Attacking your sensors: cyber and tech risks and wearables
The days of sitting in a doctor’s waiting room for hours, often surrounded by other coughing and viral patients, are already becoming a thing of the past.
As well as becoming more comfortable and open to the more “traditional” telehealth services, patients today are also taking a more active role in managing their health using various forms of personal technology, which can complement both remote and in-person consultations. These range from health & wellness apps used on smartphones to wearables and smart-sensors that can be used to monitor even some complex medical conditions. The vast mHealth app market is growing rapidly and is estimated to be worth more than $12bn with an expected growth of nearly 45% until 2026. This growth has only accelerated during the COVID-19 pandemic as entrants rush to bring digital solutions to market to meet demand.
These present huge benefits for individuals and healthcare in general, empowering patients and enabling ongoing health monitoring. However, there are also added considerations to take into account around data privacy and security. Consumer confidence and the reputation of these growth sectors depend on the robustness of the efficacy and security of their systems and devices.
As both patients and healthcare professionals head towards a digital future, the industry needs to understand and manage the risks that come with this shift.
Making it work
The responsibility for making this marriage between healthcare and smart technology a successful one largely rests with the tech providers. Much of this manifests in how they approach and manage risk, with perhaps the most obvious threats being a result of a cyber-event or tech failure. There is an acceptance nowadays that if you hold data, it is a matter of when, rather than if, you suffer a cyber-attack. And statistics bear this out – it has been estimated that over four billion records were exposed due to data breaches in the first six months of 2019.
The financial, reputational, and regulatory impact of such attacks, from prevention of access to a company’s systems to paying a ransom for the return of sensitive client data, can be devastating. But in the wearables sector, particularly those companies involved in healthcare, there is a risk of more concerning consequences.
Wearables may have initially made their mark in the world of fitness, but in recent years, they have started to penetrate deeper into the healthcare sector. Their uses now range from tracking basic vitals, such as blood pressure and heart rate, to acting as biosensors and wearable ECG monitors. As providers continue to push the boundaries of what is possible, the risks they are exposed to increase in lockstep.
Garmin, a well-known leader specializing in wearable fitness technology, recently discovered how vulnerable this technology can be to cyber-attacks. It was hit by a ransomware attack in 2020, which took its website, apps, devices, and call center offline for several days.
Although Garmin confirmed that no personal identifying information was accessed in this case, such incidents can take a significant reputational, financial, and operational toll.
As significant as that experience may have been for Garmin, replace “fitness app” with a bio-sensing wearable device presenting critical patient information to a healthcare professional, and you have an entirely different scenario.
In the health & wellness space, the malfunction or loss of service to a piece of technology could result in serious harm to the patient, leaving the tech provider subject to a tech E&O claim resulting from bodily injury. This scenario is not infrequent. Over the period we have been insuring Virtual Care risks, we have seen several multi-million-dollar claims made against tech providers that, while providing no direct patient care, can be held liable for bodily injury to patients using their technology.
This is a relatively new area of risk, so there is an understandable lack of awareness when it comes to appropriately insuring these firms. It is clear that attempting to fill potential coverage gaps with a patchwork of existing policies likely will not provide the protection that mHealth and medtech firms require.
These firms need insurance coverage that meets the unique needs that come with their complex and interconnected risks. It is vital that the coverage will respond to a bodily injury claim – whether it is a result of provider malpractice, tech failure, or a cyber-breach.
Even the highest quality, thoroughly tested technology can experience outages and failures, so having insurance in place can provide the financial safety net to make things right should something go wrong. As the digital health sector grows and matures, so too do the understanding of and approach to risk among practitioners. However, in an ever-changing risk landscape, it remains critically important to have the right level of insurance and risk management support.
 Grand View Research, June 2019. https://www.grandviewresearch.com/industry-analysis/mhealth-app-market
About the author:
Kyle joined Beazley in January 2017 as an underwriter on our Private Enterprise team, specializing in Miscellaneous Medical risks. Prior to working with us, he underwrote small non-profit business at United States Liability Insurance and mid-market/large healthcare accounts at AIG. Kyle received his bachelor’s degree in Finance from Saint Joseph’s University in Philadelphia, where he was also a member of their Division 1 Track & Field Team.