Reviewing some of the key considerations for cyber insurance

June 24, 2020
By Robert J. Kerwin 

The 2020 global increase in malicious cyberactivity against companies has been well reported. As of March 30, 2020, the FBI’s Internet Crime Complaint Center (IC3) reported it had received and reviewed more than 1,200 complaints related to COVID-19 scams. 

In a previously published report, the global cyber education company, Cybint, noted that 64% of companies experience web-based attacks. Of these companies 43% of the cyber attacks target small business. Despite those threats, only a relatively small percentage of firms have cybersecurity insurance to cover all risks. 

Many companies don’t fully realize the scope and breadth of their cyberpolicies until a cyberattack occurs, which is not the time to determine how good your policies are. Companies need to review their cyberpolicies now. Moreover, a company’s future business may, in part, depend upon whether they carry cyber insurance. Recognizing the perilous nature of these cyber threats, more and more hospitals and manufacturers are requiring their vendors to carry cyber insurance. 

Wading into the confusing world of cyber insurance is not easy. There are complicated coverage terms, including: incident response costs, legal and regulatory costs, IT security and forensic costs, crisis communication costs, privacy breach management costs, third-party breach management costs, post-breach remediation costs, theft of funds in escrow, theft of personal funds, extortion, corporate identity theft, push payment fraud and unauthorized use of computer resources, system damage and rectification costs, income loss, business interruption, reputational harm, claim preparation, hardware replacement costs, fines, and intellectual property infringement. 

Navigating all of the above is no walk in the park — especially after completing an extensive application form which requires disclosure of all controls and policies currently in place. The questions will vary from insurer to insurer, but they will all want to know if you had an independent third party cybersecurity audit and an account of any remediation that was performed. Candor is important, especially with respect to the training being given to employees in cybersecurity and whether your policies and procedures are being followed. Will an insurer pay claims submitted if they come to learn that the application disclosed policies and procedures that were never followed? 

So where do you begin? Cyber insurance is not like any other insurance. Several acknowledged authorities encourage simplifying the coverage inquiry to: Why do you need it? Are your biggest vulnerability concerns privacy obligations (PII or PHI)? Is your concern loss of data? One must begin with data mapping: where does your data sit? If it’s in the cloud with a third party, you will want to have third-party coverage. If your company uses a social media platform, you may want to look into media liability coverage. Can you obtain coverage retroactively? You want to have a vulnerability assessment conducted and, of course, undertake remediation. That is the point at which you can assess what coverages are needed. You should have a solid data governance program. What are your document retention and destruction policies? Most states have long required that you maintain a written information security plan (WISP), so when incidents occur, you can use your WISP to respond in real time to the threats. Most importantly, you need within the company an “owner”. 

Tip: don’t base the owner of the data governance policy on the “org” chart. Appoint someone whose real job it is to manage the data privacy and governance concerns. She or he should have good data from inside the company to establish continuity plans and to modify plans as times and threats change. While many will want to use outside consultants to quickly get up to speed, don’t forget your insurance libraries. I use the Insurance Library Association of Boston. Yearly membership costs are relatively modest, and they respond to my emails on various insurance topics. 

Always ask to see the cyber policy ahead of time. Don’t rely on summaries or websites. You will need to read the fine print. The old adage “don’t judge a book by its cover” is so applicable to the cyber insurance policies. 

Recently, I reviewed the proposed 30-page Policy Document for Cyber Insurance for a small company. The Declarations page displayed cyber incident response limitations of liability which, at first blush, looked ample. The document offered “Limit of Liability: $1,000,000 for each and every claim; legal and regulatory costs: $1,000,000,” and so on. 

The definitions told the real story. You likely don’t need a $1,000,000 coverage limit if it only pertains to the financial cost of contacting the insurer’s 24/7 cyber incident response line. The same goes for legal and regulatory costs if all that means is that you are able to use the insurer for drafting data breach notifications to governmental entities and customers. Wading through the 8 point font, it seemed that real losses were capped at $50,000. I guess I should have been tipped off when the premium quote for 12 months coverage was so low. 

