The healthcare sector has been a favoured target of hackers ever since cyber criminals realised the value of personal data. But, while data breaches are still a major concern for hospitals and healthcare providers, recent events have exposed a new cyber threat, this time associated with medical devices.
Whether it's pacemakers, life support systems or the latest smart bandages (they monitor the progress of healing), medical devices are increasingly connected to hospital networks, the cloud or wireless networks in the home.
Such devices hold great promise, making hospital care more effective and home care more practical. Doctors are able to remotely monitor patients regardless of their location, while wireless devices free up patients from regular appointments or uncomfortable procedures.
While the benefits are clear, recent incidents have laid bare the potential for cyber security issues for medical devices.
In August St. Jude Medical recalled some 745,000 pacemakers after security flaws left them vulnerable to hacking. The incident was said to be the first cyber recall for an implanted medical device.
Just a few weeks later, the US Department of Homeland Security warned of security flaws in wireless syringe infusion pumps manufactured by Smiths Medical. Recent years have seen similar warnings issued for wireless syringe pumps, including infusion pumps using Hospira software.
Manufacturers have been working on improving security of new products, but older devices are thought to be the most vulnerable. Medical devices take many years to develop and authorise, so many products on the market today were developed before cyber security was even a consideration.
Recent incidents also highlight the challenges of keeping medical devices up to date and hospital networks secure. It will not always be possible to disconnect devices or take them offline if vulnerabilities become evident. Updating devices is also not as straightforward as patching a home PC, as patients may need to visit their doctor, while critical updates need to be tested before they are rolled out.
Cyber security vulnerabilities, as well as potential bugs and faulty updates, bring a risk of bodily injury and third party liabilities. In the case of the recent pacemaker recall, the regulator was concerned about the potential for hackers to control the ‘pace’ and power of the device.
Vulnerabilities in medical devices also pose a threat beyond the patient.
In 2015, cyber security firm TrapX revealed that hackers had used vulnerabilities in X-ray equipment and blood gas analysers to compromise IT systems at three hospitals, accessing patient data. When the WannaCry ransomware crippled hospital networks and cloud-based IT systems in the UK and US in May 2017, it also infected medical devices - Bayer confirmed that hospitals had reported that a number of its devices had been affected by the ransomware attack.
Unsurprisingly, cyber security is now a point of concern for regulators of medical devices, as well as manufacturers and hospitals.
The Food and Drug Administration (which oversees medical devices in the US) says increased connectivity of medical devices comes with an increased cyber security risk. The regulator has been stepping up its work on cyber security and recently published guidance on both the pre-market and post-market management of medical device cyber security.
The FDA has made it clear that it expects manufacturers to address cyber security risk throughout a product’s lifespan – during development and then continually once the product is out in the market.
Connected medical devices raise difficult questions for liability and insurance. Cyber security flaws in medical devices can result in substantial financial losses from bodily injury, third party liabilities, business interruption and first party costs associated with a data breach.
Exposures created by connected technology in the healthcare sector touch on a wide range of insurance coverages, including products liability, professional liability, errors and omissions and general liability. While some cover may be available under these policies, typically they will not have been designed with cyber losses in mind or they may even include cyber related exclusions.
Standalone cyber insurance can pick up many potential losses, but there will typically be notable exclusions, such as bodily injury. However, there are some specialist markets that will consider bodily injury cover arising from a cyber attack, while other industries have worked with brokers to structure cyber insurance that includes cover for product recall.