02.14.14
Greek mythology tells us that Prometheus gave mankind the gift of fire, bringing many benefits but also unleashing destructive forces. New technologies bring novel benefits. They also, however, often spawn unintended consequences. The tech industry delivers astonishing computing power. This power enables medical device firms—among other businesses—to harness vast computing resources to drive their business plans, manufacturing and device functionality. Unintended consequences often arise—no shock there. To paraphrase a popular bumper sticker, “S**t Happens.” In the case of computers, one unintended consequence is the risk of cyber perils.
We often associate cyber risks with financial institutions—banks, insurance companies, credit card firms. While the financial sector faces cyber risks, it is by no means the only economic niche facing such headaches. Medical device firms also are vulnerable to cyber-liability risks. Device firms often harbor vast chunks of personal data. They must comply with increasingly stringent privacy laws. If you have computers, you have cyber-risk exposures.
To start, let’s define cyber risk. Cyber risk refers to a range of computer-related problems and technical vulnerabilities inherent in information technology and systems, including hacker attacks, phishing, malicious viruses, worms and spyware, inadvertent disclosure of private or proprietary information, or equipment malfunction due to intentional sabotage. (Editor’s note: See the sidebar glossary for more details.) These risks can harm medical device companies, which rely on data to test products and bring them to market.
The approval gauntlet of the U.S. Food and Drug Administration (FDA) is data-driven. Without data demonstrating a device’s efficacy and safety, no medical technology company can win the FDA approval needed for commercial viability. Losing or compromising data can devastate a firm’s ability to bring a new device to market. Inability to launch a product, or launching it belatedly, can mean the difference between commanding market share and being an also-ran, between getting venture capital funding and not. It can spell the difference between survival and insolvency. Even if cyber attacks do not cripple a company, they can inflict financial harm through downtime, denial of service, lost production, reputational damage or even product liability from device malfunction.
Recently, I attended a risk management conference in Charlotte, N.C. A featured speaker was a cyber-risk expert. He cited a medical device manufacturer implementing layoffs. A “surviving” employee, upset about the reductions in force, took a company laptop computer to a McDonald’s, ordered coffee, and remotely shut down the company’s manufacturing processes. He did this in retaliation for what he felt were unfair layoffs.
The Federal Bureau of Investigation (FBI) probed the incident and traced the laptop’s IP address to a specific McDonald’s and culled store purchase records for the date in question. Debit card receipts linked a specific company employee to the McDonald’s at the time in question. FBI agents questioned the worker, who confessed. However, the company suffered substantial business interruption, losing a week’s worth of manufacturing.
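The company in that account lost a week of production before anyone connected the shutdown to a remote session. As an added example, not code from the column or from the firm it describes, the script below shows the gateway-log check that would have surfaced the session the same day: it flags any session that issues a stop command to a manufacturing host from an address outside the corporate ranges, and emits the (source address, time window) pair that the investigation then takes to external records such as store receipts. The log format, host names, address ranges, commands and the sample log lines are all constructed for illustration.

```python
"""Flag remote sessions that stop manufacturing from outside the corporate
network, and produce the (ip, time window) an investigator would correlate
against external records.

Added example; not from the original column. Log format, host names,
address ranges, commands and the sample log are assumed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed corporate address space; sessions from anywhere else are "off-network".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.50.0/24")]

# Assumed hosts that control production, and assumed commands that halt it.
MANUFACTURING_HOSTS = {"plc-line1", "plc-line2", "mes-core"}
STOP_COMMANDS = {"line.stop", "shutdown", "estop"}

# Assumed remote-access gateway line: ISO timestamp, user, source IP, target host, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log. The 198.51.100.23 entries model the insider scenario;
# the 203.0.113.9 entry is an off-network session that only reads status.
SAMPLE_LOG = """\
2013-09-04T09:12:01 user=jdoe src=10.4.7.21 host=mes-core action=status
2013-09-04T13:41:17 user=bsmith src=198.51.100.23 host=plc-line1 action=login
2013-09-04T13:42:05 user=bsmith src=198.51.100.23 host=plc-line1 action=line.stop
2013-09-04T13:42:40 user=bsmith src=198.51.100.23 host=plc-line2 action=line.stop
2013-09-04T13:43:10 user=bsmith src=198.51.100.23 host=plc-line1 action=logout
2013-09-04T15:03:55 user=jdoe src=10.4.7.21 host=mes-core action=status
2013-09-04T22:10:00 user=oncall src=203.0.113.9 host=mes-core action=status
"""


def parse(log_text):
    """Parse gateway lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count malformed lines
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["src"] = ipaddress.ip_address(d["src"])
        events.append(d)
    return events


def is_off_network(ip):
    """True when the address (string or ip_address) is outside every corporate range."""
    ip = ipaddress.ip_address(str(ip))
    return not any(ip in net for net in CORPORATE_NETS)


def find_off_network_stops(log_text):
    """One finding per (user, source IP) that sent a stop command to a
    manufacturing host from outside the corporate ranges. The finding keeps
    the whole session span, not just the stop commands."""
    findings = {}
    for ev in parse(log_text):
        if ev["host"] not in MANUFACTURING_HOSTS or not is_off_network(ev["src"]):
            continue
        key = (ev["user"], str(ev["src"]))
        f = findings.setdefault(key, {"user": ev["user"], "src": str(ev["src"]),
                                      "first": ev["ts"], "last": ev["ts"], "stops": []})
        f["first"] = min(f["first"], ev["ts"])
        f["last"] = max(f["last"], ev["ts"])
        if ev["action"] in STOP_COMMANDS:
            f["stops"].append((ev["ts"], ev["host"]))
    return [f for f in findings.values() if f["stops"]]


def investigation_window(finding, slack=timedelta(minutes=30)):
    """Widen the session span so a receipts or CCTV lookup catches arrival and departure."""
    return finding["first"] - slack, finding["last"] + slack


if __name__ == "__main__":
    for f in find_off_network_stops(SAMPLE_LOG):
        start, end = investigation_window(f)
        print(f"{f['user']} from {f['src']}: {len(f['stops'])} stop command(s); "
              f"correlate {f['src']} against external records between {start} and {end}")
```

The check deliberately keys on two facts the story turns on, an off-network source and a production-stopping action, rather than on the user name: the insider was a legitimate employee with legitimate credentials, so an alert on "unknown user" would never have fired. Whether a remote session should be able to stop a production line at all is the separate, and better, control question.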
Medical technology firms harbor vast amounts of data. This includes data on doctors who use and prescribe devices, patients who receive medical products, and clinical trial subjects. Data may include medical histories and financial information. Device firms must use this data responsibly, preserve and protect it so that it does not fall into the hands of unauthorized parties.
Leaving computer systems and high-tech products vulnerable to intrusion and hacking has many adverse consequences. Often, intrusions are due to casual oversight, preoccupation with other risks or the inertia of lax data security procedures. The increasing prevalence of cloud computing also heightens the need to buttress data security.
Product Liability Concerns
In addition, electronic medical equipment may be susceptible to malfunction or hacking through inadvertent or intentional activities. Such scenarios could cause adverse patient outcomes, including injury or death. This also could trigger liability claims against a device manufacturer from attorneys who allege that a manufacturer could have made a device safer by making it impregnable to outside hacking and intrusion. This could buttress a design defect allegation. Thus, cyber liability can intersect with product liability to create substantial financial consequences for a medical device firm.
In a widely publicized demonstration, a tech-savvy individual hacked his own insulin pump, compromising the pump’s performance. If this is doable with an insulin pump, perhaps it can be done with an implantable pacemaker or defibrillator. In 2010, former Vice President Dick Cheney received a left ventricular assist device; several years earlier his doctors had disabled the wireless function of his implanted defibrillator, lest an attacker use it in an assassination attempt.1 One need not be a top politician or worried about Al Qaeda to harbor concerns about the security of medical device software.
As medical devices become more complex, complications and risks multiply. In his recent book, “The Book of Immortality,” author Adam Gollner notes, “Every technological appliance... has glitches. They don’t always work properly. Do we really want tiny robots malfunctioning in our bodies? Computers are fragile, not foolproof. Imagine having to fix an intracellular motherboard crash. What about computer viruses infiltrating our bloodstream? They can already be programmed to contaminate chips and pacemakers, defibrillators and cochlear implants.”2
While many cyber risks arise from within organizations, others come from outside. Various motivations drive deliberate cyber attacks. These include gathering patient information, harming a patient’s health, a perpetrator’s ego gratification, or undermining competitors through adverse publicity.
FDA Enters the Picture
The FDA addressed these concerns in June 2013, when it issued a safety communication on cyber security for medical devices and hospital networks. The FDA places the onus on manufacturers to identify and mitigate cyber security risks in their devices.
When medical devices interface with hospital IT systems, data breaches and unauthorized disclosure of patient information can result, with significant consequences for a device firm’s financial health. If an attacker penetrates a hospital’s network via an unpatched or unprotected medical device, concerns about both patient safety and privacy intensify.
Firms should see that devices run up-to-date software, that sensitive data the software stores or transmits is encrypted, and that devices relying on software have antivirus protection where appropriate. Further, manufacturers must apply timely patches or fixes to software found to have security vulnerabilities.
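Knowing which deployed devices are behind the fixed version, and which of those sit on the most reachable network segments, is the first step to the timely patching the FDA communication asks for. The script below is an added example, not code from the column or from any device maker or the FDA; the inventory export, the device models, the advisory entries and the network zone names are hypothetical. It compares versions numerically (so that 2.10 sorts after 2.9, which a plain string comparison gets wrong, and a pre-release build sorts before its final release) and ranks unpatched devices by exposure.

```python
"""List deployed devices running software older than the version that carries
a security fix, most exposed first.

Added example; not from the column, the FDA communication or any vendor.
Inventory, models, advisories and zone names are hypothetical.
"""
import re

# Hypothetical inventory export: one record per fielded device.
INVENTORY = [
    {"id": "pump-0142", "model": "InfusoMax", "version": "2.10.1",     "zone": "clinical-vlan"},
    {"id": "pump-0143", "model": "InfusoMax", "version": "2.9.4",      "zone": "clinical-vlan"},
    {"id": "mon-0031",  "model": "VitalView", "version": "5.0.0",      "zone": "isolated"},
    {"id": "mon-0032",  "model": "VitalView", "version": "4.8.2",      "zone": "internet-facing"},
    {"id": "pump-0150", "model": "InfusoMax", "version": "2.10.0-rc1", "zone": "clinical-vlan"},
]

# Hypothetical advisories: per model, the first version that carries the fix.
ADVISORIES = {
    "InfusoMax": {"fixed_in": "2.10.0", "ref": "ADV-0001 (hypothetical)"},
    "VitalView": {"fixed_in": "5.0.0",  "ref": "ADV-0002 (hypothetical)"},
}

# Higher value = more reachable by an attacker; drives the triage order.
ZONE_EXPOSURE = {"internet-facing": 3, "clinical-vlan": 2, "isolated": 1}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(v):
    """Map '2.10.1' to a tuple that compares numerically: (2, 10, 1, 0, 1, 0).

    Up to four numeric components are zero-padded so '2.10' == '2.10.0'.
    The trailing pair marks release status: (1, 0) for a final release,
    (0, n) for a pre-release such as '-rc1', which therefore sorts below
    the final release with the same number.
    """
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))
    if m.group(2) is None:
        return nums + (1, 0)
    return nums + (0, int(m.group(3) or 0))


def needs_patch(device):
    """True if the device is below the fixed version; None if no advisory applies."""
    adv = ADVISORIES.get(device["model"])
    if adv is None:
        return None
    return parse_version(device["version"]) < parse_version(adv["fixed_in"])


def triage(inventory=INVENTORY):
    """Unpatched devices, most exposed first, then by id for a stable report."""
    out = []
    for d in inventory:
        if needs_patch(d):
            adv = ADVISORIES[d["model"]]
            out.append({"id": d["id"], "zone": d["zone"], "version": d["version"],
                        "fixed_in": adv["fixed_in"], "ref": adv["ref"],
                        "exposure": ZONE_EXPOSURE.get(d["zone"], 0)})
    out.sort(key=lambda e: (-e["exposure"], e["id"]))
    return out


if __name__ == "__main__":
    for e in triage():
        print(f"{e['id']:10} {e['zone']:16} {e['version']:>10} -> {e['fixed_in']}  {e['ref']}")
```

A device whose model has no advisory comes back as None rather than False, so "nothing known" is not reported as "patched"; in practice that bucket deserves its own line in the report, since unknown exposure is what the hospital-network scenario above turns on.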
Risk Management Strategies
Device firms can adopt four major risk management strategies to address cyber perils: Avoidance, retention, control and transfer.
Let’s briefly look at each.
Avoidance means that the device firm decides not to engage in activities that create cyber perils. Since cyber risks are inherent in using computers and the Internet, it is unrealistic to expect medical device firms, many of them high-tech, to forgo standard features of today’s business infrastructure. Avoidance is therefore not a practical option.
Retention means consciously and intentionally setting funds aside to address financial consequences from cyber risk. Self-insurance is one option. Another is to have a deductible or self-insured retention with an insurance policy.
Retention should be a conscious process. A company that overlooks risk and suddenly faces uninsured losses has not embraced retention as a risk management approach. Sleepwalking into a “self-pay” situation is not true retention.
Control means preventing cyber risk in the first place. Control also includes loss mitigation, cushioning the impact of cyber perils. For example, to boost company vehicle safety, firms keep a well-maintained car fleet and upgrade driver training. To curb lifting accidents and workers compensation costs, a device firm might provide safety belts and instruction on safe lifting techniques. With cyber losses, astute device firms can adopt various control measures.
Transfer shifts the financial consequences of cyber perils to another party, usually a professional risk-bearer, i.e. an insurance company. Buying coverage for cyber perils is an example of financial transfer. This could be through a standalone insurance policy. Firms also adopt transfer by adding cyber peril coverage to an existing insurance policy.
Loss Control Strategies
Since control and transfer are the most viable risk management strategies, let’s spotlight these two. Loss control tactics to thwart cyber risks include any one or combination of the following:
Contingency plan. Prepare incident response and business continuity contingency plans well in advance of any crisis. Calendar these for regular review and updating, in light of technological and organizational advances.
Self-assess and include vendors. Conduct self-assessments of internal systems to prevent data breaches. Verify that vendors and business partners with whom you exchange information have sound internal systems designed to address perils.
Brainstorm. As a management discipline, periodically make time to brainstorm the worst possible data breaches. Map out potential consequences.
Include information technology (IT) but go beyond IT. With the management team—including but not limited to IT—walk through the steps a company would take to respond to and mitigate a loss. Better still, conduct “after-action reviews” of such hypotheticals to determine preventive measures that reduce the odds of such scenarios.
The best strategy: Boost prevention as the first line of defense. View insurance as a “Plan B option.” Device firms that leverage the best deals on cyber-coverage are those who demonstrate to underwriters the existence of well-thought-out systems and protocols that prevent breaches in the first place.
Insuring Against Cyber Risks
Since insurance protection for cyber risks is relatively new, do not assume that existing insurance policies address the risk. Many property and liability insurance policies may ignore the problem, exclude it or are silent regarding the protection.
Many commercial general liability insurance policies, for example, provide scant cyber risk coverage. Such contracts often limit reimbursement to physical loss of or damage to tangible property. That is fine if a manufacturing plant is damaged by fire or a company car is dented, but some courts have held that computer data—bits and bytes—is not tangible property. Work with your insurance broker to scan the marketplace for the broadest coverage at the most reasonable price.
Device firms seeking financial protection for cyber perils need coverage that specifically addresses these relatively new risks. Insurance buyers can pose these questions to their insurance agent, broker or even the insurance underwriter:
- If a product liability claim arises because a device was hacked, will the policy respond?
- Will the policy cover liability and claims arising from unauthorized data disclosure, access or use of protected personal information?
- How much insurance coverage is afforded for cyber perils? Do any sub-limits “cap” the coverage? Can I increase the sub-limit for additional premium?
- Does the policy cover extra expenses incurred in minimizing losses from a data breach?
In evaluating applications seeking insurance coverage for cyber-risks, underwriters may seek the following information:
- What priority has the device company placed on protecting its databases? What specific steps reflect such a commitment?
- Who can access the company’s information systems? Are there restricted authority levels?
- Has the company hired qualified outside experts to both assess and bolster IT security procedures?
- Does the organizational chart reflect a dedicated team or group assigned to protect data integrity?
- What is the status of password procedures, data encryption, off-site data backup, intrusion prevention systems, disaster recovery plans and anti-virus systems?
Given the scope of cyber risks, this column must suffice as a brief overview rather than an exhaustive discussion. While the Greek god Prometheus gave mankind the gift of fire, that gift was not rescinded in the face of fire’s occasionally destructive power.
Likewise, the tech industry has given medical device firms computing power via the Internet. The “blessings” come with certain perils, however. Computing technology and Internet connectivity are features of the business landscape that are here to stay. The proverbial genie is out of the bottle and won’t go back in. The trick of effective risk management is to harness the assets and mitigate cyber risks, using strategies cited here.
References:
1. “Implants Might Supplant Transplants,” Washington Post, 10/29/13, p. E6.
2. Adam Leith Gollner, “The Book of Immortality,” Scribner, 2013, p. 272.
Kevin Quinley, CPCU is principal of Quinley Risk Associates, a risk management consulting firm in the Richmond, Va., area. He has more than 25 years of risk management experience with medical device companies. You can reach him at www.kevinquinley.com or at kevin@kevinquinley.com.