Matt Zagwoski, Product Leader, Global Life Sciences at Beazley, tells Insurtech Insights about the challenges and opportunities that lie ahead.
The dangers posed by today’s cyber crime landscape are numerous and immeasurable. As cyber incidents increase in number and ferocity, companies that rely on data feeds via the IoT are facing their greatest fight yet to protect operability and data.
Terrorist acts happen across networks that are plagued with vulnerabilities due to equipment that has not been able to handle the latest software updates. There are billions of these devices in circulation – and many of them are being used by insurers in industries that cater to the needs of the most vulnerable individuals – the healthcare sector.
The potential for hackers to infiltrate personal medical devices and enact fatal terror events is certainly not beyond the realms of possibility. Think pacemakers being reprogrammed to induce heart attacks, and diabetes devices administering deadly doses of insulin following a cyber device-hack. While such scenarios have not yet been reported, infiltration of healthcare systems is now commonplace.
Earlier this month, two hospitals in New York were hit with a cyberattack and had to divert patients to other facilities.
According to reports, the cyberattack affected computer systems at HealthAlliance Hospital in Kingston along with Margaretville Hospital and Mountainside Residential Care Center — all part of the Westchester Medical Center Health Network.
The health care network planned to shut down IT systems at the three facilities “to address the threat and take necessary steps to fully restore our secure network,” network officials said in a statement.
Additionally, leading provider American Family Insurance also shut down “several business systems” after the insurer said it “detected unusual activity in a portion of its network.”
The Madison, Wisconsin-based insurer released a public statement following the cessation of services as it initiated an ongoing investigation to decipher the nature and full extent of the breach.
As a way to ‘plug the data dam’, the Consolidated Appropriations Act of 2023 was signed into US law earlier this year by the FDA and Congress. The new regulation states that all IoT-connected devices across all industries must comply with rigorous cybersecurity measures that enable them to receive updates to protect users against the threat of cyber terrorism.
Matt Zagwoski, Product Leader, Global Life Sciences at Beazley, has spent over 20 years in the insurance industry and now oversees the growth of Life Sciences at Beazley. He also guides underwriters, negotiates reinsurance treaties, and leads the analysis, development, and deployment of diverse products worldwide in a role that is ever-expanding and fitting into developing regulations. Insurtech Insights caught up with him to discuss the implications, challenges and opportunities the new regulations will usher in for the insurance industry.
Introduce yourself and tell us about your journey into the insurance industry
So, I started university as a computer engineering major but ended up with a degree in psychology. Surprisingly, I found my way into real estate insurance, focusing on title insurance. Later, I transitioned to the commercial insurance realm, specialising as a life sciences underwriter. I briefly explored general commercial mid-market, handling both property and casualty. After managing a large program business for a few years, mainly in golf, recreation, and resort hospitality, I returned to life sciences and stuck with it.
At Chubb, I spent a total of 11 years, reaching the position of specialist underwriter. In 2018, I joined Beazley to contribute to the growth of their developing life sciences practice. Starting as an underwriter, I played a key role in expanding the book and establishing new guidelines. Over the past five years, I progressed through various levels, serving as a senior manager and managing the US Life Science operations. In the last year and a half, I’ve taken on the role of global product leader. My journey has been dynamic and fulfilling.
Regarding psychology, I believe it’s been beneficial in managing people, understanding them, and fostering self-awareness. These skills are crucial in the insurance industry, where building trust is essential. Psychology has given me insights into the human aspect of our business, making me better equipped to navigate the complexities and establish trust with brokers and clients.
Tell us about the new FDA regulations in more detail – and why they have been introduced.
The Consolidated Appropriations Act of 2023, signed by Congress last December, reflects President Biden’s push for comprehensive cybersecurity in medical devices connected to the internet. This act adds a section to the Food, Drug, and Cosmetics Act, mandating medical device manufacturers to maintain a robust cybersecurity risk management programme for devices connected to the internet or capable of wireless information transfer.
In essence, manufacturers must reasonably ensure that each device can identify, assess, and manage cybersecurity risks throughout its entire life cycle. This includes addressing vulnerabilities through patches, a practice not consistently followed by many devices currently. The regulation emphasises early planning in the design process to meet these cybersecurity requirements.
Why is this important now? The act introduces the “refuse to accept” policy, giving the FDA the authority to reject device approval if cybersecurity measures aren’t adequately demonstrated. This policy adds teeth to the regulation, ensuring that devices meet cybersecurity standards before gaining approval.
The act also strengthens post-market monitoring and recall procedures for these devices, acknowledging the potential risks in a landscape where devices can be used for extended periods. The impetus behind these regulations came from FBI analysis, focusing on the vulnerability of healthcare institutions to cyber threats. The integration of various devices in healthcare settings, such as electronic health record systems, MRI machines, IV pumps, insulin pumps, and pacemakers, creates potential threat vectors that need proper cybersecurity measures.
