A medical device can be anything from a tongue depressor to an implantable neurostimulator. But what cybersecurity and health care attorneys are concerned about are the Bluetooth-ready devices that speak to other devices or systems. While connected devices present more efficient patient care and sharing of data, each device presents another possible opportunity for a security breach that could compromise that data — or worse.Connected medtech is already everywhere. Medical technology companies estimated that by 2021, more than two-thirds of their devices will be connected through the Internet of Things, according to a Deloitte survey released last summer. The IoT medical tech market was $15 billion in 2017, but could triple by 2022 to $52 billion, the study predicted.
“You walk into a hospital, and so much of the equipment in those facilities has the ability to connect to something else,” said Jodi Scott, a partner at Hogan Lovells’ Denver office whose practice focuses on life sciences and medical devices. An example of a connected device would be an electrocardiogram monitor that sends the heart signal data directly to medical records. But hospitals now have a “huge population” of devices that have been used for decades but are now connected, Scott said. For years, health care organizations have been dealing with data breaches involving HIPAA-protected personal health information. Medical device breaches represent a new worst-case scenario.
“What we always think about is, if a pacemaker gets interfered with, could it kill somebody?” said Lynn Sessions, a partner at BakerHostetler in Houston whose practice focuses on health care data privacy and security. While it’s possible that a hacker would maliciously tamper with life-saving medical tech, it’s unlikely to occur since it’s hard to see how a hacker would monetize that like data theft or other common attacks, Sessions said. Still, she added, it’s a worry in the health care industry. “If an incident occurs where a patient is killed, that’s really what everyone loses sleep about.”
Hypothetically, a hacker could deactivate a pacemaker or overdose a diabetic patient with their insulin pump in addition to tampering with other life-saving wearable tech that’s IoT activated. An attacker could also use the device as a doorway to access the health care system and its records, and other devices in the network.
“It sounds like a bad ‘24’ episode, but it’s theoretically possible,” Scott said. “We’ve seen situations where people have proven that they can do it.”
The FDA Steps In
Independent security experts have discovered bugs in pacemakers that would allow someone to remotely change the device’s settings. Last year, the Food and Drug Administration began collaborating with such “white hat” hackers to find more of these vulnerabilities and issue warnings to manufacturers.
The FDA has taken steps to regulate cybersecurity standards in medical devices. In October, the agency issued guidance saying that the quality system regulations that manufacturers have to follow in developing their devices must include cybersecurity risk assessment. Before certain devices hit the market, the FDA wants to see security test data for them and how their manufacturers manage the cybersecurity risks they present.
The FDA can also issue recalls or notices for devices that have potentially harmful cybersecurity vulnerabilities. The most recent such “safety communication” the FDA sent out was in March for an implantable cardiac defibrillator by Medtronic. The ICD used a wireless network that doesn’t have encryption, authentication, or authorization barriers. In the notice, the FDA confirmed vulnerabilities that “if exploited, could allow an unauthorized individual … to access and potentially manipulate an implantable device, home monitor, or clinic programmer.”
Fifteen years ago, nobody thought about cybersecurity when designing medical products, Scott said. Lately manufacturers have been trying to catch up, producing more secure devices and issuing security patches to fix security vulnerabilities in a device that’s in use. The FDA has recently “reduced the regulatory burden in applications to encourage companies to address cyber issues and bugs as they show up,” Scott said. “The stuff that’s coming out is in great shape, but the older technology is a more varied condition,” Scott said. “How do we make sure we’ve secured all of the older technology that’s still around?” Health care providers often have to choose between the cost of retrofitting their older technology with better security or purchasing newer, more secure tech to replace it, she added.
Who’s Liable?
The mantra of cybersecurity is that it’s not a matter of if a company will experience a data breach, but when. When a connected medical device is hacked, it might not be clear who’s to blame for making it possible.
“Is that something that the hospital should be responsible for, or the device manufacturer?” Sessions said. “It could be both depending on how those contractual relationships are set up.”
“Liability is a huge issue in medical technology,” said Aloke Chakravarty, a partner at Snell & Wilmer in Denver whose practice focuses on data security and privacy, in an email. “As with other finger-pointing situations, who is liable will depend on a variety of factors, including compliance efforts, notice, contractual relationships, opportunities to cure and conformance to industry standards.”
Liability in a medical device breach could hinge on who’s considered a covered entity or business associate under HIPAA or FDA regulations, Chakravarty added. It will also matter whether the company or health care system was following a security compliance program. “Establishing a culture of security and being able to prove it could help inoculate the most concerning liability,” he said.
A Different Kind of Litigation
Data breaches involving medical technology would inevitably spawn lawsuits. Experts have warned of a wave of class actions that combine data breach litigation with product liability.
One of the things that will make medical device breach litigation unique “is the variety of defense targets” plaintiffs will have, according to Casie Collignon, a class-action defense litigator and partner in BakerHostetler’s Denver office.
A typical data breach lawsuit pits consumers against the manufacturer. With connected medical devices, plaintiffs might go after the network provider, app provider, software vendors and other parties in addition to the medical device manufacturer, Collignon said. Many of these potential codefendants might not even be aware of each other, let alone do business with each other, she added.
“So many players come into play when you have a medical device that talks to other parties,” Collignon said.
Another distinguishing aspect of medical device breach is that the consumer could have a role to play in failing to secure the device. If a hospital suffers a data breach with personal health information, it’s clear the patient bears no responsibility for that breach. But medical devices could present a different scenario, Collignon said. Suppose a medical device is connected to a consumer’s smartphone, and the consumer places weak security settings or a soft password on the device app. If the medical device is then hacked through the app on that phone, serving as a gateway to other systems, personal data and devices, does the consumer bear some responsibility for that breach? Plaintiffs in a medical device class action might have taken varying steps to secure their devices. At the very least, that scenario presents defendants with an individualized defense, Collignon said. “Anytime I can have an individualized defense, it can throw a wrench into a class claim.”
But as cybersecurity litigators have already seen, a breach might not have to actually occur in an Internet-of-Things product in order for a lawsuit to proceed, and the same could be true in the medical device space. For example, a class-action lawsuit against Fiat-Chrysler claims that the manufacturer knew about cybersecurity vulnerabilities that could allow hackers to take control of a Jeep model and sold the vehicles before patching the vulnerability. The case, Flynn v. FCA, is heading to trial in October after the U.S. Supreme Court declined in January to take up the manufacturer’s appeal.
“The plaintiffs’ bar found that to be a victory,” Collignon said, because there wasn’t even a hack that affected consumers. “The fear of there actually being a personal injury is what allowed that case to survive.”
With courts finding that plaintiffs have standing to sue for IoT security vulnerabilities, even before a breach has occurred, the unique hybrid of medical device class litigation could come even sooner than manufacturers and hospital systems bargained for.
In the meantime, health care organizations and regulators are taking steps to mitigate cyber threats to medical devices. Chakravarty said the FDA “has taken this issue seriously and is continuing to explore regulation and to issue updated guidance” but is “still too late for industry and patients.”
As a result, manufacturers are taking it upon themselves to propose effective security standards, and “will be well served by getting ahead of government enforcement and civil liability” by doing so, he added. Scott also said that the FDA and companies are showing more initiative to secure medical devices.
With hospitals being such a multifaceted network that houses patient and medical data, “you have to get all of these different players to do their part,” she added.
“We have a lot of work to do … and the devices are just one little piece of it.”
— Doug Chartier