3D Printing Offers New Risk Challenges
As commercial 3D printing advances from occasional to routine use, the product liability landscape will shift around it. Defective and counterfeit product exposures, among others, will arise for all participants along the manufacturing continuum, industry experts said.
In an adverse incident, said Rob Gaus, product risk leader, Marsh, liability will be apportioned among participants in the manufacturing and distribution stream: product manufacturer, printer manufacturer, software designer, feedstock supplier, distributor (especially if it modifies the product) and retailer (if the manufacturer is not well capitalized). No case law exists yet.
In 3D printing, a computer sends the software containing a product design to one or more printers, which builds the product, layer by layer, from many kinds of materials — plastics, metals, drugs, paints and even human tissue.
David Carlson, U.S. manufacturing and automotive practice leader, Marsh, said 3D-printed products are treated the same as any other new operation that poses new risks.
Underwriters and brokers must first assess the company’s risk management profile and risk appetite. When production, research and development teams look at technology, “they should loop in risk management. Risk management should be part of the continuum, or the company could get into sticky situations.”
The emerging risks include unregulated manufacturing, said Mark Schonfeld, a partner at Burns & Levinson LLP in Boston specializing in business and intellectual property law.
If 3D printing enables production of, say, just 100 hip implants or 100 hearing aids, such work will generally take place outside of a traditional mass-production factory, which is subject to government regulation and inspection.
“Insurance companies like FDA oversight of manufacturing because it makes products safer and helps identify responsibility when things go wrong,” Schonfeld said.
To protect themselves and their clients, Schonfeld advises insurers to keep abreast of technological developments, consult with a creative and knowledgeable attorney about how to address liability exposure, and adjust existing policies to be fair to consumers and prevent injury to the insurance company.
3D printing also raises the risk of counterfeit products, said Peter Dion, line of business director-product liability, Zurich Insurance. The digital “recipe” in the software design, and is vulnerable to capture, he said.
Although there is no encryption mechanism for the software, one solution might be to transfer the digital file in pieces only as they are needed by the printer to prevent capture of the entire design signature, Dion said.
Manufacturers have always struggled with counterfeit products, but 3D printing magnifies the risks because it can slash the time from product development to market-ready product to a matter of hours and requires no molds or prototypes. “Hackers can take the proprietary blueprint or software, send it to a third-world country, and have the product ready for market tomorrow,” said Carlson. “That’s a business disruption issue. Counterfeiters can put a company out of business.”
Drug manufacturers may subvert counterfeiters by adding tracer elements and watermarks to their formulations, which protects their reputations, profits and public health. “If the counterfeiters get the recipe wrong, they might not produce high-quality drugs for public consumption,” Carlson said.
Other manufacturers can also use watermarks and digital rights management (DRM) software to prevent file sharing. Still, Carlson said, counterfeiting is an old problem. “Bad guys have always exploited new technologies for their personal gain.”
The materials used by manufacturers present a greater potential loss exposure than the 3D printer itself, said Dion, noting that it is just another piece of equipment, like a pencil or a lathe.
For example, if a 3D printer is used to replicate a cupcake, the manufacturer should be as careful of contaminants in the mix as traditional bakers need to be. “When 3D printer manufacturers purchase materials from suppliers, they need to perform due diligence on their supplier’s products also.”
Out of Control in the Driver’s Seat
You’re tooling down the highway when suddenly your car’s A/C turns on to full blast. Then the radio fires up and switches to a Hip-Hop station.
You’re startled when the wipers turn on, wiper fluid obscuring your view of the road for a moment.
You’re frantically trying to turn it all off when your car loses power completely, leaving you stranded on a busy stretch of road with no shoulder, a semi closing in fast from behind you.
That sounds a little a scene from a spy thriller or maybe even the “X-Files,” but it happened to the driver of a 2014 Jeep Cherokee as researchers Charlie Miller and Chris Valasek hacked into and took control of it.
The duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.
Miller and Valasek first made headlines in 2013, when they publicized their success hacking into Ford and Toyota models. At that time, they only managed to accomplish the attacks while their PC was plugged into the vehicles’ diagnostic ports.
Only two years later, the duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.
They found they could do it from absolutely anywhere, so long as they had an internet connection. Most disturbing of all, they identified a loophole that could be used to attack multiple cars at once — creating a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.
The team published part of the project online and later demonstrated their “progress” at the 2015 Black Hat conference.
Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get.