Initially, the FDA provided guidance, urging manufacturers to consider cybersecurity. However, the new act formalises these requirements and empowers the FDA to enforce them. From October 1st onwards, the FDA can refuse to accept devices that don’t meet cybersecurity standards, marking a significant shift in the regulatory landscape for medical devices.
What kinds of threats do compromised devices pose to people, other than data leaks?
In my opinion, the current wave of ransomware attacks primarily aims for financial gain rather than causing intentional harm. The typical approach involves hijacking health institutions or hospitals to disrupt their operations. The actors behind these attacks seem more focused on monetary extortion rather than engaging in truly malicious activities. However, it’s crucial to acknowledge the potential for more nefarious intentions.
The concern arises from the possibility of causing direct harm by gaining access to critical medical devices like pacemakers. If a hacker were to reprogram such a device, it could lead to life-threatening consequences, such as inducing heart attacks potentially resulting in death. This potential for intentional harm raises questions about the broader implications, including the potential for targeted attacks to eliminate specific individuals or orchestrate large-scale disruptions akin to terrorist attacks.
Once access is gained to one device, the interconnected nature of these technologies through interoperability becomes a significant worry. The weak points in the system created by these devices could serve as entry points for hackers seeking to wirelessly infiltrate the system, steal data, or hold it for ransom. While we haven’t witnessed direct attacks causing harm through these devices yet, ransomware incidents have led to facility shutdowns, impacting essential services like radiology. This delay in care highlights the vulnerabilities in health institutions that rely heavily on technologically advanced devices.
Although we haven’t experienced a large-scale, intentionally harmful attack, it doesn’t negate the possibility of such events occurring. The alarming potential for reprogramming lifesaving devices underscores the need for heightened cybersecurity measures. The integration of advanced technology in healthcare offers significant benefits, but it also exposes us to vulnerabilities that could be exploited for malicious purposes. The simultaneous progress and risks associated with technological advancements necessitate a comprehensive and proactive approach to cybersecurity in the healthcare sector.
What strategies can companies use to ease themselves into this new situation and ensure a smooth transition?
The implementation of cybersecurity measures in the healthcare industry, particularly for medical devices, is not an abrupt development. The awareness of cybersecurity risks dates back to the early 2000s when initial drafts of guidance were issued by the FDA. The evolving landscape of cyber threats, ransomware attacks, and technological advancements hinted at the inevitability of increased regulations over time.
Insurers who were forward-looking and cognizant of the industry trends anticipated the need for enhanced cybersecurity measures. The gradual evolution of cybersecurity standards was seen as an essential aspect of ensuring the safety and security of medical devices. Many in the industry welcomed the regulatory changes as they provided a framework for underwriters, like myself, to reasonably assure the safety of products.
However, challenges arise for companies that may not have prioritised robust cybersecurity risk management programs in their operations. Smaller entities, such as those formed by a group of doctors with a focus on innovation, might not have considered the potential nefarious aspects of cybersecurity threats. Larger companies with existing comprehensive programs are well-positioned for the regulatory changes.
Disruption is expected for companies with fragmented manufacturing processes, insufficient lifecycle management capabilities, and limited understanding of post-market monitoring. Budgetary concerns also loom large, as implementing and maintaining effective cybersecurity programs incurs additional costs. While some companies may face challenges in adapting to these changes, the overarching sentiment is that the regulations were long overdue and represent a crucial step toward ensuring the safety and integrity of medical devices in the evolving technological landscape.
So, the overriding impact of these regulations will be hard, but at the same time they are going to be a force for good?
Device manufacturers can view the new cybersecurity regulations optimistically as an opportunity to market their products. The introduction of stringent cybersecurity requirements provides manufacturers with a chance to showcase their commitment to security. Having a dedicated cybersecurity risk team in place becomes a selling point for these manufacturers. While the initial challenges may be significant, the regulations create a market demand for products that comply with the new standards.
Hospitals and healthcare institutions are likely to prefer products that adhere to the regulations, considering the potential implications for their internal networks. Despite the initial difficulty in adapting to regulatory changes, the long-term outlook is positive. The regulations, by giving teeth to the FDA, ensure accountability in the manufacturing process and contribute to the production of safer and more well-protected products.
Acknowledging that technology is still in its infancy, with rapid developments occurring every day, the regulations provide a necessary foundation for managing and regulating the evolving landscape of medical devices. Embracing these changes can be a strategic advantage for smaller companies, allowing them to design products with solid cybersecurity programs from inception, potentially gaining a competitive edge in the market.
