When cyber risk meets healthcare



When cyber risk meets healthcare | Insurance Business America















53% of connected medical devices in hospitals have known critical vulnerabilities


Cyber

By
Nicole Panteloucos

In our increasingly connected world, the Internet of Things (IoT) links everything from household appliances to critical medical devices. While this connectivity enhances patient care, it also exposes healthcare systems to cyber threats.

Threat actors can exploit vulnerabilities in medical devices, such as pacemakers and insulin pumps, or breach hospital records and health-tech systems, putting confidential patient data at risk. This not only endangers patient safety but also threatens the well-being of already vulnerable populations.

The FDA once recalled nearly 500,000 pacemakers due to concerns that lax cybersecurity could allow hackers to drain the devices’ battery power or alter patients’ heartbeats. Recently, software vendor Change Healthcare, a subsidiary of UnitedHealth Group, experienced a breach that compromised a substantial amount of personally identifiable patient and health information, with estimated costs reaching $2.3 billion.

Given this escalating risk landscape, cyber insurance is an increasingly crucial safeguard to protect both patients and providers.

The risk of aging hospital infrastructure

Discussing the threat of hackers gaining access to medical devices and causing harm to patients, Kirstin Simonson (pictured left), cyber lead for technology and life sciences at Travelers, confirmed that while this risk is likely to grow over time, aging infrastructure in hospitals remains a more pressing concern.

Simonson specifically noted that MRI machines are among the most vulnerable to current cybersecurity threats.

“MRIs are very costly for hospitals to replace, so many institutions continue using this capital-intensive equipment for extended periods before upgrading,” she said. “Given the age of these devices, they may lack essential software patches or updates once they reach the end of their lifecycle, which creates significant vulnerabilities.”

Highlighting this risk further, in a report published on the FBI’s Internet Crime Complaint Centre (IC3) it was shared that about 53% of all connected medical devices and other IoT devices in hospitals had known critical vulnerabilities. 

The IC3’s report also cited a statistic that found more than 40% of medical devices are at the end-of-life stage, offering little to no security patches or upgrades.

The importance of supply chain management

Jennifer Ampulski (pictured right), assistant vice president and life sciences practice lead at Travelers, emphasized that addressing cyber risks in life science and medical fields requires not only evaluating vulnerabilities in equipment but also assessing risks throughout the entire supply chain.

Specifically, when advising clients on best cyber hygiene practices, brokers should encourage hospitals, pharmacy chains, and outpatient clinics to closely evaluate the cybersecurity practices of their partners. The importance of this approach is highlighted in a recent report from Data Theorem, which revealed that over 91% of North American organizations surveyed had experienced a software supply chain incident in the past 12 months.

“What happens if a vendor supplying your client’s medical device equipment, or component parts experiences a cyber event? It’s crucial to ensure your clients have backup suppliers and understand how such disruptions could impact their business and obligations,” warned Ampulski.

“A key step agents and brokers can take is ensuring that not only are their clients’ cyber policies robust, but that security requirements are also embedded in the vendor proposal process, ensuring that clients’ partners adhere to high standards,” Ampulski continued.

How brokers can guide life sciences clients on cybersecurity

In addition to helping clients address risks beyond their own operations by mitigating supply chain vulnerabilities, brokers can employ several strategies to enhance cyber protections for clients in the medical and life sciences sectors:

  • Utilize carrier resources: Often, insurance carriers provide simple checklists and tools to guide both agents and insureds. Take advantage of these resources to help navigate and strengthen your clients’ cybersecurity practices.
  • Address common cyber coverage myths: Simonson noted that many clients mistakenly believe that issues related to compromised equipment always fall under property insurance. It is crucial for brokers to clarify that such incidents can fall under a cyber insurance policy if the peril is classified as a cyber event.
  • Leverage FDA guidelines: The life sciences industry is highly regulated, with many medical devices governed by the FDA. Given this regulatory framework, it’s important for brokers and agents to work closely with life sciences companies to ensure that their cybersecurity practices align with these regulatory requirements to avoid legal repercussions.

Related Stories