“Why Risk Sharing Is the Future of Cybersecurity in Healthcare”
Post Summary
Healthcare faces mounting cybersecurity challenges: rising cyberattacks, outdated defenses, and stretched resources. In 2022 alone, medical data breaches surged 94%, with an average cost of $10.1M per incident - double the cost in other industries. Traditional, isolated approaches are no longer enough to protect sensitive systems and patient data.
Risk sharing is emerging as a solution. By distributing cybersecurity responsibilities across IT teams, clinicians, vendors, insurers, and others, healthcare organizations can better manage threats and financial risks. This collaborative approach includes partnerships with vendors, cyber insurance, and intelligence-sharing networks to improve resilience.
Key takeaways:
- Healthcare is a prime target: Ransomware hit 66% of organizations in 2021; breaches take 11 months to detect.
- Traditional methods fail: Outdated tools and siloed efforts leave gaps in defenses.
- Risk sharing works: Shared accountability spreads costs, improves threat response, and strengthens overall security.
This model isn't without challenges - coordination, trust, and regulatory compliance require careful planning. However, with structured frameworks, clear roles, and collaborative platforms, risk sharing offers a sustainable path forward for healthcare cybersecurity.
HIPAA 2.0, Minimum Viable Hospitals, and Strategies for Cyber Resilience within Healthcare
Key Elements of Risk Sharing in Healthcare Cybersecurity
Effective risk sharing in healthcare cybersecurity hinges on three main components: distributing responsibilities, creating collaborative risk systems, and ensuring coordinated actions among stakeholders. Let’s dive into how these elements contribute to stronger cybersecurity practices.
Distributing Cybersecurity Responsibilities
Traditionally, the burden of cybersecurity often fell entirely on IT departments, leaving critical gaps. A risk-sharing approach, however, spreads responsibilities across all stakeholders, assigning tasks based on their roles and capabilities.
In this model, IT teams focus on securing technical infrastructure, clinicians stay vigilant for potential threats during care, executives offer strategic direction, and vendors ensure the security of their systems. Clearly defining these roles ensures accountability at every level.
"Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data." [1]
Furthermore, vendors and third-party partners play a vital role, bound by contracts that establish security standards, incident response protocols, and liability terms. This interconnected accountability strengthens the overall security framework of the healthcare system.
While assigning roles is essential, having structured systems in place to support collaboration is equally important.
Building Collaborative Risk Management Systems
Risk sharing thrives on structured frameworks that bring stakeholders together to handle both daily operations and emergencies. These frameworks include joint incident response plans, shared liability agreements, and protocols for cross-organization coordination.
Joint incident response plans streamline communication, clarify decision-making authority, and allocate resources efficiently during crises, minimizing damage. Shared liability agreements distribute financial and operational risks based on each party's role, while coordinated threat intelligence sharing helps organizations stay proactive against emerging risks.
"Cybersecurity responsibility in the health sector is a shared responsibility." [2]
By integrating these systems, healthcare organizations can respond more effectively to threats while fostering a culture of shared responsibility.
Coordinating Stakeholders for Better Cybersecurity
Effective coordination relies on clear communication channels and decision-making frameworks that align resources and strategies across all stakeholders. Breaking down silos between IT teams and clinical staff is particularly critical to balance security with usability.
Regularly scheduled communication ensures everyone stays informed about potential threats and system updates. These channels also allow clinicians to report usability concerns and IT teams to explain security protocols in a way that everyone can understand.
Collaboration doesn’t stop internally. Working with vendors, insurers, regulators, and other healthcare organizations enables the sharing of best practices, joint purchasing of security solutions, and united responses to industry-wide challenges. Strong leadership is the glue that holds these efforts together - when leaders prioritize cybersecurity and allocate resources, they empower everyone to contribute to a secure healthcare ecosystem.
Practical Models for Risk Sharing Implementation
For healthcare organizations to tackle cybersecurity challenges effectively, they need actionable frameworks that align with real-world practices. Below, we explore how partnerships, insurance strategies, and intelligence networks are shaping stronger defenses in the healthcare sector.
Healthcare-Vendor Partnership Models
Collaborations between healthcare providers and vendors go beyond the typical buyer-seller relationship. These partnerships create shared accountability frameworks that enhance security for both parties.
