Key Takeaways
- Cyber risk poses a mounting threat to the operations of health care providers, pharmaceutical companies, and medical device manufacturers. The increasing connectivity of hospital systems, medical devices, and the global pharma industry creates credit risks due to their high sensitivity to disruption, as well as the potential compromise of sensitive personal and/or financial data of patients, customers, or employees, or of intellectual property.
- Given these risks, many health care companies have made significant investments to improve their abilities to prevent, detect, and respond to cyber threats. In addition, many entities now carry fairly expensive cyber insurance policies which could mitigate the financial cost of an incident.
- To date, reported cyber incidents have had minimal impact on our credit ratings. Despite their high exposure, we believe U.S.-based health care companies can largely manage their cyber risk, assuming they continue to proactively manage risk and adapt to the evolving threat landscape.
With health care spending approaching 20% of U.S. GDP as of 2022, the health care sector is the largest in the U.S. economy. Therefore, it is not surprising that it is one of the most attacked by cyber criminals, according to cybersecurity specialist Guidewire.
Chart 1
A successful cyberattack can have both immediate and long-term effects on a company's credit quality. The first consequence of an attack could be operational disruption, with direct impact for the entity's liquidity and short-term financial performance.
An entity that fails to respond to, or recover from, a cyberattack could suffer more acute harm including meaningful financial underperformance, customer losses, and reduced access to debt markets. This could be a significant risk particularly for entities with low liquidity levels, and already limited access to capital markets. IBM Security notes that the U.S. health care sector has had the highest average cost of a data breach for 12 consecutive years, now averaging over $10 million per incident. Breach costs for pharmaceuticals trail only health care and financial companies, averaging over $5 million per breach.
Over the longer term, we consider the most significant risk to the health care industry to be reputational, regulation or litigation damages. These exposures could result in a meaningful increase in financial liabilities over the medium to long term and reduction in liquidity.
Despite the increasing frequency of the attacks, we believe U.S.-based health care companies' exposure to cyber risk is largely manageable, assuming they continue to invest in cybersecurity and proactively manage risk. Our view is supported by data from Guidewire's analysis of potential losses from cyber-incidents (based on tail-value-at-risk calculation that measures the average loss for the 40 most severe simulations in Guidewire's model). Based on this calculation, the estimated loss from cyber-incidents would be limited to less than 1% of the revenues in 94% of health care companies and less than 2% for 99% of them for a set of about 200 corporate health care issuers. In addition to the Guidewire estimates, our credit analysis considers the possible impacts a cyber incident may have on a company's reputation and business position.
Why Have Cyberattacks Had A Limited Credit Impact To Date?
We typically assess investment-grade credits as having sound risk management and, in most cases, they also have a sufficient cushion within their ratings to withstand potential losses. The only example of negative rating impact was in case of Princeton Community Hospital Inc. of West Virginia (BBB/Developing/--), which we downgraded to 'BBB' from 'BBB+' in 2019, after a 2017 cyberattack that contributed to operating and liquidity issues later exacerbated by several strategic investments. In other cases the companies were able to weather the impact. For example, although Merck & Co. Inc. suffered approximately $1.4 billion in damages resulting from the 2017 NotPetya attack, the impact was not material to the credit ratings relative to other factors such as acquisition spending, dividends, and share repurchases. In early 2022, Merck also won a legal dispute with its insurance providers, who had originally denied coverage for the NotPetya incident citing a policy exclusion for acts of war.
Companies at the lower end of the credit spectrum are typically assessed to have less fully developed risk management capabilities, but they are also generally less-attractive targets for cyber-criminals, particularly in the medical devices and pharmaceutical spaces where these companies are often less innovative than their higher-rated peers. However, even non-investment-grade health care credits often have sufficient scale and liquidity to absorb sizable cyber losses. For example, Tenet Healthcare Corp. (B+/Stable/--) absorbed a $100 million unfavorable EBITDA impact following a cyberattack in the second quarter of 2022 without a change to its ratings or outlook. We acknowledge, however, that given their increasing frequency and intensity, cyberattacks could have larger impact on the companies' financial performance going forward.
Why The Health Care Sector Is More Targeted By Cyberattacks
According to reports by Guidewire, cyberattacks on health care have risen rapidly in recent years. Cyber criminals are increasingly drawn to the sector for the following reasons:
High stakes
The potential life-and-death nature of cyber risks to hospitals is largely without parallel. An interruption to hospital IT systems can deny physicians access to necessary tools to provide care, and create operational backlogs, leading to delays and cancellations of necessary and recommended treatments. This puts health care companies in a position where they feel as though they must pay ransoms in order to bring systems back online, which in turn draws more cyber criminals to the sector.
Sensitive personal and financial data
Health care organizations typically process and retain vast amounts of personal and private data. The value of medical records on the black market, especially when records contain a social security number, is reportedly many times greater than that of a compromised credit card number. Additionally, HIPAA violations for the unauthorized disclosure of health data can result in substantial fines to health care companies, again increasing their perceived likelihood to pay ransoms to quickly resolve breaches.
