Tag: Hospitals

Interpretation of Financial Ratios (Hospitals)

Financial ratio analysis is one critical component of assessing a hospital’s financial condition. The following metrics are examined in CHIA’s quarterly and annual acute hospital financial reports: 

Interpretation of Financial Ratio

Table of Contents

Financial ratio analysis is one critical component of assessing a hospital’s financial condition. The following metrics are examined in CHIA’s quarterly and annual acute hospital financial reports: 

Profitability

This category evaluates the ability of a hospital to generate a surplus.

  • Operating Margin (ratio of operating income to total revenue)
    Definition: Operating Income/Total Revenue
    Operating income is income from normal operations of a hospital, including patient care and other activities, such as research, gift shops, parking and cafeteria, minus the expenses associated with such activities. Operating Margin is a critical ratio that measures how profitable the hospital is when looking at the performance of its primary activities. A negative Operating Margin is usually an early sign of financial difficulty.
  • Non-Operating margin (ratio of non-operating income to total revenue)
    Definition: Non-Operating Income/Total Revenue
    Non-operating income includes items not related to operations, such as investment income, contributions, gains from the sale of assets and other unrelated business activities.
  • Total Margin (ratio of total income to total revenue)
    Definition: Total Income/Total Revenue
    This ratio evaluates the overall profitability of the hospital using both operating surplus (loss) and non-operating surplus (loss).

Liquidity

This category evaluates the ability of the hospital to generate cash for normal business operations. A worsening liquidity position is usually a primary indication that a hospital is experiencing financial distress.

  • Current Ratio (ratio of current assets to current liabilities)
    Definition: Total Current Assets/Total Current Liabilities
    This ratio measures the hospital’s ability to meet its current liabilities with its current assets (assets expected to be realized in cash during the fiscal year). A ratio of 1.0 or higher indicates that all current liabilities could be adequately covered by the hospital’s existing current assets.
  • Average Days in Accounts Receivable (ratio of net patient accounts receivable to total revenue/365)
    Definition: Net Patient Accounts Receivable/(Net Patient Service Revenue/365)
    This ratio measures the average number of days in the collection period. A larger number of days represent cash that is unavailable for use in operations.
  • Average Payment Period (ratio of current liabilities less estimated 3rd party settlements to total expenses less depreciation and amortization/365)
    Definition: (Total Current Liabilities-Estimated 3rd Party Settlements)/ [(Total Expenses-(Depreciation Expense + Amortization Expense))/365)]
    This ratio measures the average number of days it takes a hospital to pay its bills.

Solvency/Capital Structure

This category evaluates the health of a hospital’s capital structure, measuring how a hospital’s assets are financed and how able the hospital is to take on more debt. Both measures are critical to the hospital’s long-term solvency.

  • Debt Service Coverage Ratio-Total (ratio of total income plus interest expense plus depreciation and amortization to interest expense and current portion of long term debt)
    Definition: (Total Income + Interest Expense + Depreciation Expense + Amortization Expense)/(Interest Expense + Current Portion of Long-Term Debt)
    This ratio measures the ability of a hospital to cover current debt obligation with funds derived from both operating and non-operating activity. Higher ratios indicate a hospital is better able to meet its financing commitments. A ratio of 1.0 indicates that average income would just cover current interest and principal payments on long-term debt.
  • Cash Flow to Total Debt (ratio of total income plus depreciation and amortization to total current liabilities plus total long-term debt)
    Definition: (Total Income + Depreciation Expense + Amortization Expense)/(Current Liabilities + Long-Term Debt)
    This ratio reflects the amount of cash flow being applied to total outstanding debt (all current liabilities in addition to long-term debt) and reflects how much cash can be applied to debt repayment. The lower this ratio, the more likely a hospital will be unable to meet debt payments of interest and principal and the higher the likelihood of violating any debt covenants.
  • Equity Financing (ratio of net assets to total assets)
    Definition: Total Net Assets/Total Assets
    This ratio reflects the ability of a hospital to take on more debt and is measured by the proportion of total assets financed by equity. Low values indicate a hospital has used substantial debt financing to fund asset acquisition and, therefore, may have difficulty taking on more debt to finance further asset acquisition.