Framework-Based Partnership Assessments are the backbone of successful vendor relationships. For instance, in October 2024, Clearwater and Guidehouse teamed up to address cybersecurity risks using six key solutions rooted in established frameworks, such as the NIST Cybersecurity Framework 2.0, NIST Privacy Framework, HHS 405(d) Health Industry Cybersecurity Practices, and HITRUST Cybersecurity Framework [3].
"Healthcare organizations are facing unprecedented cybersecurity risks requiring solutions specifically tailored to the industry's unique regulatory environment and provider operating models. Together, we're creating a holistic approach to cyber risk management to help organizations strengthen their security posture while maintaining focus on their core mission of optimal patient care." - Matt Onesko, Guidehouse Partner [3]
AI-Powered Risk Management Partnerships are reshaping how healthcare organizations assess vendor risks. In February 2025, Censinet and AWS introduced AI-driven enhancements to streamline governance, risk, and compliance (GRC) processes. These tools, delivered via Censinet RiskOps, help organizations manage risks faster and more effectively [5].
"With ransomware growing more pervasive every day, and AI adoption outpacing our ability to manage it, healthcare organizations need faster and more effective solutions than ever before to protect care delivery from disruption. Our collaboration with AWS enables us to deliver Censinet AI to streamline risk management while ensuring responsible, secure AI deployment and use." - Ed Gaudet, CEO and founder of Censinet [5]
Medical Device Security Partnerships focus on securing connected healthcare technology. For example, in April 2024, CloudWave and the FDA renewed their Memorandum of Understanding (MOU) to share threat intelligence, develop vendor assessment frameworks, and strengthen medical device security policies.
These partnerships succeed by establishing clear accountability. Healthcare organizations should implement risk-based controls, require cyber insurance for vendors, and ensure internal communication of third-party risk management policies [4].
How Cyber Insurance Enables Risk Sharing
Cyber insurance has emerged as a critical tool for redistributing financial risks and integrating incident response capabilities into healthcare organizations' cybersecurity strategies.
Financial Risk Distribution is one of the primary benefits of cyber insurance. With the average cost of a data breach hitting $4.88 million in 2023, and ransomware losses averaging $265,000 per incident, insurance helps organizations manage these substantial financial burdens [7][8].
Incident Response Integration is another key advantage. Modern cyber insurance policies often include access to incident response teams, forensic specialists, and legal advisors. Coverage typically extends to costs related to data breach responses, business interruptions, cyber extortion, data recovery, and regulatory fines [6][7].
Tailored Healthcare Coverage ensures compliance with industry regulations like HIPAA and GDPR. Some policies also include risk management services, helping organizations assess vulnerabilities and prepare mitigation strategies while covering third-party risks [9].
"Cyber insurance is a great risk treatment strategy within an organization's risk management program. Health care organizations can prevent missing out on potential cyber policy benefits by reading their policy first, followed by performing rigorous periodic cyber assessments to challenge the organization's cyber posture." - Jason Pymento, Manager, cyber strategy, risk and compliance at RSM US LLP [9]
Premium Considerations vary widely, with costs ranging from several thousand to hundreds of thousands of dollars annually. Factors influencing premiums include organization size, industry sector, past cyber incidents, and existing cybersecurity measures. Regularly reviewing coverage is crucial as threats evolve [9].
While cyber insurance offers financial protection, sharing threat intelligence strengthens collective defenses across the sector.
Threat Intelligence Sharing Networks
Sharing threat intelligence fosters a collective defense system, enabling healthcare organizations to tackle cybersecurity threats more effectively.
Information Sharing and Analysis Centers (ISACs) play a central role in this effort. Health-ISAC, for example, acts as a "virtual neighborhood watch", providing timely threat intelligence and supporting the development of industry-wide security standards [11][12].
Real-Time Threat Alerts offer immediate value. For instance, in August 2024, the U.S. government warned about the Iran-based threat actor Lemon Sandstorm, which targeted healthcare organizations to facilitate ransomware attacks. Such alerts allow organizations to take proactive measures [10].
Regional Partnership Networks extend this collaboration locally. Smaller healthcare organizations, often without dedicated cybersecurity teams, benefit from shared resources and expertise during ransomware attacks [11].
"These IT generalists, often just someone proficient in network and computer management, are used to dealing with things like, 'I can't print, I can't log in, what's my password?' They're not cybersecurity experts. They don't have the staff, they don't have the budget, and they don't even know where to start." - Doctors Christian Dameff and Jeff Tully, Co-Directors and Co-Founders of the University of California San Diego Center for Healthcare Cybersecurity [11]
Attack Vector Intelligence helps organizations identify and prepare for common threats. Email remains a major entry point for malware and phishing attacks, responsible for 40% of cyberattacks. Phishing-related breaches cost the healthcare sector an average of $9.77 million per incident in 2024 [8][12].
