The IoT—the network of everyday objects equipped with sensors that can record, send, and receive data over the Internet without human intervention—has spurred the development of health-monitoring technologies that capture and transmit key patient data such as vital signs, activity levels, and medication compliance in real time or near-real time.
These new sources of patient data are providing valuable insights, improving clinical care, and reducing healthcare costs. But they are also presenting hospitals, device manufacturers, and other stakeholders with numerous complex challenges and risks: risks associated with relying on these data sources to make clinical decisions, and with sharing and storing the health data.
Accordingly, organizations using these technologies need to adopt risk-management strategies, or expand the ones already in place. "Risk management helps businesses avoid serious financial losses or mitigate financial loss through preparation," explains Debra Fox, vice president of The Hartford’s Technology & Life Science Practice. "It also allows hospitals, device manufacturers, and other health-care industry players to take a proactive approach to reducing or preventing potential financial losses from adverse events—for example, device errors, security breaches, and other malfunctions." Ultimately, by preventing and reducing financial loss and liability, risk management supports innovation.
Medical Devices, the IoT, and Risk Management
Increasingly, hospitals and other care providers are making critical decisions using real-time or near-real-time patient data generated by medical devices via the IoT. However, hospitals, device manufacturers, clinicians, and others need to be aware of new risks as they develop, invest in, and adopt these new sources of information. “Traditionally, risk management for medical devices is about the possibility that the device would not function and, as a result, would injure the patient or disrupt treatment in some way,” Fox says. “Insurers would typically think of that as a product-liability situation that arises out of bodily injury or a device malfunction that is injurious."
That's changed in today's increasingly connected environment. "When you bring in connectivity, you also bring new risks, such as data security and the complexity of a device malfunctioning," Fox notes. "That's not just because of poor design. You have software embedded so that the physical or the mechanical part of the devices could be working, but the software that’s driving it could fail." In addition, malware, including viruses, could be exchanged on hospital networks in the course of monitoring or treating a patient with a medical device.
New risk-management considerations include:
• Data-security issues, including compliance with the Health Insurance Portability and Accountability Act (HIPAA)
• Malware threats
• U.S. Food and Drug Administration (FDA) approval, reimbursement approval by the Centers for Medicare & Medicaid Services (part of the U.S. Department of Health & Human Services), and other regulatory requirements
• Interoperability between IT systems and software applications and other
It’s challenging to obtain FDA approval for any new device, and to get the Centers for Medicare & Medicaid Services to reimburse patients or clinicians for its use. But now the FDA is also poised to add regulations for cybersecurity and quality control. In January 2016, the FDA released draft guidance urging medical-device manufacturers to create comprehensive cybersecurity risk management programs to address “vulnerabilities which may permit unauthorized access” and “may impact patient safety.” The FDA also mandates that breaches and vulnerabilities must be “promptly corrected and reported."
In addition, the FDA is working with the National Institutes of Health to improve quality control, transparency, and tracking of medical devices by establishing AccessGUDID, an online database for medical devices. This will require many manufacturers to add a unique device identifier (UDI) to their products.
But there’s good news: These risks, challenges, and requirements are manageable.
Seek Expertise in Adopting a Risk-Management Strategy
Hospitals, device manufacturers, clinicians, and other stakeholders rely on insurance companies with health and life-sciences industry expertise to help them establish or expand their risk-management strategies. Insurers such as The Hartford help technology and life-sciences companies economically manage adverse events through insurance coverage and risk management. “Our prudent approach to risk management is to support the proactive development of a plan,” Fox explains. “Risk management is about being prepared and, if an adverse event happens, determining how you prevail—meaning 'not collapse'—under its weight."
Insurance companies aren't engineers or hands-on developers. Instead, their role is to contribute deep understanding of the unique risks associated with IoT-enabled medical devices—an understanding that can help insulate their clients or stakeholders from devastating liability and economic exposure. They partner with their clients to anticipate risks and to map out specific steps that clients need to take to reduce and even eliminate such risks.
The Hartford's stake in the conversation is one of advocacy: "We help protect companies that make and use these solutions, and we continually seek ways to evolve our services to address unique risks" such as product and clinical-trial liability and data breaches, she says. "We use our breadth of knowledge to help protect businesses and keep companies at the forefront of innovation. We work with our customers to identify the benefits for innovation and to provide risk management that will facilitate and support innovation.”
Summing Up the Benefits of a Proactive Plan
There's no question that many new medical devices and mobile applications are enhancing patient care while reducing costs. But it's equally clear that such innovations often bring along disruption and risk. For that reason, device developers, clinicians, hospitals, and others must be proactive and collaborate with insurance partners to adopt strategies for reducing the risks associated with medical devices and the IoT.
For example, insurance partners and risk managers can use predictive modeling and business intelligence to help identify potential risks. Risk managers—both inside client organizations and at insurance companies—already use those same approaches to help improve reliability and effectiveness of new devices throughout the innovation process, from initial development through market launch to implementation in a hospital or other setting.
By enlisting risk-management experts, stakeholders may not only reduce and even prevent potential financial losses and brand exposure, but also find themselves competing more effectively in the marketplace while continuing to innovate.
For additional perspective, please see "Big Data and Corporate Responsibility," The Hartford's presentation from the MIT Technology Review's 2015 EmTech conference. For more information about The Hartford’s technology industry solutions, please visit thehartford.com/technology.