Sean Fenske, Editor06.09.16
When developing a medical device, there are a number of considerations companies must keep in mind to ensure the success of the product. Manufacturability, sterilization, reimbursement, and clinical need are just a few of the factors reviewed during this early evolutionary period in the device’s lifecycle. One aspect that doesn’t always come up as a critical element for consideration is the liability issues a device could pose and the insurance a device maker may want to evaluate. At least, not when that device is a wearable. Unfortunately, given the threats against wearable medtech in terms of hacking and data theft, the developers of these devices should be very cognizant of the insurance needs to protect themselves from legal implications arising from such threats.
With this in mind, MPO spoke with Patty Nichols, the 2VP of medical technology underwriting at Travelers. She is responsible for profitability, growth, and strategic direction for that portion of the company. Nichols offers more than 25 years of experience at Travelers, specializing in the needs of the technology and medical technology industries, and holds the Chartered Property Casualty Underwriting (CPCU) designation.
Sean Fenske: What does Travelers do as it relates to medical device manufacturers?
Patty Nichols: Travelers provides coverage options to medical device manufacturers for a number of different risk exposures. As device makers continue to innovate with respect to wearable technology, we’re able to help these companies manage the evolving risks. Our offerings for medical device manufacturers include:
Information security coverage, which provides coverage for critical cyber risks. Coverage options vary, but most include network and information security liability, and communications and media liability. Companies can also opt for many first-party expense reimbursement coverages, including data restoration, business interruption, computer and funds transfer fraud, crisis management, and security.
Product liability coverage, which provides coverage for loss arising from bodily injury risk. Available options cover consumer fitness tracking devices, as well as doctor-prescribed medical wearables.
Errors and omissions liability coverage, which protects against damages that a medical device manufacturer must pay because of economic loss resulting from its products or its work and caused by an error, omission, or negligent act.
Fenske: What’s the potential for wearables in the medical device industry? What’s driving the growth?
Nichols: The wearable technology revolution holds tremendous promise for the medical device industry. In fact, the health and medical sector will likely drive substantial growth in
wearable devices broadly. Specifically, the weight loss and longevity markets have been extremely profitable in recent years, a trend that is likely to continue. In a recent PricewaterhouseCoopers survey, 56 percent of the respondents felt that wearable health devices could extend their life expectancy by 10 years, 46 percent see these devices as a way to help control obesity, and 42 percent expect health wearables to improve their athletic ability.
As hospital stays become shorter, more doctors are sending patients home with wearable health sensors. These devices can capture real-time vital signs and transmit results to doctors or response personnel in the event of an emergency.
The ability of wearables to improve the quality of life and reduce healthcare costs are key factors of growth in the health and medical sector. As a result, an increasing number of technology companies are aggressively pursuing the wearables opportunity in this sector.
Fenske: Why do medical device manufacturers need insurance for their wearable devices? What are the major risks they face?
Nichols: Medical device makers face special challenges as they move into the high-risk/high-reward area of wearable technology and, as a result, need to protect themselves accordingly. Never before have sensors been attached to the human body for prolonged time frames, so the liability threat landscape for device manufacturers moving forward is not clear. Safety features, data protection measures, effective contract risk management, and good design decisions can help companies reduce their exposure to some of the risks we see today. Given the rapid pace of technological change, however, companies involved with wearable technology are unlikely to ever fully understand and eliminate their current or emerging exposures. To help manage these exposures, companies should investigate their insurance options for three main categories of risk:
Cyber Risk—Cyber risk is often defined as the risk of financial loss, business interruption, or reputational damage due to an organization’s failure to properly secure the data held within its information systems. It can occur as a result of a cyber criminal’s attack, an ineffective IT policy, a failure of IT security software, or even a disgruntled employee. Nearly all high-profile data breaches lead to proposed class-action lawsuits and wearable device manufacturers can certainly be among the defendants in such suits if a device is alleged to have played a role in a breach.
