Greek mythology tells us that Prometheus gave mankind the gift of fire, bringing many benefits but also unleashing destructive forces. New technologies bring novel benefits. They also, however, often spawn unintended consequences. The tech industry delivers astonishing computing power. This power enables medical device firms—among other businesses—to harness vast computing resources to drive their business plans, manufacturing and device functionality. Unintended consequences often arise—no shock there. To paraphrase a popular bumper sticker, “S**t Happens.” In the case of computers, one unintended consequence is the risk of cyber perils.
We often associate cyber risks with financial institutions—banks, insurance companies, credit card firms. While the financial sector faces cyber risks, it is by no means the only economic niche facing such headaches. Medical device firms also are vulnerable to cyber-liability risks. Device firms often harbor vast chunks of personal data. They must comply with increasingly stringent privacy laws. If you have computers, you have cyber-risk exposures.
To start, let’s define cyber risk. Cyber risk refers to a range of computer-related problems and tech vulnerabilities inherent in information technology and systems, including hacker attacks, phishing, malicious viruses, worms, spybots, inadvertent disclosure of private or proprietary information, or equipment malfunction due to intentional sabotage. (Editor’s note: See the sidebar glossary for more details.)
These risks can harm medical device companies, which rely on data to test products and bring them to market. The approval gauntlet of the U.S. Food and Drug Administration (FDA) is data-driven. Without data demonstrating a device’s efficacy and safety, no medical technology company can win the FDA approval needed for commercial viability. Losing or compromising data can devastate a firm’s ability to bring a new device to market.
Inability to launch a product, or doing so belatedly, can mean the difference between commanding market share or being an also-ran, between getting venture capital funding or not. It can spell the difference between survival or insolvency. Even if cyber attacks do not cripple a company, they can inflict financial harm through downtime, denial of service, lost production, reputational damage or even product liability from device malfunction.
Recently, I attended a risk management conference in Charlotte, N.C. A featured speaker was a cyber-risk expert. He cited a medical device manufacturer implementing layoffs. A “surviving” employee, upset about the reductions in force, took a company laptop computer to a McDonald’s, ordered coffee, and remotely shut down the company’s manufacturing processes. He did this in retaliation for what he felt were unfair layoffs. The Federal Bureau of Investigation (FBI) probed the incident, traced the laptop’s IP address to a specific McDonald’s and culled store purchase records for the date in question. Debit card receipts linked a specific company employee to the McDonald’s at the time in question. FBI agents questioned the worker, who confessed. However, the company suffered substantial business interruption, losing a week’s worth of manufacturing.
Medical technology firms harbor vast amounts of data. This includes data on doctors who use and prescribe devices, patients who receive medical products, and clinical trial subjects. Data may include medical histories and financial information. Device firms must use this data responsibly and preserve and protect it so that it does not fall into the hands of unauthorized parties. Leaving computer systems and high-tech products vulnerable to intrusion and hacking has many adverse consequences. Often, intrusions are due to casual oversight, preoccupation with other risks or the inertia of lax data security procedures.
The increasing prevalence of cloud computing also heightens the need to buttress data security.
Product Liability Concerns
In addition, electronic medical equipment may be susceptible to malfunction or hacking through inadvertent or intentional activities. Such scenarios could cause adverse patient outcomes, including injury or death. This also could trigger liability claims against a device manufacturer from attorneys who allege that a manufacturer could have made a device safer by making it impregnable to outside hacking and intrusion. This could buttress a design defect allegation. Thus, cyber liability can intersect with product liability to create substantial financial consequences for a medical device firm.
In a public demonstration that garnered publicity, a tech-savvy individual hacked his own insulin pump, compromising the pump’s performance. If this is doable with an insulin pump, perhaps it can be done with an implantable pacemaker or internal defibrillator. In 2010, former Vice President Dick Cheney received a left ventricular assist device. He ordered that doctors disable the implant’s wireless function, lest terrorists use it in an assassination attempt.[1] One need not be a top politician or worried about Al Qaeda to harbor concerns about the security of high-tech medical device software.
As medical devices become more complex, complications and risks increase. In his recent book, “The Book of Immortality,” author Adam Gollner notes, “Every technological appliance… has glitches. They don’t always work properly. Do we really want tiny robots malfunctioning in our bodies? Computers are fragile, not foolproof. Imagine having to fix an intracellular motherboard crash. What about computer viruses infiltrating our bloodstream? They can already be programmed to contaminate chips and pacemakers, defibrillators and cochlear implants.”[2]
While many cyber risks arise from within organizations, others come from outside.
