While cyber security is a hot topic in every area of business including insurance, medical devices generally are not the first thing that comes to mind when assessing immediate or long-term cyber risks. Surely there have been a number of high-profile lawsuits against hospitals and medical providers involving liability for unintentional access to/disclosure of PII and PHI from patient files and medical records. Yes, hospitals have been in the news for security breaches — everyone recalls that nefarious hackers held hospital hard drives hostage worldwide with the WannaCry and SamSam ransomware attacks within the last two years. But cyber risks from personal medical devices are just TV stuff, right? (Remember the 2012 season finale of Homeland, where the fictional United States Vice President was assassinated by terrorists who hacked his wireless pacemaker using the serial number and reprogrammed it?) Frighteningly, the answer in 2019 is likely no.
Personal medical devices (like pacemakers and implantable defibrillators), other wireless technologies (like insulin pumps), institutional/networked medical devices and other mobile health technologies (including infusion pumps, patient monitors, ventilators, imaging modalities and other life-sustaining or life-supporting devices), and even seemingly benign devices like hearing aids (which can now be controlled via smartphones), pose numerous, significant cyber risks, ranging from hacking to malware to unauthorized access. The vulnerabilities not only create the traditional risk of exposure of personal information stored in these devices/networks, but also pose serious risks to patient safety if the devices are disabled, infected with malware, rendered inaccessible or otherwise altered. These risks, in turn, raise a number of novel liability questions and potential coverage questions under numerous kinds of insurance policies, including GL, products liability, cyber and professional liability, and potentially D&O.