Medical Device Cybersecurity
Gallagher Healthcare :: Industry Insights | By Gallagher Healthcare | 5/19/2016
The risks of computer network security failure and unauthorized disclosure of private information are well established in healthcare. 2015 was a noteworthy year for large breaches in healthcare, with major hacks against payers and providers, including Anthem and UCLA. In early 2016, the threat of ransomware came to the foreground when Hollywood Presbyterian Hospital publicly disclosed an attack against it and paid a ransom, and many other providers announced that they also routinely face such attacks (while not necessarily paying the ransom demanded). Ransomware demands threaten not only the provider's ongoing business activities but also patient care and reputation.
This paper will review the cyber security risks that medical devices may present and how current insurances may respond to bodily injury exposures. We will also examine the current regulatory oversight of medical device software and security and provide a framework to analyze which insurance policies might respond to the breach, the parties that might be implicated in the chain of responsibility and how those policies collectively respond to bodily injury arising out of the failure of security of a medical device.
The Vulnerabilities of Modern Medical Devices
Medical devices are increasingly being connected to networks to provide up-to-the-minute information. This connectivity, wireless or not, exposes the devices to the same vulnerabilities as other connected computing devices – including that an intruder can gain access into the device, breach its security and spread a virus or malware, or access and collect data or alter the proper functioning of the device.
Medical devices of all types are vulnerable, including consumer devices, the associated mobile environment and implantable devices: from pedometers to bedside monitoring equipment, insulin pumps and pacemakers, and from biomarkers that measure medication adherence to geofencing devices for the elderly. The more connectivity, the greater the risk: it is easier for an intruder to reach a device that is connected to the internet or a network than one that is not.
The devices are typically connected to the internet directly or to hospital networks, administrative and clinical IT systems and electronic medical records. The devices themselves commonly run on standard operating systems (such as Windows XP) and are built on open infrastructure standards that hackers already attack in other computer equipment.
Another challenge is that medical device manufacturers do not always provide timely security software updates and patches for medical devices and the networks they sit on, and the off-the-shelf software intended to prevent unauthorized access to the device or network has security vulnerabilities of its own. Many medical devices run outdated, unpatched operating systems that are vulnerable to current malware. The U.S. Food and Drug Administration (FDA), which oversees the safety approval process for medical equipment, has clearly stated that routine cybersecurity patches generally do not require the device to go back through premarket review (a common misconception among device manufacturers), so manufacturers can issue patches promptly without waiting for FDA approval.
There is also a practical tension between utility and privacy/security that the healthcare industry and manufacturers of medical devices must grapple with – is it more important to have quick and easy access to the device or is the priority to create systems that require strict authorization so that the device will not be hacked?
Documented examples of actual patient injury are few, although there are well-documented hacks that show the potential for unauthorized access. (1) In 2011, a security researcher hacked into his own insulin pump at the Black Hat security conference, showing how the device could be accessed remotely with the ability to increase the dose of insulin. (2) In 2015, students at the University of Alabama hacked the pacemaker implanted in an iStan (a robotic dummy patient used to train medical students) and were able to speed up its heart rate. (3) In 2015, the FDA issued a safety communication on Hospira's LifeCare PCA3 and PCA5 infusion pumps, warning hospitals of security flaws that could allow an unauthorized user to remotely change the medication dosages dispensed by the pumps and recommending that their use be discontinued. (4)
The National Institute of Standards and Technology National Cybersecurity Center of Excellence is working on guidance to address the cyber security of wireless infusion pumps. This follows their white paper that described potential cybersecurity threats affecting wireless medical infusion pumps, including the devices being compromised by malware, hackers or malicious insiders, and suggested implementing a variety of risk mitigation technologies, including encryption and multi-factor authentication.(5)
The FDA has issued two guidance documents on medical device cybersecurity (one final, one draft) and a draft guidance on design considerations for interoperable devices. The first, finalized in October 2014, (6) contains recommendations for managing cybersecurity during the design stage of device development (premarket). The January 2016 draft guidance (7) addresses the postmarket setting: vigilant monitoring and remediation through routine maintenance and best practices, addressed primarily to manufacturers. That draft details the agency's recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. Providers should follow the same guidance in support of the medical device manufacturers. Most recently, the FDA issued draft guidance (8) on design considerations when developing interoperable medical devices, with recommendations on risk analysis.
In a related matter, the New York City Department of Consumer Affairs launched an investigation of baby monitors in January 2016 to determine whether manufacturers have corrected known security vulnerabilities in their devices. Subpoenas were issued to several major manufacturers demanding evidence to back up the claims the companies made about the security of their devices, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches and whether those patches were actually applied by the devices' owners. (9)
This leaves devices and their users/owners open to illegal and intentional activity, whether targeted or not, which can impact the security of patient data, the safety of patient care and the successful operation of the healthcare business. Patients will hold their healthcare provider responsible for security breaches in devices that are recommended or used by their physicians. The consequences to the provider of security breaches include liability for financial loss and bodily injury, and their own business interruption and damage to reputation.