Various motivations drive deliberate cyber attacks. These include gathering patient information, harming a patient’s health, gratifying the perpetrator’s ego or undermining competitors through adverse publicity.
FDA Enters the Picture
The FDA addressed concerns when, in June last year, it issued a safety communication on cyber security for medical devices and hospital networks. The FDA places the onus on manufacturers to identify and mitigate cyber security risks. When medical devices interface with hospital IT systems, data breaches and unauthorized patient information disclosure can result. This can significantly harm a device firm’s financial health. If an attacker penetrates a hospital’s network via unpatched or unprotected medical devices, worries about patient safety and privacy breaches intensify. Firms should see that devices are running on up-to-date software, that the software is encrypted, and that devices relying on software have antivirus protection. Further, manufacturers must apply timely patches or fixes to software exhibiting vulnerabilities to security breaches.
Risk Management Strategies
Device firms can adopt four major risk management strategies to address cyber perils: avoidance, retention, control and transfer. Let’s briefly look at each.
Avoidance means that the device firm decides not to engage in activities that create cyber perils. Since cyber risks are inherent in using computers and the Internet, it is unrealistic to expect medical device firms—many of them high-tech—to forgo standard features of today’s business infrastructure.
Retention means consciously and intentionally setting funds aside to address financial consequences from cyber risk. Self-insurance is one option. Another is to have a deductible or self-insured retention with an insurance policy. Retention should be a conscious process.
A company that overlooks risk and suddenly faces uninsured losses has not embraced retention as a risk management approach. Sleepwalking into a “self-pay” situation is not true retention.
Control means preventing cyber risk in the first place. Control also includes loss mitigation, cushioning the impact of cyber perils. For example, to boost company vehicle safety, firms keep a well-maintained car fleet and upgrade driver training. To curb lifting accidents and workers’ compensation costs, a device firm might provide safety belts and instruction on safe lifting techniques. With cyber losses, astute device firms can adopt various control measures.
Transfer shifts the financial consequences of cyber perils to another party, usually a professional risk-bearer, i.e., an insurance company. Buying coverage for cyber perils is an example of financial transfer. This could be through a standalone insurance policy. Firms also adopt transfer by adding cyber peril coverage to an existing insurance policy.
Loss Control Strategies
Since control and transfer are the most viable risk management strategies, let’s spotlight these two. Loss control tactics to thwart cyber risks include any one or combination of the following:
Contingency plan. Prepare incident response and business continuity contingency plans well in advance of any crisis. Calendar these for regular review and updating, in light of technological and organizational advances.
Self-assess and include vendors. Conduct self-assessments of internal systems to prevent data breaches. Verify that vendors and business partners with whom you exchange information have sound internal systems designed to address perils.
Brainstorm. As a management discipline, periodically make time to brainstorm the worst possible data breaches. Map out potential consequences. Include information technology (IT) but go beyond IT.
With the management team—including but not limited to IT—walk through the steps a company would take to respond to and mitigate a loss. Better still, conduct “after-action reviews” of such hypotheticals to determine preventive measures that reduce the odds of such scenarios.
The best strategy: Boost prevention as the first line of defense. View insurance as a “Plan B option.” Device firms that leverage the best deals on cyber-coverage are those that demonstrate to underwriters the existence of well-thought-out systems and protocols that prevent breaches in the first place.
Insuring Against Cyber Risks
Since insurance protection for cyber risks is relatively new, do not assume that existing insurance policies address the risk. Many property and liability insurance policies may ignore the problem, exclude it or be silent regarding the protection. Many commercial general liability insurance policies, for example, provide scant cyber risk coverage. Such contracts often limit reimbursement to physical loss to tangible property. That is fine if a manufacturing plant is damaged by fire or a company car is dented. Some courts have held that computer data—bits and bytes—are not tangible property.
Work with your insurance broker to scan the marketplace for the broadest coverage at the most reasonable price. Device firms seeking financial protection for cyber perils need coverage that specifically addresses these relatively new risks. Insurance buyers can pose these questions to their insurance agent, broker or even the insurance underwriter: