The health-care industry has undergone a seismic shift, as medical devices moving to the Internet of Things have proliferated. These innovations offer increased benefits to patients, but they also present potential hazards for medical device makers in the realm of cybersecurity.
Connected medical devices routinely record sensitive health information about a patient. This critical real-time access to information gives these devices an edge over older models. The risk, however, is that this same connectedness allowing health-care professionals to provide more responsive, personalized care also makes the data or devices vulnerable to hackers.
An Attractive Target
Hackers target the medical device industry for many reasons. Certain medical records are valuable because it’s profitable to monetize health insurance information.
Additionally, hospitals and doctors’ offices present tempting targets for ransomware attacks because of the urgency of care—far more so than in other industries. For example, if a shipping company’s computer goes down, that is unlikely to immediately cause injury to any person.
However, if a hospital’s computers go down, the hospital may find it difficult to continue basic health-care operations, which could easily (and quickly) lead to life-threatening situations. Thus, a hospital cannot wait a few days—or even a few extra hours—to recover from a ransomware attack, making it very hard to resist paying a ransom—even a large one—to ensure patient safety.
Potential Dangers of Specialization
Medical device specialization can result in patient data being made more vulnerable, and orthopaedic surgery serves as an example.
One study estimated that by 2030, 50% of all total knee replacements will be performed robotically with patient-specific data. Robotic cutting can aid a surgeon in positioning the implanted prosthetic device. Prior to surgery, the manufacturer obtains the patient’s medical records and develops a patient-specific program for the robot, so that, in effect, the patient receives individualized surgery.
In the past, manufacturers did not have direct access to patient-specific records and were not part of pre-operative surgical planning. Under this new regime, however, manufacturers will need patients’ X-rays, CT scans, MRIs, and other medical records, meaning that they will have access to sensitive data about patients that previously was kept entirely by hospitals or doctors.
Guarding Against Cyber Attacks
As with any security plan, the starting point is to build in the concept of security from the outset. Device makers must ensure that data is encrypted at every stage and require secure and multi-factor authentication for access to that data.
As companies design their devices, they must make them as secure and redundant as possible to protect them from ransomware and other attacks. Companies must also consider how long they need to keep data and implement a policy to ensure that no-longer-needed data is either disposed of immediately or thoroughly anonymized as soon as possible.
Medical device makers also need to be sure that patients are aware of what data the device makers have and how they will use and dispose of it.
It’s also critical for a company to have a written crisis operations plan on how to respond in the event of a cyber attack. Device makers should identify internal and external teams to execute this plan, and prepare to rapidly assess what happened in an incident, who is responsible for it, and how the company can handle its legal obligations. Moving rapidly after an incident can minimize the damage.
Future Legal Challenges
Device makers may need to deal with a different standard once they become part of the medical delivery team. They have to date been somewhat shielded by the legal concept of the doctor as “learned intermediary” between the patient and the device maker.
This defense doctrine states that a medical device manufacturer can fulfill its duty of care to a patient when it provides all of the necessary information to a “learned intermediary”—the physician—who exclusively interacts with the patient. Individualized medicine such as robotic surgery creates a “blurring of the line” between doctor and device maker. Will courts and juries still allow a device maker to rely on this traditional defense?
Finally, hacking incidents may make it difficult to assign liability between the device maker and the doctors. Imagine a scenario where a ransomware attack occurs midway through a surgery, subsequently causing the device to malfunction. Or, a hacker obtains the ability to shut off pacemakers and threatens to do so unless the hospital pays them off.
Were these harms foreseeable to the device maker? Would an alternative design have prevented them? Is it the responsibility of the hospital or the device maker to address these problems? These traditional product liability issues may be turned on their head by new technologies.
Some of these issues will be fought out in court; others will become the basis for a tremendous “battle of the forms” as entities seek to assign liability to other parties in the contracts between and among doctors, hospitals, device makers, and patients.
There are many outstanding questions surrounding liability related to data from connected medical devices that courts have yet to settle—or even address. More sophisticated medical devices and the data they collect will save lives, but they will also create tempting targets for hackers that will surely generate complex legal issues.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Seth P. Berman leads Nutter’s Privacy and Data Security practice group in Boston. He helps corporations and their boards address the legal, technical, and strategic aspects of data privacy and cybersecurity risk, and to prepare for and respond to data breaches, hacking, and other cyber attacks.
David L. Ferrera leads Nutter’s Product Liability Litigation practice group. Fortune 500 medical device and pharmaceutical companies rely on his scientific expertise and experience in presenting complex product liability issues to lay juries and courts.