Good cyber insurance is expensive compared to other policies. In part, the higher premium costs reflect the reality that cyber claims are now routine. Consider whether it makes sense to seek longer-term coverage if possible. Some insurers are contemplating exiting the market because of the high number of claims, and the sad reality is that cyberthreats are now a permanent business threat. 

About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers Inc. and a member of the HSCC Legacy Medical Device Task Force.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51640

New IMDRF Cybersecurity Guidance: Crystal Ball on Regulator Expectations

June 4, 2020
By Robert J. Kerwin

In the wake of the enormous increase in cybersecurity incidents, medical device regulators world-wide have been engaged in the development of pre-market and post-market guidance outlining cybersecurity expectations. In March, the International Medical Device Regulators Forum (“IMDRF”) released the guidance, “Principles and Practices for Medical Device Cybersecurity”.

It is the first IMDRF guidance document focused exclusively on medical device cybersecurity. Because it is a consensus document produced by an IMDRF Working Group, it is expected to contribute greatly to much of the ongoing industry cyber standards work.

In 2011, following the cessation of the Global Harmonization Task Force, the IMDRF was conceived as a forum to discuss future directions of regulatory harmonization and convergence. It is a voluntary group composed of regulators. The regulators are committed to accelerating strategically the international harmonization of medical device regulations. The IMDRF members include the United States, Europe, China, Japan, Russia, Canada, Brazil, and Australia. Official Observers include the World Health Organization.

The March IMDRF Guidance now provides recommendations to stakeholders on the general principles and best practices for medical device cybersecurity. The IMDRF Working Group chairs for the project were Suzanne Schwartz of the FDA and Marc Lamoureux of Health Canada. The Guidance includes recommendations to minimize cybersecurity risks and to ensure maintenance and continuity of device safety and performance. Note: with respect to safe and effective design/manufacture of medical devices, the March IMDRF Guidance acknowledges that this Guidance should be considered in conjunction with the IMDRF Essential Principles Guidance.

The March IMDRF Guidance addresses cybersecurity in the context of devices that either contain software or exist as software only. The scope of the Guidance is expressly limited to consideration of the “potential for patient harm.” While the Guidance recognizes the importance of cybersecurity for a manufacturer’s enterprise and of harms associated with breaches of data privacy, those matters are outside its scope. Among the key takeaways:

• Total product lifecycle (TPLC) risks. Risks associated with cybersecurity threats and vulnerabilities should be considered throughout all phases of the TPLC (initial conception to end of support);
• Shared responsibility. Device cybersecurity is a shared responsibility between the manufacturer, healthcare provider, users, regulator, and vulnerability finders. All stakeholders are expected to “understand their responsibilities to work with other stakeholders to continuously monitor, assess, mitigate, communicate and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.”
• Information sharing. The Guidance notes: “[c]ybersecurity information sharing is a foundational principle in the TPLC approach to safe and secure medical devices”. The Guidance specifically encourages stakeholders to participate in Information Sharing Analysis Organizations to foster collaboration and communication as to cybersecurity incidents and threats.

Of particular interest and concern, the Guidance addresses a conceptual framework where legacy medical devices that cannot be protected are decommissioned/phased out of existence. The Guidance provides that no cyber support should be expected for medical devices past the established cybersecurity ‘End of Support’ date.

Importantly, the Guidance does acknowledge that “compensating controls may be able to provide some level of protection. In the presence of available and successfully deployed compensating controls the medical device would not be considered legacy per this framework.” This is an important clarification, as there are reportedly nano-segmentation and other solutions available which may mitigate health data security risks.

Several other important takeaways are provided in the Guidance including the recommendation to establish clear points of contact with device manufacturers on vulnerabilities. This 46-page IMDRF guidance is an important read for those searching for a crystal ball to better understand regulator cybersecurity expectations.