Bodily Injury Risk—In order for wearable devices to deliver on the quality of life benefits they promise, devices must be used as intended and function properly at all times. Should they ever fail, the device maker could be liable for bodily injury risk or damages from a resulting injury, illness, or even death of a user or patient. Wearable manufacturers should understand and mitigate the risk of a product liability claim.
Technology Errors and Omission Risk—Despite a wearable device maker’s effort to market a reliable product that people can use to enhance their quality of life, things can go very wrong. In addition to bodily injury, a company can be held liable for an economic loss from the failure of a device to work as intended due to an error, omission, or negligent act. Wearable device failures can impact business continuity, reputation, and other factors. Companies that understand the unique nature of this risk category can better protect themselves from liability claims.
Fenske: What types of safeguards might a medical wearables manufacturer examine as a means of potentially avoiding having their device hacked and their data accessed?
Nichols: At Travelers, we’ve certainly considered the potential of a wearable device being hacked, or the health data that’s automatically uploaded to a cloud data store being hacked. It’s important to note that any wearables manufacturer can protect itself by designing simple, yet effect, security features into its devices. This can include:
Bluetooth encryption—Bluetooth offers an encryption API when exchanging data between a device and its target data store, but not all companies take advantage of it because it decreases battery life.
Encrypt critical data elements—The most critical pieces of data transferred between wearable devices and data stores are user IDs, passwords, and PIN numbers. Avoid transferring these data elements in plain text, with no encryption at all.
Secure the cloud—Data is often transmitted from a wearable device to a smartphone and then to a cloud data store. Virtualized clouds can secure data with multiple diverse operating systems, each operating within a different security context. Banks often secure depositor payment details this way; wearables companies should consider similar functionality.
Fenske: How likely is it that a more complex medical device such as an insulin pump or an implantable device like a pacemaker, be hacked and/or reprogrammed?
Nichols: At this point, the FDA [U.S. Food and Drug Administration] is not aware of any patient injuries associated with cybersecurity incidents, nor is it aware of hackers purposely targeting any specific medical devices or systems in clinical use.
Device makers, however, should assess the likely frequency and severity of all identified potential hazards, and by not incorporating cybersecurity in wearable technology at the outset of design and production, they risk facing product liability and other claims if a complex device were ever hacked.
The FDA’s recommendations for medical device manufacturers and healthcare facilities to mitigate and manage cybersecurity threats include:
Nichols: It’s important for medical device manufacturers to recognize that wearable technology creates risks beyond their immediate business operations; it also creates risks for those companies involved in other aspects of the supply chain process. Among those at risk from wearable technology include:
Technology companies directly involved in the development, manufacturing, and distribution of wearable devices. For example, medical technology firms that handle personal health information collected from wearable cardiac monitoring devices could incur significant liability and expenses if they fail to appropriately safeguard such data. Likewise, firms that make holographic devices could be at risk if their products are blamed for highway accidents due to their customers using their products behind the wheel.
Technology companies acting as vendors or suppliers to wearable technology companies. For example, a software company supplying GPS software incorporated into a wearable security device could be held responsible if a user’s location history data is stolen. An electronics manufacturer supplying a component part for a hinge within a wearable prosthetic leg could be blamed if the device fails, resulting in a severe patient injury.
Fenske: Where are we headed with wearable medical devices in five to 10 years?
Nichols: Wearable technology and the Internet of Things are poised to redefine mobility in the coming years. SNS Research estimates that wearable device shipments will account for nearly $30 billion in revenue in 2016, and grow at a compound annual growth rate of 30 percent over the next five years. Swiss research firm Soreon expects the wearables market to top $40 billion by 2020 in the healthcare market alone.
Perhaps some of the biggest quality-of-life improvements will come in the healthcare space, in which wearable technology holds the promise of detection, prevention, and treatment of chronic disease, as well as the ability to reduce healthcare costs. As wearable technology continues to advance in the years to come, these devices have the potential to revolutionize many aspects of the medical and healthcare space. Even today, individuals are already benefiting from medical devices that are currently on the market, such as:
With this in mind, MPO spoke with Patty Nichols, the 2VP of medical technology underwriting at Travelers. She is responsible for profitability, growth, and strategic direction for that portion of the company. Nichols offers more than 25 years of experience at Travelers, specializing in the needs of the technology and medical technology industries, and holds the Chartered Property Casualty Underwriting (CPCU) designation.
