Can Your Health Device Be Hacked?

What seemed like a far-fetched scenario out of Hollywood four years ago is now yet another reality that security experts have been warning about.

In the screen version, the U.S. vice president is assassinated on the TV show “Homeland” after a hacker takes control of his pacemaker and stops his heart—making it look like a heart attack.

In real life, the U.S. Food and Drug Administration recently released a safety warning that St. Jude Medical implantable cardiac devices and their remote transmitters contain security vulnerabilities. An unauthorized party could use the vulnerabilities to “modify programming commands” on the device that could result in rapid battery draining or “administration of inappropriate pacing or shocks.”

Coincidentally, the warning came on the heels of an FDA document addressing this very issue: At the end of December, the agency released its guidance for the post-market management of medical device cybersecurity.

The guidance is similar to a previously issued one for premarket design and development. Both are nonbinding.

The FDA can take action against products that violate the Food, Drug and Cosmetic Act, which could include devices that pose serious risks of injury or death and lack remediation. Outside of that, it’s unclear what, if anything, the FDA would do about lower-level risks that are not being mitigated.

Enforcement or not, there’s plenty of skepticism about the influence the document will have on device manufacturers. Security experts call it a good first step—emphasis on “first.”

But they are not convinced that the guidance will motivate the industry to make medical devices more secure.

“Absent of serious crises or patient deaths, I’m not optimistic that this document will get the attention of many companies building medical devices,” says John Dickson, a principal with the security firm Denim Group Ltd., who formerly served at the Air Force Information Warfare Center.

The guidance “emphasizes that manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.”

Among other things, the FDA recommends that manufacturers:

  • Follow the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security, which is widely used in many industries
  • Implement a risk-management program for identifying and assessing vulnerabilities
  • Act on information about vulnerabilities and deploy patches quickly.

A big problem to crack

Dickson says that the sheer number of devices in circulation—potentially millions, registered to some 6,500 to 7,000 manufacturers—creates a major problem.

“Most of the medical device companies are just trying to get the capability to work well—and here comes (a problem) they really didn’t consider before,” he says.

The embedded sensors and devices were designed for a long lifespan and, in many cases, not intended to be upgraded.

“If those devices cannot receive software updates at some time in their lifespan, they will be vulnerable, so the risk is enormous,” says Hamilton Turner, chief technology officer at mobile-security vendor OptioLabs.

The industry has been slow to react.

Ashton Mozano, chief technology officer at Circadence, a “next-generation” provider of cybersecurity training, says that some of the device vulnerabilities have been known for as long as a decade. But the response has not been like in airline or automotive safety, where “there’s a whole community that gets up in arms” when there’s a faulty or dangerous product.

“We don’t really see that in cyberspace yet. The medical device industry, as well as the IoT realm, have been essentially isolated from that level of widespread global scrutiny,” Mozano says.

The FDA began warning about the problem a few years ago. The guidance certainly indicates the agency’s interest in cybersecurity is growing. Unfortunately, the FDA may not be in the best position to address the problem.

“They’re not in the best situation to have the knowledge and skill set … to mandate regulations for the cyber industry,” Mozano says. “They don’t want to overregulate.”

Plenty of gaps to be filled

The FDA defines patient harm as physical injury, damage to health or death. Other types of harm—such as loss of personal health information—are excluded from the FDA’s scope.

Turner thinks that’s an oversight. He says that data taken from a device can sometimes include information about the operating environment, including secure Wi-Fi access that could be used to access the network and cause patient harm.

“Ignoring loss of data in a security context can lead to some very serious repercussions,” he says.

Long-term execution of the guidance also is questionable. Mozano says there needs to be “a clear assignment of roles and responsibilities throughout the entire vertical and horizontal supply chain.” And, there needs to be better leadership and a more systematic, step-by-step implementation, he says.

The FDA could take a page from the automotive industry, where rankings by third-party evaluators such as J.D. Power influence buying decisions. This would not only motivate manufacturers to protect their reputation but also put some of the power into the hands of the users.

“This could be more effective than having draconian regulations,” Mozano says.

The industry sentiment seems to be that scenarios à la TV’s “Homeland” are still far-fetched. Even the Department of Homeland Security said the vulnerability in St. Jude’s devices would have required “an attacker with high skill.”

But Dickson emphasizes that what was science fiction as recently as two years ago is now becoming a major problem. After all, not too long ago “people said political campaigns were too sophisticated to hack.”

