Mitigate the risks that the IoT poses to medicine and healthcare
Help clients understand key risk categories and available protections
From the smallest sensors to entire operating room systems, the Internet of Things (IoT) is transforming the practice of medicine. By remotely capturing medical data, facilitating medication delivery and enabling digital health applications, the IoT delivers greater convenience and functionality to patients and their physicians – helping to compensate for staffing shortages and high patient demand. In the UK and elsewhere, the IoT allows hospitals to track and monitor patients from the moment they arrive at hospital — and at home — with real-time data being added automatically to patient records without the need for nurses to take readings.
But along with opportunity, the IoT presents risks for technology companies. By one estimate, one-third of the UK's NHS Trusts have no method for tracking the IoT devices on their networks, and a device that is not inventoried cannot be patched, monitored or isolated when a flaw is disclosed. This leaves data and clinical services exposed to significant security problems. Should the technology fail to work as intended, a patient could be injured or sensitive personal health information exposed.
Such vulnerabilities are more common than we would like to believe. Wired reported last year that researchers from the healthcare security firm CyberMDX found seven easily exploited vulnerabilities in a remote access platform that is especially popular in medical equipment. Because the platform is embedded in many products, a single set of flaws put hundreds of thousands of devices at risk. Specifically, an attacker could exfiltrate data from medical equipment or other healthcare devices, tamper with lab results, make critical devices unavailable, or take them over altogether.
Anticipating the hazards
Even though it isn’t possible to eliminate all of the risks of IoT, technology companies can reinforce their security by remaining vigilant in the face of evolving risks – and by anticipating what hazards could be possible. These are the important IoT risk categories to keep in mind:
1. Bodily injury. If an IoT device operates incorrectly, technology companies could be liable for the resulting injury or death of a user or patient. Companies producing IoT technology should understand their exposure to bodily-injury risk due to defects in design or manufacturing, product misuse, or failure to warn consumers about potential dangers in the product’s use.
For example, if a doctor prescribes a pill with a swallowable chip to verify compliance for a patient with a memory impairment, and a flaw prevents the transmission of compliance data to the physician, the doctor may never receive an alert that the patient is not taking the medication: a monitoring system that treats missing data as "no news" fails silently. If the patient's condition worsens, the patient might sue the company that made the connected pill for failure to transmit compliance data.
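The failure mode in that scenario is a monitor that only reacts to data it receives. The following is an added example, not code from the article or from any device vendor, contrasting that fail-silent design with one that classifies silence: an ingestion event confirms the dose, but when none arrives the monitor uses device heartbeats to decide whether the dose was skipped or the device stopped transmitting, and alerts in both cases. The event kinds, the two-hour grace window and the sample timeline are constructed for the example.

```python
"""Added illustration for the connected-pill scenario (not from the article or
any vendor): a compliance monitor that never treats missing data as good news.
Event kinds, the grace window and the sample timeline are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

UTC = timezone.utc
GRACE = timedelta(hours=2)  # assumed: how late a dose may be before it counts as missed


class Finding(Enum):
    TAKEN = "dose confirmed"
    PENDING = "inside grace window, nothing to report yet"
    MISSED_DOSE = "device online but no ingestion signal: alert clinician"
    TELEMETRY_LOSS = "no device heartbeat around dose time: alert clinician and support"


@dataclass(frozen=True)
class Event:
    kind: str      # "ingestion", "heartbeat" or "skipped" (constructed event types)
    at: datetime


def _in_window(e: Event, scheduled: datetime) -> bool:
    return scheduled - GRACE <= e.at <= scheduled + GRACE


def naive_needs_alert(scheduled: datetime, events: list[Event]) -> bool:
    """Fail-silent design: alert only when the device explicitly reports a
    skipped dose. A device that cannot transmit at all never triggers it."""
    return any(e.kind == "skipped" and _in_window(e, scheduled) for e in events)


def evaluate_dose(scheduled: datetime, events: list[Event], now: datetime) -> Finding:
    """Fail-loud design: silence is classified, not ignored.

    Ingestion inside the window -> TAKEN. Otherwise, once the grace window has
    closed, heartbeats decide whether the silence means a skipped dose (device
    alive) or a transmission fault (device silent). Both outcomes alert."""
    if any(e.kind == "ingestion" and _in_window(e, scheduled) for e in events):
        return Finding.TAKEN
    if now <= scheduled + GRACE:
        return Finding.PENDING
    if not any(e.kind == "heartbeat" and _in_window(e, scheduled) for e in events):
        return Finding.TELEMETRY_LOSS
    return Finding.MISSED_DOSE


def clinician_alerts(schedule: list[datetime], events: list[Event], now: datetime):
    """Return the scheduled doses a human must look at, with the reason."""
    return [(s, f) for s in schedule
            if (f := evaluate_dose(s, events, now)) in (Finding.MISSED_DOSE, Finding.TELEMETRY_LOSS)]


# Constructed timeline: dose 1 taken, dose 2 skipped while the device was online,
# dose 3 unanswered because the device went silent entirely.
SCHEDULE = [datetime(2024, 3, 1, 8, tzinfo=UTC),
            datetime(2024, 3, 1, 20, tzinfo=UTC),
            datetime(2024, 3, 2, 8, tzinfo=UTC)]
EVENTS = [Event("heartbeat", datetime(2024, 3, 1, 7, 30, tzinfo=UTC)),
          Event("ingestion", datetime(2024, 3, 1, 8, 10, tzinfo=UTC)),
          Event("heartbeat", datetime(2024, 3, 1, 19, 30, tzinfo=UTC)),
          Event("heartbeat", datetime(2024, 3, 1, 20, 30, tzinfo=UTC)),
          Event("heartbeat", datetime(2024, 3, 1, 21, 30, tzinfo=UTC))]
NOW = datetime(2024, 3, 2, 12, tzinfo=UTC)

if __name__ == "__main__":
    for s in SCHEDULE:
        print(s.isoformat(), "| naive alert:", naive_needs_alert(s, EVENTS),
              "| fail-loud:", evaluate_dose(s, EVENTS, NOW).value)
```

On the sample timeline the naive monitor raises no alert for any dose, because no device ever sent an explicit "skipped" report; the fail-loud monitor flags dose 2 as a missed dose and dose 3 as telemetry loss. Separating those two reasons matters operationally: one goes to the clinician, the other also to whoever supports the device.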
2. Technology errors and omissions. The IoT technology may fail to work as intended due to an error, omission, or negligent act in its design. If the purchaser sustains economic losses, they may file a liability claim against the developer of the device. Defence expenses alone could devastate a technology business.
For example, if a health insurer offers an incentive to customers using a fitness tracker and an error in the tracking software overstates the number of steps, the insurer may issue too many discounts. The insurer may then attribute its financial loss to the incorrect step counts, whether they arose from the software error or from users manipulating the device, and pursue the tracker's developer.
3. Cyber risk. If attackers breach IoT-based information systems and expose data, businesses might face financial losses, service interruption or reputational damage for failing to properly secure their information systems.
For example, a company that makes wearable cardiac monitors could have medical readings uploaded to a cloud service. If the engineers responsible for cloud security fail to apply a security patch or leave the storage misconfigured, attackers could gain entry, then sell patients' sensitive health data or threaten to expose it.
Protecting against IoT risks
Just as new medical IoT applications continue to be discovered, new risks are emerging. In the process, technology companies can be held liable for bodily injury, economic losses to third parties and failure to properly secure data. But they can also protect against these categories of risk. Brokers and insurers can be valuable partners here by helping companies evaluate and implement appropriate quality and risk management systems, advising them about how to build in effective cyber security controls, and reviewing company contract practices.
Medical technology insurance is an important part of a company’s risk management strategy too. Travelers’ Technology and Medical Technology Cyber insurance offers broad, flexible coverage options to help protect clients from damages associated with an IoT security breach. It includes cover for many medical technology-specific exposures, including cyber extortion, data restoration, breach notification, business interruption, and reputational harm.
Airtight protection may not be possible in an environment of rapidly evolving technology, but medical technology companies can take steps to become more difficult targets for cybercrime. In doing so, they can place themselves in a stronger position to capitalise on the rewards of IoT and mitigate its hazards.
Authored by Craig Mounser, Practice Leader for Med Tech & Life Science