Cybersecurity for Medical Devices

Getting to the heart of the matter

The FDA has issued a warning about potential cyber risks related to certain cardiac devices. The warning concerned implantable devices and transmitters that monitor and communicate data directly from patients to the doctors.

The FDA has not received reports of any data breaches in these devices. However, such devices are vulnerable to unauthorized remote access. An unauthorized user hacking into the program could compromise both the safety of the patient and the effectiveness of the device. This could be accomplished by disrupting the pace setting, shocking the heart, or causing the battery to drain rapidly.

Current standards and guidelines

In December 2016, the FDA published formal guidelines for addressing cybersecurity for medical devices already on the market. These guidelines encourage manufacturers to monitor the devices, assess how breaches can affect patients, employ software patches to reduce the risk of an attack, and work with researchers to gain an understanding of potential threats.

The FDA intends to update and adjust its post-market cybersecurity guidance as the field evolves. Reducing such threats and protecting patients while promoting innovative technologies requires coordinated efforts by manufacturers, hospitals and medical facilities.

Medical devices and product liability

It’s interesting that the product liability exposure could actually increase once a reliable medical product is sold. Apparently, any neglect or oversight to stay ahead of hackers and security breaches may continuously expose medical manufacturers to product liability lawsuits. The same can be said for manufacturers of autonomous cars, trucks, drones and industrial equipment.

In the future, we may see a perfectly good and safe product leave the manufacturer and be hacked later, causing bodily injury or property damage. As a result, the manufacturer will be sued by the injured party because of a failure to provide timely updates to the medical device software.

Looking ahead

The growth of technology is exponential (think runaway expansion) and the insurance industry and legislators are going to struggle to keep pace with the rapid changes. In the first quarter of the 20th century, technology advanced more than the entire 19th century. We already saw the exponential growth of technology occur every hour in the year 2000. In 2013, that will be every six minutes, and by 2020 it will occur every thirty seconds! Cyber criminals stay current with cybersecurity efforts and will become more sophisticated as technology evolves.

It will be challenging for product liability insurance carriers and underwriters to rate and price these types of products. One obvious solution for insurance carriers could be narrower coverage in the way of exclusions and endorsement that limit or remove coverage if software updates existed but were not provided in a timely manner to keep the medical devices safe.

Source: Amy M. Rubenstein and Sarah K. Schiferl. “Medical Device Manufacturers Face A Cybersecurity Heartache.” www.productliabilityandmasstorts.com. 01 FEB., 2017.