September 19, 2021

Volume XI, Number 262

Advertisement

September 17, 2021

Subscribe to Latest Legal News and Analysis

September 16, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Hacking Health Care: When Cybersecurity Can Mean Life or Death

Millions of Americans rely on implantable medical devices to stay alive. These battery-operated devices communicate through wireless transmissions — and can be hacked like any other wireless device. For example, a wireless pacemaker regulates a person’s heartbeat and records the heart’s activity, and then transmits this information to doctors who can reprogram the pacemaker. The interconnectivity between medical devices and clinical systems leaves wireless medical devices vulnerable to security breaches.

cybersecurityCybersecurity no longer just applies to computer networks and financial data; modern implantable medical devices have the same vulnerability and also require cybersecurity. In fact, in a span of six months, hackers attempted to log into MRI and defibrillator machines over ten thousand times and attempted to download malware approximately 300 times. Had these hackers been successful, they could have accessed patients’ personal information or reprogrammed the defibrillators to deliver deadly jolts of electricity to patients’ hearts.

The government is already taking action. In 2014, the U.S. Food and Drug Administration (FDA) responded to these threats with guidance on how medical device manufacturers could improve the safety of implantable medical devices. The FDA advised manufacturers that their failure to develop cybersecurity controls could lead to repercussions including “compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

[I]n a span of six months, hackers attempted to log into MRI and defibrillator machines . . .

Further, as manufacturers well know, when a device malfunctions and causes bodily injury, consumers typically allege product liability claims. Patients whose devices are hacked could raise claims for design defects and failure to warn of the risk of cyber-vulnerabilities. These potential victims likely never considered their life-saving medical devices could be used as a weapon. For most people, the idea that someone would attack a medical device seems unfathomable.

So, what motivates attacks on implanted medical devices? According to Dr. William Maisel, “[m]otivation for such actions might include the acquisition of private information for financial gain or competitive advantage; damage to a device manufacturer’s reputation; sabotage by a disgruntled employee, dissatisfied customer or terrorist to inflict financial or personal injury; or simply the satisfaction of the attacker’s ego.” Medical data can be worth ten times as much as a credit card number. Added to that, the medical device market was a $25.2 billion industry in 2012 and is expected to be a $33.6 billion industry by 2018. That’s a vast market of potential victims.

© 2021 Schiff Hardin LLPNational Law Review, Volume V, Number 330
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

The Schiff Hardin Product Liability and Mass Torts Group comprises 40 lawyers — in New York, Washington, D.C., Chicago, Atlanta and San Francisco — solely devoted to helping clients face bet-the-company litigation against some of the most well-financed and formidable plaintiffs’ lawyers in the United States. Our lawyers try and win cases in some of the most plaintiff-friendly and inhospitable jurisdictions in the country, and when our clients ask us to create an exit strategy, we are equally adept at negotiating cutting-edge solutions to eliminate product liability and...

212-745-0865
Advertisement
Advertisement
Advertisement