“Given the widespread and ubiquitous nature of medical devices, the fact that a more sophisticated attacker could do this means it will happen at some point,” he says. “As the sophistication goes down the chain, there’ll be more automation to do it. At this point, nobody has figured out how to automatically attack, but that will happen.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

A ‘Perfect Storm’ of Opportunity (Part 3)

This is the third of three parts in a series. The first part is here, and the second is here. 

Change isn’t always easy. If you’re an insurance agent or Write Your Own (WYO) dealing with the April 1, 2016, regulatory changes to the National Flood Insurance Program (NFIP), you know this all too well. As the Federal Emergency Management Agency (FEMA) continues to phase out various rate subsidies, agents are dealing with increasing policyholder concerns around rate increases and affordability.

These regulatory changes inject new complexities into an already complex program. For agents trying to serve their customers in this space, it’s challenging to stay ahead of the NFIP changes around eligibility, pricing and flood zone determination — all while making time to absorb periodic, substantive modifications. Furthermore, increased regulatory scrutiny creates greater demands on agents because producers must invest additional time to ensure compliance. These dynamics generate new frictional costs that leave many agents feeling like there’s less return for their efforts.

Homeowners have also felt the impact of the rapidly evolving flood insurance environment by means of increased costs and added requirements. Those interested in buying flood insurance or in maintaining existing flood insurance are faced with shifting price points and new steps in the application process. Just recently, pockets of homeowners in South Carolina were newly mapped into mandatory purchase areas, forcing some mortgaged properties to purchase flood insurance for the first time. Such changes can impose significant burdens on homeowners, particularly those on fixed incomes.

Strategies for Managing Through Change

While regulatory changes to the NFIP may make it difficult for agents to sell flood insurance, emerging options can offer relief. Previously, if a prospective consumer rejected flood insurance because of price, agents often did not have an alternative. Today, this is not the case.

Keith Brown, the president and CEO of Aon National Flood Services, said, “The NFIP offers a widespread product, and that has significant application in today’s environment. … However, agents will find that there are some customers who may not be an appropriate fit for the NFIP. Now, agents can present options for policyholders who struggle with affordability issues if charged full-risk rate premiums. These agents are able to present coverage options more tailored to individual homeowner needs in terms of lifestyle, financial planning and risk exposure.”

There are some strategies for flood risks that agents can adopt to help manage change through an evolving regulatory environment and shifting consumer appetite. First, it is important that agents are mindful of map revisions and the fluidity of the geographic risk associated with flood. Mapping changes drive pricing and surcharges applied to individual risks. For instance, a customer who wasn’t required to have flood insurance yesterday may be required to have it today.

Innovations and opportunities in this business do not follow a set schedule, and agents seeking means of differentiation must be vigilant. With the proper education and tools, flood insurance offers a means for agents to help customers better protect themselves and their investments. Talk to your WYO; familiarize yourself with product choices your customers may find attractive if they’re struggling with the impact of regulatory changes.

When looking at the newly mapped areas as defined by the NFIP, there is a distinct line that defines the area where homeowners must have flood insurance as a condition of having a federally backed mortgage. On the other side of that line, homeowners are not required to have flood insurance to mortgage their home; however, floods do not recognize these lines. In many cases, the homes sitting on the non-insurance-required flood zone lines have just as much of a chance of falling victim to a flood catastrophe. So, as an agent, understanding flood maps and knowing how properties may move in and out of different flood zones is invaluable in educating your customers and helping them determine what insurance they may or may not need.

There’s no doubt that, in today’s ever-changing environment, a long-term strategy is difficult for agents. A basic understanding of the requirements surrounding floods will get you by. But if you want to have the opportunity to be more successful and be viewed as a valued business adviser and resource for homeowners in your community, you have to be able to look beyond the basics of flood.

By taking on a more holistic view of flood, recognizing how floods can affect communities and having the ability to articulate all flood options (including private solutions), you can set yourself apart from others adrift in a sea of change.

For an overview on the NFIP changes, check out a handy visual guide NFS has put together: “Making Sense of NFIP Regulatory Changes.”

A ‘Perfect Storm’ of Opportunity (Part 1)

This is the first part of a three-part series on the innovation needed in flood insurance.

If you are an insurance agent trying to survive in today’s competitive marketplace, you may have dipped your toes in the flood insurance waters, so to speak. If you have not, get ready to jump in, because there’s a “perfect storm” of opportunity ahead.