The scale of these threats highlights the need for collaboration. In 2024, healthcare data breaches affected nearly 70% of the U.S. population, with 237,986,282 residents impacted. The sector also experienced 1,710 security incidents in 2025, including 1,542 confirmed data disclosures [12].
Ransomware-as-a-Service (RaaS) Intelligence sharing is critical for understanding evolving attack methods. As Microsoft Threat Intelligence expert Jack Mott explains, "RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks" [11]. By sharing insights, organizations can better anticipate and counter these threats.
sbb-itb-535baee
Technology Platforms That Enable Risk Sharing
Modern healthcare relies on advanced platforms to simplify cybersecurity risk management. These tools reshape how organizations assess, monitor, and collaborate on risks by fostering secure data-sharing ecosystems among healthcare providers, vendors, and other stakeholders. This technology forms the backbone of the collaborative risk-sharing framework discussed earlier.
Improving Risk Assessments with Censinet RiskOps™
Censinet RiskOps™ is designed to streamline third-party risk assessments, cutting out redundancy and speeding up the process. It enables healthcare delivery organizations (HDOs) to quickly assess all their third parties across their entire lifecycle, ensuring no vendor is overlooked [13]. This aligns with the shared accountability model previously highlighted.
The Digital Risk Catalog™ is a repository of over 50,000 vendors and products that have already been assessed and scored. Instead of starting assessments from scratch, organizations can rely on these pre-existing evaluations, validated by other members of the network [13]. This shared resource saves time and effort when assessing vendors.
Workflow automation is another key feature, enhancing efficiency in risk management. The platform's Delta-Based Reassessments notify assessors of any changes in vendor responses, cutting reassessment times to under a day on average [13]. This ensures organizations maintain full risk coverage across their vendor lifecycle without overburdening their security teams.
"Censinet RiskOps allowed 3 FTEs to go back to their real jobs! Now we do a lot more risk assessments with only 2 FTEs required." - Terry Grogan, CISO, Tower Health [14]
The Cybersecurity Data Room™ and Censinet Connect™ further enhance secure data sharing. Vendors complete standardized questionnaires once, which can then be shared with unlimited customers. Connect™ also allows sharing with out-of-network organizations [13]. This approach promotes transparency and breaks down silos, enabling better collaboration across the healthcare ecosystem.
Additionally, the platform provides visibility into fourth-party risks, such as those posed by cloud service providers, helping healthcare organizations monitor the extended supply chain that supports their key vendors [13].
Using AI for Collaborative Risk Management
Building on automation, artificial intelligence (AI) takes collaborative risk management to the next level. Censinet AI™ introduces AI-driven features that speed up assessment processes while maintaining human oversight and control. These capabilities handle complex tasks that traditionally required significant manual effort.
With AI, vendors can complete security questionnaires in seconds, as the system analyzes their security posture and generates appropriate responses. It also summarizes vendor evidence, captures integration details, identifies fourth-party risks, and creates detailed risk summary reports based on assessment data.
Human oversight remains central to this process. Risk teams can configure rules and review procedures, ensuring AI supports decision-making without replacing it. This balance allows organizations to scale operations while addressing the unique challenges of healthcare risk management.
AI also directs critical findings to the appropriate stakeholders, including AI governance committees tasked with evaluating AI-related risks and ensuring compliance with emerging regulations in healthcare.
A centralized AI risk dashboard aggregates real-time data, creating a hub for managing AI policies, risks, and tasks. This approach ensures that the right teams address the right issues promptly, maintaining accountability and governance across the organization.
Creating Collaborative Risk Networks
Expanding on the idea of shared responsibility, collaborative networks strengthen collective cybersecurity defenses. Technology platforms create connected ecosystems where healthcare organizations, vendors, and other stakeholders share intelligence and coordinate strategies. Censinet's Risk Network, for example, includes over 100 provider and payer facilities actively participating in this model [13].
"Not only did we get rid of spreadsheets, but we have that larger community [of hospitals] to partner and work with." - James Case, VP & CISO, Baptist Health [14]
These networks grow stronger as more organizations join. When one member identifies a new threat or vendor vulnerability, that information is shared across the network, creating a collective intelligence system that benefits everyone involved.
