Medical devices open door to cyber risks
Posted On: Nov. 4, 2018 12:00 AM CST
Advances in technology have propelled the development of medical devices used in life-saving treatments, but the ability of hackers to reach such devices in a connected world is raising the need to identify and prevent cyber attacks that can compromise patient safety, experts say.
However, risk managers may find unexpected sources of coverage, including traditional policies such as medical malpractice, if the manufacture or use of devices such as insulin pumps and heart monitors leads to claims, and soft pricing in the cyber insurance market gives them room to build broader programs now.
“Medical devices are something that drive me crazy,” Dr. Lewis Kohl, chief medical information officer and senior medical director at CareMount Medical in Carmel, New York, said at the American Society for Health Care Risk Management’s annual conference in Nashville, Tennessee, last month. “They are a big risk to you, and you don’t even know they’re there.”
Embedded medical devices are an emerging concern in the health care sector, but a bigger existing threat is the network-attached medical devices in health care provider settings such as diagnostic imaging systems, treatment devices and surgical machinery, said Josh Ladeau, executive vice president and global head of cyber for Aspen Insurance Holdings Ltd. based in Rocky Hill, Connecticut.
“Every device that you have can be connected to the ’net and if it can be connected to the ’net, I can hack into it,” said Bill Hardin, a Chicago-based vice president with Charles River Associates Inc. who conducts forensic assessments on data breach and cyber incident response, including hacking into hospital systems to test them. “It’s only a matter of time because the software code that’s associated with it will eventually outdate itself.”
There have been several cyber security incidents or concerns involving medical devices in the past three years, including an August 2017 recall notice published by the U.S. Food and Drug Administration concerning cyber security vulnerabilities in certain Abbott (formerly St. Jude Medical) pacemakers.
These and other medical devices, the FDA noted, contain configurable embedded computer systems that can be vulnerable to cyber security intrusions and exploits. As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates, according to the recall notice.
In October, medical device maker Medtronic PLC disabled internet updates for some 34,000 CareLink programming devices that health care providers around the world use to access implanted pacemakers, saying the system was vulnerable to cyber attacks. The company said it knew of no cases where hackers exploited the vulnerability, but that it “could result in harm to a patient depending on the extent and intent of a malicious cyber attack and the patient’s underlying condition,” according to a letter seen by Reuters.
“Be very afraid of the ‘internet of things,’” Dr. Kohl said. “It’s really the hacker’s paradise.”
The heightened exposure has shifted the underwriting criteria for health care organizations, with insurers now asking a number of questions about the security of these devices, Mr. Ladeau said.
“Asset management — do you know what you have? — that’s a start,” he said. “Are you limiting the amount of communication they can have within the network? Can they only speak to the other devices that are absolutely necessary? In other words, you don’t want your devices having open communication to the internet.”
“Patch management is really critical,” he continued, noting that the WannaCry ransomware attack was an example of “unpatched systems being taken advantage of. That’s something that’s easily preventable or at least easily addressed. What we’re looking for is a robust patch management process. Are you addressing it down to the device level in the organization?”
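As an added illustration of the two underwriting questions above (asset inventory with restricted device communication, and patch tracking down to the device level), the following Python script audits a constructed device inventory against constructed flow-log lines and a firmware baseline. It is example code written for this page, not from Mr. Ladeau, Aspen or any device vendor; the device names, addresses, firmware versions, log format and the "minimum patched version" field are all hypothetical assumptions.

```python
"""Audit a medical-device inventory against flow logs and a firmware baseline.

Added example, not from the article. Device names, IPs, firmware versions,
the flow-log format and the "min_patched" baseline are hypothetical, chosen
to illustrate two checks: (1) do you know what you have and what it may talk
to, and (2) is patching tracked down to the individual device.
"""
import ipaddress
from dataclasses import dataclass, field

# Address ranges the organization considers "inside"; anything else is treated
# as internet egress. Python's ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, so an explicit site list is more reliable.
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class Device:
    name: str
    ip: str
    firmware: str      # version currently installed (hypothetical)
    min_patched: str   # lowest version with the vendor's fixes applied (hypothetical)
    allowed_peers: dict = field(default_factory=dict)  # peer IP -> set of permitted dst ports


# Constructed inventory: each device may only talk to its own back-end server.
INVENTORY = [
    Device("ct-scanner-01", "10.20.0.11", "4.1.0", "4.2.0", {"10.20.0.50": {104}}),     # DICOM to PACS only
    Device("infusion-pump-07", "10.20.1.23", "2.8.1", "2.8.1", {"10.20.1.5": {8080}}),   # pump server only
]

# Constructed flow records: timestamp src dst dport proto
FLOW_LOG = """\
2018-10-12T09:14:02Z 10.20.0.11 10.20.0.50 104 tcp
2018-10-12T09:14:05Z 10.20.0.11 203.0.113.9 443 tcp
2018-10-12T09:15:10Z 10.20.1.23 10.20.1.5 8080 tcp
2018-10-12T09:15:12Z 10.20.1.23 10.20.0.11 445 tcp
2018-10-12T09:16:00Z 10.20.3.77 10.20.0.50 104 tcp
2018-10-12T09:16:30Z 10.20.0.11 10.20.0.50 22 tcp
"""


def parse_flows(text):
    """Return (src, dst, dport) tuples, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, _proto = parts
        flows.append((src, dst, int(dport)))
    return flows


def is_offsite(ip):
    """True when the address lies outside every configured site range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_NETWORKS)


def audit_flows(inventory, flows):
    """Return (device, dst, dport, reason) for every flow that breaks the allowlist."""
    by_ip = {d.ip: d for d in inventory}
    findings = []
    for src, dst, dport in flows:
        dev = by_ip.get(src)
        if dev is None:                       # "do you know what you have?"
            findings.append((src, dst, dport, "source not in inventory"))
            continue
        if is_offsite(dst):                   # no open communication to the internet
            findings.append((dev.name, dst, dport, "internet egress"))
        elif dst not in dev.allowed_peers:    # only the devices absolutely necessary
            findings.append((dev.name, dst, dport, "peer not allowlisted"))
        elif dport not in dev.allowed_peers[dst]:
            findings.append((dev.name, dst, dport, "port not allowlisted"))
    return findings


def parse_version(v):
    """Split a dotted version into an int tuple so 4.10.0 sorts above 4.9.2."""
    return tuple(int(x) for x in v.split("."))


def audit_patches(inventory):
    """Return devices whose installed firmware is older than the patched baseline."""
    return [d for d in inventory if parse_version(d.firmware) < parse_version(d.min_patched)]


if __name__ == "__main__":
    for f in audit_flows(INVENTORY, parse_flows(FLOW_LOG)):
        print("FLOW ", *f)
    for d in audit_patches(INVENTORY):
        print("PATCH", d.name, d.firmware, "<", d.min_patched)
```

Run as-is it reports four flow findings (internet egress from the scanner, a pump reaching the scanner on SMB port 445, an unknown source address, and the scanner reaching PACS on an unlisted port) and one device below its patch baseline. In practice the inventory would come from a CMDB or passive network discovery and the flows from a switch or firewall export, but the checks are the same: every source must map to a known device, each device may reach only its listed peers and ports, and nothing may reach outside the site ranges.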
Risk managers should also understand where their different policies dovetail when it comes to coverage for incidents involving medical devices, Mr. Ladeau said.
“Most medical malpractice policies don’t have an exclusion for cyber,” he said. “In other words, if there is some failure to care (or) an injury to a patient based off of one of these hacks, there’s ostensibly liability coverage in that, and I don’t think most people are thinking about it from that perspective.”
“I do believe the bodily injuries are coming,” Mr. Ladeau said. “That is an unfortunate reality that I think we’re going to see in just the next few years. When that comes, you’re going to have medical malpractice losses being implicated.”
“The bodily injury piece specifically is more often covered under your traditional medical malpractice policy,” Ben Maidment, leader of Brit Ltd.’s cyber underwriting division in London, said of bodily injury resulting from cyber incidents. “That said, there is a movement to position all the cyber exposure” in one place.
Risk managers can use the soft market to their advantage right now by building cyber programs with high excess limits and coverage across multiple policies, so that if major incidents lead to mass patient casualties and the pricing environment shifts, they will be better placed to sustain their coverage, Mr. Ladeau said.
“Be very thoughtful in the way you look at your programs right now,” he said. “Cyber is illogically priced, particularly in the excess. You have an opportunity to achieve high excess.”
And testing their risk management programs as much as possible is critical, experts say.
“From a risk management perspective, understand your threat landscape,” Mr. Hardin said. “This world is interconnected to where anyone in the world can hack into anything at any time if it’s online. Test your vulnerabilities ahead of time, and you’ll make yourself stronger and smarter.”