Insurance Coverage to Protect the Health Care Industry from the Increasing Risks Associated with the Internet of Things

Meghan Magruder and Amy Dehnel

December 15, 2017 12:12 PM

This past summer, the world-wide WannaCry ransomware attack marked what many believe was the first instance of ransomware infecting a medical device. This hack, however, was no surprise to experts who have been warning about vulnerabilities in the health care industry for years.

With the world speeding toward a complete internet of things—connected cars, smart homes, and wearable devices tracking people’s biometrics and location—the health care industry is changing at a breakneck speed. Implantable medical devices contain capabilities, such as wireless connectivity, remote monitoring, and other technology allowing professionals and patients to fine-tune devices without invasive procedures. And in U.S. hospitals, there are usually 10 to 15 “connected” devices per hospital bed that perform crucial functions like monitoring vitals and delivering life-sustaining medication.

While this connectivity can provide great benefits to patients and physicians, the security issues inherent in these devices are critical.

The life-threatening consequences for individuals with implanted or wearable medical devices that are vulnerable to cyber attacks may be obvious: a hacker could hijack an insulin pump and program a life-ending dose of insulin to a patient, for example, or cause a pacemaker to malfunction.

Threats like these are not merely hypothetical, and they occur even in medical devices manufactured by some of the biggest and most well-known Fortune 100 companies. In the last few years, multiple life-sustaining medical devices, such as pacemakers and defibrillators, have been identified as vulnerable to “potentially catastrophic attacks.” Former Vice President Dick Cheney ordered that the wireless capability on his pacemaker be disabled to protect it from hackers, and a well-known “white hat” hacker and cybersecurity expert in New Zealand demonstrated that certain pacemakers and insulin pumps can easily be hacked. Earlier this year, almost half a million implantable pacemakers were recalled due to cybersecurity holes, requiring patients to visit their health care provider to receive a firmware update. And this fall, the U.S. Department of Homeland Security found serious flaws in three versions of an infusion pump that would allow cybercriminals to hijack the device.

Vulnerabilities in medical devices in hospitals also pose a significant and more widespread threat. Attackers may access a medical device in a hospital—such as an MRI machine—to infiltrate an entire network and obtain access to personal identifying information and medical records. This data could be used for identity theft or tax fraud, or hackers could use prescription information to order medication and sell it on a black market. In California last year, hackers held data ransom in an attempt to extract a large payment from a health care organization. Similarly, a major hospital chain in the Washington, D.C., area had to shut down its IT systems and use paper records after a hacker infiltrated its systems. And earlier this year, multiple hospitals and health care networks in the United States fell victim to other malware attacks. These are just a few examples of the ever-increasing threats the health care industry is facing.

Medical devices are easy targets for hackers because they often run outdated operating systems, do not receive security patches, and are not monitored for attacks.

Indeed, the security measures in these medical devices have generally been an afterthought for developers and often lag behind security standards for other products and industries. By way of example, while some medical devices have a lifespan of 30 years, their software components are usually only good for two to 10 years and may not get the necessary updates to protect against attacks. Further, one survey suggests that, while two-thirds of medical device manufacturers believe a cyber attack on a medical device built by their organization is “likely” or “very likely,” only 17 percent of manufacturers are actively taking steps to address that threat. And only 9 percent of manufacturers test their medical devices at least annually. Compounding the issue is the fact that many of these medical devices end up in use in health care organizations without first passing through an IT department and going through the screening that other pieces of technology would.[i] In fact, recent investigations found that 85 percent of hospitals do not have a single qualified cybersecurity person on staff.[ii] And another report from 2016 suggests that more than 50 percent of health care organizations spend less than 3 percent of their IT budgets on security.[iii]

In light of these realities, some of the most recent cyber attacks, including the widespread hacks known as Petya and WannaCry, have targeted health care organizations and medical devices. For instance, a device used for MRI imaging was held ransom by the global WannaCry attack. And in the wake of WannaCry, several other medical device manufacturers released security advisories for their customers. In less than a year, “[h]ospitals and health care went to the No. 1 targeted industry” for hackers,[iv] and in the “past three years, the health care sector has been hacked even more than the financial sector.”[v] Security experts expect that the number of breaches related to the internet of things will only grow this year.

Lawmakers have recently tried to address these vulnerabilities. In late 2016, the FDA issued guidance on cybersecurity in medical devices and held a webinar in January 2017 on that guidance. And in July 2017, new legislation known as the Medical Device Cybersecurity Act of 2017 was introduced in the Senate with a goal of improving cybersecurity in medical devices. Although these initiatives are moving in the right direction, there are currently no laws or enforcement mechanisms in place to ensure that medical devices contain sufficient security to protect patients and health organizations.

While other industries may suffer some interruption to business by a cyber attack, an attack in the health care industry potentially impacts the health and well-being of patients. Medical device manufacturers and health care organizations are stepping up to fully understand and address the cyber risks they face. These entities will also need to rethink their insurance coverage to address their constantly evolving exposure. One underwriter has explained that these advanced medical devices are a “high-risk/high-reward area” and the “liability threat landscape moving forward … is not clear.”[vi]

Because medical devices touch all aspects of the health care industry and a security breach can have wide-ranging effects, it will be crucial for health care organizations and medical device manufacturers to consider the interplay of their various insurance policies to ensure there are no gaps in coverage. These industries should work with their brokers and experienced coverage counsel to ensure that their insurance policies work together to cover the following risks that can arise with the increasing use of connected health care devices.

First-party costs associated with a cyber attack.

