2015 Most Dangerous Emerging Risks

Implantable Devices: Medical Devices Open to Cyber Threats

The threat of hacking implantable defibrillators and other devices is already growing.
April 8, 2015 • 9 min read

SCENARIO: Pay off an anonymous hacker or face the possibility that patients with implantable defibrillators would die. That was the dilemma facing Janet Smith, CEO of Midtowne Community Hospital.

Too late she found out that the computer system of one of the surgical practices employed by the hospital was hacked. It was a simple enough operation. One unthinking click by the administrative staff on a link in an official-looking email, and the system was surreptitiously compromised.

The back-door access to the computer system provided the hackers with a treasure trove of unencrypted patient data including name, medical history, type of medical device implanted, and models and serial numbers of the devices.

While the hackers had a selection of devices to choose from — pacemakers, insulin pumps, cochlear hearing implants, blood glucose monitors and deep brain stimulators, among others — they targeted patients with implantable cardiac defibrillators (ICDs), which monitor and respond to heart activity by sending shocks to the system to restore normal heart rhythm.

The ICDs were designed to be wirelessly connected to external wands and ICD programmers. Data collected in the wands was downloaded to the IT system in the surgical practice so the physicians could review and manage each patient’s medical problems.

The RFID-enabled wands were supposed to be unidirectional, but the hackers were able to reverse-engineer the access after determining the radio frequency used and the engineering specifications of the ICDs and wands, which they found online — mostly in the technical and user manuals published by the manufacturers.

Each of the ICDs contained a small computer chip similar to those found in smart thermostats, televisions and refrigerators, all of which have been hacked recently to send out spam or just annoy users.

The hackers wrote and inserted programming code into the IT system of the surgical practice so that when information from the ICD devices was downloaded, code would be inserted that could induce fatal heart arrhythmia via the patients’ defibrillators.

It only required the hackers to trigger the code to activate it. And that’s what they threatened to do if the ransom was not paid.

While the extortion scheme was similar to the ‘Cryptolocker’ shakedown — which locks organizations out of their own files, forcing them to pay for access — this ICD threat offered a much more deadly outcome. And there was no positive outcome that Smith could see.

ANALYSIS: The hacking threat to implantable cardiac defibrillators has been known since at least 2008, when a team of university researchers proved it was able to reverse-engineer an ICD’s communications protocol to reprogram it to change the operation of the defibrillator, including its therapy settings.

Kevin Fu, an associate professor at the University of Michigan, who was on the team and is a leader in the field of device security research, likened implantable medical devices to unlocked cars during a presentation at Dartmouth University.

“There are people, if given the chance, who will cause harm and we shouldn’t just leave our doors unlocked,” he said.

While hacking is usually done for financial reasons, there have been instances where physical harm was intended, he said, mentioning an attack seven years ago on an epilepsy support group website, where hackers embedded flashing animation that induced seizures in those using the site.

“I think it would be naïve to ignore the fact that some of these people exist so we need to at least have a certain level of protection against this kind of maliciousness,” Fu said.

Michael Thoma, vice president, chief underwriting officer, global technology at Travelers, said he was “not aware of any actual claim or incident beyond what is available in the literature that it can be done.”

“When you stop to think about the environment we are heading into — where hospitals are completely relying upon electronic medical records that are integrated to control medical devices in hospitals and obtain information back from the devices — the scenario exists that something like that could happen.

“You read all the time about attempts to attack all sorts of institutions, and hospitals are not immune to that. When you think about the ‘Cryptolocker’ scenario, not only could it bring a hospital to a complete standstill, but the reputational harm would be huge.

“It would make what happened in Dallas after Ebola at that hospital look minor,” he said.

‘A Hard Line to Cross’

“At the end of the day,” said Todd Lauer, vice president, medtech division, OneBeacon Technology Insurance, “you can sum it up in one sentence: Anything is possible for a determined hacker.”

Even so, he doubts most hackers would target the devices. “Most hackers are not looking to cause bodily injury,” he said. “They are looking to extort money from large corporations. That’s crossing a line. To cause bodily injury or death, that’s a hard line to cross.”

That leaves the possibility, however, that it could become a focus for terrorists looking to create panic and death, Lauer said.

Experts noted that as of now, hacking of implantable devices is only being done by researchers, universities and hackers who identify and expose security weaknesses.

Mark Wood, president and CEO of LifeScienceRisk, a series of RSG Underwriting Managers, acknowledged that it was “theoretically possible … . Am I aware that it’s happened? I have not yet seen a claim or a report that it’s happened.

“We are talking about something that certainly is possible, but it’s not an exposure that keeps me up at night as an underwriter.”

It’s more likely that instead of the sophisticated scenario portrayed above, hackers would simply use RFID to jam the devices with a denial-of-service attack, said Jerry Irvine, CIO of Prescient Solutions, who is also on the National Cybersecurity Task Force.

“They could basically overburden it so much that it can no longer react, so people will die or equipment will malfunction or give an overdose of medication,” he said.

“That’s the easiest thing you can do. You can do that from 100 to 300 yards away with targeted antennas or high-powered antennas. These are things that are not difficult to do.”