It is always possible that liability will be claimed against all persons and entities in the chain of distribution, from manufacturer to testing laboratory, software vendor/consultant, medical sales representative, doctor, hospital/clinic and any retailer.
Insurers and insurance policies respond in various ways to the developing exposures to manufacturers and providers from hacked medical devices. Coverage (for providers) may exist under many different coverages, including cyber insurance, medical professional liability, general liability and property insurances. Manufacturers should look to their product liability and recall policies for coverage.
We will begin by reviewing the manufacturer’s position, but other parties are likely to be in the chain of responsibility, including the provider itself and any IT vendors that provide services relating to the devices, from specification to software, maintenance and patching.
Manufacturer’s Product Liability Insurance
Product liability insurance may be purchased by medical device manufacturers to cover claims alleging injury through defective design/manufacture/production/marketing of the product. The policy will cover claims alleging bodily injury along with the consequent economic damages.
Any claim against the manufacturer will likely allege bodily injury to the patient arising out of use of the medical device, financial loss to the provider arising out of any medical malpractice claim against the provider, additional costs incurred by the provider to rectify, replace or repair the device and possibly business interruption costs incurred by the provider.
Manufacturer’s Professional Liability Insurance
While products liability insurance addresses injury caused by defective products, it is recommended that manufacturers also purchase professional liability insurance to respond to liability to third parties for their financial loss arising out of defective products. This insurance is typically purchased in conjunction with the product liability coverage, often from the same insurer.
A growing number of device manufacturers are purchasing professional liability insurance to protect against suits alleging inadequate training. Manufacturers’ employees often train surgeons and other medical professionals on how to use these devices. When malpractice occurs, the manufacturer’s trainers and training protocols come into question.
Manufacturer’s Product Recall Insurance
Manufacturers of medical devices may purchase product recall insurance to indemnify them for financial losses (such as the actual physical recall expenses, loss of profit, product replacement costs, extra expenses and rehabilitation expenses) arising from an event where use of the product has caused (or poses actual and imminent danger of causing) bodily injury or property damage or has impaired property.
The coverage may also include an option to insure third-party losses, such as a customer’s (hospital) loss of gross profits, rehabilitation and/or extra expenses incurred as a result of the recall of products sold or stocked by the provider.
IT/System/Data Services Vendors Technology Professional Liability Insurance (E&O)
As mentioned above, patients who are injured through failure of network security and breach of private information, may look for recovery from all parties within the chain of distribution, and this will likely include not just the manufacturer of the medical device, but also the provider’s own technology consultants/ vendors who have advised on, specified, installed or integrated the medical device into the provider’s computer system/network.
As a result, it is important for the provider to require the consultant/vendor to purchase and maintain substantial technology errors & omissions (E&O) insurance limits and to ensure that the policy covers claims arising out of bodily injury.
While technology E&O insurers typically exclude bodily injury and property damage in their policy forms, intending their coverage to be for financial loss only, there are scenarios where the technology consultant can be in the chain of responsibility for bodily injury or property damage arising out of their professional services relating to medical devices. Insurers can be persuaded to provide some coverage, although their responses and approaches differ.
Consider the following scenarios:
- Consultant makes a programming error that stops a pacemaker from working, resulting in death.
- Consultant makes a programming error in a pharmacy robot such that the wrong drug is dispensed, causing bodily injury.
- Consultant fails to apply a patch with the result that computer security can be compromised and a hacker gains access and causes bodily injury to a patient.
In each of the above situations, the consultant's error or omission has contributed to the bodily injury, but in different ways and with different proximity. E&O insurers can agree to provide coverage for each of these scenarios, but their responses will vary with the circumstances and their underwriting approach. Some insurers will agree to cover bodily injury arising out of the rendering of, or failure to render, the covered professional services (the first scenario above), but typically only if no other policy responds. Where the consultant's general liability policy covers professional services, that policy responds first, and the E&O coverage grant may be of limited value.
E&O insurers are more likely to cover the second scenario above, often called “contingent” or “indirect” bodily injury. In this case, the insurer is effectively covering the financial loss claim (against the consultant) by the (client) provider who is defending the actual bodily injury claim (by the patient).
The third scenario can be more difficult to insure, since E&O insurers perceive that the relevant act is the breach of the provider’s network security by the hacker and not the original error by the consultant, in which case the cyber insurance should respond first.
