According to the Centers for Medicare & Medicaid Services, health care spending is projected to exceed $7 trillion by 2031, yet hospitals and providers are grappling with financial challenges caused by factors such as rising wages, benefit costs and litigation expenses. Additionally, the influx of private capital into the sector is changing the risk environment for providers.
Costs associated with medical malpractice amount to approximately $60 billion across the healthcare industry. Medical malpractice is the third leading cause of death in the United States, and medical liability insurance premiums have risen steadily over the past decade due to social as well as economic inflation. According to S&P Global, medical professional liability E&S direct premiums will grow to $3.21 billion in 2023, up 6.9% year over year, and will account for 26.3% of the total medical professional liability market in 2023.
Cybersecurity Risk
Statistics regarding data security and breaches in the healthcare industry are alarming, especially considering the sensitive financial and personal data that is targeted, as well as the health data that is collected and stored by devices such as heart rate monitors.
The number of U.S. patients whose health care data was exposed in a data breach more than doubled between 2022 and 2023, from 37 million to 87 million. Healthcare organizations around the world suffered an average of about 1,500 cyber attacks per week in 2022, according to AON.
Healthcare organizations have a unique cyber risk profile because they are subject to regulation, transmit and store significant amounts of personally identifiable information and protected health information, make extensive use of digital devices and networked systems, and rely heavily on outsourced service providers such as payment processors and test processing laboratories, AON said.
“Healthcare companies hold sensitive patient data and rely on computers to run their businesses and deliver what can be life-saving services,” said John Menefee, cyber risk product manager at Travelers Insurance. “Cybercriminals seek to exploit network vulnerabilities, knowing that there is a lot of money to be made if they gain access to a company’s systems. These criminals will do anything to leverage their access to make money, including ransomware attacks, data breaches, social engineering scams and phishing scams.”
Menefee said healthcare companies can increase their risk mitigation efforts and reduce the likelihood of experiencing a cyber event by regularly changing passwords, patching and making employees aware of cyber threats. Other measures healthcare companies can take include multi-factor authentication, endpoint detection and response, and creating incident response plans to respond to cyber attacks. Cyber insurance policies designed specifically to address threat actors, hacking events, social engineering scams and system failures due to administrative errors are important for healthcare providers.
“In the event of litigation or regulatory investigations related to a cyber event, most cyber policies will also respond depending on the facts of the event,” Menefee says. “Limits are important, and you’ll always want to have enough coverage in place to enable your business to survive a cyber event with minimal disruption. Insurers can offer cyber policies that allow you to respond quickly to a cyber event and cover most costs associated with a cyber event, from forensic investigations to regulatory notification requirements and even business interruption costs.”
Staffing Concerns
Workforce shortages and failure to attract and retain talented personnel were also major risk concerns for healthcare organizations responding to AON’s risk survey. Healthcare providers continue to struggle to attract and retain nurses and other healthcare professionals, with many employers turning to short-term contract workers to fill the gap.
According to AON, workforce burnout is a major concern across the healthcare industry. Workforce shortages lead to high healthcare worker-to-patient ratios and excess administrative work. If left unchecked, these pressures can lead to nurses and other workers leaving the profession, exacerbating the workforce shortage and burnout issues, leading to lower quality patient care and more frequent medical errors.
The COVID-19 pandemic has exacerbated staffing issues, said Tonya Rose, a partner in Thompson Coburn’s health care practice group, who focuses on regulatory compliance and risk management for health systems.
“A lot of people in the health care industry said, ‘I don’t want to do this anymore. It’s too risky,’” Rose says. What’s more, health care workers can become so swamped with paperwork and regulatory compliance that it feels like they’re no longer in the business of caring for people.
“These pressures create a vicious cycle where even more people leave the company,” Rose said.
Artificial Intelligence
Artificial intelligence is making its way into the healthcare industry, promising to simplify and streamline processes to help control costs, reduce staff burnout, and improve decision-making. But AI can also bring new risks, including increased cybersecurity vulnerabilities.
“AI has great potential and the potential to be useful,” Rose says, “but there are also lots of new ways things can go wrong on a larger scale and more rapidly.”
Rose said it’s unclear how factors such as bias and discrimination that may be introduced into AI models will be viewed in the face of liability and litigation. Healthcare organizations considering AI products should carefully negotiate contracts and understand what data was used to train the AI tool, its error rate, and what remedies are available if the tool makes a mistake. Many AI developers are startups that don’t have the financial resources to take big risks.
“This may be an opportunity for insurance to play a role,” Rose said. “If you’re not getting full protection from the vendor that developed this AI product, are there insurance products that can provide that?”
Does medical malpractice insurance cover mistakes that may result from using AI-based clinical decision support tools? How does it work with D&O insurance and cyber coverage? These are all questions healthcare organizations need to ask to find the gaps, says Rose.
Regulation and Compliance
Rose said another big area of risk for healthcare organizations is billing non-compliance and other regulatory concerns. The healthcare industry, especially government payers, is highly regulated, and the rules and requirements for coding and billing are very specific and constantly changing. Simple mistakes can lead to millions of dollars in fines.
“Despite people’s best efforts to do it right, mistakes will happen,” Rose says. “This is a very high-stakes undertaking because it’s expensive, difficult to execute, and even unconscious mistakes can have disproportionately astronomical consequences.”
Kristen Beckman is a veteran business journalist based in Colorado.