Healthcare organizations are extremely vulnerable to cyber threats because of the valuable nature of the data they collect. Cyber criminals can generate more profit selling static healthcare information on the dark web than they can selling payment card information, because the window of opportunity (before fraud is flagged and details are changed) is often much greater.
The increasing migration of healthcare data outside of organizations (to cloud providers, connected devices, patient portals, etc.), as well as the increasing reliance on electronic systems and processes, is further expanding the healthcare industry’s cyber exposure landscape.
A new frontier of cyber risk causing headaches for the healthcare industry revolves around Internet of Things (IoT)-connected medical devices and what happens when those devices are impacted by a cyber issue.
“Medical device protection is becoming a very important topic of conversation in the healthcare industry,” said Adam Cottini, managing director of Gallagher’s cyber liability practice. “One area we’re looking at is what can be done to overlay security on connected healthcare devices.
“There’s lots of discussion at the moment about new generation anti-virus, which is behavioral-based rather than signature-based, and uses machine-learning algorithms to detect behavioral anomalies within a system. That has been tried and tested for computer systems as a whole, but it’s very important to see how it can be attached to medical devices to protect them further.”
A key question when it comes to connected medical devices is: who should provide indemnity when something goes wrong? The chain of responsibility relative to medical device provision is quite complex. A primary area of debate is whether a medical device should be categorized as a medical provision of service or a technological provision, whereby the creator or re-seller of the technology will hold more accountability.
“One area we try to drill down on is whether or not the healthcare organization can get some form of indemnity from the technology product provider,” Cottini told Insurance Business. “At the end of the chain, [indemnity] tends to be a conversation about ‘who is your end client?’ For a healthcare organization with an end client receiving some sort of connected medical device, we would look to see if the technology provider would offer indemnity to the healthcare organization to get them more comfortable with that purchase.
“In reality, there’s not a lot of that going on right now. There’s a lot of acceptance of technology without a huge pushback on indemnity. Sometimes the product provider is unwilling to offer indemnity because they’re widely exposed and don’t want to take on the risk, and sometimes they’re actually unable to offer indemnity because they don’t have the scale.”
Another emerging conversation revolves around what happens if a cyberattack-related technology flaw results in bodily injury or property damage. This touches on many grey areas across multiple insurance policies and is causing confusion around potential claims.
Cottini advises insurers, brokers and claims adjusters to be holistic and open-minded in their approaches to this risk, just like the cyber liability team at Gallagher.
“We know that not every concern stemming from a cyberattack will be covered under a traditional cyber policy,” he said. “That’s why we’re taking the added steps to do gap analysis and look at all policies purchased to figure out where coverage might fall when a cyber event happens.”