Provider’s Cyber Insurance
Cyber insurance for providers generally covers their liability for breach of confidential data, failure of the network security of their computer systems and the first party costs of related business interruption, notification and cyber extortion.
However, these cyber policies typically exclude claims arising out of bodily injury, sickness, disease or death of any person (and, for cyber extortion, the threat of physical harm to a person) and property damage. Additionally, cyber insurers may specifically exclude medical malpractice claims. No doubt, cyber insurers are aware of the potential for an aggregation of bodily injury claims from one type of medical device – and they are not rating for this risk. Cyber insurers (of healthcare providers) typically do not cover the financial consequences of bodily injury, such as the cost of care following bodily injury, although such coverage is advertised by at least one insurer.
The third-party liability coverage is therefore typically only for financial loss, not bodily injury. In the case of medical devices, this means that cyber insurance will respond to a claim that hackers accessed personal health information (PHI) through the device, but not to the claim that failure of the provider’s computer security in the medical device allowed bodily injury to the patient.
Consider different types of devices, in different locations and under different degrees of control by the provider, and how coverage could apply:
- A device such as a bedside monitor in a hospital, connected to the hospital's network, should be considered part of the insured's computer system for the purposes of network security coverage. Coverage should then apply to liability for failure of the hospital's computer security to prevent a security breach that results in alteration, destruction or corruption of data on the computer system, or for failure to prevent transmission of malicious code to computer systems or network systems that are not operated or controlled by the insured.
- A connected device that has been implanted at the hospital should attract similar coverage while it is there. However, it is unlikely that coverage will apply once the patient leaves the hospital (with the pacemaker) and the device is no longer "connected" to the hospital's computer system, especially given that pacemakers are usually owned by the patient, not the provider. The insurance policy's definition of computer system typically extends only to devices that are operated and owned/leased by the provider, or by a third-party services entity for the purpose of hosting applications or processing, maintaining, hosting or storing the provider's data.
- If a device is hacked and results in theft/loss/unauthorized disclosure of PHI, the issue will be whether the data is in the care, custody or control of the provider – if so, then coverage will apply.
This is a developing area for cyber insurers, but typically they rely upon bodily injury exclusions to restrict coverage to direct financial loss and to separate coverage from the bodily injury cover in the provider’s professional liability and general liability insurance policies. Coverage is clearer for breach of confidential data, than for the failure of computer security trigger. Clarity as to when a device is part of the insured’s computer system will be important in determining whether coverage applies.
If the provider’s cyber policy includes coverage for cyber extortion, then the policy will respond to threats such as a breach of computer security, theft or misuse of data and introduction of malicious code, but will not typically cover threats to physically harm (kidnap) any person nor any bodily injury resulting from the impact of ransomware/malware. The cyber extortion coverage in the cyber policy is designed to cover payments to terminate the threat (and the fees of security consultants), as opposed to compensation for bodily injury or financial loss. See analysis below regarding cover under kidnap and ransom policies for bodily injury arising out of cyber extortion.
Provider’s Hospital/Medical Professional Liability Insurance
Professional liability (PL) covers the provider for liability arising out of its errors in the performance of its professional services, including bodily injury.
It would certainly be expected that the PL policy would respond if the provider incorrectly calibrates a bed-side infusion pump or wrongly specifies a pacemaker, which results in bodily injury. The question here is how far is the provider responsible, in its provision of care, for bodily injury relating to unauthorized access to medical devices?
Will there be coverage under the PL policy if the provider, in the course of providing medical services, fails to apply the software patches issued for the equipment/device, and as a result a hacker gains access and injures the patient? This contrasts with the device manufacturer failing to issue patches, with the same result: in that case the manufacturer will likely be liable ultimately, with the provider's PL insurer responsible for the (first-line) defense and probably joining the device manufacturer in that defense.
Increasingly, PL policies contain exclusions relating to HIPAA and/or cyber/malware, in which case coverage would not apply to bodily injury to patients receiving care in a hospital if the injury is facilitated by a failure of computer network security that permits unauthorized access to and tampering with a medical device resulting in injury to the patient.
Additionally, PL policies typically exclude situations where the provider knows that harm is possible, which might be the case if the provider knows that the equipment has been infected by malware or the provider fails to apply issued patches and continues to use it knowing that it might cause harm.
Questions of location and connectivity of the medical device will likely also come into play. Generally speaking, patients own their pacemakers (not the provider), but is the provider liable if the pacemaker is on-site at the hospital or even simply connected (perhaps, wirelessly) to the provider’s network?
Provider’s General Liability Insurance
General liability (GL) covers the provider for liability arising out of bodily injury other than from professional services, complementing the bodily injury coverage under the PL policy.