Sean Fenske: What does Travelers do as it relates to medical device manufacturers?
Patty Nichols: Travelers provides coverage options to medical device manufacturers for a number of different risk exposures. As device makers continue to innovate with respect to wearable technology, we’re able to help these companies manage the evolving risks. Our offerings for medical device manufacturers include:
Information security coverage, which provides coverage for critical cyber risks. Coverage options vary, but most include network and information security liability, and communications and media liability. Companies can also opt for many first-party expense reimbursement coverages, including data restoration, business interruption, computer and funds transfer fraud, crisis management, and security.
Product liability coverage, which provides coverage for loss arising from bodily injury risk. Available options cover consumer fitness tracking devices, as well as doctor-prescribed medical wearables.
Errors and omissions liability coverage, which protects against damages that a medical device manufacturer must pay because of economic loss resulting from its products or its work and caused by an error, omission, or negligent act.
Fenske: What’s the potential for wearables in the medical device industry? What’s driving the growth?
Nichols: The wearable technology revolution holds tremendous promise for the medical device industry. In fact, the health and medical sector will likely drive substantial growth in
wearable devices broadly. Specifically, the weight loss and longevity markets have been extremely profitable in recent years, a trend that is likely to continue. In a recent PricewaterhouseCoopers survey, 56 percent of the respondents felt that wearable health devices could extend their life expectancy by 10 years, 46 percent see these devices as a way to help control obesity, and 42 percent expect health wearables to improve their athletic ability.
As hospital stays become shorter, more doctors are sending patients home with wearable health sensors. These devices can capture real-time vital signs and transmit results to doctors or response personnel in the event of an emergency.
The ability of wearables to improve the quality of life and reduce healthcare costs are key factors of growth in the health and medical sector. As a result, an increasing number of technology companies are aggressively pursuing the wearables opportunity in this sector.
Fenske: Why do medical device manufacturers need insurance for their wearable devices? What are the major risks they face?
Nichols: Medical device makers face special challenges as they move into the high-risk/high-reward area of wearable technology and, as a result, need to protect themselves accordingly. Never before have sensors been attached to the human body for prolonged time frames, so the liability threat landscape for device manufacturers moving forward is not clear. Safety features, data protection measures, effective contract risk management, and good design decisions can help companies reduce their exposure to some of the risks we see today. Given the rapid pace of technological change, however, companies involved with wearable technology are unlikely to ever fully understand and eliminate their current or emerging exposures. To help manage these exposures, companies should investigate their insurance options for three main categories of risk:
Cyber Risk—Cyber risk is often defined as the risk of financial loss, business interruption, or reputational damage due to an organization’s failure to properly secure the data held within its information systems. It can occur as a result of a cyber criminal’s attack, an ineffective IT policy, a failure of IT security software, or even a disgruntled employee. Nearly all high-profile data breaches lead to proposed class-action lawsuits and wearable device manufacturers can certainly be among the defendants in such suits if a device is alleged to have played a role in a breach.
Bodily Injury Risk—In order for wearable devices to deliver on the quality of life benefits they promise, devices must be used as intended and function properly at all times. Should they ever fail, the device maker could be liable for bodily injury risk or damages from a resulting injury, illness, or even death of a user or patient. Wearable manufacturers should understand and mitigate the risk of a product liability claim.
Technology Errors and Omission Risk—Despite a wearable device maker’s effort to market a reliable product that people can use to enhance their quality of life, things can go very wrong. In addition to bodily injury, a company can be held liable for an economic loss from the failure of a device to work as intended due to an error, omission, or negligent act. Wearable device failures can impact business continuity, reputation, and other factors. Companies that understand the unique nature of this risk category can better protect themselves from liability claims.
Fenske: What types of safeguards might a medical wearables manufacturer examine as a means of potentially avoiding having their device hacked and their data accessed?
