Most IoT-enabled medical devices were manufactured without a full understanding of the implications of cyber security. While there have been no reported incidents of patient harm caused by an attack on such a device, the potential definitely exists. Johnson & Johnson announced on October 4th, 2016 that cyber security vulnerabilities could allow an attacker to remotely control the One Touch Ping insulin pump it manufactures. St. Jude Medical released a security patch on January 9, 2017 that addresses the possibility of hacking its implantable cardiac defibrillator devices. In addition, there have been reports of these devices being used as an entry point to infect healthcare provider networks, which could expose the provider to a costly data breach. In short, an IoT-enabled medical device can expose a patient, a hospital and the device's manufacturer to many risks.
Challenges
While device manufacturers have taken a lot of criticism for vulnerabilities, they face a number of challenges unique to healthcare. To begin with, medical devices are deployed in very different settings:
- In the home
- Embedded in the patient's body, or
- Across networks in hospitals.
Within hospitals, medical networks are fairly complex, with devices of all classes and capabilities connected in different configurations. Considering that some medical devices stay on healthcare provider networks for 15 to 20 years, manufacturers have to consider what technologies and software will look like 20 years from now. In addition, there are strict FDA regulations on re-certifying certain categories of life-critical devices if any changes are made to them. The FDA has stated that, in light of some of these issues, a "least burdensome approach" can be taken with the appropriate protocol. In certain cases, the oldest devices may simply not be capable of providing adequate security by current or future standards.
Insurance Coverage
The costs associated with a serious design flaw could be staggering, given that a single negligence award can run into the millions. Several standard insurance products provide indemnification to both the medical device manufacturer and the healthcare provider. Product Recall coverage indemnifies the manufacturer for the costs of any recall effort. If a compromised device causes an injury, Product Liability coverage protects the manufacturer against third-party lawsuits, including legal defense costs. Hospital General Liability coverage responds to liability exposure arising from a compromised medical device. For a practicing physician, Medical Malpractice coverage likewise provides indemnification against third-party lawsuits. Good risk management, consisting of building cyber-secure medical devices along with proper insurance coverage, significantly mitigates the risk that manufacturers and healthcare providers face.
Recommendations for IoT medical device providers
There are steps that manufacturers can take to help mitigate the problem. For newer devices, a range of solutions is available, such as:
- Defining a unique identity for each device
- Authenticating the device to the network and to the systems it talks to
- Code signing the device firmware, so that only manufacturer-signed images are accepted, and
- Putting an additional layer of security software on the device.
These solutions scale from the lowest-end devices to high-end ones and work within constraints such as difficult update procedures and limited available memory. Generic security monitoring tools also exist and provide a basic level of security; over time, we believe monitoring tools tailored to healthcare will emerge to provide a more robust security posture. For older devices, some of these solutions can be implemented where possible, and there are device security solutions that can protect legacy devices running very old operating systems and hardware architectures. At a minimum, certain changes can be made, such as changing the default passwords on the devices. Educating the customer to be careful when connecting older devices to the network or to USB ports is another effective risk measure. While such education costs resources, it creates a safer environment and also saves the manufacturer money in the long term by protecting its brand and customer loyalty.
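The first three items in the list above (device identity, device authentication and code signing) are concrete enough to show in code. The following is an added example written for this page, not code from the original article or from any device vendor: it uses Go's standard-library Ed25519 to (a) sign and verify a firmware image with an anti-rollback version check, as a bootloader would before accepting an update, and (b) authenticate a device to a hospital-side service with a signed nonce challenge. The image layout (magic, version, signature, payload), the device ID "pump-0001" and the enrolment map are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical signed-image layout chosen for this example (not any real vendor format):
//   4 bytes magic "MDFW" | 4 bytes version (big-endian) | 64 bytes Ed25519 signature | payload
// The signature covers magic, version and payload, so an old image cannot be re-labelled as newer.
var magic = []byte("MDFW")

const hdrLen = 8
const sigLen = ed25519.SignatureSize

var (
	ErrBadHeader = errors.New("firmware: malformed image header")
	ErrBadSig    = errors.New("firmware: signature does not verify")
	ErrRollback  = errors.New("firmware: version older than installed")
)

// SignFirmware is the manufacturer-side step: sign (header || payload) with the release key.
func SignFirmware(releasePriv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	sig := ed25519.Sign(releasePriv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

// VerifyFirmware is the device-side (bootloader) step. releasePub is the manufacturer's
// public key stored immutably on the device; installed is the running version. Nothing in
// the image is trusted until the signature verifies, and the version may not go backwards.
func VerifyFirmware(releasePub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadHeader
	}
	version := binary.BigEndian.Uint32(img[4:hdrLen])
	sig := img[hdrLen : hdrLen+sigLen]
	payload := img[hdrLen+sigLen:]
	signed := append(append([]byte{}, img[:hdrLen]...), payload...)
	if !ed25519.Verify(releasePub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, payload, nil
}

// Device identity and authentication: each device holds its own key pair and the
// hospital-side service keeps the public key recorded at enrolment. The service sends a
// fresh random nonce; the device signs it bound to its ID, so a response cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func authMessage(deviceID string, nonce []byte) []byte {
	return append([]byte("device-auth:"+deviceID+":"), nonce...)
}

func DeviceRespond(devPriv ed25519.PrivateKey, deviceID string, nonce []byte) []byte {
	return ed25519.Sign(devPriv, authMessage(deviceID, nonce))
}

// ServiceAuthenticate runs on the hospital side; an unknown ID or a bad signature fails.
func ServiceAuthenticate(enrolled map[string]ed25519.PublicKey, deviceID string, nonce, resp []byte) bool {
	pub, ok := enrolled[deviceID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, authMessage(deviceID, nonce), resp)
}

func main() {
	// Constructed sample: one release key, one enrolled pump, one signed update.
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	enrolled := map[string]ed25519.PublicKey{"pump-0001": devPub}

	img := SignFirmware(relPriv, 2, []byte("firmware v2 payload"))
	ver, _, err := VerifyFirmware(relPub, 1, img)
	fmt.Println("update accepted:", err == nil, "version:", ver)
	img[len(img)-1] ^= 0x01 // flip one payload bit
	_, _, err = VerifyFirmware(relPub, 1, img)
	fmt.Println("tampered update rejected:", errors.Is(err, ErrBadSig))

	nonce, _ := NewChallenge()
	resp := DeviceRespond(devPriv, "pump-0001", nonce)
	fmt.Println("device authenticated:", ServiceAuthenticate(enrolled, "pump-0001", nonce, resp))
}
```

Two design points worth noting. The verifier checks the signature before it reads the version, so a tampered version field never influences a decision; and the anti-rollback check is what stops an attacker from "updating" a device to an older, signed but vulnerable image, which a signature check alone would accept. On the authentication side, the nonce makes each response single-use and binding the device ID into the signed message means a captured response is useless under any other identity.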
Recommendations for Insurers
- Any insurer that provides coverage to medical device companies needs to understand, as part of its underwriting process, the IoT security embedded in those devices.
- Insurers with exposure to medical device companies need to understand the aggregation risk that IoT devices embed in their portfolios.
Symantec protects over a billion IoT devices and offers the most comprehensive family of security technologies for medical equipment manufacturers.
For more information visit: https://www.symantec.com/solutions/internet-of-things
Symantec is using its aggregated data, intelligence and cyber expertise to help insurers understand the cyber risks in their portfolios, including cyber aggregation modeling.
For more information visit: https://www.symantec.com/solutions/insurance