Andrew Zarkowsky - Head of Technology Industry Practice - The Hartford
Brad John - Head of Life Sciences Industry Practice - The Hartford
Consider this: an ingestible pill with an embedded sensor that transmits a digital message from within a patient’s stomach to an app on their smartphone. It’s the stuff of science fiction but may soon be reality.
A Florida-based digital health company recently received approval by the U.S. Food and Drug Administration (FDA) for its patented ingestible event marker, which according to the company is the first to transmit digital messages from within the body to an external receiver without the need for direct skin contact for the purpose of recording ingestion events such as food, liquid or medicine breakdown in the stomach and intestines.
While it is still unclear what specific medications will be used with the technology, the marker will help address a growing issue in the healthcare field: medication adherence. Patients often neglect to take their medicine in the correct intervals and doses, leading to potentially harmful health outcomes. In addition to transmitting messages via a cloud-based server to the event marker, notifications will also be sent to a patient’s physician or pharmacist, enabling a real-time view and analysis of ingestion events.
This ingestible event marker is just one example of the rapidly growing digital health field, which the FDA describes as technology that can empower consumers to make better-informed decisions about their own health. It also provides new options for facilitating prevention, early diagnosis of life-threatening diseases, and management of chronic conditions outside of traditional care settings. Digital health categories include mobile health, health information technology, wearable devices, telehealth, telemedicine, and personalized medicine.
Telehealth is Here to Stay
The telehealth market, as one example, is set to be valued at $175.5 billion by 2026 according to a report from Global Market Insights. And while the use of this technology grows, it comes with substantial risks. Medical data is some of the most sensitive information in today’s world. While cyber is not new to healthcare, the multiple attack surfaces or third-party vendors and service providers that support the industry such as computer hardware, data collection software, and mobile telecommunications used by doctors and patient make telehealth an increasingly attractive target.
Ransomware can also be especially damaging to telehealth companies because their business model relies on a fully functioning network. Two big targets for hackers are the value of medical data, which can be sold for use by others, and a business’ reliance on connectivity, as well as its willingness to pay ransom to avoid shutdown and reputational damage. For example, when a patient uses new telehealth providers, the patient may need to share historical medical data.
A hacker may find some telehealth portals and networks more vulnerable than larger, traditional providers with more robust IT security resources.
There are COVID-19 specific risks as well. During the pandemic, enforcement of HIPPA requirements for telehealth have been relaxed by The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. Additionally, companies that have rushed to implement telehealth solutions may not have prioritized proper training and cyber security measures.
Regulatory Environment: The FDA’s Response to Supporting Digital Health
To the FDA’s credit, it has taken the digital health space seriously. The FDA implemented a Digital Health Innovation Action Plan to provide guidance on the medical software provisions of the 21st Century Cures legislation and launched a Digital Health Software Precertification Pilot Program to help customers develop a new approach to digital health technology oversight. In addition, the federal agency built its bench strength and expertise in the Center for Devices and Radiological Health (CDRH) digital health unit.
The FDA’s Digital Health Program aims to create relationships with digital health developers, patients and providers and enact transparent policies while balancing the benefits and risks to the public. For example, the FDA is focused on higher risk mobile medical apps and decided not to focus on the lower risk versions such as those that promote general wellness. By focusing on the higher risk technologies, the FDA can streamline their processes to help advance technologies.
Over the past several years, the FDA has also confirmed it doesn’t plan to focus oversight on technologies that receive, transmit, store or display data from medical devices, and clarified their expectations with cyber security. They have also collaborated with stakeholders to form a community to exchange cyber security information and partnered with customers and other federal agencies to propose a new framework for Health IT in the FDA’s Safety and Innovation Act Health IT report.
A New Approach to Certifying Lower Risk Digital Devices
The Digital Health Software Precertification Pilot Program should be of significant interest to developers. This program would replace the need for a premarket submission for certain products and allow for decreased submission content and/or faster review of the marketing submission for other products.
Under this approach, the FDA could pre-certify eligible digital health developers who demonstrate a culture of quality and organizational excellence based on objective criteria, including superior software design, development, and testing. Pre-certified developers could then qualify to market their lower-risk devices without additional FDA review, or with a more streamlined premarket review.
The Convergence of Technology and Life Science Risks
With the advent of the digital health age and the changing regulatory environment, risks such as business continuity, legal, liability, and safety have become more complex. Cyber concerns must be considered for both first- and third-party exposures.
