This past summer, the world-wide WannaCry ransomware attack marked what many believe was the first instance of ransomware infecting a medical device. This hack, however, was no surprise to experts who have been warning about vulnerabilities in the
With the world speeding toward a complete internet of things—connected cars, smart homes, and wearable devices tracking people’s biometrics and location—the
The life-threatening consequences for individuals with implanted or wearable medical devices that are vulnerable to cyber attacks may be obvious: a hacker could hijack an insulin pump and program a life-ending dose of insulin to a patient, for example, or cause a pacemaker to malfunction.
Threats like these are not merely hypothetical, and they occur even in medical devices manufactured by some of the biggest and most well-known Fortune 100 companies. In the last few years, multiple life-sustaining medical devices, such as pacemakers and defibrillators, have been identified as vulnerable to “potentially catastrophic attacks.” Former Vice President Dick Cheney ordered that the wireless capability on his pacemaker be disabled to protect it from hackers, and a well-known “white hat” hacker and cybersecurity expert in New Zealand demonstrated that certain pacemakers and insulin pumps can easily be hacked. Earlier this year, almost half a million implantable pacemakers were recalled due to cybersecurity holes, requiring patients to visit their health care provider to receive a firmware update. And this fall, the U.S. Department of Homeland Security found serious flaws in three versions of an infusion pump that would allow cybercriminals to hijack the device.
Vulnerabilities in medical devices in hospitals also pose a significant and more widespread threat. Attackers may access a medical device in a hospital—such as an MRI machine—to infiltrate an entire network and obtain access to personal identifying information and medical records. This data could be used for identity theft or tax fraud, or hackers could use prescription information to order medication and sell it on a black market. In California last year, hackers held data ransom in an attempt to extract a large payment from a
Indeed, the security measures in these medical devices have generally been an afterthought for developers and often lag behind security standards for other products and industries. By way of example, while some medical devices have a lifespan of 30 years, their software components are usually only good for two to 10 years and may not get the necessary updates to protect against attacks. Further, one survey suggests that, while two-thirds of medical device manufacturers believe a cyber attack on a medical device built by their organization is “likely” or “very likely,” only 17 percent of manufacturers are actively taking steps to address that threat. And only 9 percent of manufacturers test their medical devices at least annually. Compounding the issue is the fact that many of these medical devices end up in use in
In light of these realities, some of the most recent cyber attacks, including the widespread hacks known as Petya and WannaCry, have targeted
Lawmakers have recently tried to address these vulnerabilities. In late 2016, the FDA issued guidance on cybersecurity in medical devices and held a webinar in January 2017 on that guidance. And in July 2017, new legislation known as the Medical Device Cybersecurity Act of 2017 was introduced in the Senate with a goal of improving cybersecurity in medical devices. Although these initiatives are moving in the right direction, there are currently no laws or enforcement mechanisms in place to ensure that medical devices contain sufficient security to protect patients and
While other industries may suffer some interruption to business by a cyber attack, an attack in the
Because medical devices touch all aspects of the
First-party costs associated with a cyber attack.
Once a breach occurs, there is a wide array of costs a company will likely incur almost immediately, including
Third-party claims based on
Given the unique usage of data stored on (or accessible through) medical devices, there are also a variety of third-party claims that patients may bring against a medical device manufacturer, a hospital, or a
Within the current insurance landscape, there is no single policy that will adequately cover all of the losses that could potentially arise from a medical device hack. A medical device manufacturer or
Cyber policies vary widely among different insurers, but will often provide broad coverage for first- and third-party losses arising from a cyber attack. Cyber insurance may contain several policy conditions, exclusions, and
Commercial General Liability Insurance
These types of policies will often cover third-party claims such as bodily injury or personal injury, as well as
Errors and Omissions Insurance
E&O policies can provide coverage for companies against data security breaches arising out of the provision of professional services.
Directors and Officers Insurance
D&O policies may protect directors and officers against claims arising out of cyber incidents. These policies may also protect companies against securities and shareholder derivative lawsuits arising out of cyber incidents.
If an employee of a medical device manufacturer or a
If any property used or owned by a
Business Interruption and Contingent Business Interruption Insurance
These coverages are often part of other policies, such as a cyber insurance policy or property policy. Business interruption coverage may protect against losses a health care provider or device manufacturer faces if they cannot conduct business as usual because of a hack. Contingent business interruption coverage can provide protection against losses a device manufacturer may experience if a supplier is hacked and that hack results in loss of revenue to the manufacturer.
Beyond assessing the types of coverage to obtain, companies will also need to carefully evaluate their insurance programs to ensure there are no exclusions or policy conditions that operate across the policies to bar or limit coverage. For example, cyber policies may contain a terrorism exclusion, which excludes coverage for terrorism, hostilities, and claims arising from “acts of foreign enemies.” If a hack is traced back to a state-sponsored actor or a terrorist organization, this exclusion may bar coverage. Other cyber policies may exclude claims for bodily injury, and some CGL policies attempt to exclude any claims arising from a cyber incident. Given the unique nature of connected medical devices, these types of exclusions may work together to bar coverage for a
In addition to insurance coverage that may be available for medical device manufacturers and
With the rapidly evolving landscape for medical devices and
Meghan Magruder is a senior partner at King & Spalding and a member of the business litigation practice group. She handles complex litigation matters and is regularly listed in The Best Lawyers in America©, Georgia Super Lawyers, and Top Women Attorneys in Georgia. Ms. Magruder is a fellow in the Litigation Counsel of America and a fellow in the American College of Coverage Counsel for her work representing policyholders in connection with insurance coverage and recovery. She is a member of the American Law Institute, and she is a former officer of the American Bar Association Section of Litigation.
Amy Dehnel is an associate in King & Spalding’s Atlanta office and is a member of the firm’s business litigation practice group. Amy’s practice focuses on representing companies in policyholder insurance coverage litigation, arbitration, and consultation.