Cyber Coverage Handbook for Medical Devices Risks | Gaps in Coverage and Market Availability

Over the last 20 years, cyber insurance policies have evolved to provide a wide market for healthcare providers and technology companies supporting healthcare services, including medical device manufacturers and distributors. Today’s cyber market covers the most critical cyber exposures, such as equipment failures, large-scale manufacturing outages and bodily injury claims. This handbook discusses insurance coverage for cyber risks arising from medical devices and related services and addresses opportunities to fill gaps in coverage.

Introduction to Insurance for Medical Devices: Existing Coverage Gaps and Market Availability

Companies that manufacture and distribute medical devices have a range of choices to insure risks that arise from cyberattacks and reliance on technology systems. Professional liability, medical malpractice, product liability, special crime and property insurance may provide some protection against cyber exposures. Cyber insurance policies have added coverage for cyber-caused property damage and bodily injury, and have expanded with differences in conditions and limits umbrellas, to broaden coverage and ensure gaps are filled.

Medical devices that are internet- and network-connected can potentially cause physical harm to patients. The most effective and protective type of insurance depends upon the organization seeking to be insured, its systems’ configurations, its interactions and contracts with partners and the extent to which outsourced vendors are used. All parties involved in providing medical services or products (hospitals, individual healthcare providers, manufacturers of devices, providers of software, etc.) might be held responsible for a breach or failure of a medical device. It is critical to implement a coordinated insurance program for all conceivable cyber risks with an understanding of the interactions between professional, product, property, cyber and other insurance policies.

Cyber Risks

Companies that supply or use medical devices face various cyber risks that can change regularly. The following discussion provides a brief overview of possible cyber risk scenarios.

Cyber-Caused Bodily Harm to Patients

If an attacker can access devices and change settings remotely, they can physically harm patients.

Healthcare Provider

Medical professional coverage can help protect healthcare providers in cases of patient physical injury from failure of medical devices. A broad policy may not have exclusions for cyber-related events. Although a cyber insurance policy can fill in gaps, adding bodily injury to forms is uncommon and must be specifically manuscripted. The necessary limits are likely unavailable.

Medical Device Manufacturers/Software, Services or Parts Providers

Patient physical harm caused by compromised or failed devices can be insured under a general liability and products liability (GL/products) policy. Technology errors and omissions (E&O) policies can be amended to provide contingent bodily injury coverage: bodily injury caused by digital events otherwise insured under the policy. Coverage under these policies should be aligned if they are purchased together.

Medical Device Seller

Patient physical harm caused by compromised or failed devices can also be insured under a GL/products policy for sellers of those devices. Such coverage can be selectively incorporated into cyber insurance programs with insufficient GL/products coverage, but customization is required. Sellers should also look to contract indemnifications from their distributors or manufacturers for protection.

Medical Device Exploit Causing Business Income Loss

Cyberattacks on devices are becoming increasingly common. Malware can include wiper viruses that “brick” equipment, requiring expensive replacements and causing lengthy outages that can result in income loss.

Healthcare Provider

For healthcare providers, traditional property programs can cover revenue loss due to devices compromised in cyberattacks; however, there are typically notable limitations and restrictions. Cyber insurance provides broader protection at higher limits and enhanced terms that can align with any available property coverage.

Medical Device Manufacturers/Software, Services or Parts Providers

Liability for financial losses caused by compromised or failed devices can be covered under E&O policies. Cyber policies can cover devices on the manufacturer’s network and the manufacturer’s direct losses. Contract terms will often provide protection.

Medical Device Seller

Liability for financial losses caused by compromised or failed devices can be covered under E&O policies. Contract terms can limit the ability to recover and provide further protection.

Christopher Keegan

Senior Managing Director