Other Measures

The following items are individual line items from the Quarterly Financial Statements.

  • Total Surplus (Loss): Total dollar amount of surplus or loss derived from all operating and non-operating activities.
  • Total Net Assets: The difference between the Assets and Liabilities of a hospital. Comprised of retained earnings from operations and contributions from donors. Changes from year to year are attributable to two major categories (1) increases (decreases) in Unrestricted Net Assets (affected by operations) and (2) changes in Restricted Net Assets (restricted contributions).
  • Assets Whose Use is Limited: The current and non-current monies set aside for specific purposes, such as debt repayment, funded depreciation and other board designated purposes. Board-designated funds are most readily available to the organization as the board has the ability to make these funds available if needed. This is a valuable measure because it reveals potential resources that the hospital may have available for cash flow if necessary.
  • Net Patient Service Revenue (NPSR): Revenue a hospital would expect to collect for services provided less contractual allowances. Net Patient Service Revenue is the primary source of revenue for a hospital.

Pandemic Creates Extra Cyber Risk For Health Care Providers

Unfortunately, it is in these times of dogged, urgent focus on patient care that health care organizations may be most vulnerable to another invisible danger: cybercrimes targeting the very hospitals tasked with protecting us.

A recent report estimates that, in 2019 alone, cybercriminals compromised over 41 million patient records, costing the health care industry billions of dollars. (Protenus Inc. & DataBreaches.net, 2020 Breach Barometer (2020); HIPAA Journal, Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019 (Nov. 7, 2019).) We also know that health data breaches have increased steadily year over year, and can be expected to increase sharply in times of political or social turmoil.

In short, the global health crisis creates an opportunity for cybercriminals, and health care organizations and hospitals should consider taking steps now to minimize the risk to their systems, their data and, most importantly, their patients.Hospitals as Targets

The health care industry is a favorite target of cybercriminals, and hospitals are particularly vulnerable. There are numerous reasons for this.

Owing to their commendable focus on patient care, many health care organizations have invested less in technology and cybersecurity than other major industries. Recent digitization of patient health records has left many hospitals without robust security infrastructure vulnerable.

In addition, hospitals increasingly are using interconnected medical devices that sometimes have limited security protection. In 2013, these security considerations led doctors for former Vice President Dick Cheney to disable the wireless feature in his pacemaker, for fear that hackers could otherwise access the device. (Dana Ford, Cheney’s defibrillator was modified to prevent hacking, CNN.com (Oct. 24, 2013).)

Further, doctors and nurses on the front lines of patient care sometimes do not receive robust training on cybersecurity measures. Compounding the threat is the enormous value of electronic health records on the black market: Stolen records reportedly can fetch prices of up to $1,000 each. (Mariya Yao, Your Electronic Medical Records Could Be Worth $1000 To Hackers, Forbes (April 14, 2017).)

In short, hospitals and health care organizations are particularly exposed, even in the best of times.Crisis Creates Opportunity

In more challenging times, the picture is darker. In the few short weeks since the World Health Organization declared COVID-19 a global pandemic, cybercriminals already have sought to capitalize on the crisis.

The Wall Street Journal recently reported that hackers targeted two hospital systems, one in the U.S. and another in the Czech Republic — the latter attack compromising the country’s second largest hospital for almost two weeks. (Wall Street Journal, Cybercriminals Sweep In to Take Advantage of Coronavirus (March 24, 2020).)

Although cybercriminals have a number of tools at their disposal, ransomware attacks are perhaps the most concerning in the current climate because they have the potential to lock hospital administrators and staff out of their own systems for lengthy periods of time, compromising patient health. Late last year, for example, a ransomware attack on a cancer center disabled its systems and forced it to halt radiation treatment for cancer patients. (Jessica Davis, Ransomware Attacks Disrupts Patient Care at Hawaii, NJ Hospitals, HealthITSecurity.com (Dec. 16, 2019).) Hospitals often are asked to pay attackers hefty ransoms to resolve such attacks.