Standardized questionnaires ensure consistency and align with established security frameworks [13]. This standardization allows organizations to compare vendors effectively and benchmark their security measures against industry peers.
"Healthcare is the most complex industry... You can't just take a tool and apply it to healthcare if it wasn't built specifically for healthcare." - Matt Christensen, Sr. Director GRC, Intermountain Health [14]
The platform's active portfolio management features include breach alerts, risk tiering, and automated reassessments across third-party portfolios [13]. Tools like Risk Flags & Filters notify organizations of missing evidence, such as Business Associate Agreements (BAAs), and highlight known exploits like Log4j vulnerabilities [13]. This proactive approach helps identify and address compliance gaps or security risks before they escalate.
Real-time risk scoring further enhances monitoring, automatically updating residual risk ratings as vendor data changes [13].
Benefits and Obstacles of Healthcare Risk Sharing
Risk sharing is changing the game for healthcare cybersecurity by combining resources and intelligence across organizations. However, this approach isn't without its hurdles, requiring careful planning to navigate. Here's a closer look at the benefits and challenges this model brings to the table.
Benefits of Risk Sharing
Stronger Defenses Across the Board
When healthcare organizations join forces, they create a more resilient defense against cyber threats. By focusing on shared risks and critical vulnerabilities, they can better protect the entire ecosystem.
"Risk alignment ensures that cybersecurity efforts are communicated in terms that business leaders and stakeholders can understand, linking them directly to potential business impacts." – Obrela [15]
Lower Individual Risk
Sharing the load means no single organization bears the full brunt of a cyberattack. This is crucial, especially when data breaches in 2024 affected over 237 million U.S. residents [12].
Cutting Costs
Pooling resources helps organizations save money by avoiding redundant security measures, sharing tools, and negotiating better deals for cybersecurity services. This can help offset the hefty fines, like the $12.84 million in HIPAA penalties issued in 2024 [12].
Quicker Responses to Threats
Collaboration allows for faster detection and response to cyber incidents. This is critical, as over 90% of organizations reported attacks that disrupted patient care at 70% of facilities [16].
Better Threat Intelligence
Networks built on risk sharing enable faster and more effective sharing of threat data, giving participants a heads-up on potential dangers.
Common Challenges and Solutions
Complex Coordination
Aligning different systems and priorities can be a headache. Standardized frameworks, clear governance structures, and regular coordination meetings can help smooth things out.
Regulatory Hurdles
Healthcare regulations like HIPAA make sharing information tricky. Setting up clear data-sharing agreements and conducting regular compliance checks can help ensure that collaboration stays within legal boundaries.
Trust Issues
Some organizations hesitate to share information, fearing exposure of vulnerabilities or competitive disadvantages. Starting with low-risk data sharing and implementing strong governance policies and non-disclosure agreements can help build trust.
Tech Compatibility Problems
Different cybersecurity tools and platforms can make collaboration difficult. Prioritizing interoperable solutions and choosing platforms that support a wide range of integrations is essential.
Disputes Over Resources
Unequal contributions can lead to disagreements. Tiered participation models and transparent metrics for measuring contributions and benefits can help ensure fairness.
Benefits vs. Challenges Comparison
The table below highlights the key benefits of risk sharing alongside the challenges organizations may face.
| Benefits | Challenges |
|---|---|
| Stronger Defenses: Collective intelligence creates better protection [15] | Coordination Issues: Aligning different systems and priorities is tough |
| Lower Liability: Spreads risk across participants | Regulatory Barriers: Balancing HIPAA and other rules with collaboration |
| Cost Savings: Shared resources reduce expenses | Trust Concerns: Fear of exposing vulnerabilities or competitive data |
| Faster Response: Quicker threat detection and action [16] | Tech Mismatches: Incompatible systems slow collaboration |
| Better Intelligence: Threat data shared quickly across the network | Resource Disputes: Uneven contributions can create friction |
| Shared Compliance Expertise: Collective knowledge helps meet regulatory demands | Governance Challenges: Establishing accountability and clear decision-making processes |
| Vendor Oversight: Joint pressure to improve supplier security standards | Privacy Risks: Balancing transparency with patient confidentiality |
This comparison shows that while risk sharing can bring immense benefits, its success depends on addressing challenges like coordination, compliance, and trust. Organizations that commit to clear governance and collaboration frameworks are more likely to see meaningful results from these initiatives.
