Cyber Attacks on Hospitals for Children Cause More Than Pain
Cyber marauders allegedly attacked the Hospital for Sick Children via digital ransomware on December 18, impacting more than just its information systems. The so-called LockBit ransomware group purported the attack, Moody’s Investor Service reported. The facility’s ability to provide healthcare was impacted, including “delays in medical imaging, longer diagnostics and non-critical treatment wait times,” Moody's noted in a January 10th report.
As such, the investor ratings service deemed the attack as “credit negative,” given the “hospital's exposure to ransomware attacks,” said the authors of the report, Adam Hardi, CFA, vice president and senior analyst, and Steven Libretti, analyst. “This is despite its efforts over the last few years to mitigate cyber risk. However, the hospital’s immediate and transparent public disclosure helps balance the risk.”
Impacts on healthcare and financial security notwithstanding, the attack on the Toronto children’s hospital shows the extent to which cyber criminals are willing to go to benefit illegally and the continued vulnerability of critical infrastructure such as hospitals.
“The attack highlights the importance of strong cyber practices to help prevent future attacks,” Hardi and Libretti stated. “In addition to the costs resulting from the impact on operations, ransomware attacks also expose entities to increased costs from ransom payments, forensic efforts to identify the point of entry and the extent of systems affected, and equipment replacement. In terms of longer-term risks, ransomware attacks can also lead to added regulatory scrutiny, litigation, and a need to boost investment in securing a company's digital systems.”
Moreover, 18 days after the attack, the hospital only had 80% of its priority systems back online-although the facility stressed that “there was no evidence of data being accessed or taken or any effects on personal information or personal health information.”
Going into 2023, Moody's warned that nonprofit hospitals are at “very high risk” of cyber attacks, and the risk of cyber attack against all kinds of hospitals will continue to increase.
“The risk of cyberattack against hospitals continues to grow, with ransomware attacks among the most prevalent types,” the ratings company said. “The number of attacks on non-children's hospitals is increasing, while the attacks themselves are becoming predominantly of ransomware-type. We also see this trend in the United States, where the CommonSpirit and Saint Joseph hospitals were recently attacked by a ransomware. As the demanded ransom is usually in the millions of dollars, or the effects and remedial costs are significant if ransom is not paid, these attacks represent high credit risk.”
Ransomware is expected to be the most prevalent form of cyber warfare against hospitals and other critical infrastructure, Moody's noted.
And although cyber attacks were not the reported cause of the nationwide outage of the Federal Aviation Administration’s (FAA’s) Notice to Air Missions System that grounded and delayed flights across America on January 11—and the FAA is conducting a “thorough review” to determine the root cause—Moody's pointed to the risks of over-dependence on such systems.
“The outage highlights how the minute-to-minute operations of U.S. airports and the U.S. aviation sectors rely on systems that are outside of their control and are exposed to cyber risks,” the ratings company said.