The intersection of the cybersecurity and healthcare industries continues to grow rapidly as we move into a more digitized future each day. The COVID-19 pandemic created a dire need for telemedicine as the standard way of practicing healthcare. While the convenience of telemedicine and digital health practices seems obvious, the risks for liability and cybersecurity rise. OmniSure’s Executive Vice President Laura Luck Martinez (BSN, RN, MS, ARM, CPHRM, FASHRM) was a panelist at the PLUS Webinar this past October.
PLUS (Professional Liability Underwriting Society) is recognized as the primary source of professional liability educational programs and seminars, networking events, educational products, and information regarding professional liability. Martinez was a key speaker and presenter on the panel: The Dawn of Digital Healthcare: Wearable Technology – Risks and Strategies for Liability and Coverage with an esteemed group of other industry leaders. We explore some highlights and major takeaways from this webinar below.
Telemedicine affects everyone
Chris Tellner (Partner, Co-Chair of Healthcare/Managed Care Practice Group, Kaufman Dolowich Voluck, LLP) moderated the panel, and he began with an excellent point: we are certainly in a new world, and technologies in healthcare have become extremely beneficial on both a personal and professional level. Beyond telemedicine and communication considerations, digital technologies are very personal: this applies to the wellness and fitness goals that we commonly track with Fitbits and Apple Watches.
This is where the security of digital healthcare gets cumbersome: there are extreme risks and pitfalls both on the professional liability side as well as the cyber insurance side when it applies to wearable technology. Aside from a personal attack and exposure risk of someone capturing confidential information, there’s an inherent risk for the companies to measure the data. Martinez explains the difference between wearable technology and medical technology.
Wearable technology v. medical technology
Telemedicine can be divided into three different modalities: real time, video, and asynchronous (“store and forward”). The latter is the most commonly used in practice (i.e., dermatology) and allows for x-rays and video clips to be shared among primary care providers, in consults, etc.
A new form of technology has dominated healthcare: remote patient monitoring, in which applications and health records are triggered by artificial intelligence to create early intervention alerts to monitor and manage chronic health conditions. This significant advance in digital healthcare allows common (and chronic) issues like congestive heart failure, diabetes, post-op, oncology, etc. to be monitored.
Although they seem similar, there are differences between remote patient monitoring and telemedicine. Both have multiple capabilities: they can monitor glucose levels and track blood pressure, and there are even apps that monitor air quality (beneficial for anyone with respiratory problems). Laura explains the important differentiating factor: “[with the wearables] while we do see patient and physician self-reported data, those devices don’t have medical grade validity in general…the wearables have different risk exposure and A.I. activity from telemedicine modalities…we see a higher risk exposure.”
Laura Luck Martinez elaborated on how provider executives are investing massive amounts of money into AI technologies. The intention is for these systems to reduce spending over time and truly help patient outcomes.
However much money continues to be invested in AI, it is Martinez’s belief that not only will the remote patient monitoring devices be at great risk for some sort of breach, but all healthcare is at risk: the data, the systems, the devices we use to monitor and provide care for any patient in the healthcare setting.
Risk Management and Cyber Policies
There’s an incredible amount of risk involving cyber crime and insurance. Hackers could gain access to private and sensitive information. This includes: financial information, location, social security, physical condition, a person’s daily activities, political affiliations, credit risks, and much more.
The panel discussed how, in today’s cyber world, we’re seeing all types of industries become victims of cyberattacks. From manufacturing to e-commerce businesses, everyone is at risk. Tamara Ashjan explored the dangers of ransomware in healthcare, and how it triggers so many different coverages under cyber policies and creates a slew of expenses.
In the professional liability realm, Ashjan gave an example of an inadvertent breach of privacy, which is definitely an area where companies need to know the risks and mitigations. She recalled an example of a nurse posting information on social media regarding the health of a patient who was the victim in a city-wide event. The family of the victim sued the hospital for a privacy breach. One bad judgment can cost a company millions of dollars. Another common example of this social media/marketing use is a plastic surgery center posting “before and after” photographs of clients. Unless they obtain the patient’s consent, litigation may occur in those scenarios.
So, are there any products out there that provide resources to an insured claim without having to trigger coverage? Ashjan explains, “…companies now provide training services and risk management services to policyholders that employers can use to train their employees to prevent breaches…these are typically available when you purchase the policy.”
Web of Regulations
A breach could implicate many types of regulations, including US Treasury Department regulations (office of foreign assets, US Sanctions list, etc.), HIPAA, the Federal Trade Commission (important to be careful in obtaining and keeping data from wearable devices), the FDA, etc. A recent example of legislation regulating this data is the California Consumer Privacy Act (CCPA), which covers businesses that collect and sell consumer personal information or disclose personal private data relating to California residents. “Consumer” and “personal information” are broadly defined.
What can policyholders, healthcare providers, or healthcare organizations do to protect themselves?
Laura Luck Martinez emphasizes the absolute need for healthcare providers to include digital healthcare information in staff on-boarding. “…oversight and provider credentialing must be expanded…there’s a need to address the training, competencies, telehealth and remote patient management approaches. Ultimately, it’s incumbent on every single provider to have some knowledge of the credibility of the devices, its intended or promised functions. Relying on I.T. or other office personnel to know is not sufficient or adequate.”
This is crucial advice for any healthcare setting. Preparation is key, and this extends to backup plans as well. Martinez reiterates that “cyber security is a patient safety issue not an I.T. problem. We need to have business impact assessments and risk analysis – follow that with a strong development plan and program…there will be times when systems are down and data is unavailable. Preparation is key.”
The panelists advised the insurance companies to create a breach playbook, which identifies key personnel and responsibilities in the event of a breach or a suspected breach. Other breach essentials include implementing a comprehensive backup plan, among other items of importance. Last but not least, knowing your cyber coverage resources is another key to mitigating risks.
What should a company do first in the case of a cyber attack?
This is a subjective question, but a few of the PLUS panelists responded to this question in a similar manner: they advised the victim to call a broker or carrier right away, and to not delete any information on servers. That being said, it’s an important reminder for businesses and companies to have data backed up onto other devices as well.
Looking into the future
OmniSure is a proud partner of PLUS, the global community for the professional liability insurance industry. Telemedicine, wearable tech, and the professional liability coverage implications remain at the forefront of the healthcare industry, and OmniSure’s Laura Luck Martinez remains a thought leader in that realm. We are committed to providing all of our partners with the most up to date industry risk mitigation standards and direction. Get in touch today to learn how we can help you and your company manage risk and elevate healthcare.
Full List of panelists
- Laura Luck Martinez (OmniSure Executive Vice President, BSN, RN, MS, ARM, CPHRM, FASHRM)
- Abbye Alexander (Partner, Co-Chair of Healthcare/Managed Care Practice Group, Kaufman Dolowich, LLP)
- Tamara Ashjan (Director, Claims, Cyber & Tech, Tokio Marine HCC)
- Laura Ruettgers (Partner, Chair of Data Privacy & Cybersecurity Practice Group, Kaufman Dolowich Voluck, LLP)
- Chris Tellner (Partner, Co-Chair of Healthcare/Managed Care Practice Group, Kaufman Dolowich Voluck, LLP)