FDA Medical Device Guidance
The Food and Drug Administration has released “long-awaited” guidelines on the cyber security of medical devices.
Obviously, this is a concern for health and life insurers, but it is also relevant to other areas of coverage, such as automobile coverage or any insurance that pays medical claims.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness at the FDA’s Center for Devices and Radiological Health, in an article in “USA Today” on the release of the guidelines.
“It is important for medical device manufacturers to remain vigilant about cyber-security and to appropriately protect patients from those risks.”
Important indeed. One would think that such statements would be followed by some specific safety requirements, or at least by substantive recommendations.
Instead, the article noted, “The agency is recommending that manufacturers consider cyber security risks as they design and develop medical devices.”
And which particular risks might those be? It seems there is again no specificity.
Once having “considered” those risks, however, the FDA says companies should give the FDA information about the potential risks they found, as well as what controls they put in place to mitigate them.
While this is a nice idea, it ignores certain realities in the world of technology development in general and cyber security in particular.
First, many device manufacturers and software vendors only learn of vulnerabilities in their products after said products have been hacked.
Yes, it would be fair to say that manufacturers and vendors should do a better job of testing in order to ferret out potential problems, but it is also fair to say that the ways to crack a product’s code are many and that not all of those ways are likely to be anticipated.
And at some point in the product development process, the testing phase must come to an end — unless the vendor is oblivious to the possibilities for profitably marketing a given product.
“Many devices are poorly secured and do not require a lot to hack. If there is sufficient incentive to do so, it will happen, causing harm to patients,” said Shel Sharma, director of product marketing for Cyphort, a threat-detection company, in the published piece.
But why would anyone want to hack into a medical device, implanted or otherwise? One obvious reason might indeed be to do harm to that individual. If an implant suddenly overheats and loses functionality, who is to say it wasn’t an accident, as opposed to attempted murder?
More ominous, however, is the idea that devices of various kinds must, by design, interface with broader medical systems that contain much more data — including confidential data on health and things like Social Security numbers. It might also be that a compromised device would provide a gateway to an entire enterprise, allowing for mischief and significant data loss, and the liability that would accompany same.
And liability is precisely the point for insurers of nearly any stripe. Of course, this whole risk scenario may represent a new area of insurance coverage to be marketed by our carriers.
Even in that case, however, insurers hardly want device makers to make things easy for criminals, because the carriers must then pay the claims. The FDA held a national workshop on medical devices and cyber security in October. Let’s hope the risks and the solutions that emerge from that gathering are more clearly defined.
Court Upholds Reservation of Rights
Wellons Inc. created two thermal oxidation energy systems in 2002 for Langboard Industries in Quitman, Ga., that were designed to generate electricity to be sold to Georgia Power.
During the construction phase in 2004, a “tube bundle” collapsed, causing extensive property damage, but the system was ultimately placed in service by June 2005, at which time leaks were discovered in the “superheater” portion of the system, according to court documents.
To fix the leaks and seal weld the joints, Wellons hired Hunt Construction, which completed the work in March 2006. The superheater was put back into service even though leaks still occurred. Two weeks later, one of the superheater tubes “completely severed.” Wellons claimed Hunt’s faulty repair work was responsible.
Langboard requested a new superheater, at a cost of $850,000, to be designed and installed as the current system was “not conducive to long term operation.” Wellons agreed, but did not immediately notify Lexington Insurance Co., which had issued a commercial general liability policy, with a per occurrence limit of $1 million. Lexington also had issued an umbrella policy, with a per occurrence limit of liability of $10 million.
Two months later, Hunt filed suit against Wellons for monies owed for its work. Lexington was notified through its agent, referencing the CGL policy and not the umbrella policy. Lexington issued a reservation of rights letter, notifying the company it was “investigating this matter.”
Langboard eventually filed suit against Wellons in 2007. Lexington sent another, similar reservation of rights letter.
After a jury trial in 2010, Langboard was awarded $8.4 million for breach of the purchase and construction agreements. A month later, Lexington advised Wellons it had “no obligation” to defend or indemnify it.
Wellons filed suit seeking a court declaration that the verdict was a covered loss under its CGL or umbrella policy. Both it and Lexington sought summary judgments.
