The Risks of IoT in Medicine and Healthcare

From the smallest sensors to entire operating room systems, the Internet of Things (IoT) is helping to save lives and changing the practice of medicine. By remotely capturing medical data, facilitating medication delivery and enabling digital health applications, the IoT delivers greater convenience and functionality to patients and their physicians.

Along with opportunity, the IoT also presents new and emerging risks for technology companies. Should the technology fail to work as intended, a patient could be injured or sensitive personal health information may be exposed. Building in safeguards can help technology companies who produce IoT products, component parts and related software mitigate those risks.

1. Bodily injury. If an IoT device does not operate as planned, technology companies could be liable for resulting injuries, or even the death, of a user or patient. Companies who produce IoT technology should understand their exposure to bodily injury risk due to defective design, a manufacturing defect, product misuse or a failure to warn consumers about a potential danger related to the use of the product.

For example, if a doctor prescribes a pill with a swallowable chip to verify compliance for a patient with a memory impairment, and a flaw prevents the transmitter from sending compliance data to the physician, the doctor may not receive alerts that the patient is not taking the medication. If the patient’s condition worsens and the patient needs expensive surgery, the patient might sue the company that made the connected pill for failure to transmit compliance data in a timely fashion.

2. Technology errors and omissions. The IoT technology may fail to work as intended due to an error, omission or negligent act in the design of the technology. If the purchaser sustains economic losses, such as lost profits or business disruption, they may file a liability claim. Defense expenses alone may be catastrophic to a technology business.

For example, if a health insurer offers an incentive to customers using a fitness tracker, and an error in the tracking software overstates the number of steps, then the company may give more discounts than it should. The insurance company may attribute the financial loss to incorrect step counts as a result of external fitness tracker manipulation.

3. Cyber risk. Thieves find protected medical information an attractive target for cyber attack and are breaking into IoT-based information systems. If that data is exposed, businesses might face financial losses, business interruption or reputational damage for failing to properly secure data held within their information systems.

For example, a company that makes wearable cardiac monitors could have medical readings uploaded to a cloud. If the engineers responsible for cloud security fail to properly configure a security patch, it could create a vulnerability. If hackers gain entry, they could then sell a patient’s sensitive health data.

Managing IoT Risks

Just as new applications continue to be discovered for medical IoT, so are new risks emerging. Companies can be held liable for bodily injury, economic losses to third parties and the failure to properly secure data. But technology companies can take steps to help protect against these three main categories of risk.

Here are actions to consider in minimizing exposure to these risks:

• Evaluate and implement appropriate quality and risk management systems.
• Build in cyber security.
• Evaluate company contract practices.

It can also be helpful to discuss relevant insurance coverage with an agent or broker. Product liability coverage, errors and omissions liability coverage and cyber liability and cyber related first-party coverage can help protect against potential liability.