyberattack would significantly prevent it from paying back what it owes, according to The Washington Post.
Additionally, cyberattacks affect how long a hospital or business is offline not doing business. This is likely to cause more financial damage than the information that is hacked or exposed, according to The Washington Post.
Other sectors would also feel the ripple effects of attacks on hospitals.
Moody's determined another 20 industry sectors, which total $12 trillion in debt, were at medium-high risk or medium risk. Telecommunications, health insurance and pharmaceuticals were included in the sectors.
The report didn't so much focus on the cybersecurity protections hospitals and other industries have in place; rather, it explored how and why these organizations are at such high risk for attacks and the long-lasting effects of cyberattacks on these industries.
While hospitals have to report cyberattacks and data breaches to HHS, many other industries do not have to report cybersecurity incidents.
"One thing has confounded this type of analysis, not only for us but for others, is there's not a good strong public record of cyber events," Moody's Senior Vice President Robard Williams told The Washington Post.