The Risk of Infected Devices

By: Ara Trembly | August 1, 2013

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at [email protected].

The Food and Drug Administration is warning makers of heart monitors, mammogram machines and other medical devices of the risk of those products being infected with computer viruses — which could endanger patients, according to a recent article in The Wall Street Journal.

That increased danger to patients, of course, is a serious matter to insurers as well, since more problems may mean longer hospital stays, possible serious injuries or fatalities, and even costly lawsuits.

Noting that hundreds of medical devices have been infected by malware, the FDA has recommended that manufacturers submit security plans to help stop cyberattacks, according to the Journal. The FDA also told hospitals to be more vigilant in reporting cybercrime, which can be tough to detect.

Obviously, this is good advice for insurers as well, but it appears most insurers are well aware of attempts — both successful and unsuccessful — to infiltrate their systems.

During a recent panel discussion I moderated at IASA, it was obvious that both panelists and attendees were sensitive to the issue and, whether they wanted to publicly admit it or not, knew of or worked for companies that had been hit.

Unfortunately, hospitals and insurance companies are much less likely to share information about being hacked, because it tarnishes their reputation for safety and security. Thus, it is safe to say that many such attacks on hospitals and insurers go unreported.

The introduction of malware into medical devices themselves, however, brings a whole new dimension to the growing problem of cybersecurity. Malware in critical medical systems is suspected to be widespread, according to the Journal.

At one New Jersey facility, malware infected computer equipment needed for procedures to open blocked arteries after heart attacks, it reported. In another case, a computer virus caused a hospital machine to potentially expose sensitive patient data by sending it to outside servers.

The same article pointed out, quite correctly, that high-tech devices can remain in use for many years and that they are likely, at some point, to run out-of-date software — or software that is more vulnerable to attack than newer versions might be. Even “inadvertent” infections may temporarily render a device ineffective because the virus robs the device of processing power.

What can be said from an insurance point of view? It may be that health insurers will price risks differently based on the perceived vulnerability of a hospital or other facility. That vulnerability will be directly affected by technical reports, bulletins and news reports on the devices used at any given facility, as well as by the age of the software in each device.

A hospital’s overall security profile may also be a key in the pricing picture. According to the Journal, many problems resulted from vendors using infected thumb drives to update device software. This pointed to a very obvious conclusion: Any device that interacts with a facility’s critical systems — even something designed to update security — must be tested to ensure that no malware is downloaded, even by accident.

It seems very likely that insurers will want health care facilities to demonstrate a clear, good-faith effort to bolster online and onsite security, including frequent updates and checks for out-of-date software. But can we really require such detailed examinations of facilities? The real question may be whether or not we can risk not requiring them.
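The two controls the preceding paragraphs point to, vetting update media before it touches a device (the infected thumb drives the Journal described) and checking a facility's devices for out-of-date software, can be made concrete in code. What follows is an added Python example written for this page; it is not code from the article, the FDA, or any device vendor. The manifest format (file name to SHA-256 digest), the file names, the device identifiers, products and version numbers are all constructed sample data and assumptions, not real vendor artifacts.

```python
"""Added example (not from the article or any vendor): two defender-side checks
that follow from the article's points about infected update media and
out-of-date device software. All file contents, manifest entries, device
names and version numbers below are constructed sample data."""

import hashlib
from dataclasses import dataclass, field


@dataclass
class MediaReport:
    approved: list = field(default_factory=list)   # file matched its manifest hash
    tampered: list = field(default_factory=list)   # listed in manifest, hash differs
    unlisted: list = field(default_factory=list)   # on the media, not in the manifest
    missing: list = field(default_factory=list)    # in the manifest, absent from media

    def ok(self) -> bool:
        # Approve the media only when every listed file is present and intact
        # and nothing extra has ridden along on the drive.
        return not (self.tampered or self.unlisted or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update_media(media_files: dict, manifest: dict) -> MediaReport:
    """Compare every file found on removable update media against a
    vendor-published manifest of expected SHA-256 digests (assumed format:
    {file name: hex digest}). Anything not on the manifest is rejected, so an
    extra executable that rode along on a thumb drive never reaches the device."""
    report = MediaReport()
    for name, content in media_files.items():
        if name not in manifest:
            report.unlisted.append(name)
        elif sha256_hex(content) == manifest[name]:
            report.approved.append(name)
        else:
            report.tampered.append(name)
    for name in manifest:
        if name not in media_files:
            report.missing.append(name)
    return report


def parse_version(text: str) -> tuple:
    # "3.10.2" -> (3, 10, 2); numeric comparison avoids the "3.9" > "3.10" mistake
    return tuple(int(part) for part in text.split("."))


def find_outdated(inventory: list, minimum_versions: dict) -> list:
    """Return (device id, product, installed, required) for every device whose
    software is below the minimum supported version, plus any device whose
    product has no known minimum, since an unknown product cannot be vetted."""
    findings = []
    for device in inventory:
        product = device["product"]
        installed = device["version"]
        required = minimum_versions.get(product)
        if required is None or parse_version(installed) < parse_version(required):
            findings.append((device["id"], product, installed, required))
    return findings


# Constructed sample data: a vendor manifest, the files actually found on a
# thumb drive, and a small device inventory with minimum supported versions.
GOOD_FIRMWARE = b"constructed firmware image v2.4.1"
VENDOR_MANIFEST = {
    "monitor_fw_2.4.1.bin": sha256_hex(GOOD_FIRMWARE),
    "release_notes.txt": sha256_hex(b"constructed release notes"),
}
THUMB_DRIVE = {
    "monitor_fw_2.4.1.bin": GOOD_FIRMWARE,
    "release_notes.txt": b"constructed release notes",
    "extra_installer.exe": b"constructed unexpected file",   # not in the manifest
}
INVENTORY = [
    {"id": "cath-lab-01", "product": "angio-console", "version": "3.9.0"},
    {"id": "cath-lab-02", "product": "angio-console", "version": "3.10.2"},
    {"id": "mammo-01", "product": "mammo-workstation", "version": "1.2.0"},
]
MINIMUM_VERSIONS = {"angio-console": "3.10.0"}


def demo():
    """Run both checks over the constructed data and return their results."""
    media = verify_update_media(THUMB_DRIVE, VENDOR_MANIFEST)
    outdated = find_outdated(INVENTORY, MINIMUM_VERSIONS)
    return media, outdated


if __name__ == "__main__":
    media, outdated = demo()
    print("media approved for use:", media.ok(), "unlisted:", media.unlisted)
    for finding in outdated:
        print("outdated or unvetted:", finding)
```

The design choice worth noting is that the media check is an allow-list, not a malware scan: a file is only permitted if the vendor published its digest, so the question of whether an unexpected file is harmful never has to be answered at the device. The inventory check likewise treats a product with no published minimum version as a finding rather than silently passing it.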
