Is Any Body Safe?
Insuring medical devices against cyberattacks
Cybersecurity is a hot topic in every area of business—including insurance—but medical devices may not immediately come to mind when considering immediate or long-term cyber risks.
There have been a number of high-profile lawsuits against hospitals and medical providers involving liability for unintentional access to or disclosure of personally identifiable information (PII) and protected health information (PHI) from patient files and medical records. Hospitals have also been in the news for security breaches: most will recall the WannaCry ransomware worm, which spread around the world in 2017 and knocked hospital systems offline, and the SamSam ransomware attacks that have hit hospitals and other organizations over the last two years. But cyber risks from personal medical devices are just figments of television writers' imaginations, right? Frighteningly, the answer in 2019 is "no."
Personal medical devices like pacemakers, implantable defibrillators, and insulin pumps; institutional or networked devices and other mobile health technologies like infusion pumps, patient monitors, ventilators, imaging modalities, and other life-sustaining or life-supporting equipment; and even seemingly benign devices like hearing aids, which can now be controlled from a smartphone, are exposed to significant cyber risks: remote compromise, malware infection, and other unauthorized access. These risks are not hypothetical; the U.S. Food and Drug Administration has issued safety communications and recalls for implantable cardiac devices and insulin pumps because of exploitable wireless vulnerabilities.
These vulnerabilities carry the familiar risk of exposing personal information stored on the devices or on the networks they connect to, and they also pose serious patient-safety risks if a device is disabled, infected with malware, rendered inaccessible, or has its settings or therapy parameters altered. They also raise a number of novel underwriting issues and potential coverage questions under many kinds of insurance policies, including general liability, products liability, cyber and professional liability, and, potentially, directors and officers liability.
Underwriting and Pricing
From an underwriting perspective, insurers are taking a very close look at policyholders' internal IT policies and procedures. Carriers will want to evaluate the prospective insured's asset inventory and management: controls on how devices are networked, limits on which systems each device is allowed to communicate with, and the ability to quickly identify and isolate a device that malfunctions or is compromised so that the rest of the network is not exposed. The insured's ability to manage credentials and user access to devices that store or transmit patient data is another important factor. The insured's software update and patch management procedures will also be examined to determine whether updates are applied regularly and promptly. Because many legacy medical devices run operating systems the manufacturer no longer updates, underwriters will also ask what compensating controls (network isolation, restricted access, and monitoring) protect devices that cannot be patched at all. Finally, a policyholder's demonstrated compliance with regulatory standards (HIPAA, HITECH, GDPR, and state privacy statutes) is important when assessing the risk.
The underwriter's job requires an understanding of the interplay between the various types of coverage purchased by (and available to) the prospective insured. Because many different cyber policy forms are offered in the marketplace, the scope of coverage varies significantly with the insurer involved and the coverage purchased. Whether a potential loss associated with medical devices properly falls under medical malpractice coverage, cyber/technology errors and omissions (E&O) coverage, or some other line should be worked out when identifying potential exposures for policyholders and insurers.
Properly pricing risk in this arena also presents challenges. An insured facing a breach could encounter a combination of claims involving government fines and penalties, civil lawsuits, and injunctive relief, not to mention first-party loss and expense incurred by that insured. In a legal environment that lacks uniformity when it comes to first-party and third-party damages flowing from a breach, it can be difficult to accurately price policies that would cover breaches relating to medical devices.
Still, underwriters will examine the type of information collected by the device and stored by the prospective insured to evaluate what exposures could flow from a breach. A company that stores comprehensive, sensitive medical histories may face greater liability for third-party claims than a company that maintains only a narrow data set, such as patients' cholesterol readings.
It is also important for the underwriter to consider the number of records stored by the device and connected systems, and the number of individuals who could be impacted by a breach. Finally, factors typically considered in underwriting other lines of coverage (the policyholder’s revenue, size, and location) will be additional pieces of the equation.
What Is Covered Where?
The insurance coverage issues implicated by medical device vulnerabilities are similar to those raised by data breaches from non-medical devices that have occurred in health care settings. Traditional insurance policies were not designed to address these emerging risks; thus, gaps in coverage exist.
In the event of physical harm (bodily injury or death) to patients caused by medical device compromise or failure as a result of a breach (e.g., a hacker accesses a device remotely and changes settings), medical device manufacturers and sellers, and software providers, may have coverage under their CGL/products liability policies. Depending on what defect is alleged to have ultimately caused the harm, coverage issues may include evaluating who is an insured under each policy; priority of coverage; contractual liability exclusions; and business risk exclusions.