Flood insurance is a vastly under-penetrated market. According to a recent report from the Federal Emergency Management Agency (FEMA), approximately 10% of U.S. residential property is located in areas where flood insurance is required for federally backed mortgages, yet fewer than half of these homes carry the coverage. Total penetration in the U.S. is less than 7% for the roughly 95 million residential structures.

That 7% penetration is compelling when you think about the prospective flood universe. Every single state in the country has suffered flood losses. So the question becomes: How do we leverage the opportunity to expand flood insurance beyond those 7%?

When you consider the current state of the industry and of the National Flood Insurance Program (NFIP), the climate is ripe for change. The federal program is upside-down by $23 billion, resulting in additional fees and charges, and the Biggert-Waters Flood Insurance Reform Act of 2012, followed by the Homeowners Flood Insurance Affordability Act, injected new complexities into the NFIP. These — and related — conditions have created a “perfect storm” of opportunity to grow the number of homes that buy flood insurance.

Taking Advantage of Emerging Private Flood Options

Legislation has paved the way for private flood insurance, which has come in response to different markets having different views and different appetites for risk, and additional measures pending in Congress further clarify the critical role of private flood insurance. Those diverse interests or private markets call for the independent development of product and service solutions to address various flood insurance needs and to differentiate their programs from others. The resulting innovation and product specificity directly benefits consumers. Accordingly, the conversation around flood has really evolved from “What is private flood?” to “Why now private flood?”

One significant challenge for agents will be helping consumers understand that flooding (unlike earthquakes or hurricanes) is the only natural disaster where people actually influence the event itself. Whether through urbanization, the clearing of land for agriculture or artificial levee systems, we influence where floods happen and the severity of floods when they happen. Areas that were not in danger yesterday are exposed today. Private industry has an opportunity to help educate Americans on how these changes drive future flood risk through modeling techniques and data analytics.

We need to help homeowners understand that yesterday’s safety does not necessarily equate to safety today. I see this playing a pivotal role in helping educate homeowners on their true risk of flood.

Getting an Edge in a Competitive Marketplace

Education remains a critical charge for insurance agents who want to obtain an advantage in this evolving market. Agents want loyal customers, and a flood insurance solution represents one more policy that agents can deliver to deepen existing relationships. From my perspective, there are fundamental strategies to employ to your advantage:

  • Understand the impact of flood in your area

Every state has been touched by flood, so the risk is widespread. By familiarizing yourself with the history of floods in the areas where your agency is operating, you will better understand the potential impact to your customers.

  • Get to know your customer

Does your customer have a man cave in the basement? Is your customer living in a high-value home? Is your customer in a home that is not elevated or that is exposed to flood more than other homes? Is your customer at risk of being displaced for weeks or months at a time if flood happens? That knowledge will help an agent determine what is appropriate for a client and then to match those specific needs with product options in the private market.

  • Leverage flood tools available

Take advantage of tools that enable independent assessment of flood risk outside of FEMA flood maps. For example, through www.floodtools.com, agents and homeowners can learn about their potential exposure to flood. By entering an address, they receive an easy-to-understand visual representation of where they are positioned with respect to floodwaters and flood plains.

  • Stay current in the evolving product environment

New, more relevant private products are becoming available every day. Staying informed in the changing product environment will help improve your ability to meet the diverse needs of customers with contemporary offerings such as:

—Additional living expenses

—Enhanced basement coverage

—Increased limits for various risk classes

  • Be clear on who is backing the product and the capital structure behind it

There is an abundance of capital looking for new business to write. Know who is backing the product and the capital structure supporting the private program. Consider the financial strength and financial rating of the insurer and inquire about flood underwriting experience.

Setting Course for the Challenges Ahead

We are seeing a lot of interest in the flood space and the emergence of a host of new products. Many employ a so-called “coupon” approach by offering a percentage discount on the NFIP premium, but they haven’t changed the experience at all. Agents still need to manage extensive applications, an elevation certificate and property photographs. The experience needs to be improved, for the agent and for the customer.

Are there opportunities for agents to sell flood insurance on a larger scale? Certainly, but more work is necessary to make that happen. When it comes to flood insurance, we need to find solutions attractive to both agents and homeowners for the purpose of increasing overall participation. We need to address the existing challenges. Constituents entering this space cannot solely focus on a price-to-coverage configuration angle. Ultimately, without product and service innovation, we can’t expand the market.