Once a breach occurs, there is a wide array of costs a company will likely incur almost immediately, including: (i) forensic investigation costs; (ii) legal costs associated with a breach response; (iii) crisis management/PR costs; (iv) costs relating to mailing notifications to consumers; (v) credit monitoring costs; (vi) costs for setting up a call center to handle consumer calls; (vii) costs for restoration of systems; (viii) business interruption and contingent business interruption losses; (ix) remediation costs; and (x) product recall losses.

Third-party claims based on data breach.

Given the unique usage of data stored on (or accessible through) medical devices, there are also a variety of third-party claims that patients may bring against a medical device manufacturer, a hospital, or a health care provider in the event of a medical device hack, including medical malpractice claims, product liability claims, bodily injury claims, invasion of privacy claims, and personal injury claims. Similarly, it is likely that a medical device manufacturer or health care organization will be subject to a regulatory investigation by at least one, if not several, state and federal agencies in the event of a hack.

Within the current insurance landscape, there is no single policy that will adequately cover all of the losses that could potentially arise from a medical device hack. A medical device manufacturer or health care organization will need to obtain and negotiate a number of different types of policies to ensure the various risks associated with modern medical devices are covered. By way of illustration, the following types of policies could be implicated by a data breach in a medical device.

Cyber Insurance

Cyber policies vary widely among different insurers, but will often provide broad coverage for first- and third-party losses arising from a cyber attack. Cyber insurance may contain several policy conditions, exclusions, and sublimits that can limit coverage.

Commercial General Liability Insurance

These types of policies will often cover third-party claims such as bodily injury or personal injury, as well as financial loss arising from the use of a covered product.

Errors and Omissions Insurance

E&O policies can provide coverage for companies against data security breaches arising out of the provision of professional services.

Directors and Officers Insurance

D&O policies may protect directors and officers against claims arising out of cyber incidents. These policies may also protect companies against securities and shareholder derivative lawsuits arising out of cyber incidents.

Crime Insurance

If an employee of a medical device manufacturer or a health care organization is involved in a data security breach, then there may be coverage for any resulting losses under a crime insurance policy.

Property Insurance

If any property used or owned by a health care organization or medical device manufacturer is physically damaged as a result of a cyber attack, there may be coverage under a property insurance policy.

Business Interruption and Contingent Business Interruption Insurance

These coverages are often part of other policies, such as a cyber insurance policy or property policy. Business interruption coverage may protect against losses a health care provider or device manufacturer faces if they cannot conduct business as usual because of a hack. Contingent business interruption coverage can provide protection against losses a device manufacturer may experience if a supplier is hacked and that hack results in loss of revenue to the manufacturer.

Beyond assessing the types of coverage to obtain, companies will also need to carefully evaluate their insurance programs to ensure there are no exclusions or policy conditions that operate across the policies to bar or limit coverage. For example, cyber policies may contain a terrorism exclusion, which excludes coverage for terrorism, hostilities, and claims arising from “acts of foreign enemies.” If a hack is traced back to a state-sponsored actor or a terrorist organization, this exclusion may bar coverage. Other cyber policies may exclude claims for bodily injury and some CGL policies attempt to exclude any claims arising from a cyber incident. Given the unique nature of connected medical devices, these types of exclusions may work together to bar coverage for a cyber attack that causes injury to patients.

In addition to insurance coverage that may be available for medical device manufacturers and health care organizations, there may also be protections in third-party agreements. For example, indemnification provisions may include language regarding additional insurance coverage or circumstances under which a third party will pay for certain losses arising from a breach. These third-party agreements, such as cloud-based service agreements with vendors or supply agreements, should be carefully reviewed to ensure that they provide protection for manufacturers and health care organizations.

With the rapidly evolving landscape for medical devices and health care organizations, as well as the widely recognized security vulnerabilities, companies throughout the industry need to carefully evaluate their exposure. Recent developments in device technology and cyber attacks highlight that there is no one-size-fits-all insurance coverage for the current risks. In fact, for now, many companies in the industry should have an array of policies selected by their brokers and reviewed by coverage counsel to ensure all such risks and exposures are covered. As the health care industry and the internet of things continue to develop, insurers will likely start to modify the coverages and policies they offer to address the new risks associated with an (almost) all-connected world.

-------------------------------

[i] Kristen Lee, Cybersecurity of Medical Devices: The New Threat Landscape, TechTarget (Feb. 2017), http://searchhealthit.techtarget.com/feature/Cybersecurity-of-medical-devices-The-new-threat-landscape.

[ii] Harris et al.

[iii] Bill Siwicki, Cybersecurity Special Report: Ransomware Will Get Worse, Hackers Targeting Whales, Medical Devices and IoT Trigger New Vulnerabilities, Healthcare IT News (May 17, 2016, 7:07 AM), http://www.healthcareitnews.com/news/cybersecurity-special-report-ransomware-will-get-worse-hackers-targeting-whales-medical-devices.

[iv] Harris et al.

[v] Newman.

[vi] Sean Fenske, Insuring Medical Device Wearables Are Covered, Medical Product Outsourcing (June 9, 2016), https://www.mpo-mag.com/issues/2016-06-01/view_columns/insuring-medical-device-wearables-are-covered/.

-------------------------------

Meghan Magruder is a senior partner at King & Spalding and a member of the business litigation practice group. She handles complex litigation matters and is regularly listed in The Best Lawyers in America©, Georgia Super Lawyers, and Top Women Attorneys in Georgia. Ms. Magruder is a fellow in the Litigation Counsel of America and a fellow in the American College of Coverage Counsel for her work representing policyholders in connection with insurance coverage and recovery. She is a member of the American Law Institute, and she is a former officer of the American Bar Association Section of Litigation.

Amy Dehnel is an associate in King & Spalding’s Atlanta office and is a member of the firm’s business litigation practice group. Amy’s practice focuses on representing companies in policyholder insurance coverage litigation, arbitration, and consultation.
