Zero Trust: Better Cybersecurity Insurance and Lower Healthcare Costs
Two years after a cyberattack shut down his hospital’s computer networks for two weeks, Mason Van Houweling is still dealing with the consequences.
The CEO of University Medical Center in Las Vegas says that the reputational effects from a hacker group that accessed a data-storage server and posted patients’ protected health information online — plus the costs of the operational downtime — still linger. The university did not have cybersecurity insurance at the time, and getting a policy afterward was a struggle.
Today’s cybersecurity insurance landscape
Van Houweling shared his story with the audience at the recent ViVE digital health and healthcare technology conference in Nashville at which cybersecurity was among the hottest topics. And he was not the only healthcare leader with a growing concern in this area.
The recent Healthcare Information and Management Systems Society (HIMSS) conference also provided an enhanced focus on the evolving cybersecurity insurance landscape.
High clinical and financial costs — and big implications
It’s no secret that the healthcare industry is among the top targets for cybercriminals, as recent attacks such as those by the Killnet group have shown. But patients — and not only those whose data is compromised — may ultimately also pay the price should such attacks continue.
“Across industries, 60 percent of organizations said they had to raise prices to cover the expense of a breach — and the regulatory compliance and legal costs can extend over years for those in healthcare,” notes Politico.
Why healthcare is a target
What makes healthcare a particularly attractive target for threat actors is its higher propensity to pay than other leading industries, combined with the large volume of third-party vendors and/or legacy technology that healthcare organizations typically carry. The average healthcare breach now tops US$10 million, according to IBM.
That puts pressure on underwriters to curtail costs and apply stricter protocols, leading to rising premiums, declining coverages, and increased scrutiny into policyholders’ existing security measures.
More attacks, higher premiums
Dan Garcia-Diaz, managing director of the U.S. Government Accountability Office, notes in a recent report that the rising cost of cyber insurance is driven by the costs, severity, and frequency of attacks. The situation is particularly acute in healthcare. In fact, a new report from Porter Research finds that the severity and frequency of cyberattacks across the healthcare payer, provider, and life sciences spaces are growing rapidly.
“The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered,” Garcia-Diaz told CNBC. “It’s possible that attacked entities — which could include critical services such as hospitals, financial services, and energy services — would suffer such large losses as to not be able to continue operating without cyber insurance.”
Moving beyond basic coverage
In the infancy of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), security evaluation criteria were so generic that they didn’t lead to better postures, just heightened awareness. But that was more than a decade before the introduction of the iPhone, the explosion of the Internet of Medical Things (IoMT), and the Health Information Technology for Economic and Clinical Health Act that pushed providers to digitize medical records.
Since then, audit criteria have grown far beyond one or two pages, and basic insurance coverages have expanded beyond financial losses from data breaches, hacking, viruses, malware, and denial-of-service attacks. Recognized Security Practices can run to dozens of dozens of pages, and landscape analysis tools, like the multichapter public and private Hospital Cyber Resilience Initiative, can take weeks to evaluate, never mind initiate.
Still, organizations need to move beyond basic coverages to defend against the sophistication of hackers motivated by money and politics who have made a business of data extraction.
Caring for patients — and their data
It’s a delicate balance between providing patient care and caring for patients’ data in real time. Early in 2023, a large multistate healthcare organization was ordered to pay US$1.25 million over HIPAA noncompliance for a 2016 hack that exposed the protected health information of nearly 3 million people.
According to the Department of Health and Human Services’ Office for Civil Rights, the penalties assessed six years after the breach addressed:
- A lack of analysis to determine risks and vulnerabilities to electronic protected health information
- Insufficient monitoring of health information systems’ activity to protect against a cyberattack
- Failure to implement an authentication process to safeguard its electronic protected health information
- Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically
Why Zero Trust frameworks are best for healthcare organizations
Implementing such measures is one of the few ways to contain costs in the global cyber insurance market, which is estimated to balloon from US$7.8 billion in 2020 to a forecasted US$20 billion industry by 2025. Gartner notes that cybersecurity is the healthcare area with the greatest increase in investment — a solid assertion given the burgeoning list of attacks and attack surfaces.
Implementing the right processes and technology now will keep hacked organizations — and their patients — from paying the price in the future. In healthcare, the proliferation of Internet of Things devices has broadened the ecosystem (and its vulnerabilities) and widened the perspective that an outside-in approach must take.
Data exchange and communication across the ecosystem require monitoring and validating the efficacy of communication processes that are not only data-centric but also human-focused. As the medical ecosystem grows, it’s important to preserve the same broad recognition and view, adopting an outside-in approach that level-sets against other healthcare organizations.
Zero Trust makes cybersecurity insurance easier to secure
The increasingly competitive nature of securing a cyber insurance policy means that healthcare organizations can no longer simply check boxes to meet regulatory requirements. Having the best protections in place will not only make it easier to secure a better insurance policy, but also ensure organizational resilience.
The best ways to do that? Partnering with an organization that offers observation and evaluations of what’s happening in myriad environments (including those in the IoMT space), and provides security gap analyses and threat modeling.
Hardening the outside of an organization’s structure with a distributed denial-of-service protection tool to mitigate the effects of the next Killnet group, and looking inward by following Zero Trust policies, are complementary and both necessary.
Cybersecurity is patient security
Building resiliency requires a multifaceted approach. Having the proper security infrastructure in place to prevent attacks and investing in cyber insurance are ways to keep both patients and their healthcare organizations safer.
U.S. Senator Mark R. Warner of Virginia says, “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate.”
His recent Cybersecurity Is Patient Safety report proposes tying hospital Medicare payments to cybersecurity standards. He writes, “Hospitals must have active programs to prevent the spread of hospital-acquired infections. Hospitals must have emergency and standby power systems. Many stakeholders believe cybersecurity is as important as those two examples, and that some minimum level of cybersecurity hygiene practices should be included in regulations.”