On October 1, the U.S. Food and Drug Administration (FDA) issued a warning about the so-called URGENT/11 cybersecurity flaws, which leave certain network-connected medical devices, such as cardiac pacemakers, implantable cardioverter defibrillators (ICDs) or insulin pumps, vulnerable to being remotely controlled by attackers.
The FDA indicated that the devices potentially at risk are those built on IPnet, a third-party TCP/IP networking stack that has been embedded in device operating systems for many years to provide network communication. According to the statement, a successful attack could allow a hacker to remotely change a device's function, cause a denial of service, leak information or trigger logic flaws that could cause the device to malfunction.
Although there have been no reports of such cyberattacks, the FDA pointed to a health risk for patients using one of the affected devices and advised healthcare providers to notify patients of potential risk and address the issue in conjunction with patients and device manufacturers.
Because device manufacturers have deployed IPnet and its components in a wide array of configurations, the Department of Homeland Security (DHS) has been unable to compile a list of affected devices. It has therefore advised manufacturers to evaluate their devices and report to the FDA what cybersecurity risks, if any, they pose.
“This illustrates a scale of digital risk that could not have been foreseen at the time these devices were manufactured,” said Neil Gurnhill, CEO, Node International, London, England. “Companies need to develop these products with security in the forefront of their minds. This is a potentially life or death situation that companies cannot afford to get wrong.”
A growing demand for implanted medical devices
Although estimates vary, The Pacemaker Club, an online community for those living with implanted cardiac devices, reports that 3 to 4 million people worldwide are living with pacemakers or other implanted cardiac devices. According to a June U.S. News and World Report guide to pacemakers, 400,000 pacemakers or ICDs are implanted in patients in the U.S. annually. The Canadian Institute for Health Information reported that 23,380 pacemakers were implanted in patients in Canada in 2017 and 2018.
The use of insulin pumps and glucose monitors has also risen in both the U.S. and Canada. In 2017, more than 30 million Americans and 2.3 million Canadians were living with diabetes. For thousands of those with diabetes, an insulin pump, often paired with a glucose monitor, is a necessary and effective means of monitoring and regulating glucose levels.
Advances in technology have enabled medical devices to transmit vital signs and other data to physicians for remote monitoring. A patient's heart rate can be assessed and the device adjusted when needed to ensure optimal therapeutic benefit and that health benchmarks are achieved. Unfortunately, security flaws in the same wireless links can also allow attackers to take control of devices or access patients' confidential medical data.
“With these medical devices, there is such an inherent bodily injury exposure,” said Erica Rangel, Broker, Burns & Wilcox, Chicago, Illinois. “Device manufacturers and software developers should be cautious and implement a few extra steps or procedures to make sure that there are no glitches in the software used in their devices.”
Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox Canada, Vancouver, British Columbia, stressed that consulting with insurance brokers and agents to identify and assess medical device risks is essential for both manufacturers and software developers. “The biggest tool we have to fight those exposures is awareness of where there might be vulnerabilities that can be fixed,” he said.
Both Rangel and Rose recommend Cyber & Privacy Liability Insurance coverage that includes robust risk assessment and cybersecurity support to help medical device manufacturers and software developers mitigate and minimize cybersecurity exposures. Manufacturers and developers may also benefit from Errors & Omissions Insurance (E&O) coverage to address costs stemming from situations involving alleged negligence or errors in judgment.
Wireless connectivity carries inherent risks
In June, Medtronic, a world leader in medical device manufacturing, issued a product recall of several models of its MiniMed insulin pumps that use radio-frequency (RF) wireless communication to talk to other devices, such as blood glucose meters and sensors. In a letter to affected patients, the company stated that security researchers had identified flaws that could allow someone other than the patient or caregiver to connect wirelessly to the pump, alter its settings and control its delivery of insulin.
Because Medtronic could not provide a software patch to address its pump’s security flaws, the company issued a rare product recall for the impacted models and offered the roughly 4,000 affected patients an upgrade to a model with advanced cybersecurity safeguards.
In March, the FDA issued a safety alert detailing cybersecurity vulnerabilities in the Conexus wireless telemetry technology used in at least 20 models of Medtronic's ICDs and cardiac resynchronization therapy defibrillators (CRT-Ds), as well as in the clinic programmers and home monitors that communicate with them. The Conexus protocol in these models uses no encryption, authentication or authorization, so an unauthorized person within radio range could read from and send commands to the devices. An estimated 750,000 devices may be affected by this security flaw.
In its advisory on the Conexus vulnerabilities, the DHS rated the devices as "exploitable with adjacent access / low skill level to exploit"; however, Medtronic's chief medical officer indicated that an attacker would need to be within 20 feet of an implanted device and have highly detailed information and specialized equipment to successfully access and control it.
Medtronic released a security bulletin reporting that while no individuals had been affected by the Conexus vulnerability, the company was working on security updates to address the flaw. Until that update is approved, the company recommended that physicians and patients use the product as intended.
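To make concrete what "no encryption, authentication or authorization" means for a wireless telemetry channel, the following is an added example, not Medtronic's Conexus protocol or any vendor's code. It models a toy command channel between a programmer, a home monitor and an implanted device: first a variant that acts on any well-formed radio frame it hears, then a hardened variant that requires a per-role HMAC tag, a monotonic counter against replay, and a role-based check on which commands a sender may issue. The frame layout, command codes, key values and tag length are all assumptions made for the illustration.

```python
"""Toy wireless-telemetry command channel, without and with message authentication.
Constructed example: not the Conexus protocol or any vendor's code. Frame layout,
command codes, keys and tag length are assumptions made for this illustration."""
import hashlib
import hmac
import struct

CMD_READ_STATUS = 0x01   # hypothetical command codes
CMD_SET_THERAPY = 0x02

# Authorization policy: which sender roles may issue which commands.
ROLE_COMMANDS = {
    "programmer": {CMD_READ_STATUS, CMD_SET_THERAPY},  # clinic programmer
    "monitor": {CMD_READ_STATUS},                      # home monitor, read-only
}

BODY_FMT = ">IIBH"                      # device_id, counter, cmd, arg (big-endian)
BODY_LEN = struct.calcsize(BODY_FMT)    # 11 bytes
TAG_LEN = 16                            # truncated HMAC-SHA256 tag


class AuthError(Exception):
    pass


class ReplayError(Exception):
    pass


def unauthenticated_handle(frame: bytes, state: dict) -> str:
    """Vulnerable variant: executes any well-formed frame heard on the radio.
    No key, tag or counter, so anyone with adjacent access who knows the layout
    can read status or rewrite therapy settings."""
    _dev, _ctr, cmd, arg = struct.unpack(BODY_FMT, frame[:BODY_LEN])
    if cmd == CMD_SET_THERAPY:
        state["therapy"] = arg
        return "therapy updated"
    if cmd == CMD_READ_STATUS:
        return f"therapy={state['therapy']}"
    return "unknown command"


def build_frame(key: bytes, device_id: int, counter: int, cmd: int, arg: int) -> bytes:
    """Sender side: body followed by an HMAC tag computed under the sender's key."""
    body = struct.pack(BODY_FMT, device_id, counter, cmd, arg)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def authenticated_handle(frame: bytes, state: dict, keys: dict) -> str:
    """Hardened variant: accept only frames with a valid tag under a provisioned
    per-role key, addressed to this device, with a strictly increasing counter,
    whose command the authenticated role is allowed to issue."""
    if len(frame) != BODY_LEN + TAG_LEN:
        raise AuthError("malformed frame")
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    for role, key in keys.items():            # which sender role signed this frame?
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(tag, expected):
            break
    else:
        raise AuthError("no valid tag: unknown sender or tampered frame")
    device_id, counter, cmd, arg = struct.unpack(BODY_FMT, body)
    if device_id != state["device_id"]:
        raise AuthError("frame addressed to a different device")
    if counter <= state["last_counter"]:      # replay or out-of-order frame
        raise ReplayError("replayed or out-of-order frame")
    state["last_counter"] = counter
    if cmd not in ROLE_COMMANDS[role]:        # authenticated but not authorized
        raise AuthError(f"role {role!r} not authorized for command {cmd:#04x}")
    if cmd == CMD_SET_THERAPY:
        state["therapy"] = arg
        return "therapy updated"
    return f"therapy={state['therapy']}"


def demo() -> dict:
    """Run an attacker's forged frame and legitimate traffic against both variants."""
    r = {}
    # Attacker in radio range forges a 'set therapy' frame with no key at all.
    forged = struct.pack(BODY_FMT, 0x1234, 0, CMD_SET_THERAPY, 999) + b"\x00" * TAG_LEN
    weak = {"device_id": 0x1234, "therapy": 60}
    r["unauthenticated"] = unauthenticated_handle(forged, weak)
    r["unauthenticated_therapy"] = weak["therapy"]            # attacker succeeded

    keys = {"programmer": b"programmer-key-demo", "monitor": b"monitor-key-demo"}  # constructed
    strong = {"device_id": 0x1234, "therapy": 60, "last_counter": 0}
    try:
        authenticated_handle(forged, strong, keys); r["forged"] = "accepted"
    except AuthError as e:
        r["forged"] = f"rejected: {e}"
    good = build_frame(keys["programmer"], 0x1234, 1, CMD_SET_THERAPY, 70)
    r["programmer"] = authenticated_handle(good, strong, keys)  # legitimate update
    try:
        authenticated_handle(good, strong, keys); r["replay"] = "accepted"
    except ReplayError as e:
        r["replay"] = f"rejected: {e}"                        # captured and replayed
    mon = build_frame(keys["monitor"], 0x1234, 2, CMD_SET_THERAPY, 80)
    try:
        authenticated_handle(mon, strong, keys); r["monitor_write"] = "accepted"
    except AuthError as e:
        r["monitor_write"] = f"rejected: {e}"                 # monitor may only read
    r["authenticated_therapy"] = strong["therapy"]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened handler does not encrypt the frame, so status values are still readable by anyone in range; the example isolates the authentication, replay and authorization checks the advisory says were absent. In a real device the per-role keys would be provisioned at manufacture or pairing time and the counter state would have to survive resets, which is where much of the engineering difficulty lies.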
Minimizing the impact of cybersecurity flaws
A range of insurance products are available to help medical device manufacturers and software developers minimize their risks. In addition to Cyber & Privacy Liability Insurance coverage to help reduce and mitigate cybersecurity-related risks and damages, Gurnhill noted, E&O Insurance coverage is an essential part of managing the costs related to hardware or software failures.
Cyber & Privacy Liability Insurance policies can also help address financial and legal fallout related to patients’ private medical information. “Even if you had an intruder or hacker who was not looking to manipulate these devices to cause bodily harm, they could still gain access to personal health information,” Rose stated. “From a cyber perspective, that is a big exposure. Once that information is out there, vulnerable people can be manipulated and extorted.”
According to Rangel, Bodily Injury and Property Damage (BIPD) coverage is a beneficial component of a Cyber & Privacy Liability Insurance policy for claims that involve injury or loss of life. She also pointed to costs related to notification, public relations, forensic and monitoring efforts, which may also be covered under a broad Cyber & Privacy Liability policy.
For device manufacturers, broad Product Recall coverage can help to bear the costs of a recall, even those that are lengthy and wide-ranging. “I think for (medical device) manufacturers, product recall is one of the scariest scenarios for the simple reason that there is such an inordinate cost to get such products back,” Rose asserted. In some instances, the costs of a recall have bankrupted companies.
Broad Product Recall Insurance coverage also benefits affected end users and other stakeholders, Rose asserted, by keeping the bulk of costs off manufacturers’ and developers’ balance sheets and allowing them to remain solvent. “Then, thankfully, end users have recourse to get (their device) fixed.”