NASHVILLE, Tenn. — Medical devices such as insulin pumps and heart monitors can save lives but also present “scary” cyber security risks that must be addressed in an “internet of things” world, experts say.

“Medical devices are something that drive me crazy,” Dr. Lewis Kohl, chief medical information officer and senior medical director at CareMount Medical in Carmel, New York, said at the American Society for Health Care Risk Management’s annual conference in Nashville on Monday. “They are a big risk to you, and you don’t even know they’re there.”

Embedded medical devices are the emerging concern in the health care space, but the bigger existing threat is the network-attached medical devices in health care provider settings such as diagnostic imaging systems, treatment devices and surgical machinery, Josh Ladeau, executive vice president and global head of cyber for Aspen Insurance Holdings Ltd. based in Rocky Hill, Connecticut, said at a separate ASHRM session on cyber issues Monday.

“All of those devices are currently in the system today and a lot of those devices are upwards of 10, 20 years old … long before we were thinking about connectivity to the internet,” he said.

Vendors bring in medical devices to hospitals, but they do not manage the devices, which often have access to the internet, Dr. Kohl said, advising risk managers to return to their health care facilities and ask to be shown every medical device.

“You’re going to find something that nobody’s patched and nobody’s thinking about,” he said. “There’s a great way to manage them these days — you can isolate all these devices on the domain so if they go rogue they can’t go out of their little states on your network.”

The internet of things offers the ability to connect devices and program them to report information to a central location, Dr. Kohl said.

“It’s up to you if you want to do that, but in a hospital, it’s really a scary concept,” he said. The connectivity is “great, except every hacker in the world is drooling over this. They’re all working on being able to access these devices.”

There have been several cyber security incidents or concerns in relation to medical devices in the last three years, including an August 2017 recall by the U.S. Food and Drug Administration in relation to potential exploitation of cyber security vulnerabilities for certain Abbott — formerly St. Jude Medical — pacemakers. These and other medical devices, as the FDA noted, contain configurable embedded computer systems that can be vulnerable to cyber security intrusions and exploits. As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates, according to the recall notice.

“Be very afraid of the internet of things,” Dr. Kohl said. “It’s really the hacker’s paradise.”

The heightened exposure environment has led to a shift in the underwriting criteria for health care organizations, with insurers asking a number of questions related to the safety of these devices, Mr. Ladeau said.

“Asset management — do you know what you have? — that’s a start,” he said. “Are you limiting the amount of communication they can have within the network? Can they only speak to the other devices that are absolutely necessary? In other words, you don’t want your devices having open communication to the internet.”

“Patch management is really critical,” he continued, noting that the WannaCry ransomware attack was an example of “unpatched systems being taken advantage of. That’s something that’s easily preventable or at least easily addressed. What we’re looking for is a robust patch management process. Are you addressing it down to the device level in the organization?”

Taking these types of steps is particularly critical as the regulatory environment continues to evolve, experts say. For example, the EU’s wide-ranging General Data Protection Regulation regime took effect in May and carries with it the potential for substantial fines for violations — up to 4% of annual revenue for the most serious breaches. It is also expected to instigate a surge in data breach and other security failure claims, according to a May report by American International Group Inc.

The GDPR has implications for medical device companies, particularly when it comes to the “quick” notification requirement for breaches of within 72 hours, said attorney Dominic Paluzzi, co-chair of the national data and cyber security practice group of McDonald Hopkins PLC in Bloomfield, Michigan.

“It is not a breach until we forensically and legally call it a breach,” he said. “We have incidents. We have events. We have situations. When you call it something, stay away from the ‘b’ word because we can try and play around with that clock a little bit. Not six months, but a whole day is what we can kind of buy you.”

“If you have one patient, one client anywhere in the EU, you’d better comply,” said Howard Panensky, senior broker for cyber product solutions in the FINEX cyber and errors and omissions practice for Willis Towers Watson PLC in New York. “And America’s laws are coming around.”

California has adopted a stringent privacy law that takes effect in January 2020 and would grant consumers the right to discover what information data firms collect about them, who is collecting it and to whom it is selling it, and request the information’s deletion. Consumers would have the right of private action under the law, but the state attorney general would also enforce it, with violators subject to a civil penalty of up to $7,500 for each violation.

“In this space of cyber security data breach, once one state comes up with something, the next just take it over and make it even more complex,” Mr. Paluzzi said.