Implantable Devices: Medical Devices Open to Cyber Threats
SCENARIO: Pay off an anonymous hacker or face the possibility that patients with implantable defibrillators would die. That was the dilemma facing Janet Smith, CEO of Midtowne Community Hospital.
Too late she found out that the computer system of one of the surgical practices employed by the hospital was hacked. It was a simple enough operation. One unthinking click by the administrative staff on a link in an official-looking email, and the system was surreptitiously compromised.
The back-door access to the computer system provided the hackers with a treasure trove of unencrypted patient data including name, medical history, type of medical device implanted, and models and serial numbers of the devices.
While the hackers had a selection of devices to choose from — pacemakers, insulin pumps, cochlear hearing implants, blood glucose monitors and deep brain stimulators, among others — they targeted patients with implantable cardiac defibrillators (ICDs), which monitor heart activity and deliver an electrical shock to the heart to restore normal rhythm.
The ICDs were designed to be wirelessly connected to external wands and ICD programmers. Data collected in the wands was downloaded to the IT system in the surgical practice so the physicians could review and manage each patient’s medical problems.
The RFID-enabled wands were supposed to be unidirectional, but the hackers reverse-engineered the link after determining the radio frequency used and the engineering specifications of the ICDs and wands, which they found online — mostly in the technical and user manuals published by the manufacturers.
Each of the ICDs contained a small computer chip similar to those found in smart thermostats, televisions and refrigerators, all of which have been hacked recently to send out spam or just annoy users.
The hackers planted code in the IT system of the surgical practice so that whenever information was exchanged with the ICDs, malicious commands were slipped into the traffic; those commands could induce a fatal heart arrhythmia through the patients’ own defibrillators.
It only required the hackers to trigger the code to activate it. And that’s what they threatened to do if the ransom was not paid.
While the extortion scheme was similar to the ‘Cryptolocker’ shakedown — which locks organizations out of their own files, forcing them to pay for access — this ICD threat offered a much more deadly outcome. And there was no positive outcome that Smith could see.
ANALYSIS: The hacking threat to implantable cardiac defibrillators has been known since at least 2008, when a team of university researchers reverse-engineered an ICD’s communications protocol and showed that they could reprogram the device and change how the defibrillator operated, including its therapy settings.
Kevin Fu, an associate professor at the University of Michigan, who was on the team and is a leader in the field of device security research, likened implantable medical devices to unlocked cars during a presentation at Dartmouth University.
“There are people, if given the chance, who will cause harm and we shouldn’t just leave our doors unlocked,” he said.
While hacking is usually done for financial reasons, there have been instances where physical harm was intended, he said, mentioning an attack seven years ago on an epilepsy support group website, where hackers embedded flashing animation that induced seizures in those using the site.
“I think it would be naïve to ignore the fact that some of these people exist so we need to at least have a certain level of protection against this kind of maliciousness,” Fu said.
Michael Thoma, vice president, chief underwriting officer, global technology at Travelers, said he was “not aware of any actual claim or incident beyond what is available in the literature that it can be done.”
“When you stop to think about the environment we are heading into — where hospitals are completely relying upon electronic medical records that are integrated to control medical devices in hospitals and obtain information back from the devices — the scenario exists that something like that could happen.
“You read all the time about attempts to attack all sorts of institutions, and hospitals are not immune to that. When you think about the ‘Cryptolocker’ scenario, not only could it bring a hospital to a complete standstill, but the reputational harm would be huge.
“It would make what happened in Dallas after Ebola at that hospital look minor,” he said.
‘A Hard Line to Cross’
“At the end of the day,” said Todd Lauer, vice president, medtech division, OneBeacon Technology Insurance, “you can sum it up in one sentence: Anything is possible for a determined hacker.”
Even so, he doubts most hackers would target the devices. “Most hackers are not looking to cause bodily injury,” he said. “They are looking to extort money from large corporations. That’s crossing a line. To cause bodily injury or death, that’s a hard line to cross.”
That leaves the possibility, however, that it could become a focus for terrorists looking to create panic and death, Lauer said.
Experts noted that as of now, hacking of implantable devices is only being done by researchers, universities and hackers who identify and expose security weaknesses.
Mark Wood, president and CEO of LifeScienceRisk, a series of RSG Underwriting Managers, acknowledged that it was “theoretically possible … . Am I aware that it’s happened? I have not yet seen a claim or a report that it’s happened.
“We are talking about something that certainly is possible, but it’s not an exposure that keeps me up at night as an underwriter.”
It’s more likely that instead of the sophisticated scenario portrayed above, hackers would simply use RFID to jam the devices with a denial-of-service attack, said Jerry Irvine, CIO of Prescient Solutions, who is also on the National Cybersecurity Task Force.
“They could basically overburden it so much that it can no longer react, so people will die or equipment will malfunction or give an overdose of medication,” he said.
“That’s the easiest thing you can do. You can do that from 100 to 300 yards away with targeted antennas or high-powered antennas. These are things that are not difficult to do.”
In addition, researchers have noted that many hospital IT systems lack cutting-edge cyber security.
“Unfortunately, computer security in many hospitals and similar providers reminds me of the very early days of computer security when security was the domain of system administrators and network security types,” said Gary McGraw, chief technology officer at software security consultancy Cigital Inc., in an article on SearchSecurity.com, a site of “Information Security” magazine.
McGraw likened hospital network security administrators to “plumbers who make sure that infrastructure is properly designed and operates smoothly. Generally speaking, though they are certainly important, plumbers are not very strategic thinkers and neither are system administrators.”
Federal Government Action
In 2012, the U.S. Government Accountability Office found that in controlled settings that did not involve actual patients, security researchers “recently manipulated two medical devices with wireless capabilities — a defibrillator and an insulin pump, a type of infusion pump — demonstrating their vulnerabilities to information security threats.”
It concluded that implantable medical devices (IMDs) are “susceptible to unintentional and intentional threats … . Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls.”
The report also noted that the “growing use of wireless capabilities and software has raised questions about how well [IMDs] are protected against information security risks, as these risks might affect devices’ safety and effectiveness.”
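The GAO finding that unauthorized setting changes follow from a lack of appropriate access controls is easiest to see in code. The toy below is an added example, not any manufacturer’s protocol and not code from the GAO report or the 2008 research: the frame layout, opcodes, device id and device key are invented for illustration. It contrasts a command handler that acts on any well-formed frame (once the format is public, anyone with a radio can reprogram the device) with one that requires an HMAC under a per-device key and a fresh counter, so a frame built from published manuals alone is rejected and a captured legitimate frame cannot be replayed.

```python
"""Toy implantable-device command channel: unauthenticated vs. authenticated.

Added example. The frame format, opcodes, device id and key below are
hypothetical and constructed for illustration only.
"""
import hashlib
import hmac
import struct

# Hypothetical wire frame: device id (4), counter (4), opcode (1), argument (2), big-endian.
FRAME_FMT = ">IIBH"
FRAME_LEN = struct.calcsize(FRAME_FMT)  # 11 bytes
TAG_LEN = 32                             # HMAC-SHA256 tag appended by the programmer
OP_READ_STATUS = 0x01
OP_SET_SHOCK_ENERGY = 0x02               # a therapy setting, the dangerous one

# Constructed sample values. In a real design the key is provisioned per device at
# implant time and is never something that can be found in a published manual.
DEVICE_ID = 0x0000BEEF
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Device:
    """Minimal device state: one therapy setting plus the last accepted counter."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.shock_energy_j = 30
        self.last_counter = 0

    def apply(self, opcode, arg):
        if opcode == OP_READ_STATUS:
            return ("status", self.shock_energy_j)
        if opcode == OP_SET_SHOCK_ENERGY:
            self.shock_energy_j = arg
            return ("set", arg)
        return ("unknown", opcode)


def pack_frame(device_id, counter, opcode, arg):
    return struct.pack(FRAME_FMT, device_id, counter, opcode, arg)


def sign_frame(key, frame):
    """What a legitimate programmer holding the device key sends."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()


def legacy_handle(device, wire):
    """No access control: any syntactically valid frame for this device is executed."""
    if len(wire) < FRAME_LEN:
        return ("malformed", None)
    device_id, _counter, opcode, arg = struct.unpack(FRAME_FMT, wire[:FRAME_LEN])
    if device_id != device.device_id:
        return ("ignored", None)
    return device.apply(opcode, arg)


def authenticated_handle(device, wire):
    """Access control: verify the tag first, then reject stale counters (replays)."""
    if len(wire) != FRAME_LEN + TAG_LEN:
        return ("malformed", None)
    frame, tag = wire[:FRAME_LEN], wire[FRAME_LEN:]
    expected = hmac.new(device.key, frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return ("rejected", "bad tag")
    device_id, counter, opcode, arg = struct.unpack(FRAME_FMT, frame)
    if device_id != device.device_id:
        return ("ignored", None)
    if counter <= device.last_counter:            # replayed or reordered frame
        return ("rejected", "replay")
    device.last_counter = counter
    return device.apply(opcode, arg)


def demo():
    """Attacker knows the frame format (from manuals) but not the device key."""
    attacker_frame = pack_frame(DEVICE_ID, 1, OP_SET_SHOCK_ENERGY, 0)

    legacy = Device(DEVICE_ID, DEVICE_KEY)
    legacy_result = legacy_handle(legacy, attacker_frame)          # accepted: energy set to 0

    hardened = Device(DEVICE_ID, DEVICE_KEY)
    unsigned = authenticated_handle(hardened, attacker_frame)        # wrong length
    forged = authenticated_handle(hardened, attacker_frame + bytes(TAG_LEN))  # bad tag

    legit_wire = sign_frame(DEVICE_KEY, pack_frame(DEVICE_ID, 1, OP_SET_SHOCK_ENERGY, 20))
    legit = authenticated_handle(hardened, legit_wire)               # accepted once
    replay = authenticated_handle(hardened, legit_wire)              # same frame again: rejected

    return {
        "legacy": legacy_result, "legacy_energy": legacy.shock_energy_j,
        "unsigned": unsigned, "forged": forged, "legit": legit, "replay": replay,
        "hardened_energy": hardened.shock_energy_j,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. The tag is only as good as the key provisioning: if the key is derived from something printed in a manual or stored unencrypted on the practice’s IT system (as the patient records are in the scenario above), the check buys nothing. And the same check that blocks the attacker blocks an emergency-room programmer that does not hold the key; how to grant emergency access without reopening the hole is a design question this toy does not answer.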
The GAO report prompted a review by the U.S. Food and Drug Administration, which two years later, in 2014, issued guidance to help manufacturers manage cyber security risks in medical devices.
“There is no such thing as a threat-proof medical device,” Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, said at the time. “It is important for medical device manufacturers to remain vigilant about cyber security and to appropriately protect patients from those risks.”
Top concerns included malware infections on network-connected medical devices or computers, smartphones and tablets used to access patient data; and failure to provide timely security software updates or patches to devices or networks.
The guidance recommended to manufacturers that they consider cyber security risks as part of the design and implementation of medical devices, and submit documentation to the FDA about the risks they identified and the controls put in place to mitigate those risks.
It also recommended that manufacturers submit plans for providing patches and updates to operating systems and medical software.
Still, said Jay Radcliffe during a presentation at the 2013 Black Hat Conference, cyber security concerns have not been cited by the FDA as a reason for rejecting any implantable medical devices.
And, said OneBeacon’s Lauer, patching implanted devices is difficult, as it often requires surgery.
Manufacturers rarely seek to enhance devices via patching because it requires “an onerous regulatory process” with the FDA, said Tam Woodron, a software executive at GE Healthcare, in an article in “MIT Technology Review.”
The article also noted that reporting of incidents is not required by the FDA unless a patient is harmed.
A study by researchers at MIT and the University of Massachusetts at Amherst found that millions of people have wireless implantable medical devices, and about 300,000 such IMDs are implanted every year. Such a device can remain in use for up to 10 years.
Wood of LifeScienceRisk said that if a device malfunctions and results in bodily injury, regardless of the reason, there would likely be an allegation of product liability.
“There wouldn’t be any limitation, at least in the coverage we write, about whether a software error created the problem,” he said. “The malfunction in and of itself would trigger coverage if it caused bodily injury.”
If a carrier’s coverage did exclude software issues, the insured’s E&O policy would probably be triggered, he said.
As for who would be involved in such a claim, the list could be a long one, including the hospital, physician, caregivers, device manufacturer, Internet provider, cloud provider, and anyone who provided consulting services to anyone involved in the process, plus all of their insurance companies.
Lauer noted that when claims involve device manufacturers, a U.S. Supreme Court ruling prevents plaintiffs from relying on state negligence or liability law; the High Court held that such state laws cannot override federal law and the FDA’s safety determinations.
“The exposure is going to be different for any set of facts,” Wood said. “The more complicated the loss scenario, the more potential for coverage issues in trying to figure out whether and how a claim should be covered.”
Complete coverage of 2015’s Most Dangerous Emerging Risks:
Corporate Privacy: Nowhere to Hide. Rapid advances in technology are ushering in an era of hyper-transparency.
Implantable Devices: Medical Devices Open to Cyber Threats. The threat of hacking implantable defibrillators and other devices is growing.
Athletic Head Injuries: An Increasing Liability. Liability for brain injury and disease isn’t limited to professional sports organizations.
Vaping: Smoking Gun. As e-cigarette usage rises, danger lies in the lack of regulations and unknown long-term health effects.
Aquifer: Nothing in the Bank. Once we deplete our aquifers, there is nothing helping us get through extended droughts.
Most Dangerous Emerging Risks: A Look Back. Each year since 2011, we identified and reported on the Most Dangerous Emerging Risks. Here’s how we did on some of them.
Insurer Has Duty to Defend Marker Maker
On April 25, 2012, Too Market Products Inc. filed suit against Creation Supply Inc. in U.S. District Court in Oregon.
In its lawsuit, Too Market alleged trademark infringement, violation of trade dress (the image or appearance of the product), and unfair competition against Creation Supply, when it imported and sold a competing line of markers in a similar shape. Too Market sought a permanent nationwide injunction against the sale of Creation Supply’s markers.
Creation Supply sought a defense from Selective Insurance Co. of the Southeast, which had issued it a business owners’ policy on Aug. 19, 2011. The policy excluded personal and advertising injury “arising out of infringement of copyright, patent, trademark, trade secret or other intellectual property rights.”
The exclusion related to the “use of another’s advertising idea in your ‘advertisement.’ ” But it did not apply to infringement “in your ‘advertisement,’ of copyright, trade dress or slogan.”
The trial court ruled Selective had a duty to defend, while rejecting allegations of breach of contract and bad faith. The insurer appealed the case to the Appellate Court of Illinois, First Judicial District. A Feb. 9 ruling upheld the lower court decision.
The appeals court ruled that retail store displays of that type of marker, in which the “shape and design of the marker is prominently displayed” constituted an advertisement under the policy.
Scorecard: Selective must defend Creation Supply in a trademark infringement case.
Takeaway: While the court ruled the in-store display was an advertisement, the opinion warned that its conclusion “does not mean that all retail product displays constitute advertising activity … .”
Claims Following Explosion Are Denied
On Dec. 7, 2009, a large pressure chamber used to grow synthetic quartz crystal exploded, throwing a four-ton fragment hundreds of feet. Other flying debris killed a man walking to his truck one-quarter mile away.
The owners of the pressure chamber, NDK America and NDK Crystal Inc., knew of concerns with the pressure chambers, which had shown signs of cracking, and of likely further cracking, when the contents were under pressure of 29,000 pounds per square inch.
Two years earlier, when NDK was in litigation with EPSI, the designer and manufacturer of the pressure chamber, EPSI and one of NDK’s experts warned against continued operation of the pressure chambers without performing inspections. As part of that litigation, NDK alleged that the pressure chambers, known as autoclaves, “were defectively or negligently manufactured and showed signs of cracking and leaking.”
That case settled a few months prior to the 2009 explosion. After the explosion, Nipponkoa Insurance Co., Ltd., which had issued an “all risk” property insurance policy to NDK, filed suit, seeking a declaratory judgment that the policy did not cover the insured’s property or business interruption losses because it had been warned about the possibility of an explosion but continued to use the autoclaves anyway.
Thus, it argued, the explosion was not “fortuitous,” and that the autoclaves were not damaged by the explosion because they were valueless.
NDK argued that defects and cracking were not the cause of the explosion, and that its insurer acted with bad faith and breached its insurance contract.
The U.S. District Court for the Northern District of Illinois ruled that the explosion, while possible, was not inevitable and thus was a “fortuitous” event. However, the court also ruled that the autoclaves were “inherently dangerous and defective,” and that NDK provided no evidence that the machinery had any “actual cash value” other than as scrap metal.
In fact, it noted that the company argued in the earlier litigation against EPSI that the autoclaves were “unreasonably dangerous and defective … and were in need of replacement.”
The court also ruled that business interruption losses were not covered because the expected profits submitted by NDK were “an ‘expected’ or target goal, and not an actual projection of profits.”
Scorecard: Nipponkoa did not have to pay nearly $10 million for the autoclaves or for any business interruption losses.
Takeaway: As long as the explosion was merely a risk, even if a heightened risk, it was an insurable event.
Claims-Made Reporting Requirement Upheld
On Dec. 23, 2009, attorney Thomas Aul was notified by clients Melissa and Kenneth Anderson that they were “dissatisfied” with the legal representation he offered in the Andersons’ purchase of a commercial property in Delafield, Wis.
In a letter to Aul, the Andersons’ new attorney informed Aul that the terms of the transaction were “unfair and unreasonable,” that Aul had a conflict of interest in the matter, and that the transaction violated “the rules of attorney professional responsibility.” It sought payment of $117,125.
Although Aul had a claims-made-and-reported policy with Wisconsin Lawyers Mutual Insurance Co. (WILMIC) at that time, he did not report the claim until March 2011, nearly a year after the policy expired on April 1, 2010.
In March 2012, the Andersons filed suit against Aul and several real estate and investment companies owned by Aul, alleging breach of fiduciary duty, legal malpractice (negligence), breach of contract and misrepresentation contrary to Wisconsin state law.
In addition to compensatory damages, the lawsuit also sought punitive damages for “malicious” conduct and “intentional disregard of [their] rights.”
In May 2012, WILMIC intervened in the lawsuit, and defended Aul under a reservation of rights. It sought and received a summary judgment, declaring that the policy did not provide coverage for the claim.
An appeals court reversed that decision, determining that Wisconsin’s “notice-prejudice statutes” superseded the policy’s notice requirement. The notice-prejudice statutes state that an insured’s failure to furnish timely notice of a claim will not bar coverage unless timely notice was “reasonably possible” and the insurer was “prejudiced” by the delay.
A four-judge panel on the Supreme Court of Wisconsin reversed the case again, ruling that the policy’s requirements should be upheld.
“We conclude that the legislature did not intend to … make the strict reporting requirement underlying claims-made-and-reported policies unenforceable in this state,” the panel ruled on Feb. 25.
Scorecard: The insurance company was not required to indemnify its insured following claims of legal malpractice, breach of fiduciary duty and other allegations.
Takeaway: A ruling upholding the claim would have converted all claims-made-and-reported policies into pure claims-made policies or occurrence policies.
Case Explores ‘Duty to Advise’
A legal case in Indiana is highlighting when an insurance broker has a “special relationship” that requires the firm to advise an insured about coverage.
In a unanimous decision by the state’s high court, the case between Indiana Restorative Dentistry (IRD) and The Laven Insurance Agency and ProAssurance Indemnity Co. Inc. was returned to a trial court for a determination of whether there was a “special relationship that created a duty to advise.”
The dispute arose after an October 2009 fire destroyed the dental office, causing $704,394 in damage and lost contents. IRD’s insurance policy, which included coverage for office contents, had a limit of $204,371, leaving a shortfall of about $500,000.
IRD sued Laven, saying the 30-year-plus “special relationship” between the organizations meant it should have advised the dental firm of inadequate coverage; breach of contract for failing to obtain full coverage for the loss; and alleging that ProAssurance was “vicariously liable” for Laven’s omissions.
The trial court concluded, among other issues, that Laven had no duty to advise because the parties had “an arms-length relationship,” which included a yearly questionnaire on insurance needs when coverage was set to renew.
The Indiana Supreme Court reversed that decision and remanded the case to the lower court for a hearing into the nature of the relationship.
It noted that a special relationship is determined by its nature, not by its length.
In determining the nature of the relationship, the Indiana Supreme Court said evidence is needed that the broker exercised a level of discretion about the insured’s needs; that it counseled the insured on specialized insurance coverage; and that it held itself out as a highly skilled insurance expert coupled with the insured’s reliance upon the expertise.
The court also noted that in more than 30 years, the state has only found a special relationship between an agent and an insured in one case.
In the IRD/Laven case, the court ruled there were “conflicting reasonable inferences” about the nature of the relationship. It noted the brokerage’s touting of its specialization with dental offices, its endorsement by the Indiana Dental Association, and marketing materials that proclaimed “expertise,” as well as the fact that the policy protected specialized equipment.
“The designated evidence here paints an inconclusive picture regarding the nature of Laven’s and IRD’s relationship,” according to the March 12 opinion written by Justice Loretta H. Rush. “Thus, genuine issues of material fact remain regarding the existence of a special relationship, and consequently a duty to advise.”