The U.S. District Court for the Northern District of Georgia ruled in Lexington’s favor. On appeal to the U.S. 11th Circuit Court of Appeals, Wellons argued the reservation of rights notification needed to be more specific to comply with Georgia law.
The appeals court disagreed in May, saying that Lexington’s “defenses of noncoverage were not known … until it concluded its investigation… .” The court also found that Wellons had never notified the company of a claim under the umbrella policy.
Scorecard: Lexington Insurance did not have to cover an $8 million jury verdict resulting from faulty construction of an energy system.
Takeaway: Insurers “must” give insureds notification of a reservation of rights, but Georgia law only recommends that specific policy terms be part of that notification.
Imitation is Not Disparagement
In 2010, Gary-Michael Dahl, manufacturer of the Multi-Cart, filed a lawsuit against Ultimate Support Systems claiming that Ultimate’s Ulti-Cart infringed on Dahl’s patent and trademark, and damaged its business and reputation, among other issues.
Both the Multi-Cart and Ulti-Cart are collapsible carts designed for the music industry to transport music, sound and video equipment.
Ultimate sought defense under its commercial liability policy issued by Hartford Casualty Insurance Co., which denied coverage, claiming that “disparagement” was not covered by the personal and advertising injury policy terms.
The insurance company also said the policy did not cover violations of intellectual property rights.
After Ultimate sued for coverage, the California Superior Court dismissed the lawsuit. That decision was affirmed by the Court of Appeal, and on further appeal to the California Supreme Court, Ultimate lost once again.
The state’s high court ruled in June there was no disparagement, either explicit or inferred.
The possible confusion between the two products does not imply inferiority of the Multi-Cart, the court ruled. In addition, Dahl’s claim that Ulti-Cart was a “knock-off” of the Multi-Cart, and thus derogatory of the Multi-Cart, was disputed by Dahl’s own claim that the two products were “nearly identical.”
Scorecard: Hartford did not have to provide a defense to Ultimate Support Systems in a trademark infringement lawsuit.
Takeaway: The ruling limits the scope of an insurer’s duty to defend a policyholder when the allegations involve disparagement.
Court Rules on Additional Insureds
On Sept. 13, 2010, workers of Fast Trek Steel were tightening safety cables on steel beams at Yale University’s Science Area Chilled Water Plant Shell when the unsecured beams dislodged and collapsed. One ironworker, Robert Adrian, fell to his death. Three others were injured by the falling beams.
Adrian’s estate and the injured men filed suit alleging negligence against, among others, Shawmut Woodworking & Supply Inc., general contractor of the construction project, and Shepard Steel Co., a steel fabrication subcontractor.
Because of workers’ compensation laws, there were no lawsuits filed against Fast Trek, which, as required by its contract with Shepard, had obtained a general liability policy from First Mercury Insurance Co. with a $1 million per occurrence coverage limitation, and an excess liability policy from National Union Fire Insurance Co., with up to $10 million of coverage.
Both Shepard and Shawmut sought defense and indemnification from First Mercury as “additional insureds” of that Fast Trek policy. Liberty Mutual — which had issued a liability policy to Shepard and is currently providing a defense to Shepard and Shawmut under a reservation of rights — also demanded that First Mercury assume that defense.
First Mercury demurred, contending, among other reasons, that Shawmut was not included in the definition of additional insured, and that even if Shawmut and Shepard were included, there was no coverage because Fast Trek was not named in the underlying lawsuits.
The U.S. District Court for the District of Connecticut disagreed.
It ruled that when Shepard hired Fast Trek as its subcontractor — and as Shawmut’s sub-subcontractor — the agreement expressly incorporated the Shawmut-Shepard contract, and that it was “immaterial” that there was not a “direct contractual relationship” between Shawmut and Fast Trek.
In addition, it ruled that the accident was arguably caused by Fast Trek and that the reason Fast Trek was not named in the underlying lawsuits was due to the exclusive remedy rule of workers’ compensation law.
Scorecard: First Mercury must defend and indemnify the general contractor and subcontractor in the workplace death and injury lawsuit.
Takeaway: A sub-subcontractor need not be explicitly included in a contract for coverage to be extended.
3 + 3: Theory of Risk
Anthony Valsamakis doesn’t just practice risk management, he wrote a book about it. And he doesn’t just consult with quants, he is one.