Nichols: At Travelers, we’ve certainly considered the potential of a wearable device being hacked, or the health data that’s automatically uploaded to a cloud data store being hacked. It’s important to note that any wearables manufacturer can protect itself by designing simple, yet effect, security features into its devices. This can include:
Bluetooth encryption—Bluetooth offers an encryption API when exchanging data between a device and its target data store, but not all companies take advantage of it because it decreases battery life.
Encrypt critical data elements—The most critical pieces of data transferred between wearable devices and data stores are user IDs, passwords, and PIN numbers. Avoid transferring these data elements in plain text, with no encryption at all.
Secure the cloud—Data is often transmitted from a wearable device to a smartphone and then to a cloud data store. Virtualized clouds can secure data with multiple diverse operating systems, each operating within a different security context. Banks often secure depositor payment details this way; wearables companies should consider similar functionality.
Fenske: How likely is it that a more complex medical device such as an insulin pump or an implantable device like a pacemaker, be hacked and/or reprogrammed?
Nichols: At this point, the FDA [U.S. Food and Drug Administration] is not aware of any patient injuries associated with cybersecurity incidents, nor is it aware of hackers purposely targeting any specific medical devices or systems in clinical use.
Device makers, however, should assess the likely frequency and severity of all identified potential hazards, and by not incorporating cybersecurity in wearable technology at the outset of design and production, they risk facing product liability and other claims if a complex device were ever hacked.
The FDA’s recommendations for medical device manufacturers and healthcare facilities to mitigate and manage cybersecurity threats include:
- Remain vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and put appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Hospitals and healthcare facilities should evaluate their network security and protect their hospital systems.
Nichols: It’s important for medical device manufacturers to recognize that wearable technology creates risks beyond their immediate business operations; it also creates risks for those companies involved in other aspects of the supply chain process. Among those at risk from wearable technology include:
Technology companies directly involved in the development, manufacturing, and distribution of wearable devices. For example, medical technology firms that handle personal health information collected from wearable cardiac monitoring devices could incur significant liability and expenses if they fail to appropriately safeguard such data. Likewise, firms that make holographic devices could be at risk if their products are blamed for highway accidents due to their customers using their products behind the wheel.
Technology companies acting as vendors or suppliers to wearable technology companies. For example, a software company supplying GPS software incorporated into a wearable security device could be held responsible if a user’s location history data is stolen. An electronics manufacturer supplying a component part for a hinge within a wearable prosthetic leg could be blamed if the device fails, resulting in a severe patient injury.
Fenske: Where are we headed with wearable medical devices in five to 10 years?
Nichols: Wearable technology and the Internet of Things are poised to redefine mobility in the coming years. SNS Research estimates that wearable device shipments will account for nearly $30 billion in revenue in 2016, and grow at a compound annual growth rate of 30 percent over the next five years. Swiss research firm Soreon expects the wearables market to top $40 billion by 2020 in the healthcare market alone.
Perhaps some of the biggest quality-of-life improvements will come in the healthcare space, in which wearable technology holds the promise of detection, prevention, and treatment of chronic disease, as well as the ability to reduce healthcare costs. As wearable technology continues to advance in the years to come, these devices have the potential to revolutionize many aspects of the medical and healthcare space. Even today, individuals are already benefiting from medical devices that are currently on the market, such as:
- For diabetics, the Medtronic Continuous Glucose Monitoring System measures blood sugar levels through electronic sensors placed slightly under the skin. A wireless transmitter attached to the patient’s belt processes the data and transmits it to cloud data stores for later analysis. It even decreases fingerstick requirements to only two per day. An optional insulin pump delivers insulin as needed.
- Cardiac patients can benefit from wearable heart monitors. The ZIO Wireless Patch detects irregularities in cardiac rhythm, and is far less bulky to wear than the legacy Holter monitor. For more severe cardiac cases, the ZOLL LifeVest Wearable Defibrillator can detect life-threatening abnormal heart rhythms and deliver a treatment shock to restore healthy cardiac rhythm.