How cyber risk is affecting medical professional liability
As far back as 2013, insurers were warning hospitals and providers that attacks on medical devices and software could expose them to medical professional liability claims, not just data-breach costs.
In the rush of daily life, it is easy to forget how many incidents and warning flags have emerged in the last five years alone. Viewed in aggregate, they make clear that these risks can reach an organization's liability for the care and services it delivers.
It’s arguable that cyber risks present a new form of medical professional liability for healthcare delivery organizations. Providers need to review the vulnerabilities that have been discovered in the past five years and then commit to action to protect themselves.
In 2013, the Hartford published an industry perspective on two regulatory changes: the expanded HIPAA enforcement powers the HITECH Act gave the Office for Civil Rights, and new cybersecurity expectations from the Food and Drug Administration. The Department of Health and Human Services extended the HIPAA privacy and security rules to business associates, and the FDA issued guidance directing device makers to build in safeguards that reduce the risk of a cyberattack compromising the confidentiality, integrity or availability of medical devices and the healthcare facilities that rely on them.
“Regardless of how the data is transmitted, it should be secured, so it cannot be accessed or tampered with,” warned Joe Coray, who was then vice president and global practice leader of technology and life science for the Hartford. “If a patient’s protected information is breached, … there is potential for civil action against the doctor, the network, device makers, the software developer or other businesses that support those entities.”
In 2015, the Department of Homeland Security issued an advisory on cybersecurity vulnerabilities in Hospira's Symbiq Infusion System, a computerized pump that provides continuous medication delivery and communicates with the hospital information system over a wireless or wired network connection. Ten days later, the FDA issued an alert advising healthcare providers to discontinue use of the Symbiq pump because of the vulnerability: a product was being pulled from clinical use not for a mechanical defect, but for a cybersecurity one.
In 2016, Gallagher Healthcare posted a blog on medical device cybersecurity. Pointing to the number and size of healthcare breaches caused by hackers in 2015 and by ransomware in early 2016, the organization warned that such activities, including those involving medical devices, "threaten [not only] the ongoing business activities of the provider, but also patient care and reputation."
Following a discussion of the vulnerabilities and challenges of medical devices (including "outdated and unpatched operating systems"), the blog detailed three examples of "white hat" hacks demonstrating access through an insulin pump, a pacemaker and infusion pumps. "Patients will hold their healthcare provider responsible for security breaches in devices that are recommended or used by their physicians," the article noted. "The consequences to the provider of security breaches include liability for financial loss and bodily injury, and their own business interruption and damage to reputation."
Gallagher’s blog also stated that, “It is always possible that liability will be claimed against all persons and entities in the chain of distribution, from manufacturer to testing laboratory, software vendor/consultant, medical sales representative, doctor, hospital/clinic and any retailer,” noting that current coverage for providers may exist under “many different coverages, including cyber insurance, medical professional liability, general liability and property insurances.”
In October 2016, Johnson & Johnson warned patients about a security vulnerability in one of its insulin pumps, which used a proprietary wireless management protocol over unencrypted radio-frequency communication. Because the key used to pair the pump with its meter was transmitted in clear text, anyone within radio range who captured the pairing exchange could send the pump dosing commands, triggering insulin delivery the patient never requested and a potentially serious hypoglycemic reaction. The practical lesson is not specific to one vendor: a secret that is transmitted in the clear over a broadcast medium offers no authentication at all once a single exchange has been observed.
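To make that mechanism concrete, the following is an added illustration written for this article; it is not the manufacturer's protocol and not code from any vendor. It simulates a toy RF link in which the pairing key is sent in the clear, a passive listener that records the key and forges a dose command, and a hardened variant in which the key is provisioned out of band and every command carries a monotonic counter and an HMAC. The frame layouts, the `MAX_BOLUS_UNITS` safety bound and the sample traffic are all constructed assumptions.

```python
"""Toy pump/meter RF link: cleartext pairing key vs. authenticated commands.

Constructed for illustration; frame formats are assumptions, not any
real device's protocol.
"""
import hashlib
import hmac
import os
import struct

MAX_BOLUS_UNITS = 10.0  # assumed hard safety bound enforced by the pump


# ---------- Legacy link: pairing key travels in clear over the air ----------
class LegacyPump:
    def __init__(self):
        self.key = None
        self.delivered = []  # units dispensed, in order

    def on_frame(self, frame: bytes) -> bool:
        """Return True if the pump acted on the frame."""
        kind, body = frame[:1], frame[1:]
        if kind == b"P":                      # pairing frame: 16-byte key, unencrypted
            self.key = body
            return True
        if kind == b"D" and self.key is not None:
            key, units = body[:16], struct.unpack(">f", body[16:20])[0]
            if key == self.key:               # the only check: do you know the key?
                self.delivered.append(units)
                return True
        return False


def legacy_dose_frame(key: bytes, units: float) -> bytes:
    return b"D" + key + struct.pack(">f", units)


class Eavesdropper:
    """Passive listener within radio range; records every frame it hears."""
    def __init__(self):
        self.frames = []

    def observe(self, frame: bytes) -> None:
        self.frames.append(frame)

    def legacy_key(self):
        return next((f[1:] for f in self.frames if f[:1] == b"P"), None)


def run_legacy_attack():
    """Pair, deliver one legitimate dose, then let the listener forge an overdose."""
    pump, sniffer = LegacyPump(), Eavesdropper()
    key = os.urandom(16)
    for frame in (b"P" + key, legacy_dose_frame(key, 2.0)):
        sniffer.observe(frame)
        pump.on_frame(frame)
    forged = legacy_dose_frame(sniffer.legacy_key(), 9.5)  # attacker-chosen amount
    return pump.on_frame(forged), pump.delivered


# ---------- Hardened link: key never sent; counter + HMAC on every command ----------
class HardenedPump:
    def __init__(self, key: bytes):
        self.key = key          # provisioned out of band (assumption), never transmitted
        self.last_ctr = 0
        self.delivered = []

    def on_frame(self, frame: bytes) -> bool:
        if frame[:1] != b"D" or len(frame) != 1 + 4 + 4 + 32:
            return False
        ctr = struct.unpack(">I", frame[1:5])[0]
        units = struct.unpack(">f", frame[5:9])[0]
        expected = hmac.new(self.key, frame[:9], hashlib.sha256).digest()
        if not hmac.compare_digest(frame[9:], expected):
            return False                      # forged or corrupted
        if ctr <= self.last_ctr:
            return False                      # replay of an earlier command
        if not 0 < units <= MAX_BOLUS_UNITS:
            return False                      # defence in depth even with a valid key
        self.last_ctr = ctr
        self.delivered.append(units)
        return True


def hardened_dose_frame(key: bytes, ctr: int, units: float) -> bytes:
    body = b"D" + struct.pack(">I", ctr) + struct.pack(">f", units)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def run_hardened_attack():
    """Same listener against the hardened link: replay and forgery both fail."""
    key = os.urandom(16)
    pump, sniffer = HardenedPump(key), Eavesdropper()
    legit = hardened_dose_frame(key, 1, 2.0)
    sniffer.observe(legit)
    pump.on_frame(legit)
    replay_ok = pump.on_frame(sniffer.frames[0])                 # replayed verbatim
    forge_ok = pump.on_frame(hardened_dose_frame(os.urandom(16), 2, 9.5))  # wrong key
    return replay_ok, forge_ok, pump.delivered


if __name__ == "__main__":
    print("legacy   :", run_legacy_attack())     # forged overdose accepted
    print("hardened :", run_hardened_attack())   # replay and forgery rejected
```

The hardened variant fixes only the two properties the article's description implies are missing, confidentiality of the pairing secret and authentication of commands; it does not by itself address an attacker who can physically initiate pairing, nor jamming of the link. The `MAX_BOLUS_UNITS` check is there to show that a dosing limit enforced in the pump's own firmware bounds the harm even if the cryptographic layer is later broken.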
Later in 2016, PartnerRe and Advisen surveyed the evolution of the cyber insurance market. The survey found that healthcare, followed by professional services, was the leading source of new cyber insurance buyers, surpassing retail and financial services. Yet the report noted: "While the security of health information is a major public and private sector concern, less than a quarter of underwriters or producers indicated that they endorsed cyber coverage onto a medical professional liability [policy]."
In August 2017, the FDA and Homeland Security announced a recall of roughly 465,000 pacemakers made by Abbott (formerly St. Jude Medical) over hacking concerns; the recall was carried out as a firmware update rather than by explanting devices. The six affected models were all radio-frequency enabled, and the vulnerabilities would have allowed an attacker within range to reprogram a device, draining its battery prematurely or altering the patient's pacing.
In a paper entitled "Know Your Enemy: Characteristics of Cyber Attacks on Medical Imaging Devices," researchers warned that MRI and computed tomography (CT) machines are "increasingly connected to hospital networks, making them vulnerable to sophisticated cyber-attacks targeting the devices' infrastructure and components, disrupting digital patient records and potentially jeopardizing patients' health."
The paper identifies the host control PC as the most vulnerable component of the CT ecosystem, because it is also the hardest to keep patched: software changes to a medical imaging device must be validated by the manufacturer, and some changes require FDA review, which can be lengthy. (The FDA's own postmarket guidance treats routine cybersecurity patches as generally not needing premarket review, but the manufacturer validation step alone can leave a host PC running an unsupported operating system for years.)
In an article this March in the Minneapolis Star Tribune, author Joe Carlson wrote, “Security experts say there will always be tension between the cyber protections in heart devices and the health benefits of wireless access to them. Mark Lanterman, chief technology officer with Computer Forensic Services in Minnetonka, said gains in convenience often mean small losses of security, which is why vigilance is needed.”
According to Aon and ASHRM's 2017-2018 Hospital and Physician Professional Liability Benchmark Report, "The changing environment and increased use of technology within the healthcare field makes cyber risk one of the top concerns for health care risk managers." Although almost all respondents said they purchase cyber insurance, more than one in five "rely on an established captive to support their cyber insurance coverage."
Cyber risks involving medical devices are now well documented, and they call for proactive mitigation rather than reaction after an incident. Executives who accept this should work in cross-functional teams to identify their risks before they surface as patient harm or litigation.
To do so, they should take actions including, but not limited to:
- Starting internal discussions to connect the dots between cyber risk and patient safety.
- Looking beyond traditional IT assets to biomedical devices and the Internet of Things (IoT) to identify cyber risks.
- Considering their captive programs as a risk-financing vehicle for cyber risks and to fund risk identification/risk assessment programs.
- Treating cyber risk management as an Enterprise Risk Management issue, not just an “IT problem.”