Take, for example, the risks associated with the December 2019 service outage of a company that monitors and tracks glucose levels of users with diabetes via a sensor on their abdomens, sending an alert to their smartphones when blood sugar spikes too high or low. When the service outage took place, thousands of users were suddenly without the critical information needed to regulate their blood sugar. The New York Times reported at the time that one child nearly died when the device didn’t send an alarm to his mother’s smartphone, failing to notify her of his dangerously low glucose levels as he slept.
Digital health applications are susceptible to cybersecurity threats. As most devices are connected to the internet or other networks, security breaches are increasingly possible. A malware attack can have devastating effects for users that rely on digital health products to monitor (or control) critical health function.
Insurance Solutions to Help Mitigate Risks
There are a myriad of insurance coverage considerations in the digital health space. First-party coverages include cyber business income, cloud computing, cyber extortion, data recovery/restoration, system failure and more. Third party considerations focus on cyber bodily injury liability, data wrongful collection and use, privacy breach liability and technology errors and omissions.
Coverage and Liability
Considering the rapidly growing market and web of regulatory considerations, telehealth is one area that also presents numerous coverage and liability considerations. Many firms partner with multiple vendors to provide the products and services they offer to their customers. Legal counsel’s guidance on risk transfer for products and services is essential to good vendor risk management. Licensing agreements and customer contracts should also be reviewed regularly to ensure contract language reflects new products, services, or relationships.
Technology Errors and Omissions
Technology errors and omissions (E&O) insurance can help protect businesses from errors, omissions, negligence, and product failures. With digital health, if technology fails, it can have an enormous impact on a business’s finances. Unfortunately, traditional liability policies usually won’t cover pure financial losses. E&O coverage can help cover business legal fees and other related costs if software licensed to a client had glitches that caused them to lose a month’s worth of billing data and equipment provided prevents customers from receiving online orders for 48 hours. It can also help with expenses if cloud-based data services failed to backup critical data that a customer cannot recreate, or if the website designed for a customer looked too much like its key competitor’s site.
Cyber
Hackers know an opportunity when they see it. With an increase in new digital health companies, it’s more important than ever to have the right insurance coverage. Cyber insurance can help protect the insured from ransomware as well as data destruction, resulting business interruption and other financial losses. Robust cyber liability coverage is important for all digital health firms and especially those with large quantities of financial or medical information. Coverage that can respond to regulatory actions is key for those companies that operate in the medical space. Cyber needs are varied so understanding which coverage is appropriate and partnering with an agent, broker, and insurer who understands this space is critical.
Product and Professional Liability
Digital health companies can have a unique blend of product and professional liability risk. Most technology companies have generally enjoyed a relatively low exposure to products liability suits due to their relatively innocuous products. However, the risk profile for these companies can be quite different from a traditional technology company. Products such as consumer telecommunication equipment, wearables and medical devices used in diagnosis can greatly increase frequency and severity of risk to product liability suits. Companies that incorporate a third party’s products in their solutions should protect themselves through proper risk transfer and insurance coverage written for their unique risk profile.
The unique nature of digital health, telehealth and delivering medical advice remotely, without the benefits of the physical cues and body language associated with in-person consultations, adds exposure to miscommunication or omissions that could result in patient harm. The combination of using a platform that includes medical devices and remote professional advice results in a complex risk profile. For example, a picture of a physical issue such as a rash could be a distorted image and lead to an incorrect diagnosis.
Uncertainty around the “learned intermediary” is of concern as well. A prescribing physician acts as a “learned intermediary” between manufacturer and consumer and has the primary responsibility of warning patients of the hazards of prescribed pharmaceutical products. Whether this protection and responsibility changes when consultation is done virtually remains to be seen. Therefore, understanding the products and professional exposure on each digital health risk is essential to providing the right coverage.
And as digital health companies are increasingly demanding specialized partners for their evolving needs, they should also rely on the expertise of their insurance agent, broker and carrier to navigate the complex regulatory environments as they invent, test, and go to market with cutting-edge digital health applications.
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations herein are as of August 2021.
Author Biographies
Andrew Zarkowsky is head of Global Technology at The Hartford. His focus is on underwriting execution inclusive of growth, profit and product innovation for the technology industry. He has nearly 20 years of experience in underwriting technology companies.
Brad John is the head of Life Sciences at The Hartford. He has 25 years of insurance and risk management industry experience and is responsible for leading the development and execution of The Hartford’s life science strategic plan, including product, distribution, and marketing.
Subscribe to our e-Newsletters
Stay up to date with the latest news, articles, and events. Plus, get special offers
from American Pharmaceutical Review – all delivered right to your inbox! Sign up now!