The risks of computer network security failure and unauthorized disclosure of private information are well established in healthcare. 2015 was a noteworthy year for large breaches in healthcare, with major hacks against payers and providers, including Anthem and UCLA. In early 2016, the threat of intrusion from ransomware came to the foreground, with Hollywood Presbyterian Hospital publicly disclosing a threat against it and paying a ransom, and many other providers announcing that they also routinely face such attacks (while not necessarily paying the ransom demanded). These ransomware demands threaten not only the ongoing business activities of the provider but also patient care and reputation.
This paper will review the cyber security risks that medical devices may present and how current insurance policies may respond to bodily injury exposures. We will also examine the current regulatory oversight of medical device software and security and provide a framework to analyze which insurance policies might respond to a breach, the parties that might be implicated in the chain of responsibility, and how those policies collectively respond to bodily injury arising out of the failure of security of a medical device.