Cyber Guidelines Target Medical Devices
The Food and Drug Administration recently passed standards to increase cybersecurity on medical devices. Matthew Zagwoski discusses the recommendations and how they could impact healthcare costs and insurance coverage.
The FDA really started putting guidance out for the industry—in terms of how to manage cybersecurity threats when you have devices that are connected to the internet—back in the early 2000s. But in recent years, cybersecurity issues have become more in the forefront because, every day, there’s an attack on a healthcare provider who had to shut down. So the FDA asked for an FBI review of a number of industries, and specifically healthcare, to assess cybersecurity vulnerabilities.
What came out of that was an understanding of healthcare institutions and how they’re integrating technology, using all of these connected devices, and then looking at the threat vectors. This created the realization that, while we have great regulations in terms of the safety and the efficacy of medical devices, we really don’t have anything hardwired in place that the FDA can look at and say, “Alright, now we know they’re cybersecure.” That’s becoming a much bigger issue now. With the analysis that the FBI did, it’s easy to see that anybody can hack into this stuff and potentially cause harm—reprogram a pacemaker, change some settings on a radiology machine. All the IV drips run through these new wireless devices so they can be controlled from the nurses’ station. If someone can get in and change these settings to cause harm, either directly to the patient or from a terrorist standpoint, that is a pretty big risk.
Yes. If I’m a company making an insulin pump, my focus is always on making a better insulin pump—one that does everything better than my competitor. But I’m not necessarily focused on it being the most cybersecure insulin pump in the marketplace. So I’m not putting as much effort behind that part of it as I probably should. But now the FDA can refuse to accept any device that they claim is not cybersecure.
That will cause a lot of companies to take a step back and say, “I’m developing these things, but how do I make sure I have a product that is sellable before I put $100 million into development? How do I make that money work the right way?” A lot of the time you have to look at redesigning your whole development plan for that. Some companies might be so small they may have one person who understands, like their IT guy, but they don’t necessarily have a troop of cybersecurity experts that understand it. I read something that said between 2020 and 2025 the average cost of cybersecurity will go up 15% on average, for the entire world, every year. In certain industries like healthcare, I can see that being a lot more.
We created one product called Virtual Care for telemedicine risks. Interestingly enough, we developed it about two years before the pandemic hit, so it was the perfect time to get that product up and running. That product caters to the cyber aspect of telemedicine, where the transfer risk is different because of different regulations and laws around how doctors should and should not engage with patients without seeing them in person.
Beazley has a very big cyber presence as well with our Beazley Breach Response Team that jumps in when our clients have a breach. There is a coverage gap that we can see because we’re being asked to help with risks from our clients. A lot of the time, people come to Beazley for our ability to create cover where none otherwise exists. We were starting to get asked to create these coverages for a cyber incident and bodily injury in concert with other products and policies that exist out there. About a year ago, we launched our life sciences product we call WellTech. It does the same as our Virtual Care product, but it’s built off of our platform that we write for life science companies that are making the medical devices or coming up with technology-driven platforms to analyze the metadata out of an MRI machine or the wearables and things of that nature.
Right now, the buy-in is coming from brokers that straddle both worlds or are a little bit more generalist. In life sciences, you often see brokers that are siloed and don’t deal with something like cyber, which goes elsewhere. It is difficult to understand, and it requires a broker audience that’s broader that doesn’t just say, “Oh, I’m a casualty broker.” Brokers need to be really adept at looking at what kind of products they’re suggesting for their clients in this space.
Bringing this product out, we also wanted to educate brokers that they shouldn’t assume cyber might be covered somewhere else and leave other brokers to deal with that. They don’t know whether there’s necessarily a gap in there that they could fill. If I were a broker, I would love an integrated product where I could reasonably see A to Z how it works. If something happens and you shrug your shoulders and think you did everything you could have done, then you’re not really servicing your client. It’s all about making sure you are building relationships with clients, giving them good products, and making sure they work the way you intend them to. That’s literally the triad of making sure you have a good business model in place.