“Risk management has been in my blood for so long that I have to stop myself, otherwise I could go into a two-hour monologue,” said Valsamakis, whose career in the discipline goes back almost 35 years, to his first job with the Standard General Insurance Company.
In 1990, the London-based chairman of the Eikos Group received a doctorate in Business Economics. In 1992, “The Theory & Principles of Risk Management” was published, with Valsamakis as principal author; it is now in its 4th edition.
Valsamakis worked first with a carrier, then as a commodities broker, before taking up an academic post. The company he started in 1999, the Eikos Group, has a risk consulting arm, with clients in most industrial sectors, including the food, mining, forestry, industrial paper and packaging and banking industries. The group also includes a transportation risk brokerage and a Bermuda-based carrier.
For as long as he can remember, Valsamakis sought ways to get better information on the risks he underwrites, brokers or consults on.
“Over many years we’ve tried hard to increase the quality and timeliness of the information that enables us to do just that,” Valsamakis said.
Finally, it looks like Valsamakis has found a risk management information systems platform that delivers that quality and timeliness.
For the past year and a half, Valsamakis has been using a system developed by Riskonnect.
“What’s useful for me is that the platform basically resides within the client’s systems,” he said.
The information he needs to prioritize depends on which client he is working with.
“By definition, depending on where I am working and what I am doing, risk management priorities are very different,” Valsamakis said.
The Riskonnect platform provides the necessary flexibility.
A mine, for example, could be in a location in Africa or South America with a high degree of political risk. A key risk for a furniture maker might be around trade secrets, the possibility that a disgruntled employee would leak a pricing catalogue to competitors. For a packaging manufacturer, their material supply chain is of the utmost importance, and so on.
For each client, Valsamakis can use the Riskonnect platform and work with the client to compile the information that is most relevant to that client and its industry, and enter it into a secure system.
“All of these are template facts that you can easily put into the Riskonnect system,” Valsamakis said.
The Riskonnect platform is housed within the client’s information technology system, and it is transparent enough to give Valsamakis and his client access to the same sets of data.
“I think the idea of having a secure data base that everyone can access and can update at any moment is by far the best innovation that I can see happening in the information game,” he said.
Whose System Is It?
Valsamakis has been around long enough to know a few things about data and risk transfer. He’s seen a number of risk information management systems put out by brokers, for example, that he thinks are set up more for the broker’s business model than for the sharing of information.
Generally speaking, information about an insured’s risks comes from the broker and the insured. The Riskonnect system works, according to Valsamakis, because it is designed to be adapted to the client, not the broker.
“I have seen efforts by brokers, for example, over the years to produce a type of risk information platform that becomes theirs,” Valsamakis said.
“It’s been a perennial problem in the industry, where depending on which broker you end up with, you’ll end up with system A, B or C,” he said.
The Underwriter Needs to Know
Using Riskonnect, Valsamakis encourages clients to be as transparent as possible, in order to give the most complete information to underwriters.
“For me the question is, ‘What is the volatility around the asset and can there be an impact on the balance sheet of our clients?’” he said.
“We need to describe this exposure in various contexts so that the underwriters know what they are covering,” he said.
It’s basic human psychology. If an underwriter doesn’t feel they are getting enough information about a particular risk, they will take a negative view of that risk.
The more accurate the information Valsamakis has about a client’s exposures, the better the pricing he gets from underwriters.
“If you were an underwriter putting your capital and risk and I gave you little information, you would actually be less inclined to look at the risk in favorable terms. There will be a natural inclination to downgrade it,” he said.
Where Valsamakis sees enormous value is in the Riskonnect system’s ability to tag items so they can be revisited at a later stage.
“It’s amazing how clients forget, in the passage of time, that there are profiles that have changed for better or worse.”
A Long-Term Investment
The Eikos Group invested significantly in the Riskonnect product and is taking it to a number of clients. The transparency of the system, and the advantage it gives the Eikos Group and its clients with underwriters, is in itself a business advantage over the competition.
“We made a decision as a small company, relatively speaking, to invest a lot of money in Riskonnect and be very proactive about it,” Valsamakis said.
“When I talk to executives I say we invested in it because it’s going to save our clients money. Better information will lead to a lower cost of risk,” he said.
“If I’m talking to someone at a high level, that’s fairly easily understood.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Riskonnect. The editorial staff of Risk & Insurance had no role in its preparation.