About the author: Robert J. Kerwin is the general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51420

Draft Standard on Refurbishing Equipment Could Lead to Greater Manufacturer Control

May 27, 2020
By Robert J. Kerwin 

With the gradual reopening nationwide of the economy, we are understandably focused on getting back to business, while ensuring the health and safety of our families. Raising a discussion of new ‘refurbishing standards’ for certain non-imaging medical equipment may provoke the question: how could this be relevant to my business? 

Standards are essential tools for technology and business. One day the draft standard may become the industry standard or… a regulatory requirement. Standards offer important opportunities for consensus. Standards may provide key rules and metrics for technology and trade. The American National Standards Institute requires in its ‘Essential Requirements’ that the standards development process not be dominated by any single interest, category, or organization. It requires a balancing of interests and good faith efforts to harmonize. There should be no undue barriers to participation. 

The International Electrotechnical Commission (IEC) is another highly respected standards organization. Many consider the IEC to be the leading organization that prepares international standards for electrical, electronic, and related technologies. The IEC provides a platform for discussion and development of international standards. During its prestigious history, the IEC technical committees have considered devices ranging from instruments used in connection with ionizing radiation to MP3 players. 

One draft IEC standard, IEC 63120, which was prepared by an IEC Working Group and circulated for comment is titled ‘Refurbishment of medical electrical equipment, medical electrical systems and sub-assemblies and reuse of components as part of the extended life-cycle’. The standard does not cover medical imaging equipment which is addressed by a separate IEC standard. Many aspects of the IEC 63120 refurbishment process are very carefully considered and specify necessary risk management steps. The sections covered range from safety to the establishment of a refurbishment plan. Under the standard, refurbishment must be conducted under a certified quality management system such as ISO 13485:2016 or the equivalent. The refurbishment process of sub-assemblies is also addressed. 

The IEC draft reviewed includes language that may change, if ultimately adopted, who may refurbish and the requirements that apply when the refurbishment is not performed by the manufacturer. Section 4.1 of the General Requirements for Refurbishment provides that the refurbisher: 

• should be qualified by the Manufacturer prior to authorization; 

• should be authorized by the Manufacturer; 

• should be controlled by the manufacturer in an appropriate way; 

• should be accountable to provide feedback to the manufacturer; and 

• there should be a quality assurance agreement regarding post market information between the refurbisher and the manufacturer. 

While other requirements in the standard appropriately address important knowledge areas such as sterilization, disinfection and testing, the standard does not identify why those who refurbish must be qualified, approved and accountable to a manufacturer. Parenthetically, I am not aware of manufacturers who would voluntarily approve refurbishers who are not otherwise involved in a manufacturer joint venture or parent/subsidiary business arrangement. Such standard requirements seem inconsistent with appropriate balancing of interests and other requirements for adoption of a national or international standard. We hope that the highly respected IEC would not issue final approval on a standard which apparently requires manufacturers to vet, approve and control the refurbishing process. Perhaps there is another draft in the offing which omits this requirement. Compliance with QMS and safety requirements does not always necessitate that only those approved by the manufacturer may refurbish. 

About the author: Robert J. Kerwin is the general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers.

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51349 

AdvaMed and MITA exit collaboration with non-OEM service stakeholders

May 20, 2020
By Gus Iversen, Editor in Chief, DOTmed

In a setback for improved cooperation between different medical equipment service stakeholders, two of the leading manufacturer trade groups, the Medical Imaging & Technology Alliance (MITA) and AdvaMed, have announced they will no longer be participating with in-house and independent service organizations in FDA-recommended Medical Device Servicing Collaborative Communities (MDSCC). 

The collaborative community was called for in a highly anticipated 2018 FDA report, which capped off a two-year investigation finding evidence “not sufficient” to warrant increased regulation of non-OEM medical equipment service organizations. The communities were intended as an opportunity for different groups to forge ahead addressing the unique challenges they face, working together to resolve them. 