In addition, researchers have noted that many hospital IT systems lack cutting-edge cyber security.

“Unfortunately, computer security in many hospitals and similar providers reminds me of the very early days of computer security when security was the domain of system administrators and network security types,” said Gary McGraw, chief technology officer at software security consultancy Cigital Inc., in an article on SearchSecurity.com, a site of “Information Security” magazine.

McGraw likened hospital network security administrators to “plumbers who make sure that infrastructure is properly designed and operates smoothly. Generally speaking, though they are certainly important, plumbers are not very strategic thinkers and neither are system administrators.”

Federal Government Action

In 2012, the U.S. Government Accountability Office found that in controlled settings that did not involve actual patients, security researchers “recently manipulated two medical devices with wireless capabilities — a defibrillator and an insulin pump, a type of infusion pump — demonstrating their vulnerabilities to information security threats.”

It concluded that implantable medical devices (IMDs) are “susceptible to unintentional and intentional threats … . Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls.”

The report also noted that the “growing use of wireless capabilities and software has raised questions about how well [IMDs] are protected against information security risks, as these risks might affect devices’ safety and effectiveness.”

That prompted a review by the U.S. Food and Drug Administration, which two years later, in 2014, offered guidance to strengthen the safety of medical devices to better manage cyber security risks.

“There is no such thing as a threat-proof medical device,” Dr. Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, said at the time. “It is important for medical device manufacturers to remain vigilant about cyber security and to appropriately protect patients from those risks.”

Top concerns included malware infections on network-connected medical devices or computers, smartphones and tablets used to access patient data; and failure to provide timely security software updates or patches to devices or networks.

The guidance recommended to manufacturers that they consider cyber security risks as part of the design and implementation of medical devices, and submit documentation to the FDA about the risks they identified and the controls put in place to mitigate those risks.

It also recommended that manufacturers submit plans for providing patches and updates to operating systems and medical software.

Still, said Jay Radcliffe during a presentation at the 2013 Black Hat Conference, cyber security concerns have not been cited by the FDA as a reason for rejecting any implantable medical devices.

And, said OneBeacon’s Lauer, patching implanted devices is difficult, as it often requires surgery.

Manufacturers rarely seek to enhance devices via patching because it requires “an onerous regulatory process” with the FDA, said Tam Woodron, a software executive at GE Healthcare, in an article in “MIT Technology Review.”

The article also noted that reporting of incidents is not required by the FDA unless a patient is harmed.

A study by researchers at MIT and the University of Massachusetts at Amherst found that millions of people have wireless implantable medical devices, and about 300,000 such IMDs are implanted every year. Such a device can remain in place for up to 10 years.

Liability Concerns

Wood of LifeScienceRisk said that if a device malfunctions and results in bodily injury, regardless of the reason, there would likely be an allegation of product liability.

“There wouldn’t be any limitation, at least in the coverage we write, about whether a software error created the problem,” he said. “The malfunction in and of itself would trigger coverage if it caused bodily injury.”

If a carrier’s coverage did exclude software issues, the insured’s E&O policy would probably be triggered, he said.

As for who would be involved in such a claim, the list could be a long one, including the hospital, physician, caregivers, device manufacturer, Internet provider, cloud provider, and anyone who provided consulting services to anyone involved in the process, plus all of their insurance companies.

Lauer noted that when claims involve device manufacturers, a U.S. Supreme Court ruling prevents plaintiffs from relying on state negligence or liability rulings; the High Court determined that such laws cannot pre-empt federal laws and the FDA’s safety determinations.

“The exposure is going to be different for any set of facts,” Wood said. “The more complicated the loss scenario, the more potential for coverage issues in trying to figure out whether and how a claim should be covered.”

If extortion or crime is involved, it’s unclear if that would be an insured loss, he said.
Anne Freedman is managing editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

Property

Insurers Take to the Skies

This year’s hurricane season sees the use of drones and other aerial intelligence gathering systems as insurers seek to estimate claims costs.
November 1, 2017 • 6 min read

For Southern communities, current recovery efforts in the wake of Hurricane Harvey will recall the painful devastation of 2005, when Katrina and Wilma struck. But those who look skyward will notice one conspicuous difference this time around: drones.

Much has changed since Katrina and Wilma, both economically and technologically. The insurance industry evolved as well. Drones and other visual intelligence systems (VIS) are set to play an increasing role in loss assessment, claims handling and underwriting.

Farmers Insurance, which announced in August it launched a fleet of drones to enhance weather-related property damage claim assessment, confirmed it deployed its fleet in the aftermath of Harvey.

“The pent-up demand for drones, particularly from a claims-processing standpoint, has been accumulating for almost two years now,” said George Mathew, CEO of Kespry, Farmers’ drone and aerial intelligence platform provider partner.

“The current wind and hail damage season that we are entering is when many of the insurance carriers are switching from proof of concept work to full production rollout.”

According to Mathew, Farmers’ fleet focused on wind damage in and around Corpus Christi, Texas, at the time of this writing. “Additional work is already underway in the greater Houston area and will expand in the coming weeks and months,” he added.