Ultimately, the industry-wide acceptance and adherence to these regulations contribute to patient safety, fostering trust between consumers and manufacturers. Companies that embrace and incorporate these regulations into their practices may not only meet compliance standards but also build a positive image in the eyes of consumers, emphasising the importance of prioritising safety over profits.
What impact is the Act having on insureds specifically – how will this play out?
One crucial aspect that often gets overlooked is the need for tailored insurance coverage that aligns with the evolving risks in this dynamic landscape.
In this rapidly changing environment, where legal precedents are yet to be established, having comprehensive insurance coverage becomes paramount. I’d emphasise the importance of companies not only focusing on their cybersecurity measures but also integrating insurance discussions into their overall risk management strategy.
At Beazley, we’ve developed products that address the integrated cyber aspect, encompassing product liability, errors and omissions, and first-party cyber coverage. This approach ensures that companies are not only proactive in their cybersecurity efforts but also protected in the event of unforeseen incidents.
In the insurance realm, it’s crucial for companies to engage with brokers who understand the intricacies of cyber risks and can connect them with carriers specialising in this field. The goal is to provide integrated solutions that cover all aspects of potential risks, preventing uncovered claims that could be financially detrimental.
As the landscape continues to evolve, fostering conversations about the right insurance coverage and solutions is not just timely but essential for mitigating risks effectively. It’s about creating a robust risk management framework that encompasses both proactive cybersecurity measures and comprehensive insurance coverage.
Just to clarify, where do legacy devices – those in place prior to the Act – stand in all this?
The issue of legacy devices and the lack of a clear timeline for their replacement is a critical point. It adds a layer of complexity to the implementation of new regulations. The challenge lies in balancing the need for enhanced cybersecurity with the practicality of replacing existing devices, especially when healthcare institutions have already invested significantly in them.
The grey area surrounding recalls and the responsibility for ensuring cybersecurity in interconnected health networks further complicates matters. It becomes a nuanced decision for healthcare institutions on whether to reinvest in more secure devices and navigate the complexities of interoperability.
From an insurance perspective, this complexity is mirrored in the difficulty of determining liability and culpability. The scenario where the manufacturer made a device before new standards were in place raises questions about responsibility. The intricate web of potential liabilities, from manufacturers to health networks, plays a significant role in shaping insurance coverage.
Having comprehensive coverage in place, coupled with the expertise to navigate these intricate scenarios, is crucial. Insurance becomes not just a financial safeguard but a strategic component of the overall risk management framework. The interplay between cyber coverage, product liability, errors and omissions, and other coverages becomes vital in addressing the multifaceted nature of cyber risks.
Having a responsive cyber services team in the event of a breach is becoming increasingly important. The unpredictable nature of lawsuits and the evolving landscape of cyber threats make it imperative for companies to be proactive in securing robust insurance coverage.
It’s a complex and evolving landscape and these are nuanced considerations that both healthcare institutions and insurers must navigate.
What additional regulations related to the Act could we see introduced in the near future?
In the next few months, substantial regulatory changes in the cybersecurity realm are unlikely. The recent introduction of comprehensive cybersecurity regulations, such as those related to medical devices, is a significant development that will require time for the industry to fully acclimate. The complexity of moving formal regulations globally, especially when they have significant implications for corporations, suggests a gradual implementation process.
It is essential to avoid piling additional regulatory changes on top of the recent ones, as this could potentially stifle innovation. Companies need confidence to innovate within a framework that ensures safety. Overloading them with rapid regulatory changes may lead to a regression rather than progress in terms of innovation.
Looking ahead, areas where future regulations might emerge include artificial intelligence (AI) integration in the healthcare sector. AI has the potential to revolutionise diagnostics and treatment planning. However, appropriate regulatory structures need to be established to govern the ethical and safe use of AI in healthcare. Concerns about reliance on AI systems without robust backups may lead to regulations ensuring a contingency plan for system failures.
Additionally, regulations around software as a medical device could see more attention. Defining and reinforcing the criteria for software to be considered a medical device is likely to become a focus, addressing the ambiguities in this area.
While not expected to be as monumental as recent changes, these amendments aim to clarify and strengthen the regulatory landscape surrounding emerging technologies in the healthcare sector.
Interview by Joanna England
Joanna England is an award-winning journalist and the Editor-in-Chief for Insurtech Insights. She has worked for 25 years in both the consumer and business space, and also spent 15 years in the Middle East, on national newspapers as well as leading events and lifestyle publications. Prior to Insurtech Insights, Joanna was the Editor-in-Chief for Fintech Magazine and Insurtech Digital. She was also listed by MPVR as one of the Top 30 journalists in Fintech and Insurtech in 2023.