Cyber risk, staffing challenges squeeze health care sector
Even as health care expenditures are projected to top $7 trillion by 2031, according to the Centers for Medicare & Medicaid Services, hospitals and health care providers are grappling with financial challenges driven by wage and benefits expenses and other factors, including the growing cost of litigation. In addition, an influx of private capital into the space is changing the risk landscape for providers.
Costs related to medical malpractice amount to about $60 billion for the health care industry. Medical errors are the No. 3 cause of death in the United States, and social inflation on top of economic inflation has pushed medical liability premiums steadily higher over the past decade. Medical professional liability E&S direct premiums grew to $3.21 billion in 2023, an increase of 6.9% from the previous year, and accounted for 26.3% of the total medical professional liability market in 2023, according to S&P Global.
To add to these concerns, cyberattacks and data breaches are disrupting the healthcare industry and increasing costs. In fact, cyber risks topped the list of concerns among healthcare respondents to AON’s most recent Global Risk Management Survey.
Cybersecurity risks
The statistics surrounding data security and breaches within the health care industry are alarming, especially considering not only the sensitive financial and personal data that is targeted, but also the health data that is gathered and stored by devices like heart rate monitors.
The number of U.S. patients whose health care data was exposed to a data breach more than doubled in just one year between 2022 and 2023 from 37 million to 87 million. Health care organizations averaged nearly 1,500 cyberattacks per week worldwide in 2022, according to AON.
Health care organizations have distinct cyber risk profiles because they are subject to regulation, they transmit and store extensive personally identifiable information and protected health information, they widely use digital devices and networked systems, and they rely heavily on outsourced service providers, such as payment processors and test processing laboratories, said AON.
“Health care companies have sensitive data of patients and rely on computers to run their businesses and provide what can become life-saving services,” said John Menefee, CyberRisk Product Manager at Travelers Insurance. “Cyber criminals seek network vulnerabilities to exploit, knowing that if they access a company’s system it can result in a large payout. These criminals will use any means necessary to cash in on that access, such as ransomware attacks, data breaches, social engineering fraud and phishing schemes.”
Menefee said health care companies can increase their risk mitigation efforts and decrease the likelihood of suffering a cyber event by regularly changing passwords, patching and making employees aware of cyber threats. Other steps healthcare companies can take include utilizing multifactor authentication, endpoint detection and response, and creating an incident response plan to react to a cyberattack. Cyber insurance policies, specifically designed to respond to threat actors and hacking events, social engineering fraud and system failures due to administrative errors, are important for health care providers.
“If there is a lawsuit, or a regulatory investigation relative to a cyber event, most cyber policies will also respond depending on the facts of the event,” said Menefee. “Limits are important; having enough coverage so a company can withstand a cyber event with minimal disruptions is always the expectation. Insurance carriers can offer cyber policies that respond quickly to cyber events and help cover most costs associated with it, from forensic investigations to regulatory notification requirements, even business interruption expenses.”
Staffing concerns
Workforce shortages and failure to attract or retain top talent were also major risk concerns for health care organizations responding to AON’s risk survey. Health care providers continue to struggle to attract and retain nurses and other health professionals and many employers have been relying on short-term contract workers to fill the gaps.
Workforce burnout is a significant concern throughout the healthcare industry, according to AON. Worker shortages often lead to high provider-to-patient ratios and excessive administrative tasks. Left unchecked, these pressures can lead to nurses and other workers exiting the profession, which exacerbates the worker shortage and burnout problems and can lead to diminished patient care and the potential for more frequent medical errors.
The COVID-19 pandemic compounded staffing problems, said Tonya Rose, a partner in Thompson Coburn’s Health Care Practice Group, which focuses on regulatory compliance and risk management for health care systems.
“A lot of people who were in the health care industry said, ‘I don’t want to do this anymore. This feels too risky,’” noted Rose. In addition, healthcare workers can sometimes get so mired down in administrative tasks and complying with regulations that they don’t feel the job is about taking care of people anymore.
“Those pressures then cause more people to leave, which creates this vicious cycle,” said Rose.
Artificial intelligence
Artificial intelligence is making its way into the health care industry, with the promise of simplifying and streamlining some processes that can help control costs, reduce staff burnout and improve decision-making. However, AI also may introduce new risks, including compounding cybersecurity exposures.
“AI has lots of promise and has the potential to be helpful,” said Rose. “But there’s also a lot of new ways that things could go wrong on a grander scale or more quickly.”
Rose said it is unclear how factors like bias and discrimination that may be introduced into AI models will be viewed in the face of liability and lawsuits. Health care organizations considering AI products will have to carefully negotiate contracts and understand what data was used to train the AI tool, what its error rate percentage is, and what recourse there is if the tool makes a mistake. Many AI developers are startups and don’t have the financial wherewithal to assume much risk.
“That may be an opportunity where insurance could play a role,” said Rose. “If you’re not able to get your full protection from the vendor who created this AI product, is there an insurance product that could provide that?”
Will medical malpractice insurance cover a potential error made as a result of using an AI-based clinical decision support tool? How does it work with D&O insurance and cyber coverage? These are all questions healthcare organizations will need to ask to find out where they have gaps, said Rose.
Regulatory and compliance
Rose said another major area of risk for health care organizations is billing noncompliance and other regulatory concerns. The health care industry is highly regulated, particularly for government payers, and the rules and requirements for coding and billing are highly specific and constantly changing. A simple mistake can lead to millions of dollars in penalties.
“Even when people are doing their very best to get it right, there are going to be errors,” said Rose. “It is a huge area of risk, because it’s expensive, it’s hard to do, and even innocent mistakes, in some instances, can really lead to disproportionately astronomical outcomes.”
Kristen Beckman is a seasoned business journalist based in Colorado.