Soaring cyber insurance costs highlight need for better records security

With growing awareness of the damage that can be wrought by hackers, provider organizations are looking for standardized ways to achieve better cybersecurity.



Healthcare delivery organizations are struggling to defend themselves against the soaring rate of cyberattacks. Rapid digitalization has forced health IT leaders to quickly adopt new technologies. This has dramatically changed the digital environment and led to fragmentation, exposing gaps in the system that threat actors seek to exploit.

Since this past January, healthcare organizations have experienced 200 cybersecurity incidents. When the public health system is at this level of risk, cyber insurance becomes imperative. And yet, high insurance premiums, vague security guidelines and a lack of government incentives are slowing down defenses just as cyberattacks are picking up speed.

Healthcare is one of the industries most vulnerable to cyberattacks, in part because of the appeal of sensitive patient data and the level of destruction one breach could cause. Protection is clearly a necessity, but reports from 2022 show that the average price for cyber insurance in the U.S. rose 79 percent in the second quarter, after more than doubling during each of the previous two quarters. Premiums are getting higher and coverage is arriving slower, often to the point where healthcare providers wonder if an investment in cyber insurance is worth it.

The investment becomes even less appealing when it’s unclear whether an insurance company’s cybersecurity requirements are effective in protecting the organization. Some may consider implementing limited liability insurance as an alternative, but with that comes a limited safety net.

A cybersecurity breach could dismantle a hospital’s entire network, sending an already high-stakes workplace into chaos and putting patients at risk. Recent research shows that 32 percent of healthcare organizations diverted patients to other facilities following an attack, with 31 percent delaying procedures and tests that resulted in poor patient outcomes.

Insurance providers have increased coverage, recognizing the financial stakes at hand. One breach could lead to a slew of lawsuits if patient lives are impacted, never mind the fines from HIPAA and compliance violations. But not every organization can afford coverage, and this is especially true of understaffed and budget-constrained healthcare organizations already desperate to cut spending. What will it take for healthcare providers to break down the barriers standing in the way of this essential coverage?

Don’t let insurance slow down security

Insurance companies are not in the business of losing money, so they are making the process of qualifying for coverage more difficult for healthcare organizations.

With lengthy checklists and vague requirements, completing the renewal or application process is becoming more time-consuming and confusing than ever before. It can be a challenge to distinguish between what’s most important to your cybersecurity strategy and the superfluous requisites that only bring extra steps and little value to your organization.

That said, the healthcare industry should not rely on the demands of insurance companies when building a cybersecurity strategy. Our health system needs a set of agreed-upon, established, and vetted standards to bring about greater cybersecurity, as well as resources to implement those standards and mitigate these vulnerabilities.

But until then, cybersecurity remains a top priority. Although knowing where and how to start building a strategy can be a challenge, there are steps healthcare organizations can take today to secure their environment, with or without cybersecurity insurance.

Building better cybersecurity now

One of the earliest hurdles an organization faces when modernizing its cybersecurity is assessing its identity management framework. Healthcare organizations need to outline the access entitlements and sources for each digital identity’s unique role, addressing both IT and HR specifications.

This is an important step to building a mature digital identity framework, which could clear a path to a more secure, streamlined IT infrastructure and help organizations identify which applications are worth keeping and which have become outdated.

The healthcare industry should take advantage of comprehensive digital identity technology, ensuring that information is only accessible to the right people at the right times. This not only satisfies one of the many insurance requirements but can also solve one of a hospital’s greatest challenges: adhering to privacy compliance while maintaining workflow efficiency.

Policymakers can step in

The onus of better cybersecurity should not rest solely on healthcare providers or cyber insurance companies, especially considering the evolution of the threat landscape. The federal government has an opportunity to establish clearer standards for cybersecurity maturity and provide incentives for healthcare organizations to meet those requirements.

This would be particularly beneficial to small and rural hospitals, which have little funding for advanced IT systems or solutions and are therefore some of the most vulnerable entities. Among the many stakeholders in need of federal support, small hospitals have the greatest need for government financial intervention.

As Congress begins to consider health cybersecurity legislation, it will hopefully see that a preventative investment in not just rural hospitals but our entire public health system would prevent huge losses downstream. This might include federal subsidies, grants, incentivization and even penalties for noncompliance. Perhaps a program similar to the Meaningful Use initiative would spark the transition needed to reduce cybersecurity risk. This initiative was included in the HITECH Act of 2009, which provided incentives for healthcare organizations to switch from paper to electronic health records.

The increasing number of bad actors targeting healthcare institutions presents a growing threat to public health. Modernizing and standardizing cybersecurity will also come with financial benefits by preventing costly cyberattacks in the future. There’s a pathway to making a real difference in many people’s lives, both industry stakeholders and patients. Reducing cybersecurity risks in healthcare protects us all. Insurance companies, healthcare organizations and policymakers each have a part to play.

Sean Kelly, MD, is chief medical officer and senior vice president of customer strategy for Imprivata. Skip Rollins is CIO and CISO of Freeman Health.
