When cyber attacks on hospitals threaten effective medical care, which party is responsible for patients’ outcomes?
As the number of cyber breaches continues to skyrocket, impacting companies of all sizes and across industries, hospitals – providing mission-critical medical care and with access to protected health information (PHI) – have proven to be a prized target.
In 2019 an unthinkable incident occurred that still sends shockwaves through the medical community. Springhill Medical Center, located in Alabama, suffered a ransomware attack that rendered critical medical equipment useless. As a direct result of networks and monitoring equipment being offline, a baby born in distress later died.
Today’s medical community relies heavily on technology. In fact, the copious amount of Big Data and Artificial Intelligence used by advanced medical equipment to diagnose and treat maladies can be seen as the modern-day microscope. But what happens when this “modern-day microscope” makes an error? Or worse, what if these tools are compromised by a cyber-attack, such as what occurred with the Springhill incident?
The term vicarious liability describes an important concept in hospital risk management; it means that multiple parties can be responsible for the outcome of a patient’s care. For example, if a patient experiences unplanned complications with a medical procedure, they may not only sue the surgeon, but the hospital itself could be targeted with legal action.
Cyber risks create an even more insidious challenge from a vicarious liability perspective. What happens if a doctor misdiagnoses a patient’s condition because a cyber-attack rendered equipment inaccessible for an extended period of time? What if the patient is injured or dies as a result? Would cyber insurance cover claims brought against the hospital by the patient’s family, or would malpractice insurance provide coverage?
Currently, bodily injury is frequently excluded from many professional liability policies. Due to situations like Springhill, the medical risk management community must review their malpractice policies to ensure that they address exclusions related to bodily injury or loss of life resulting from a cyber-attack. In more ways than one, failure to stay on top of this intersection of cyber risk and professional liability may prove costly.