Last Monday morning, I logged into my computer to find an urgent email from a hedge fund in London, asking me to provide “expert consulting” on a cyber security matter. The email felt like a sales pitch or possibly a scam, but was personalized enough that I decided to politely respond and decline, saying that I did not have the expertise they appeared to be seeking.
Several hours later, another urgent email appeared with a similar request. Assuming it was from the same organization, I forwarded my earlier reply. Moments later, my phone rang. Turns out this second email was from a different firm, but they were indeed seeking my “expert consulting” on a cyber liability issue. The caller worked for a firm that represented a short seller, and they were looking to invest in a medical device manufacturer facing a serious cyber security issue. “I’m sure you’re aware of the crisis at St. Jude?” asked the caller.
I wasn’t, but a few clicks later I had plenty of information. St. Jude Medical manufactures a pacemaker device that generates more than $2 billion in revenue. They are in the process of completing a $25 billion merger with Abbott Laboratories. In August, they were hit with a wave of bad press when short selling firm Muddy Waters and cyber security firm MedSec Holdings released a report claiming that the pacemaker had a security flaw which would allow someone to hack into the device. The report claimed to have demonstrated an ability to shut the pacemaker down remotely. St. Jude attempted to defend itself, arguing that the device had actually responded properly to the attack, and that the shutdown was in fact a defense mechanism.
Whether the security flaw is real is not clear. The damage was done, however. The FDA has announced a “thorough investigation” of the allegations. St. Jude’s stock fell 5% on the news and has not fully recovered, and it is not yet clear if the crisis will impact the pending merger. And a troubling aspect to this story is that the firm exposing the “flaw” in the device was a short seller, who stands to benefit from the stock drop and a failed merger. St. Jude has since sued the short seller for spreading false information in a “willful and malicious scheme”.
As we spoke, I learned that the caller had found my name on the agenda for the May 2016 MEDSec conference organized by the Diabetes Technology Society and OpenSystems Media on the topic of cyber liability for medical devices [note: the MEDSec conference was not related to the MedSec security firm involved in the St. Jude case]. My presentation was focused on the topic of how commercial insurance policies can and should respond to the risk of cyber attacks on medical devices.
Connectivity for medical devices can provide greater convenience – for a doctor to remotely monitor a patient, for new features to be added as soon as they are able, for a patient to adjust a device using a nearby phone or tablet. But those conveniences are accompanied by some scary new scenarios:
As medical devices collect and transmit more data (PHI, or Protected Health Information) about a patient, could someone intercept that data? Who is storing or handling that data? How are they protecting it? Who is responsible for notifying the patient (and regulators) if the data is improperly or accidentally exposed?
Does the increasing complexity of a device create more ways for it to fail? If the network is down or has limited capacity, will the device still function? Will the patient know that the insulin pump is not functioning properly or that their doctor is not getting alerts?
The scenario everyone fears is a malicious attack that causes harm to a patient. In the St. Jude case, the implication was that a bad guy could take control of a pacemaker and cause it to stop working. Hollywood has already explored this exact scenario, and former Vice President Dick Cheney reportedly had the wireless functionality disabled in his pacemaker to guard against a terrorist attack.
As in the St. Jude case, what impact could adverse publicity about cyber risks have on a company? Could it impact M&A activity? Will it lead to a loss of revenue or a severe stock drop? Will the board of directors be sued for “failed oversight”?
Would insurance help? At the MEDSec conference, my goal was to help medical device companies understand how their existing insurance and risk management strategies protected them from these new cyber risks. Key insurance policies to consider include:
- Products Liability policies should protect a medical device maker if a patient is harmed as a result of a cyber attack on their device, but insurers are increasingly asking questions about a device’s cyber risk as part of their underwriting. Companies need to stay on top of this topic, as insurers may start to add new exclusions for cyber exposures if they don’t have confidence in how a company is addressing the risk.
- Cyber Insurance might be important for companies that are storing or transmitting PHI, to address risks related to a data breach. (Refer to our Cyber 101 series for more detail on insurance coverage for data breaches).
- D&O Insurance will respond to lawsuits against directors and officers for failed oversight, but here again, underwriters are starting to ask more questions about how active boards are in managing cyber risk.
One of the great challenges in cyber security is that all organizations need competency in it, not just technology companies. Medical device manufacturers have expertise in medical science — creating technology that solves amazing medical challenges like reminding a weak heart to keep pumping, or delivering insulin to a pancreas that isn’t able to regulate itself. Cyber security may not have been the first priority in designing the device, and adding it after the fact might cause unforeseen complications.
The FDA has stepped up efforts to require manufacturers to identify and address cybersecurity vulnerabilities, both in product design and once devices are in circulation. Their most recent guidance issued in January 2016 outlines their expectations for manufacturers to continually monitor cybersecurity risks and update devices once they have entered the market.
We’ve seen the same challenge for hospitals struggling to update their computer systems to provide secure access to patient records, or retail and restaurant chains looking to secure outdated payment card systems. Cyber security is not their core competency. It’s not easy to hire talented cyber security expertise in the current market. And when attacks happen even at sophisticated technology companies like Adobe and eBay, what hope is there for a non-technology company to secure their systems?
I declined to help the hedge funds and short sellers with their St. Jude question – providing investment advice is not my core competency. But the St. Jude story illustrates that more and more industries have exposure to cyber liability, and the risks go well beyond the data breaches that have been dominating the headlines for the past few years.