After Miller and Valasek published their results, Fiat Chrysler issued a recall for 1.4 million vehicles affected by the vulnerability exploited by the team. The automotive industry has been on high alert ever since, even while they simultaneously boast about models equipped with more and better technology.
Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get. The push toward autonomous vehicles will only increase those vulnerabilities.
“We are a long way from securing the non-autonomous vehicles, let alone the autonomous ones,” said Stefan Savage, a computer science professor at the University of California, San Diego, during an Enigma security conference early this year.
Autonomous isn’t necessarily synonymous with “connected,” however, even for early entrants to the commercial autonomous vehicle space.
Daimler’s Freightliner Inspiration, the world’s first road-ready self-driving truck, “doesn’t rely on ‘connectivity’ or wireless communication to/from the outside world to drive itself,” said Dan Holden, manager of corporate risk and insurance for Daimler Trucks North America.
“Rather, the system is self-contained, meaning it uses production cameras and radars as inputs to determine the vehicle position and keep it centered in its lane. Therefore the Inspiration truck is as secure from a cyber perspective as production vehicles today.”
More Frightening Than Fiction
Until cyber vulnerabilities can be addressed, it doesn’t take a broad stretch of the imagination to see what the future implications could be for this type of attack. Consider a few scenarios:
- The vehicle of a courier transporting sensitive documents is disabled in a remote location, where armed thieves are waiting to steal the documents.
- A high-level executive receives a message alerting him that ransomers have control of his teen daughter’s car — with her in it — and will drive it off of a bridge if he doesn’t pay $10 million in Bitcoin.
- A ring of thieves finds a way into the systems of a trucking fleet’s rigs through its onboard camera system, enabling it to stop the trucks remotely so teams can hijack the cargo.
- An extreme hactivist group decides to “brick” every car in Los Angeles, disrupting businesses and lives until its demands are met.
- An attacker hacking into a commercial truck’s system disables the brakes, sending the truck careening into a school bus in the middle of an intersection.
Keep in mind that even less extreme types of hacking could create vulnerabilities for both individuals and businesses.
Miller and Valasek proved their ability to wirelessly hack a vehicle for surveillance, tracking GPS coordinates, measuring speed, and tracing routes. When a vehicle’s onboard systems are connected to the driver’s smartphone, the smartphone is also at risk for attack, and any data stored in it is fair game, including passwords and credit card information.
Government and Industry Respond
Miller and Valasek’s work is part of what inspired the drafting of an automotive security bill introduced last year. The Security and Privacy In Your Car Act (the SPY Car Act) would require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy.
The bill’s creators surveyed 20 carmakers and discovered that only seven used independent security testing to check their vehicles’ security, and only two had tools in place to stop a hacker intrusion.
Several Japanese companies are working on automotive cyber security technology.
In March, the FBI, along with the Department of Transportation and the National Highway Traffic and Safety Administration, published an advisory on the realities of hackable vehicles and making recommendations to increase security.
Several Japanese companies are working on automotive cyber security technology. Panasonic is developing a device that can detect unauthorized network signals and cancel them out. Fujitsu Laboratories and a researcher from Yokohama National University are developing technology that detect an attack, notify the driver, and encrypt signals to allow the vehicle to be stopped safely.
However these technologies are still five years away from commercial availability, as are fully encrypted next-generation automotive networks.
Transportation companies, their clients and every organization with a fleet of its own should be asking questions about the security of the vehicles that are used in the course of their daily operations — and whether they have cover that will respond if their vehicles fall prey to cyber tampering.
“Having insurance coverage in place that would address bodily injury and property damage is something companies should seriously consider as this risk matures,” said William A. Boeck, senior vice president. and insurance and claims counsel for Lockton’s cyber risk practice.
Advocacy: The Impact of Continuous Triage
In the world of workers’ compensation, timing is everything. Many studies have shown that the earlier a workplace incident or injury is acted upon, the more successful the results*. However, there is further evidence indicating there is even more of an impact seen when a claim is not only filed promptly, but also effective triage is conducted and management of the claim takes place consistently through closure.
Typically, every program incorporates a form of early intervention. But then what? While it is common knowledge that early claims reporting and medical treatment are the most critical parts of a claim, if left alone after management, an injured worker could – and often does – fall through the cracks.
