Cyber Guidelines Target Medical Devices

Why has the FDA released this new iteration of its cybersecurity regulations?

The FDA really started putting guidance out for the industry—in terms of how to manage cybersecurity threats when you have devices that are connected to the internet—back in the early 2000s. But in recent years, cybersecurity issues have become more in the forefront because, every day, there’s an attack on a healthcare provider who had to shut down. So the FDA asked for an FBI review of a number of industries, and specifically healthcare, to assess cybersecurity vulnerabilities.

What came out of that was an understanding of healthcare institutions and how they’re integrating technology, using all of these connected devices, and then looking at the threat vectors. This created the realization that, while we have great regulations in terms of the safety and the efficacy of medical devices, we really don’t have anything hardwired in place that the FDA can look at and say, “Alright, now we know they’re cybersecure.” That’s becoming a much bigger issue now. With the analysis that the FBI did, it’s easy to see that anybody can hack into this stuff and potentially cause harm—reprogram a pacemaker, change some settings on a radiology machine. All the IV drips run through these new wireless devices so they can be controlled from the nurses’ station. If someone can get in and change these settings to cause harm, either directly to the patient or from a terrorist standpoint, that is a pretty big risk.

What do these new requirements do to help ensure medical device manufacturers create products that are more cybersecure?

Through the Consolidated Appropriations Act of 2023, they put a new section into the Food and Drug Consumer Protection Act addressing this vulnerability. One could say that it’s been a long time coming in terms of addressing some of these vulnerabilities, but I think the time is right for it. That’s what spawned this whole new evolution, which gives the FDA more power in terms of making sure that the devices that are out there are actually secured and will remain secure throughout their life cycle. The FDA said, as of Oct. 1, if you want to release any new device on the market that is wireless or has a way of connecting to the internet to transfer data, you have to “reasonably assure” us that the device is cybersecure. That’s a subjective comment, “reasonably assure.” But the FDA has an 80-page list of all these things manufacturers should endeavor to do to assure them [the FDA] that a device will not only be cybersecure but they can patch it and maintain it after it’s been put in place. Companies have to track it, assess it and patch it through the life cycle of the entire device.

I would think this could mean a lot of money that device manufacturers will have to spend on cybersecurity, correct?

Yes. If I’m a company making an insulin pump, my focus is always on making a better insulin pump—one that does everything better than my competitor. But I’m not necessarily focused on it being the most cybersecure insulin pump in the marketplace. So I’m not putting as much effort behind that part of it as I probably should. But now the FDA can refuse to accept any device that they claim is not cybersecure.

That will cause a lot of companies to take a step back and say, “I’m developing these things, but how do I make sure I have a product that is sellable before I put $100 million into development? How do I make that money work the right way?” A lot of the time you have to look at redesigning your whole development plan for that. Some companies might be so small they may have one person who understands, like their IT guy, but they don’t necessarily have a troop of cybersecurity experts that understand it. I read something that said between 2020 and 2025 the average cost of cybersecurity will go up 15% on average, for the entire world, every year. In certain industries like healthcare, I can see that being a lot more.

What kind of impact could that have on costs in the rest of the market?

I don’t think companies are going to eat that money. I also don’t think it’s going to stand out enough that you can say your healthcare costs went up X percent because of this regulation. I think it will just be swept up in the totality of it all. We’re in an inflationary market right now, and I still talk to clients who struggle to get the raw materials they need to make their products. That has had an indirect cost on everything. This is just one aspect of a multitude of things that’s just going to keep feeding that machine, unfortunately. One could hope that making the switch now costs a bit more but that, down the line, it should balance out because we’re not seeing as many hacks or issues we otherwise would have.

If these changes are on devices coming to the market now, could healthcare organizations choose to keep ones they have and not incur some of the costs of newer devices?

I think that’s going to be interesting to see how that plays out. In the new appropriations act, there was nothing that deals with the existing devices that are already in the market. There wasn’t a time frame to phase out old devices. So, if I’m a healthcare institution, do I spend the tens of millions of dollars to update all of these things that I already have if I don’t have to? But then if I don’t update and am hacked, there’s going to be a cost that comes from that. If a hospital did have a big event and people were injured, someone could say the hospital specifically kept devices that were not as maintained as the new regulations so they created an environment that caused someone bodily injury. And then they could sue in civil court for that.

Should hospitals or device makers be thinking about different insurance coverage to cover these kinds of scenarios?

One of the biggest issues that we’ve seen is looking at what insurance coverage exists and for what. These companies are taking on risk by developing products and selling them. But the insurance risk gets a little muffled when you look at your traditional casualty coverage or your product liability coverage or even your E&O coverage. Then you have your cybersecurity coverage over here. They try to dovetail each other, but it leaves an area in that middle ground; if I have a bodily injury as a result of a cyber attack, is that going be covered under my product?

There are gaps now in the industry for cyber coverage in healthcare?

What we’ve been doing at Beazley is thinking about that. We have a big cyber unit, and we’re also really big in the healthcare field. So we’ve been combining those sectors and looking at how to create a product that’s backfilled to make sure there’s no gray area in terms of coverage.

What are the issues out there, and what kind of products should brokers be looking for that can mitigate risk from the cyber and health sides?

We created one product called Virtual Care for telemedicine risks. Interestingly enough, we developed it about two years before the pandemic hit, so it was the perfect time to get that product up and running. That product caters to the cyber aspect of telemedicine, where the transfer risk is different because of different regulations and laws around how doctors should and should not engage with patients without seeing them in person.

Beazley has a very big cyber presence as well with our Beazley Breach Response Team that jumps in when our clients have a breach. There is a coverage gap that we can see because we’re being asked to help with risks from our clients. A lot of the time, people come to Beazley for our ability to create cover where none otherwise exists. We were starting to get asked to create these coverages for a cyber incident and bodily injury in concert with other products and policies that exist out there. About a year ago, we launched our life sciences product we call WellTech. It does the same as our Virtual Care product, but it’s built off of our platform that we write for life science companies that are making the medical devices or coming up with technology-driven platforms to analyze the metadata out of an MRI machine or the wearables and things of that nature.

This kind of product integrates the cyber and health sides into one?

We linked third-party cyber on a cyber policy. You can also get it on our policy as well. When you have companies selling platforms that they create and develop as a service, if there’s a breach, was it a result of your product or your service? Or was it a result of the client not implementing it right? Who’s responsible? Our E&O is written to cover not just the product and services but the technology related to E&O claims that might come up that would rarely have been covered beforehand.

How has WellTech been received so far? Do brokers see a need for it among their clients?

Right now, the buy-in is coming from brokers that straddle both worlds or are a little bit more generalist. In life sciences, you often see brokers that are siloed and don’t deal with something like cyber, which goes elsewhere. It is difficult to understand, and it requires a broker audience that’s broader that doesn’t just say, “Oh, I’m a casualty broker.” Brokers need to be really adept at looking at what kind of products they’re suggesting for their clients in this space.

Bringing this product out, we also wanted to educate brokers that they shouldn’t assume cyber might be covered somewhere else and leave other brokers to deal with that. They don’t know whether there’s necessarily a gap in there that they could fill. If I were a broker, I would love an integrated product where I could reasonably see A to Z how it works. If something happens and you shrug your shoulders and think you did everything you could have done, then you’re not really servicing your client. It’s all about making sure you are building relationships with clients, giving them good products, and making sure they work the way you intend them to. That’s literally the triad of making sure you have a good business model in place.