Cyber Healthcare Snapshot


EC JAN 2017

Cyber Healthcare Snapshot VOLUME 1, JANUARY 2017

CA Lic. #0414108

With all the ID Theft coverage offerings these days, if you mention healthcare and cyber liability in the same breath, quite often the reaction will be “another story about Identity Theft”. This inaugural edition of the Worldwide Facilities Cyber Healthcare Snapshot will offer some interesting risks—well beyond the realm of ID Theft—for brokers, agents and risk managers to consider when Cyber Liability and Healthcare E&O intersect in space and time for their clients. Protection through properly negotiated insurance wording is critical for the very real potential for Bodily Injury and Property Damage claims arising out of the incidents and new product offerings discussed in this issue.

One such notorious intersection of Healthcare E&O and Cyber Liability occurred in February 2016. Most observers of trends and news in both the Cyber and Healthcare worlds are familiar with the “ransomware” event at the Hollywood Presbyterian Medical Center in Los Angeles. Systems and administrative functions were held hostage for two weeks until a deal was made between the hospital and the cybercriminals who perpetrated the malware attack. After a reported initial demand for $3.4MM, the hospital agreed to a $17,000 bitcoin ransom payment to obtain the decryption key and thereby regain access to its data and restore normal operations.

Ransomware will continue to be a cyber-threat for all industry sectors; however, an event at a hospital or other medical facility, inpatient or ambulatory, clearly presents a more threatening risk, with stakes potentially much higher than economic loss to the business. With systems being held hostage, the liability exposure during that two-week period included:

• Hospital workers being unable to gain access to important documents, patient data, and emails, as full access to patient records was cut off; and,

• Procedures such as CT scans and other diagnostic tests were unable to be carried out.

• Both of these scenarios potentially give rise to claims for undiagnosed conditions or misdiagnosis.

• In some of the more critical cases, patients were ferried to nearby medical facilities for treatment. This exposes patients to additional bodily injury during the course of their transportation, loading and unloading into and out of ambulances.

Or consider a hypothetical dialysis center being infected with ransomware where again, all systems are down. Patients still need to have their blood cleansed of impurities that the non-functioning kidney(s) are not able to accomplish. The alternative is for staff to use back-up hand pump options without any mechanical controls. The result of too fast a rate of blood filtration includes bilateral deafness, seizures and potentially even death. [See first news report below]

Our goal is that this Cyber Healthcare Snapshot will be thought-provoking and useful as you explore providing the best coverage for your clients.

HACKERS HIJACKING MEDICAL DEVICES TO CREATE BACKDOORS IN HOSPITAL NETWORKS

EDITOR’S INTRODUCTION

After the Office of Personnel Management breach in June 2015, medical data was labeled as the “holy grail” for cybercriminals intent on espionage. “Medical information can be worth 10 times as much as a credit card number,” reported Reuters. And now, to steal such information, hospital networks are being accessed through malware-infected medical devices. TrapX, a deception-based cybersecurity firm, has coined the term “MEDJACK”.

Attackers are infecting medical devices with malware and then moving laterally through hospital networks to steal confidential data, according to TrapX’s MEDJACK report.

In three separate hospitals, TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA).” Blood gas analyzers are often used in critical care situations or during surgery. Clearly, there are many other devices that present targets for MEDJACK. These include diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines), to name a few. Sources: Reuters; Computerworld


SMARTWATCH TO MONITOR GLUCOSE LEVELS IN DIABETICS

Biotech firm PKVitality, a subsidiary of start-up PK Paris, has created a wearable for diabetes sufferers that can track their glucose levels. The K’Track is worn on the wrist and features a ‘skin taste’ sensor and 0.5mm needles to analyze "interstitial fluid surrounding tissue cells" which absorb glucose from the bloodstream. The data is then sent to users’ Android or iPhones, where an app analyzes the results, in a process which takes less than 60 seconds. PKVitality said its system will cost $150, with an additional $100 per month for sensors. Source: Engadget

GRAIL AIMS TO RAISE $1BN IN SERIES B IN LIQUID BIOPSY PLAY

Early cancer screening start-up GRAIL aims to raise between $1bn and $1.8bn in Series B financing "primarily from undisclosed private and strategic investors", according to a company release. GRAIL, spun out of genetic sequencing giant Illumina, previously raised $100m in a Series A round which featured investors including Microsoft co-founder Bill Gates and Amazon founder Jeff Bezos. The new funds would be used to continue work on GRAIL’s Circulating Cell-free Genome Atlas study, taking in 10,000 people, as well as other large-scale clinical trials.

GRAIL was formed to enable it to focus on cancer screening from a simple blood test. Powered by Illumina sequencing technology, GRAIL will develop a screening test by directly measuring circulating nucleic acids in blood. Liquid biopsy represents early diagnosis, and early diagnosis represents lower health costs and enhanced treatment results. Source: Techcrunch

U.S. HEALTH INSURER OFFERS CUSTOMER INCENTIVES VIA FITBIT

United Healthcare’s wellness program, Motion, is to offer financial incentives to customers using Fitbit’s Charge 2 wearable device. Participants can earn up to $4 a day in credits by reaching goals on Motion’s Frequency, Intensity and Tenacity program. Efforts can add up to $1,500 in Health Savings Account or Health Reimbursement Account credits per year. Powered by Qualcomm Life’s 2net platform, the partnership exemplifies how “fundamental economics of an entire health plan are built and underwritten by data coming from a wearable device,” according to Dr. James Mault, Qualcomm’s Chief Medical Officer. Source: Mobihealthnews

FITNESS TRACKING INSTALLED IN NEW SMART RING

San Francisco-based health tech start-up Motiv showcased its fitness tracker ring at this year’s Consumer Electronics Show in Las Vegas (January 5-8). The 8mm-wide ring is made from ultra-light titanium, is waterproof to 10 meters, and boasts a custom lithium-ion battery, Bluetooth, a three-axis accelerometer and LED indicator lights for charging and syncing. Once worn, it will monitor a user’s heart rate, steps taken and sleep. The Motiv Ring release date is Spring 2017. Source: Tech Radar

SMART SOCKS TRACK DIABETICS' HEALTH

Health tracking start-up Siren Care has launched smart socks that monitor inflammation in diabetic patients using temperature sensors. Type 1 and 2 diabetes sufferers often experience swollen feet and other issues that can lead to infection and even to amputation if symptoms go undetected. The socks’ sensors are woven into the fabric, and the data collected is uploaded to a smartphone app which informs users of any issues via an alert. The machine-washable socks do not require charging and last a full six months, only being “on” when the user is wearing them.

Using sensors in clothing to monitor health, illness progression and/or patients’ recovery is gathering pace with numerous reports of advances in this area likely to impact healthcare and related insurances. Source: Techcrunch

Editor: Robert M. Parker, J.D., RPLU, Financial Services Practice Group Counsel