The interconnected nature of hospital operations and information technology presents a significant and growing cyberattack risk for hospitals, particularly smaller organizations that lack enough resources to absorb any financial impact, according to a Sept. 12 Moody's Investors Service report.
Small hospitals, especially critical access hospitals, will be most vulnerable in the aftermath of a cyberattack because they usually lack resources to staff cybersecurity roles and typically have outdated technology that is easy to hack. However, all hospitals will be subject to cybersecurity threats in some capacity.
Here are three ways hospitals will be affected by cyber threats and attacks, according to Moody's:
1. Threats that jeopardize patient safety and result in harm or death. Attacks against connected medical devices, including insulin pumps, defibrillators and cardiac monitors, present a large risk for hospitals because they require constant updating and patching. These risks can expose hospitals to malpractice accusations and lawsuits.
2. EHR disruption. Ransomware and cyberattacks that compromise the EHR will impact a hospital's revenue cycle and disrupt cash flow. Other cyber threats include changing medical orders and test results. Prolonged disruption from ransomware attacks will affect hospital margins and scheduling of procedures.
3. Increased sharing of health data. As more patients and health systems share health data with vendors and third parties, data will become more vulnerable because it opens more avenues for hackers to access.
Currently less than 6 percent of IT budgets are currently allocated to cybersecurity, according to the Healthcare Information and Management Systems Society. As cybersecurity risk becomes more important, hospitals will likely dedicate more of their budgets to enhance cybersecurity programs and recruit key personnel, according to the report.
"However, small hospitals, particularly critical access hospitals, that lack the resources for a dedicated cybersecurity expert will be more vulnerable," report authors concluded. "A lack of qualified talent will also remain an industry challenge and require additional investment, leaving less room for investment in other operational areas."