Increasing connectivity
Through an increased reliance on wireless communication from patient beds to care teams and developments including telemedicine, remote patient monitoring, wearable devices and implants, the potential attack surface of health care organizations and medical device manufacturers has expanded significantly in recent years. These factors multiply the number of potential vulnerabilities for the sector and dramatically increase the number of potential attackers.
How Health Care Subsectors Fare Regarding Cyber Risk
Health services
Cyberattacks targeting hospitals have increased by nearly 50% since 2020 according to the U.S. Department of Health and Human Services. In addition to volume increases, cyberattacks have also become more sophisticated. Nearly half of all U.S. hospitals have had to disconnect their networks due to escalating ransomware attacks according to Philips/Cyber MDX study. Larger hospitals reported an average shutdown of 6.2 hours at a cost of $21,500 per hour, while midsize hospitals reported an average shutdown of 10 hours at more than double the cost or $45,700 per hour. As such, affected hospitals have been forced to resort to manual processes and procedures due to the disruptions to their IT systems, forcing them to scale back the number of patients that can be served until the event is mitigated, and consequently affecting their bottom line.
While many for-profit and not-for-profit hospitals have thus far had sound reserves to absorb the one-time higher expenses related to cyberattacks, pressures from the current operating environment (e.g., labor shortages, inflation, supply chain disruption) for health care providers (including large health care systems) could be exacerbated by operational disruption or increased costs of a cyberattack. This could further constrain cash flow and liquidity and put downward pressure on ratings, particularly for those entities already in a weaker credit position.
Medical devices
Medical devices are increasingly connected to the internet, with notable examples including wearable devices that send patient data to the cloud or monitoring systems and injection devices that grant caregivers remote-access capabilities. The amplified connectivity has expanded the sector's exposure to cyber risks, with vulnerabilities reported by the FDA that include risks that certain medical devices could be made unavailable, and the potential for unauthorized users to access sensitive information, modify settings, or even tamper with the device's functionality. For example, infusion pumps are particularly susceptible to cyberattacks. A study published earlier this year by Palo Alto Networks, a cybersecurity provider, found that as many as 75% of the devices that are connected to hospital networks contain known cybersecurity flaws, possibly giving a malicious actor access to the device's controls or to any unencrypted data that passes to or from a pump.
We also believe legacy devices, servicing beyond their intended lifecycles present a special challenge to both hospitals and original equipment manufacturers (OEMs). In its 2021 discussion paper, the FDA warned that these unpatched medical devices will become increasingly vulnerable to cyberattacks over time and has called for more communication from OEMs when they can no longer support software upgrades and patches needed to address their devices' cybersecurity risks.
The vulnerabilities mentioned in the FDA cybersecurity safety communications and other alerts were self-identified and the agency has not received reports of these vulnerabilities being abused. The estimated remediation costs for the reported vulnerabilities fell below a threshold that would change our assessments of companies' financial positions. Subsequently, the sector has heretofore not had any credit rating actions related to cybersecurity.
Pharmaceuticals
The pharmaceutical industry is susceptible to cyberattacks as well, albeit often indirectly, and at times attacks of a different nature than other health care subsectors. Given its dependence on global supply chains for raw materials and widespread outsourcing of noncore functions to contract development and manufacturing organizations (CDMOs), including contract research organizations (CROs), third-party risk can extend the attackable surface of even the most conservative and cybersecurity-conscientious pharmaceutical companies and expose them to meaningful cyber risks.
Patient data is generally only an indirect risk, as pharma companies typically don't gather information on the ultimate users (except for pharmacovigilance reporting to regulators) and because clinical trials which involve gathering personal health data are often outsourced. Accordingly, cyberattacks on pharmaceutical companies often focus on the theft of intellectual property, or to inflict reputational harm.
In recent years, the pharmaceutical industry has been a magnet for sophisticated attacks from criminal and state-sponsored attackers. The industry attracts such attention given its highly valuable intellectual property concerning drug development, drug composition, and manufacturing processes.
Selected Attacks And Vulnerabilities
We've provided examples of the selected attacks and reported vulnerabilities from the three subsectors below. In all cases, except Princeton Community Hospital Inc., the company absorbed the financial impacts without affecting the rating.
