Data Breach Risk Now a Factor in Credit Ratings

Ratings agency Moody’s introduced a new factor into its ratings of healthcare providers: data breach risk. This adds another matter to the list of responsibilities of directors of hospital management. One of the key considerations in deciding on a rating for a healthcare company will be the quality of its cyber security. "While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios," Jim Hempstead, Associate Managing Director at Moody’s, said in a statement released on the matter.

Moody’s laid out details of the new criteria in a report, "Cross Sector -- Global: Cyber Risk of Growing Importance to Credit Analysis," which stipulates key factors in the evaluation process. They include:

• Nature and scope of the targeted institution or assets
• How long services were interrupted
• Length of time it took to restore normal operations

"More cyber security expertise is being added to boards and trustee governance. We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive," Hempstead said.

"Cross Sector -- Global: Cyber Risk of Growing Importance to Credit Analysis" also focuses on other key points, such as the different types of cyber attacks that occur and the incidence of data breaches. It says that any company or organisation that deals with high volumes of personal hospital IT data is more vulnerable to the possibility of a major cyber attack. The rating agency aligned data breach risks with what it terms "extraordinary event risks" like natural disasters.

Some recent headline healthcare data breach stories include the following:

• The University of Washington Medicine had to pay $750,000 in settlement charges for potential violation of the HIPAA Security Rule, which dictates implementation of policies and procedures aimed at preventing, detecting, containing and correcting violations of security.
• Triple-S Management Corp. was ordered to pay $3.5 million to settle HIPAA violations with the U.S. Department of Health and Human Services' Office of Civil Rights. This was after the company failed time after time to implement safeguards that would protect the healthcare data of beneficiaries.
• Lahey Hospital and Medical Centre settled with the U.S. Department of Health and Human Services' Office for Civil Rights over potential HIPAA violations for security that was not up to standard.

