Healthcare Cyber Insurance Risk Climbs as Vendor Breaches Hit 85% of Practices


A new Omega Systems report shows most practices trust vendors they never monitor. For underwriters, the louder medical practice cyber risk alarm is what leaders admit about their own compliance. Most healthcare practices suffered a vendor-driven disruption last year, yet few are watching the vendors that caused it. That is the third-party risk in healthcare, and a new survey puts hard numbers on a gap underwriters have long suspected.

Omega Systems surveyed 200 US healthcare leaders for its 2026 Healthcare IT Landscape Report. The findings describe a sector exposed through its supply chain. They also surface a disclosure problem that should concern any cyber underwriter.

Healthcare cyber insurance risk graphic showing vendor breach exposure from the 2026 Omega Systems report. It also looks at HIPAA cyber liability, third-party risk in healthcare, and medical practice cyber risk.

Third-Party Risk in Healthcare

The report found 85% of practices faced at least one operational disruption from a third-party or “vendor-of-a-vendor” failure in the past year. Yet 70% of leaders say they feel confident in their vendors’ security.

That confidence rarely rests on evidence. Some 63% of practices do not continuously monitor their digital supply chains. Confidence and visibility are different things. Attackers understand the difference.

Separate research on healthcare resilience, as breaches multiply, found the same blind spot. Only 4% of those leaders felt very confident that their vendor risk assessments reflected reality.

For underwriters, the math is familiar. Vendor concentration drives correlated loss. One compromised platform can strike many insureds at once. A practice that cannot see its vendors cannot answer an application honestly.

The scale is not hypothetical. Recent healthcare data breaches show the cascade. The Change Healthcare attack alone hit roughly 100 million people.

The Self-Attestation Problem

The report’s sharpest finding sits in the compliance data. Six in 10 leaders admit they self-attest to HIPAA compliance even though they know their own risk assessments flagged unresolved vulnerabilities.


This carries direct coverage consequences. Insurers price policies on application answers and warranties. An insured who attests to controls it lacks may face a denied claim. In some cases, the carrier can rescind the policy outright.

The exposure widens elsewhere in the survey. Some 21% of leaders say they deliberately downplay cyberattack risk to protect their reputation. Brokers placing these accounts inherit that optimism. Claims teams meet the reality later.

When the EMR Goes Dark

Downtime in healthcare carries costs far beyond lost data. The report found 53% of leaders say billing and scheduling would stop instantly if their EMR (electronic medical record) system failed. Cash flow freezes at the worst moment.

Some 47% say staff would lose access to patient histories and medication lists. That creates safety and malpractice exposure. Another 25% say a serious incident could force temporary or permanent closure.

A striking 61% of leaders believe a cyberattack will kill a US patient within five years. The same Omega survey put that figure at 52% a year earlier. The trajectory is the real signal. Bodily injury from a cyber event raises a hard coverage question. This medical practice cyber risk lies at the intersection of cyber, general liability, and medical malpractice policies.

AI Adds Connections Faster Than Governance

The survey found 93% of practices already use AI in clinical or administrative work. Each new AI vendor is a new door into patient data. Some 22% cannot confirm their AI tools meet emerging HIPAA expectations. The revenue case is pulling adoption ahead of oversight.

A Rule That Could Reset the Baseline

Omega frames the proposed 2026 HIPAA Security Rule as a closing window. The status deserves precision. As of June 2026, the rule remains proposed. OCR published the proposal in January 2025. It has not issued a final rule. A coalition of more than 100 provider groups has asked HHS to withdraw it.


The current Security Rule still applies. OCR is enforcing it more aggressively. If finalized, the proposal would make controls like multi-factor authentication and business associate verification mandatory. Underwriters tracking this rule are tracking their own future minimum controls.

A Governance Story for Carriers

Omega is a managed security provider. Its report makes a case for outside partners. The underlying data still matters to the insurance market.

The survey found 52% of practices have no managed security partner. Some 39% run cybersecurity entirely in-house. Another 35% call their teams understaffed. These are the accounts that fill loss runs.

“This data tells a governance story as much as a security one,” said Mike Fuhrman, CEO of Omega Systems.

For carriers and brokers, the lesson is underwriting discipline. Confidence is not a control. Attestation is not evidence. The accounts that price well will be the ones that can prove what they claim.

FAQ – Healthcare Cyber Insurance Risk

What did the Omega Systems 2026 report find?

The report surveyed 200 US healthcare leaders. It found 85% suffered a vendor-related disruption in the past year. It also found wide gaps in monitoring, recovery, and compliance.

Why does vendor risk matter for cyber insurance underwriting?

Vendor concentration creates correlated loss. One compromised platform can hit many insureds at once. Underwriters price the aggregation risks into healthcare accounts.

Is the 2026 HIPAA Security Rule in effect?

No. As of June 2026, it remains a proposed rule. OCR has not issued a final version. The current Security Rule still applies, and OCR continues to enforce it.

Does this apply outside the US?

The data is US-only. The principle travels. UK and EU insurers face the same warranty and disclosure questions under their own frameworks, including the UK Insurance Act 2015 and EU NIS2 obligations for health entities.