Selected Cyberattack Examples And Impacts | ||||
---|---|---|---|---|
Subsector | Report date | Company | Details | Financial impact |
Health care services | April 2022 |
Tenet Healthcare Corp. (B+/Stable/--) |
Acute-care operations were disrupted and confidential company and patient information was accessed. | Unfavorable impact of about $100 million to quarterly EBITDA and unknown impact from the filing of a class action lawsuit |
Health care services | September and October 2020 |
Universal Health Services Inc. (BB+/Stable/--) |
Ransomware disrupted standard operating procedures, affecting ambulance traffic, elective surgeries, and scheduled surgeries. | Pre-tax adverse impact of $67 million to the full-year 2020 results, mostly due to lost operating income from the related decrease in patient volume |
Health care services | May 2021 |
Scripps Health (AA/Stable/--) |
Ransomware created operational and financial disruption for the organization. The event was significant, requiring Scripps to use paper charts and manual processes for a period of time. Due to the downtime of IT systems, Scripps experienced some challenges with its accounts receivable. | $93 million in one-time expenses in 2021, net of insurance recoveries, and approximately $25 million in additional expenses in 2022. |
Health care services | June 2017 |
Princeton Community Hospital (PCH) of West Virginia (BBB/Developing/--) |
Ransomware froze PCH’s systems, including electronic medical records, billing, and accounting. The ransomware attack had a meaningful impact on operations as the hospital had to limit its services and divert ambulances for approximately seven weeks. PCH also had to replace certain IT systems. | The cyberattack, coupled with other one-time events, weakened unrestricted reserves and caused operating losses and consistently negative financial performance, contributing to an eventual downgrade. |
Medical devices | Dec. 2, 2022 |
Becton Dickinson & Co. (BBB/Stable/--) |
Cybersecurity vulnerabilities in several models of BodyGuard infusion pumps. The vulnerability could allow an unauthorized access to the device through a physical connection to the serial port. Successful exploitation of these vulnerabilities could result in alteration of the device’s settings or interruption in the proper flow of treatments to a patient. | The incident was self-reported. To date no known hacking efforts that specifically targeted the vulnerability. The company has determined that there is a low probability of harm occurring from the identified issue. |
Medical devices | Sept. 20, 2022 |
Medtronic PLC (A/Stable/--) |
Cybersecurity vulnerabilities in MiniMed 600 Series Insulin Pump System. A potential issue was associated with the communication protocol for the pump system. Successful exploitation of these vulnerabilities could result in alteration of the device’s settings or disruption in the proper flow of insulin to a patient. | The incident was self-reported. No known unauthorized use. Minimal financial impact. |
Medical devices | Sept. 8, 2022 |
Baxter International Inc. (BBB/Negative/--) |
Cybersecurity vulnerabilities in several models of Sigma Spectrum infusion pumps, related to devices’ internet-connected software. Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration. | The incident was uncovered by cybersecurity researchers and reported by the company. To date no known exploits specifically targeting the vulnerabilities. Low financial impact. |
Medical devices | May 31, 2022 |
Becton Dickinson & Co. (BBB/Stable/--) |
Vulnerabilities were reported in Pyxis systems for medication management and dispensing. If exploited (by tracking down the default login info and breaching a facility’s network), the vulnerability could result in the unauthorized access to the confidential health information and other sensitive data stored in the Pyxis platform’s underlying file system. | The incident was self-reported. To date no known hacking efforts that specifically targeted the vulnerability. Low financial impact. |
Pharma | February 2022 |
Novartis AG (AA-/Stable/--) |
Information was allegedly stolen from a lab environment which was later listed for sale in an online marketplace. Novartis has reported that no sensitive data was compromised. | Minimal financial impact. |
Pharma | July 2020 |
Pfizer Inc. (A+/Stable/--) and AstraZeneca PLC (A-/Stable/--) |
An Advanced Persistent Threat with links to Russia targeted organizations involved in developing COVID-19 vaccines in the U.K., U.S., and Canada. In December 2020, the European Medicines Agency (EMA) reported a data breach, in which unlawfully accessed documents related to COVID-19 medicines and vaccines had been leaked on the internet and manipulated prior to publication in a way that could undermine trust in vaccines. | Minimal financial impact. |
Pharma | September 2020 |
Goldcup Holdings Inc. (B-/Stable/--) |
eResearchTechnology (Goldcup Holdings), a software-enabled clinical research solutions provider, fell victim to a ransomware attack while supporting COVID-19 vaccine and treatment trials. | Minimal financial impact. |
Pharma | June 2017 |
Merck & Co. Inc. (A+/Stable/--) |
NotPetya malware essentially shutdown Merck & Co. for two weeks in 2017, infecting about 40,000 computers. | About $1.4 billion in losses, eventually recovered following dispute with ACE America Insurance. |
Related Research
- Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing, Nov. 7, 2022
- Cyber Risk Management Is Credit Risk Management, Says Seminar, Nov. 1, 2022
- Cyber Security Is Integral To Credit Risk Management, Says Report, Oct. 25, 2022
- Cyber Trends and Credit Risks, Oct. 25, 2022
- Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market, July 26, 2022
- ESG Brief: Cyber Risk Management In USPF, June 28, 2021
This report does not constitute a rating action.
Primary Credit Analysts: | Alice Kedem, Boston + 1 (617) 530 8315; Alice.Kedem@spglobal.com |
Patrick Bell, New York (1) 212-438-2082; patrick.bell@spglobal.com | |
David P Peknay, New York + 1 (212) 438 7852; david.peknay@spglobal.com | |
Aamna Shah, San Francisco + 1 (415) 371 5034; aamna.shah@spglobal.com | |
Suzie R Desai, Chicago + 1 (312) 233 7046; suzie.desai@spglobal.com | |
Secondary Contacts: | Michael P Altberg, New York + 1 (212) 438 3950; michael.altberg@spglobal.com |
Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.