The rapidly evolving global health crisis caused by the spread of COVID-19 is also creating new windows of opportunity for cybercrime. The increase in telemedicine and makeshift hospital facilities, in addition to overcrowded conditions in hospitals and emergency rooms across the country, mean that hospital IT systems are at maximum capacity.

Under the circumstances, just one click on an email or attachment by an unsuspecting and exhausted hospital worker could unleash malware that compromises an entire hospital’s financial and clinical information systems, as well as its interconnected medical devices. The global pandemic is a crisis — but without functioning hospital systems and critical care, it could become a disaster.Litigation Risks Abound

Adding to the burdens already faced by health care organizations, cybercrime victimizes health care targets on several fronts, and could lead not only to substantial business costs, but also to potential third-party claims from affected patients.

In one example, a ransomware attack on a Wyoming-based health care company disabled hospital systems, resulting in service disruptions to the organization’s outpatient lab, respiratory therapy and radiological exams. Surgeries were canceled, new patients were turned away, and emergency room patients were transferred to other hospitals. (Jessica Davis, Campbell County Health Ransomware Attack Disrupting Patient Care, HealthITSecurity.com (Sept. 23, 2019).) Plaintiffs lawyers began advertising a potential class action shortly thereafter.

Such lawsuits have become increasingly common in the aftermath of health-care-related cyberattacks. (See, e.g., Aranowitz v. Hackensack Meridian Health Inc., 2:20-CV-01409 (D.N.J. Feb. 10, 2020); Quintero v. Metro Santuce Inc., Case No. 20-1075 (D. Puerto Rico, Feb. 11, 2020); Edwards v. Univ. of Washington, Case No. 19-2-12285-4 (Wash. Super. Ct., Oct. 21, 2019).) Moreover, as cybercriminals become more sophisticated, and the internet of things is extended to include interconnected medical devices, a new wave of product liability lawsuits stemming from malware attacks that compromise patient-worn medical devices or wired devices used for patient care may be on the horizon.

Hospitals and health care organizations are urged think now about how to mitigate the consequences of such attacks, if not prevent them altogether.Critical Care Requires Cybersecurity

The health care industry will require long-term investment, regulatory compliance, and cybersecurity prophylaxis to slow the tide of cyberattacks. But there are several short-term steps all health care organizations can take to protect themselves in this time of crisis.

First, health care companies should consider dusting off their cybersecurity contingency plans and, if necessary, hire outside professionals to update and implement those plans across facilities that are on the front lines of fighting the pandemic.

Second, hospitals should, where possible, provide updated training to emergency personnel on handling electronic health records. This is especially true where patients are being treated remotely or in temporary hospital facilities, where access to core IT systems may not be available.

Third, medical device manufacturers should be mindful of guidance from the U.S. Food and Drug Administration on the post-market cybersecurity in medical devices, particularly as regards updates and patches, and continuously work to improve device security as new technology becomes available. (See FDA, Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Dec. 2016), available at https://fda.gov/media/95862/download.)

Further, medical device manufacturers and hospitals alike can revisit indemnity provisions in any agreements providing for the sale and distribution of wired medical devices. This will ensure that all parties know who is responsible in the event of a cyberattack affecting those devices.

Finally, all companies operating in the health care space should consider comprehensive cyber-liability insurance. The policies available are not one-size-fits-all, and can be negotiated to include both direct expenses resulting from a cyberattack (e.g., expenses associated with a malware infection, ransomware or business email compromise) as well as expenses resulting from third-party claims (e.g., litigation involving privacy breaches and product liability).

The bottom line is that consistent, reliable patient care requires secure health care systems. Hospitals and health care organizations can take precautions now to prevent cyberattacks from disabling critical systems and compromising patient care as the global health care crisis evolves.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.