
Question

What insurance does a SaMD (software-as-a-medical-device) operator need?

Short answer

SaMD (software-as-a-medical-device) operators need $10M-$50M of cyber coverage as the primary product-liability vehicle (because the software IS the device), an algorithm liability endorsement covering AI/ML decision support errors, HIPAA Business Associate scope on every customer relationship, Tech E&O for non-product professional services, and a SOC 2 Type II or HITRUST certification baseline, which underwriters expect. Standard products liability is structurally inadequate.

Why SaMD insurance is different from medical device insurance

For traditional medical devices, the products liability tower is the primary product-liability vehicle and cyber is supplementary. For SaMD operators, the dynamic flips - the software IS the device, so cyber becomes the primary product-liability vehicle and traditional products liability is the supplementary layer.

This structural difference means generic medical device insurance is materially under-sized for SaMD operators. Standard products liability forms do not cover algorithm errors, model output failures, or cyber-induced clinical decision support errors - the policy form needs SaMD-specific endorsements.

Coverage architecture for SaMD operators

Cyber tower at $10M-$50M sized to patient impact - patient count under management, sensitivity of the clinical decision, and severity of the underlying indication.

Algorithm liability endorsement covering AI/ML decision support output errors. Training data provenance coverage where training data is sensitive PHI.

HIPAA Business Associate scope on every customer relationship - the SaMD operator is typically a BA to each healthcare provider customer.

HITECH civil monetary penalty coverage.

Tech E&O for non-product professional services (implementation, training, customer success scope).

Multi-tenant SaaS cyber for hosted platforms.

API integration cyber where the SaMD integrates with EHR systems (Epic, Cerner, athenahealth).

Continuous deployment cyber risk - frequent software updates introduce vulnerability windows the policy needs to address.

Underwriter expectations

SaMD insurance underwriters in 2026 typically require SOC 2 Type II or HITRUST certification as a baseline expectation for placement at competitive terms.

Model governance documentation: validation studies, retraining cadence, drift monitoring, performance reporting.

FDA cybersecurity guidance compliance: pre-market and post-market cybersecurity submissions, SBOM (software bill of materials), coordinated vulnerability disclosure (CVD) program.

Customer contract review: BA agreements, EHR integration agreements, hospital purchase contract insurance schedules.

Cost

Typical SaMD insurance program annual cost: $50K-$300K for $5M-$100M revenue operators. The biggest drivers: patient count under management, indication severity, SOC 2 / HITRUST status, prior cyber events, and customer count.

Sources and references

This answer draws on the following regulatory, statutory, and standards-body sources. Coverage availability and program structure also depend on carrier appetite and underwriter discretion not captured by these sources.
