Life SciencesLiability

Medical Device FAQ

What cyber insurance does a medical device company need?

A medical device company needs cyber liability for the patient, clinical, and business data it holds, and - once its devices are connected or it ships software - technology errors and omissions for a failure of that software or connectivity. Cyber covers breach response, HIPAA notification where PHI is involved, ransomware, and business interruption; technology E&O covers claims that the device software or platform failed to perform.

The device dimension is what makes this different from a generic manufacturer. A networked device, a remote-monitoring platform, or a software-as-a-medical-device product creates exposure that sits between traditional products liability and cyber, and FDA now treats device cybersecurity as part of safety with premarket expectations. Underwriters look closely at the security program - multifactor authentication, encryption, patch management - and price on controls more than size.

The gap to close is the seam between cyber and products liability: a hacked or malfunctioning connected device that causes patient injury can fall between a cyber policy that excludes bodily injury and a products policy that excludes cyber-triggered events. Reviewing both together is part of a mature device program.

Primary source

FDA - Cybersecurity in Medical Devices

Related

Medical device coverage review

A specialist will reach out by end of business day.

Request a coverage review