Article

Assessing Cyber Implications for Future Medical Technology Developments

Opportunities, risks and the way forward

Technology is fundamentally altering the way medical interactions and processes are conducted. It is critical during this evolution that the cyber and technology insurance industry ensures it is keeping pace with both the technological progression and the concurrent threats it presents.

The Metaverse is widely regarded as the next iteration of the internet and its evolution is accelerating due to the coupling of our current online behaviour and the Covid pandemic. Already, the majority of us hold meetings remotely and with the integration of  virtual reality (VR) and augmented reality (AR) we are beginning to see further enhancements to employee collaboration. The Metaverse will continue to facilitate the merging of our physical and digital lives in healthcare.  

The past 18 months of reduced limits, coverage restrictions, and significant rate increases in the cyber insurance markets is showing early signs of softening. But, as technology continues to evolve, where and how does the industry position itself to ensure its continued relevance to organisations seeking to transfer cyber risk?

 

The opportunity

The medical industry is beginning to benefit from these innovations and there is a clear ethical argument to embrace the possibilities presented. Opportunities include shortening waiting times, improving diagnostics, and better-quality training for all doctors.

There are already well-documented successes of how early iterations of the Metaverse have provided revolutionary advantages to medical professionals. For example, surgeons operating in Brazil successfully separated conjoined twins after using VR to both practice the procedure and collaborate with experienced doctors in London remotely. Digital twin technology is another area where developers can improve health outcomes. This burgeoning concept uses a combination of a patient's data to form a physiological copy, or 'avatar', of the patient to facilitate better-informed clinical decision-making. To safely implement all interactions between the virtual and the physical, the security of data is imperative.

 

The dark side 

While the opportunities associated with the Metaverse within the healthcare industry are significant, substantial threats persist. Healthcare providers across the UK, USA, and Europe are battling various cyber security incidents. A recent report from Sophos, the cyber threat intelligence company, found that ransomware attacks on healthcare almost doubled in 2021. 66% of the healthcare organisations surveyed were hit by ransomware in 2021; up from 34% in 2020. The combination of stretched resources, an aggregation of sensitive data, and the unceasing elongating of legacy systems results in the sector suffering from insurer scepticism. Additional medical devices involved, with internet connection, considerably broadens the attack surface for an adversary to exploit. All of these devices will need to be registered, managed, and updated.  

Reassuringly, this has undoubtedly become a C-suite priority in the private sector driving organisations to address the issue. Healthcare providers are now proactively strengthening their baseline cyber security and adopting cyber hygiene controls to ensure they can find broad coverage.

Regrettably, these cyber risks will persist, driven by threat actors looking for financial reward while assuming minimal risk. It will also simultaneously proliferate engagement with and the presence of third party providers across the healthcare technology landscape. Many of these third party providers are small and medium enterprises (SMEs) and it is these companies who are often the most susceptible to attack. SMEs usually have limited budgets for cyber security and cannot maintain the baseline controls previously referenced. While third party due-diligence is always considered during the underwriting process, improvements can always be made. Large companies should work closely with their third party providers, providing support throughout their cyber security journey.

Data also presents another significant challenge. Substantial volumes of data are required for digital twin models to be effective and consumers will need to trust that their data is kept secure. It is vitally important that the synthetic environment and access to it is secured. Regulators must balance protecting the consumer's privacy, encouraging innovation, and regulating a digital health ecosystem simultaneously. Risk managers and brokers must ensure they understand the risks associated and insurers must provide varied coverage tailored to the client's unique needs. Beazley's new Virtual Care product is a good example of how insurers are beginning to consider this issue.

 

Blockchain – the key

The ability to efficiently move and share medical data is crucial to the successful adoption of advanced technologies. However, data security regulators are unconvinced of these technological development. Healthcare providers constructing increasingly higher walls around their data are also not assuaging this issue either. Blockchain technology is potentially the key to breaking this stalemate. Blockchain is a distributed and secure digital record-keeping system where data, once recorded, is impervious to both modification and deletion. The healthcare industry can reap many advantages through understanding and embracing blockchain and insurers must start comprehending this in order to support those that are seeking to implement and advance it.

 

The way forward 

Despite the risks, the Metaverse is poised to offer benefits to consumers across the healthcare industry. For timely, appropriate, patient-centred care, and value-based initiatives to thrive effectively, seamless health information mobility, devices, and systems interoperability are all crucial. Interoperability efforts and regulations are already taking shape. This adequately demonstrates that the industry is currently progressing toward a secure, standards-based application programming interface (API) framework. Nevertheless, a legacy of inconsistent processes and information remains. It is vital cyber security controls continue developing and that medical providers consistently evaluate their cyber exposure to mitigate existing threats.  

In the legislative space, both the UK government and the EU have proposed to bolster cyber resilience; which should come to fruition within the next few years. It is vital healthcare providers continue enhancing their cyber security controls. Marsh’s deep-dive into the 12 recommended cyber security controls is a useful tool for companies to baseline their cyber resilience and insurability. Investments in these controls have the potential to supplement cost-reduction efforts through the efficiencies of new medical technology. Insurers must continue to guarantee that cyber and technology coverage provides both ample value while sufficiently transferring the related risk.

Marsh is at the forefront of this conversation. We endeavour to drive the discussions between Chief Information Security Officers, Risk Managers, and Insurers to ensure that the path to cyber resilience is both structured and attainable.