All Claims Paths are Not Created Equal
Even with early intervention and the best intentions of the adjuster, things can still go wrong. What if we could follow one injury down two paths, resulting in two entirely different outcomes? This case study illustrates the difference between two claims management processes – one of proactive, continuous claims triage and one of inactivity after initial intervention – and the impact, or lack thereof, it can have on the outcome of a claim. By addressing all indicators, effective triage can drastically change the trajectory of a claim.
While working at a factory, David, a 40-year-old employee, experienced sudden shoulder pain while lifting a heavy box. He reported the incident to his supervisor, who contacted their 24/7 triage call center to report the incident. After speaking with a triage nurse, the nurse recommended he go to an occupational medicine clinic for further evaluation, based on his self-reported symptoms of significant swelling, a lack of range of motion and a pain level described as greater than “8.”
The physician diagnosed David with a shoulder sprain and prescribed two weeks of rest, ice and prescription strength ibuprofen. He restricted David from any lifting over his head.
By all accounts, early intervention was working. Utilizing 24/7 nurse triage, there was no lag time between the incident and care. David received timely medical attention and had a treatment plan in place within one day.
A critical factor in any program is a return to work date, yet David was not given a return to work date from the physician at the occupational medicine clinic; therefore, no date was entered in the system.
One small, crucial detail needs just as much attention as when an incident is initially reported. What happens the third week of a claim is just as important as what happens on the day the injury occurs. Involvement with a claim must take place through claim closure and not just at initial triage.
The Same Old Story
After three weeks of physical therapy, no further medical interventions and a lack of communication from his adjuster, David returned to his physician complaining of continued pain. The physician encouraged him to continue physical therapy to improve his mobility and added an opioid prescription to help with his pain.
At home, with no return to work in sight, David became depressed and continued to experience pain in his shoulder. He scheduled an appointment with the physician months later, stating physical therapy was not helping. Since David’s pain had not subsided, the physician ordered an MRI, which came back negative, and wrote David a prescription for medication to manage his depression. The physician referred him to an orthopedic specialist and wrote him a new prescription for additional opioids to address his pain…
Costly medical interventions continued to accrue for the employer and the surmounting risk of the claim continued to go unmanaged. His claim was much more severe than anyone knew.
What if his injury had been managed?
A Model Example
Using a claims system that incorporated a predictive modeling rules engine, the adjuster was immediately prompted to retrieve a return to work date from the physician. Therefore, David’s file was flagged and submitted for a further level of nurse triage intervention and validation. A nurse contacted the physician and verified that there was no return to work date listed on the medical file because the physician’s initial assessment restricted David to no lifting.
As a result of these triage validations, further interventions were needed and a telephonic case manager was assigned to help coordinate care and pursue a proactive return to work plan. Working with the physical therapist and treating physician resulted in a change in David’s medication and a modified physical therapy regimen.
After a few weeks, David reported an improvement in his mobility and his pain level was a “3,” thus prompting the case manager’s request for a re-evaluation. After his assessment, the physician lifted the restriction, allowing David to lift 10 pounds overhead. With this revision, David was able to return to work at modified duty right away. Within six weeks he returned to full duty.
With access to all of the David’s data and a rules engine to keep adjusters on top of the claim, the medical interventions that were needed for his recovery were validated, therefore effectively managing his recovery by continuing to triage his claim. By coordinating care plans with the physician and the physical therapist, and involving a case manager early on, the active management of David’s claim enabled him to remain engaged in his recovery. There was no lapse in communication, treatment or activity.
After 24/7 nurse triage is conducted and an injured worker receives initial care, CorVel’s claims system, CareMC, conducts continuous triage of all data points collected at claim inception and throughout the life of a claim utilizing its integrated rules engine. Predictive indicators send alerts to prompt the adjuster to take action when needed until the claim is closed – not just at the beginning of the claim.
This predictive modeling tool flags potentially complex claims with the risk for high exposure, marking claims that need intervention so that CorVel can assign appropriate resources to mitigate risk.
Claims triage is constant – that is the necessary model. Even on an adjuster’s best day, humans aren’t perfect. A rules engine helps flag things that people can miss. A combination of predictive systems and human intervention ensures claims management is never stagnant – that there is no lapse in communication, activity or treatment. With an advocacy team in the form of an adjuster empowered by a powerful rules engine and a case manager looking out for the best care, injured employees remain engaged in their recovery. By perpetuating patient advocacy, continuous triage reduces claim severity and improves claim outcomes, returning injured workers to the workforce and reducing payors’ risk.