A panel at a cybersecurity forum said cyber insurance may determine whether a hospital is part of the "cyber haves" or "have-nots." (Air Force)

BOSTON- This year will have one the highest percentage of U.S. hospitals at or approaching bankruptcy, further compounding the financial constraints long facing the healthcare sector and widening the gap between the “cyber haves and have-nots,” said Christian Dameff, a physician at the University of California San Diego, during the 2022 HIMSS Cybersecurity Forum on Monday.

“It’s likely we represent the 1%, the cyber-haves,” Dameff opened. The event is diving into the nuances of advanced technology and cybersecurity programs focused on improving cyber resiliency. But, “who's not in this room?”

How many hospitals or providers don’t have their voice heard on their specific struggles and issues with industry leaders able to help them?

Dameff led the discussion on the risk posed by resource and knowledge gaps, as well as possible solutions, alongside M. Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management, Anahi Santiago, ChristianaCare CISO, and Costis Toregas, director of The George Washington University Cyber Security and Privacy Research Institute.

Perhaps the furthest divide for the have-nots is with cyber insurance coverage, or lack thereof.

While all industries are facing concerns about the growing costs of cyber insurance premiums and possible coverage loss, arguably healthcare is facing one of the biggest uphill challenges. According to Santiago, the increase in premium costs in the healthcare industry is about 103%, on average, “as opposed to the other industries where the average was a little bit below 40%.”

ChristianaCare, in the 1% of cyber haves, went through the renewal process earlier this year. The changes in the process — and costs — are drastic.

“I’ve been in healthcare cybersecurity for the last 18 years and have seen the questionnaire grow from a one-pager to a three-pager, plus supplementals, plus multiple phone calls in the span of three months,” plus coordinating with relevant team members to align on the security measures in place,” she explained.

“Based on a very healthy budget, we were able to check every box and keep our premiums to an increase of only 46% as opposed to the 103%,” Santiago added. The reality is, “based on what's being asked of us, I know that there's absolutely no way that the 99% other healthcare organizations can afford the investments that are being asked.”

As SC Media previously reported, the seismic shift in cyber insurance has translated into increased scrutiny during the application process. It’s clear that this untenable situation will affect the overwhelming majority of healthcare providers that can’t afford the investments in the required technologies needed to obtain coverage, or the premiums they’ll face if they can't afford to implement the needed tech.

At the same time, these are the organizations at a “greater risk of suffering a breach,” explained Santiago. If they’re exploited, “they probably will not be able to recover financially from those breaches, therefore potentially having to go bankrupt or shut down.”

Many of these “organizations are probably in critical access areas or in underserved communities where access to healthcare is ever so important,” she added. It’s possible the sector will see a lack of healthcare services for patients because of this evolving financial crisis.

For Toregas, “a second strategy at the local level for small and the 99% is self insurance.” 

These entities can pool risk through the creation of self-insurance pools to “actually find a way forward. It doesn't relieve the responsibility that the insurance carriers” place on entities, but leaders must begin to take action, “because otherwise I see no way forward, except a disaster on my hands.”

A call for greater transparency on cyber incidents

The lack of data and willingness to provide transparency into incidents is only worsening the chasm and raising cyber insurance premiums and coverage requirements in the process “because we don't have the data on which to make the sound actuarial decisions,” said Toregas.

Healthcare entities are notoriously tight-lipped after a cyber incident or data breach, with well-crafted notifications that omit the fine details that could benefit others in the sector. Compared with the cyberattack post-mortem shared by the Ireland Health Service Executive with step-by-step details on their mistakes and the attackers’ entry points, it’s easy to see why this information would be paramount to successfully mounting an effective defense.

“The health industry has to begin to communicate with people who care about insurance,” said Toregas.

Notably, the have-nots are not just the smaller organizations, which actually may have a strong posture due to their limited attack surface. Johnson noted that “the weakest link in our own research right now is some of the medium-size hospitals.” 

“They're big enough to be above the radar and have a brand and a big enough attack surface to be interesting to attackers,” he added. “But they often don't have the resources of the really large players, and in some ways, they are the poorest in terms of cyber risk.”

However, it’s very difficult to find good data — data that could help inform these important discussions and support congressional efforts to provide the sector with much needed support, explained Toregas. The mandatory reporting on the federal level that goes into effect in a few years may help to change the current state of communication.

For now, gaps in transparency and threat sharing are affecting how the industry responds.

The good news is that there are a host of resources available. The unfortunate news is some of the smaller- or mid-sized organizations aren’t aware of it, even though they need it the most.

As an example, the Healthcare Coordinating Council’s cybersecurity working group created a number of different test scores focused on providing resources to support healthcare entities “so they don't have to start from scratch,” explained Santiago.

“I think the important thing is for us to find ways to communicate this, socialize these things out there that are and easily available to healthcare systems across the industry,” she added.