In the past, GL policies have not specifically excluded cyber claims, but in an effort to clarify the (intended lack of) coverage, the Insurance Services Office (ISO) has issued several exclusions for its GL program relating to data and unauthorized access, and GL insurers increasingly apply them. Those exclusions remove cover to varying extents: from excluding only personal and advertising injury (Coverage B) while leaving bodily injury/property damage (Coverage A) untouched, to applying to both Coverages A and B but with a bodily injury carve back for damages arising out of access to or disclosure of any person's or organization's confidential or personal information, to applying fully to both Coverages A and B.
Additionally, when the GL and PL are both in the same policy, the GL coverage section typically excludes claims by patients (although preferably with a carve back for non-patient care claims such as injury caused by a building collapse). Standalone GL policies should not contain an exclusion of claims by patients.
Umbrella and excess layer insurers will also underwrite the bodily injury risk arising out of cyber security for medical devices and may apply their own (additional) exclusions.
Provider’s Kidnap and Ransom Policy: (Cyber) Extortion
The provider’s kidnap and ransom policy can include extortion as an insured event to cover a threat to the provider or an insured person (by someone demanding a ransom not to carry out the threat), to kill or injure an insured person or to insert malicious code into the computer system.
This differs from the cyber extortion coverage in a cyber policy which typically does not cover any liability for bodily injury, in that the kidnap and ransom policy covers the ransom payment, legal liability of the organization arising out of the extortion (including for bodily injury) and specific payments for death, dismemberment or disability of the insured person.
An additional point is that the definition of insured person should, ideally, specifically include patients (and not merely customers on the premises).
Provider’s Directors & Officers Insurance
The provider’s directors & officers (D&O) policy will cover claims against the directors and officers themselves, to the extent that the claim alleges a wrongful act committed in their capacity as such or by reason of their status as such; for example, a claim that a failure in their duties as directors led to the failure of computer security. This applies whether the claim is indemnifiable (Side B claim) or non-indemnifiable (Side A claim).
The private/not-for-profit D&O policy form can cover claims against the entity (Side C claim) alleging breach of duty, neglect, error or omission by the organization. This could address allegations that the entity failed to secure data or systems.
However, D&O policies should be reviewed in detail as exclusions relating to bodily injury, property damage, cyber risk, medical or professional services might deny or limit coverage. Additionally, it is important to understand whether these exclusions apply to claims only “for” or comprehensively “arising out of” cyber or other claims.
Other Insurance Clauses
Lastly, it will be important to consider how the other insurance clauses apply across all the implicated policies, taking into account self-insured retention and deductible levels, breadth of coverage and defense provisions. Ideally, the provider will work with their advisors to determine which policies should respond and in which order and to tailor the language of the other insurance clause in each policy to achieve those results.
We expect current medical devices to remain in use for years to come (with their comparatively weak operating systems and patching) and no doubt the replacements will also contend with the same moving threats that the rest of the wider data/network security world will continue to encounter. As cyber security in medical devices develops, improves and becomes regulated, it will remain important that providers ensure that their insurances will respond to these developing threats. This will involve a detailed understanding of healthcare, the provider’s business, its contracts and insurance policies, as well as of the insurances that should be required of vendors such as consultants and the medical device manufacturers themselves.
Risk managers can advance the effectiveness of their protection through a proactive review of policies, understanding of how the various coverages apply to a breach of cybersecurity of medical devices and determining how the policies fit together and the order in which they will respond. From this process, risk managers and their advisors will be able to find the gaps, press insurers to tailor their offerings accordingly and require vendors to maintain the appropriate coverage.
About the Author
Trevor Weyland is an Area Senior Vice President in the Arthur J. Gallagher & Co.’s Western Region, specializing in executive and management liability issues with cyber expertise for Gallagher’s Healthcare Practice. This practice focuses on providing insurance and risk management solutions to meet the unique needs of healthcare providers and facilities across the continuum of care.
For more information, contact:
Trevor Weyland, Gallagher Healthcare Practice, 818.539.1224
References
- (1) Device Hacking Continues: Medtronic, Others ‘Lacked Foresight’
- (2) SC Magazine: Black Hat: Insulin Pumps Can Be Hacked
- (3) Motherboard: Hackers Killed a Simulated Human by Turning Off Its Pacemaker
- (4) FDA Safety Communication: Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems
- (5) Infusion Pump Security: NIST Refining Guidance
- (6) FDA News Release: “FDA takes steps to strengthen cybersecurity of medical devices,” October 14, 2014
- (7) FDA News Release: “FDA outlines cybersecurity recommendations for medical device manufacturers,” January 15, 2016
- (8) FDA Draft Guidance: “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices”
- (9) New York City Department of Consumer Affairs News Release: “Consumer Alert: Consumer Affairs Warns Parents to Secure Video Baby Monitors”