The Future of Shared Cyber Risk Management
The days of healthcare relying solely on isolated cybersecurity measures are over. With the average cost of a data breach in the sector exceeding $9.7 million and 21% of ransomware attacks targeting public health and government healthcare facilities[18], a more collaborative approach to managing cyber risks has become essential.
Shared risk management marks a critical departure from standalone defense strategies. Instead, it emphasizes collaborative networks that pool resources and intelligence. This shift is driven by stark realities: 51% of ransomware attacks aimed at healthcare target US-based organizations[18]. It’s clear that no single entity can tackle these threats alone. This new approach paves the way for advanced platforms capable of unifying risk data across the entire healthcare ecosystem.
Collaborative platforms are transforming the way healthcare organizations manage risks. By offering real-time visibility and automated workflows, these platforms streamline operations across the entire supply chain. One leading example is Censinet RiskOps™, a cloud-based risk exchange that connects over 50,000 vendors and products within the healthcare industry[29, 36].
"Censinet RiskOps™ dramatically reduces cybersecurity risk in healthcare by helping providers, payers, and vendors achieve amplified expertise and coverage through the network effects of its collaborative risk network." [17]
Organizations that have adopted these platforms report smoother operations and a reduction in full-time employee (FTE) requirements. With 45% of cyberattacks exploiting public-facing applications[18], tools offering automated risk assessments and continuous monitoring are becoming indispensable for securing complex healthcare supply chains.
Automation and AI play a key role by speeding up threat detection and reducing reliance on manual processes. The more organizations that join these networks, the greater the collective value they generate. For instance, Faith Regional Health has leveraged benchmarking through collaborative platforms to align with industry standards, advocate for necessary resources, and strengthen its cybersecurity posture[14].
"Healthcare is the most complex industry... You can't just take a tool and apply it to healthcare if it wasn't built specifically for healthcare." - Matt Christensen, Sr. Director GRC, Intermountain Health [14]
The future belongs to healthcare organizations that embrace collaborative risk networks, adopt platforms tailored to the sector's unique needs, and prioritize collective intelligence over isolated efforts. As cyber threats grow increasingly sophisticated, treating cybersecurity as a shared responsibility will be critical for protecting patient data, ensuring operational stability, and building stronger defenses.
This shift toward collective cyber risk management is quickly becoming the standard for healthcare organizations committed to safeguarding against an ever-evolving threat landscape.
FAQs
How does risk sharing improve cybersecurity in healthcare compared to traditional approaches?
In healthcare, risk sharing is a game-changer for improving cybersecurity. It encourages collaboration among healthcare organizations, vendors, and insurers, shifting the focus from isolated efforts to a more collective approach. By spreading risks across multiple parties, no single entity bears the full weight of potential cyber threats.
This collaborative strategy enables organizations to create joint incident response plans, establish shared liability agreements, and use cyber insurance models specifically designed for the healthcare sector. The result? Stronger defenses, improved resilience, and quicker, more coordinated responses to cyberattacks - far more effective than traditional, siloed approaches.
What challenges could healthcare organizations face when adopting a risk-sharing model for cybersecurity?
Healthcare organizations face several hurdles when adopting a risk-sharing model for cybersecurity. A major challenge is integrating modern cybersecurity measures with legacy systems, which often lack the flexibility needed to accommodate new frameworks. On top of that, ensuring compliance with regulations like HIPAA adds complexity, as shared responsibilities must meet stringent legal standards.
Other obstacles include managing third-party risks from vendors or partners, addressing employee training gaps, and dealing with resource limitations - whether it's tight budgets or a lack of in-house cybersecurity expertise. These challenges underscore the need for thoughtful planning and strong collaboration to navigate the transition effectively.
How can healthcare organizations stay HIPAA-compliant while engaging in risk-sharing partnerships?
Healthcare organizations can uphold HIPAA compliance in risk-sharing partnerships by prioritizing the protection of electronic protected health information (ePHI). This starts with regular risk assessments to pinpoint potential vulnerabilities. On top of that, implementing technical safeguards such as network segmentation and maintaining strong data privacy and security policies are crucial steps.
It's also essential to have clear breach notification procedures in place and to ensure that every partner in the network aligns with HIPAA standards. By promoting transparency and accountability across the board, healthcare providers can work together effectively while keeping sensitive patient information secure.