“While we appreciated and supported FDA’s aim of bringing together third-party servicers and manufacturers to address issues surrounding the safety of third-party servicing of medical devices, ultimately we did not feel the group made sufficient progress in basic organizational or other areas to justify AdvaMed’s continued participation,” an AdvaMed spokesperson told HCB News. 

In response to that statement, David Francoeur, senior vice president of marketing and sales at Tech Knowledge Associates, and a member of the MDSCC representing the non-OEM service viewpoint, said AdvaMed’s reason for leaving mischaracterizes the FDA’s aim in forming the collaboration to begin with, noting that the FDA was addressing quality and safety related to maintaining medical equipment as a whole — not third-party specifically. 

In its own statement, MITA also commended the FDA’s efforts, but added that “despite over a year of regular meetings and numerous attempts to find consensus, it has become clear that progress is unlikely any time soon, given the divergence of opinions held by participants, as well as the time constraints imposed on industry by the COVID-19 pandemic.” 

The divergence of opinion referenced by MITA has been well documented since 2016, when the FDA first launched its investigation. 

By and large, OEMs have taken the position that non-OEM service lacks oversight and represents a safety hazard. In a 2018 opinion piece for HCB News, Patrick Hope, the executive director of MITA, wrote, “While we agree with many FDA findings, we reach a far different conclusion on this one,” and called for ending the “regulatory void” by passing legislation in Congress that would increase third-party oversight. 

In-house and independent service groups, on the other hand, generally argue that the biggest threat to safety is the lack of cooperation they get from OEMs regarding access to manuals, passcodes and other necessary information. In a response to Hope’s article, Arif Subhan, then president of the American College of Clinical Engineering (ACCE), observed that reporting of adverse events is the job of facilities (not servicers) and asserted, “it is grossly misleading to suggest servicers are held to a lower standard when clearly it makes no sense to hold servicers to manufacturing-specific regulations.” 

The clashing viewpoints are comparable to high-profile right-to-repair controversies concerning consumer products like smartphones and tractor-trailers, where manufacturers like Apple and John Deere have argued that a robust service market for their products would open the door to safety and security concerns. 

“In reality, AdvaMed and MITA have been stalemating progress in the collaborative communities for over a year,” said Francoeur. “They couldn’t agree on antitrust-focused language, and they couldn’t agree on voting rights.” 

Although COVID-19 has put the MDSCC on hold, Francoeur said that “mini groups” have been formed within the alliance to concentrate on specific topics (training materials, definitions, QMS solutions, and key performance indicators) and he expects those groups to continue their work despite the departure of MITA and AdvaMed. 

The International Association of Medical Equipment Remarketers and Servicers (IAMERS), another MDSCC member representing non-OEM viewpoints, echoed that sentiment. “IAMERS is disappointed that AdvaMed and MITA will not be continuing with the Medical Device Servicing Collaborative Communities initiative,” Robert Kerwin, general counsel for the organization, told HCB News. “Like other stakeholders, we have devoted many hours to the MDSCC initiative and will continue to pursue this and other collaborative initiatives.” 

The need for better partnerships between medical equipment OEMs and service teams has been highlighted by the COVID-19 pandemic. In April, five state treasurers called upon device manufacturers to increase the availability of ventilator service manuals for service technicians on the front lines. “In a public health crisis, every second counts. There shouldn’t be a single ventilator sitting in a closet because a hospital, already under extreme pressure, isn’t able to make necessary repairs to it,” wrote Pennsylvania State Treasurer, Joe Torsella. “I call on manufacturers of this lifesaving equipment to release this information and remove this barrier that hospitals are facing.”

This article is reprinted with permission of DOTmed HealthCare Business News and can be read online in its original format at: https://www.dotmed.com/news/story/51242 
