Article September 4, 2017

Pacemakers recalled due to hacking risk

The news that half a million (500,000) pacemakers by health technology firm Abbott have been recalled over fears they may be tampered with remotely illustrates an increasingly common problem – as technology becomes ‘smarter’ it also becomes more vulnerable to hacking.

When cyber blurs the boundaries of commercial risk.

We’ve seen it with smart home gadgets – from toasters and kettles to alarm systems, security cams, light bulbs, thermostats and gas meters. We’ve seen it with smart toys – from My Friend Cayla to teddy bears, robots and drones. Effectively, anything and everything connected to the vast, great Internet of Things is at risk from hacking.

The case of recalled pacemakers is somewhat unique in that few IoT vulnerabilities have directly life-threatening consequences. Authorities claim that a software vulnerability allows hackers to empty the battery or change the pace of the device, putting patients’ health at risk and potentially causing their death. The recall affects only those pacemakers that have not yet been implanted, which means anyone with an Abbott device, sold under the St Jude Medical brand name, will have to weigh the risk of another invasive surgery and the potential of remote interference.

What makes this case all the more interesting, from an insurance point of view, is the cross-over between risks – a product recall provoked by cybersecurity issues. A failure in the manufacturing of the software used in the pacemaker enables the device to be hacked and cause bodily injury. Our product recall policy includes a section on software product safety, which would apply to this case and trigger the coverage – meaning the costs associated with the actual recall would be covered. At the same time, this incident is clearly also a cybersecurity failure, which really serves to highlight that cyber risk, as a peril, is something that affects many traditional insurance product lines.

Read more about the recall here: