Cyber Risk Gets Tangible: FDA Guidance on Cyber Security in Medical Devices

December 10, 2019

Cyber Liability

It’s no secret that cyber security threats have been increasing around the globe in recent years. While the fallout from most cyber attacks is focused on intangible assets such as data and interruption to business operations, it is a matter of time before the rise of internet-of-things (IoT) devices brings the risk to the physical world. This is becoming an acute risk in the medical device market, as recently demonstrated in the recall of Medtronic insulin pumps due to cyber security concerns.

Medtronic’s Cyber Security Recall 

In June 2019, the FDA warned patients of cyber security vulnerabilities in Medtronic MiniMed insulin pumps and in other devices used with these pumps. Although the FDA noted that it was not aware of any patients actually affected by the vulnerability, it still issued the warning because of the potentially life-threatening consequences of the risk. The insulin pumps contained software that opened a wireless connection so that a user could send and receive insulin-level data between the pump, the monitoring system, and a nearby computer or phone; increase or decrease the amount of insulin delivered at any one time; and share information with healthcare providers. The FDA's concern was that a malicious third party could use that same connection to change the settings on the insulin pump, resulting in potentially dangerous bodily injury to the patient.

The FDA is concerned that, due to cyber security vulnerabilities identified in the device, someone other than a patient, caregiver, or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.

FDA Draft Guidance on Cyber Security in Medical Devices

With the increase in digitally enabled and interconnected medical devices entering the market, we have to ask: could your medical device come with a cyber security warning? It’s possible. Under the Draft Guidance posted by the FDA, the labeling requirements on medical devices, which must outline intended use and warnings, may soon include a list of 14 network and security-related warnings.

That makes sense when we consider the trend in the number of connected devices. At a recent medical device conference, 40% of the companies pitching investors had a degree of connectivity embedded in their device that would have pushed them into the proposed Tier 1 category, classifying them as "High Cyber Security Risk." That tier covers devices ranging from remote patient monitoring to microcomputers implanted in vital organs.

When to Assess Your Cyber Security

In the past, cyber security assessments were on a company’s radar as they approached commercialization. Now, as a best practice, the cyber risk assessment on any new product offerings should take place throughout the product development lifecycle, and certainly before a company approaches the FDA for 510(k) clearance. The guidance applies to premarket submissions for devices that contain software (including firmware) or programmable logic as well as software that is a medical device.

To make it easy for consumers to understand, the FDA is taking a bold and proactive stance on the diligence they want to see on all devices coming to market, assigning a cyber risk tier to every medical device company looking for pre-market approval. While the FDA’s recommendations are not “statutory” or required in most cases, the draft documentation makes it clear that all medical device companies considering a pre-market submission cannot expect to be granted approval without performing a full cybersecurity risk assessment. 

Where Coverage Lies

The Medtronic example at the beginning of this blog post illustrates an evolving threat. Up to this point, concerns about cyber vulnerabilities in medical devices centered on cyber-related bodily injury and property damage (BIPD). One traditional example would be a hospital system being breached, leading to a shutdown. The hospital would be unable to remotely monitor patients, and as a result, lifesaving treatments would not be administered. If, during that same period, a handful of patients slipped into insulin-induced comas or died, their bodily injury (and the reparations their family members would seek) could be attributed to cyber-related BIPD.

This traditional way of thinking about cyber liability in medical devices is complicated. While coverage for cyber-related BIPD liability is necessary, cyber and privacy insurance policies typically exclude coverage for liability resulting from direct bodily injury and property damage caused by cyber intrusions. To further complicate the matter, in recent years the hospital in our example may have been afforded coverage for claims of this nature through "silent cyber": traditional insurance policies such as property, general liability, or directors and officers insurance that are silent on whether they will cover the consequences of a cyber attack. However, as the frequency and severity of cyber claims continue to grow, the policies that had silently assumed this coverage are beginning to explicitly exclude cyber-related claims. Fortunately, there are insurance brokers to help navigate the nuances in this rapidly changing space.

As the threat grows not only against companies, but directly against consumers with electronically enabled or interconnected medical devices implanted in their bodies, so does the diligence required of the medical device community and its overarching regulators.

What You Can Do Now to Address Your Risk

While a full software and cyber risk assessment may seem daunting for a pre-market company, there are resources that the insurance market, among others, offers as solutions. At Woodruff Sawyer, we provide guidance through the cyber risk assessment offerings available through our Cyber Services Network, or through true risk transfer in the products liability or cyber liability insurance markets. A proactive stance on this evolving cyber threat will pay off in the long run. At the end of the day, it's easier to build a company on a stable foundation than it is to repair the cracks and vulnerabilities that are inevitably exposed through growth and commercialization.

All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Rachel Miller

Associate Producer, Commercial Lines (Management Liability and P&C)

In her current role at Woodruff Sawyer, Rachel is responsible for developing new client relationships and presenting risk management solutions to decision makers.

415.402.6653

LinkedIn