No doubt other carriers have fleets in the air. AIG, for example, has been at the forefront of VIS since winning its drone operation license in 2015. It has deployed drones to inspection sites in the U.S. and abroad, including stadiums, hotels, office buildings, private homes, construction sites and energy plants.

Claims Response

At present, insurers are primarily using VIS for CAT loss assessment. After a catastrophe, access is often prohibited or impossible. Drones allow access for assessing damage over potentially vast areas in a more cost-effective and time-sensitive manner than sending human inspectors with clipboards and cameras.

“Drones improve risk analysis by providing a more efficient alternative to capturing aerial photos from a sky-view. They allow insurers to rapidly assess the scope of damages and provide access that may not otherwise be available,” explained Chris Luck, national practice leader of Advocacy at JLT Specialty USA.

“In our experience, competitive advantage is gained mostly by claims departments and third-party administrators. Having the capability to provide exact measurements and details from photos taken by drones allows insurers to expedite the claim processing time,” he added.

Indeed, as tech becomes more disruptive, insurers will increasingly seek to take advantage of VIS technologies to help them provide faster, more accurate and more efficient insurance solutions.

One way Farmers is differentiating its drone program is by employing its own FAA-licensed drone operators, who are also Farmers-trained claim representatives.

Keith Daly, E.V.P. and chief claims officer for Farmers Insurance, said when launching the program that this sets Farmers apart from most carriers, who typically engage third-party drone pilots to conduct evaluations.

“In the end, it’s all about the experience for the policyholder who has their claim adjudicated in the most expeditious manner possible,” said Mathew.

“The technology should simply work and just melt away into the background. That’s why we don’t just focus on building an industrial-grade drone, but a complete aerial intelligence platform for — in this case — claims management.”

Insurance Applications

Duncan Ellis, U.S. property practice leader at Marsh, believes that, while currently employed primarily to assess catastrophic damage, VIS will increasingly be employed to inspect standard property damage claims.

However, he admitted that at this stage they are better at identifying binary factors such as the area affected by a peril rather than complex assessments, since VIS cannot look inside structures nor assess their structural integrity.

“If a chemical plant suffers an explosion, it might be difficult to say whether the plant is fully or partially out of operation, for example, which would affect a business interruption claim dramatically.

“But for simpler assessments, such as identifying how many houses or industrial units have been destroyed by a tornado, or how many rental cars in a lot have suffered hail damage from a storm, a VIS drone could do this easily, and the insurer can calculate its estimated losses from there,” he said.

In addition, VIS have powerful applications for pre-loss risk assessment and underwriting. The high-end drones used by insurers can capture not just visual images but also map heat, moisture or 3D topography, among other variables.

This has clear applications in the assessment and completion of claims, but also in potentially mitigating risk before an event happens, and pricing insurance accordingly.

“VIS and drones will play an increasing underwriting support role as they can help underwriters get a better idea of the risk — a picture tells a thousand words and is so much better than a report,” said Ellis.

VIS images allow underwriters to see risks in real time, and to visually spot risk factors that could get overlooked using traditional checks or even mature visual technologies like satellites. For example, VIS could map thermal hotspots that could signal danger or poor maintenance at a chemical plant.

“Risk and underwriting are very natural adjacencies, especially when high risk/high value policies are being underwritten,” said Mathew.

“We are in a transformational moment in insurance where claims processing, risk management and underwriting can be reimagined with entirely new sources of data. The drone just happens to be one of the most compelling of those sources.”

Ellis added that drones also could be employed to monitor supplies in the marine, agriculture or oil sectors, for example, to ensure shipments, inventories and supply chains are running uninterrupted.

“However, we’re still mainly seeing insurers using VIS drones for loss assessment and estimates, and it’s not even clear how extensively they are using drones for that purpose at this point,” he noted.

“Insurers are experimenting with this technology, but given that some of the laws around drone use are still developing and restrictions are often placed on using drones [after] a CAT event, the extent to which VIS is being used is not made overly public.”

Drone inspections could raise liability risks of their own, particularly if undertaken in busy spaces in which they could cause human injury.

Privacy issues also are a potential stumbling block, so insurers are dipping their toes into the water carefully.

Risk Improvement

There is no doubt, however, that VIS use will increase among insurers.

“Although our clients do not have tremendous experience utilizing drones, this technology is beneficial in many ways, from providing security monitoring of their perimeter to loss control inspections of areas that would otherwise require more costly inspections using heavy equipment or climbers,” said Luck.

In other words, drones could help insurance buyers spot weaknesses, mitigate risk and ultimately win more favorable coverage from their insurers.

“Some risks will see pricing and coverage improvements because the information and data provided by drones will put underwriters at ease and reduce uncertainty,” said Ellis.

The flip-side, he noted, is that there will be fewer places to hide for companies with poor risk management that may have been benefiting from underwriters not being able to access the full picture.

Either way, drones will increasingly help insurers differentiate good risks from bad. In time, they may also help insurance buyers differentiate between carriers, too.

Antony Ireland is a London-based financial journalist. He can be reached at [email protected]