"We view cyber risk as event risk that can have material impact on sectors and individual issuers," said Moody's Managing Director Derek Vadala. "Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers' financial profiles and business prospects," he added.
Moody's developed a cyber risk framework that focuses on “1) vulnerability to the type of attack or event to which entities in a given sector are exposed, and 2) potential impact of cyber events via disruption of critical business processes or negative reputational effects that lead to a loss of revenue as a result of customer attrition.”
Based on that framework, Moody's classified sectors into high-risk, medium-high risk, medium-low risk and low-risk sectors and quantified total rated debt outstanding for each classification. Moody's ranked 35 total sectors and over $70 trillion total debt outstanding in terms of cyber risk.
An earlier report by Cisco/Cybersecurity Ventures attributed the higher cyber risks faced by hospitals to outdated health IT infrastructure.
In addition, a lack of experienced cybersecurity personnel, highly valuable data, and vulnerability to ransomware attacks were factors that attracted attackers to hospitals, the report noted.
Healthcare has been the most attacked industry by hackers over the last five years, followed by manufacturing, financial services, government, and transportation, according to the report.
Personal medical information is 50 times more valuable than financial information, with patient medical records going for as much as $60 per record.
A health data breach costs an organization an average of $408 per record, nearly three times higher than the cross-industry average of $148 per record, according to the 2018 Cost of a Data Breach study published by IBM and the Ponemon Institute.
The study found that the average cost of a data breach across industries and countries is $3.86 million, a 6.4 percent increase from 2017 and a nearly 10 percent net increase over the past five years.
The Cisco/Cybersecurity Ventures report predicted that ransomware attacks on healthcare organizations would quadruple by 2020 and that the industry would spend more than $65 billion on cybersecurity products and services between 2017 and 2021.
Deploying countermeasures, such as network segregation and network segmentation, can help to mitigate the risks from ransomware attacks.
Network segregation is the separation of critical networks from the Internet and other internal, less sensitive networks.
“When you have a potential risk to life or physical harm to people when a system goes offline, we recommend putting those assets on a separate network. There's much less of a chance of a ransomware incident affecting those systems,” observed Kaspersky Lab Senior Security Researcher Brian Bartholomew.
Network segmentation, which involves splitting the larger network into smaller network segments, can be accomplished through firewalls, virtual local area networks, and other separation techniques.
Network segmentation places internal boundaries in the network. “This is especially important because of how ransomware operates. Ransomware gets a foothold in an organization and then goes around and actively scans and leapfrogs its way into other things,” explained BlackRidge CTO John Hayes.
Both strategies have the potential to prevent ransomware attacks, which encrypt files on the network, block access to those files, and then direct the victim to a webpage with instructions on how to pay a ransom in bitcoin to unlock the files.