Absent actual bodily injury, CGL policies generally do not cover data breaches under Coverage A (bodily injury and property damage liability) unless there is a claim for physical damage to or loss of use of tangible property, which courts have held to mean actual damage to, or loss of use of, computer hardware. This is because the ISO CGL policy form has, since 2001, defined "property damage" to exclude damage to, or loss of use of, electronic data. In addition, in 2004, the form was amended to exclude all damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
Courts are split, and case law is still emerging, as to whether data breaches are covered under Coverage B (personal and advertising injury) of a CGL policy. For example, the court in Travelers Indem. Co. v. Portal Healthcare Solutions LLC held that "publication" includes making information available online even without proof that anyone accessed or misused it. But the court in Total Recall Information Management Inc. v. Federal Ins. Co. held that "publication" requires proof of third-party access as well as publication or misuse of the data. The central question, then, is whether personal information was merely exposed to access or was actually published or misused.
Entities may also have coverage under cyber policies or programs provided that the cyber policies are customized to address such risks. Technology E&O policies may also provide “contingent bodily injury” coverage for bodily injury caused by digital events otherwise insured under such policies.
Potential Loss Scenarios
The most foreseeable scenario is that medical device software vulnerabilities result in malware attacks that cause business income losses to health care institutions or other providers. In that case, medical device manufacturers and software, service, and component-part providers may be covered for such financial losses under E&O policies or cyber policies under certain circumstances (e.g., if the device is on the manufacturer’s network). The health care provider’s own financial losses from compromised medical devices on its network could potentially be covered under first-party property policies as well as cyber policies.
Health care institutions may also look to medical professional policies, but those may have some limitations in the context of cyber exposures. E&O policies may cover costs of third-party claims resulting from professional services causally connected to data security incidents, provided that the claims or allegations involve “professional” misconduct, and the acts or omissions were undertaken within a “professional” capacity, as defined by the policy.
E&O policies generally do not, however, cover first-party costs (unless added by endorsement) or costs not arising from "professional services." In the absence of any specific cyber exclusions, policyholders can argue for a broad interpretation of coverage. However, it is unclear whether any particular policy will ultimately be broad enough to cover medical device failures that result from faulty software code, networks, and computer technology (IT services as opposed to professional services) absent some specific cyber liability or technology E&O coverage provisions, or a separate policy.
Another possible scenario is that medical devices are hacked and patient data is stolen. A large theft of health data, like the 2015 Anthem breach (which involved an insurer's database rather than a device), triggers notification obligations under multiple states' statutes and regulations and, where EU residents' data is involved, under GDPR, along with forensic investigation and other response costs. Alternatively, medical devices may be commandeered into denial of service or distributed denial of service attacks, resulting in loss of use of third parties' computer systems. Either scenario exposes the health care institution to its own financial losses and to potential liability for the theft or disclosure of patient information or for harm to the third parties attacked.
Here, medical device manufacturers and software and component-part manufacturers may have coverage only under technology E&O policies and true cyber policies. Health care providers may have coverage only under true cyber policies for harm to third parties resulting from security failures in medical devices for which they are responsible (e.g., a failure caused by the hospital's not applying an available software update or not protecting credentials, as opposed to a defect in the device itself or the manufacturer's failure to provide the update).
A health care institution could also be the victim of cyber extortion, such as ransomware attacks like WannaCry and SamSam, which can reach medical devices running unpatched commodity operating systems. Institutions lacking offline or tested backups, or whose backups were also encrypted or infiltrated, may face prolonged shutdowns while they rebuild their systems. Device manufacturers and software, service, and component-part providers facing potential liability for device failures may have coverage under E&O or cyber policies, but there may be gaps in coverage if the policies are not issued by the same insurer. Health care providers may have coverage under cyber policies or special crime policies only for the costs of addressing the extortion threat itself. Business interruption claims may be covered separately under first-party property and cyber policies.
While health care institutions can reduce the likelihood that a breach occurs, medical devices and associated software are changing at such a pace that breach prevention is far from certain. Insurers that issue policies to health care providers should understand the regulatory and legal landscapes relevant to a breach originating from a medical device. Novel theories of product liability and professional liability may be pursued by impacted patients. Government regulators could seek penalties for failing to preserve the security of the devices and health care networks. Providers face their own potential loss for reduced productivity and system restoration costs.
Insurers must, therefore, undertake a detail-oriented underwriting process in order to evaluate the risks presented by a potential policyholder that uses medical devices. Insurers should also look for ways to assist their insureds with risk-mitigation tools and qualified experts to help respond to breaches. When policyholders, brokers, insurers, and vendors work together, they can ensure that insureds' risks are mitigated, the proper coverage is purchased, and the right steps are taken to respond to a breach involving medical devices.