Issues of medical device cybersecurity have increasingly gotten the attention of manufacturers and regulators, but they’re not the only ones interested in moving the conversation forward; personal injury lawyers are keeping a close eye on the issues as well.
Reports released over the last 2-3 years have highlighted the immature state of many medical devices’ digital defenses, with researchers and regulators warning that security vulnerabilities could put devices, hospitals and even patients at risk of a malicious attack. Although some in the healthcare industry are working to build cybersecurity from the ground up, leaning on other industries’ trials and tribulations to glean best practices for medical devices, at least 1 law firm is ready to hold companies accountable now.
“The potential fallout from injuries resulting from tampered devices could mean millions of dollars in claims for damages,” Console & Hollawell founder and managing partner Richard Console Jr. wrote in a blog post on his firm’s site. “I’ll happily hold the manufacturer accountable in open court if it means we can force real action and affect real change.”
A well-known Maryland accident lawyer, along with other law firms around the country, has been saying for months that cybersecurity could be “the next big wave in securities litigation,” with implications for a variety of industries, including healthcare. Patient medical record leaks and hacks have already made hospital breach insurance a pretty hot market.
“Cybersecurity is now a hot-button issue meriting increased attention from corporate boards and management,” according to a February 2013 client alert from the law firm King & Spalding. “Issuers must not only take appropriate steps to protect their computer networks and information, but they must also disclose the risks associated with potential cybersecurity breaches and provide timely updates when actual breaches occur. Otherwise, they will face a substantial risk of regulatory scrutiny and shareholder litigation.”
Console called out medical device giant Medtronic (NYSE:MDT), which manufactures one of the world’s most popular insulin pumps and whose products have often been the focus of vulnerabilities examined by “white hat” or ethical hackers, who have released their findings to the public.
A Medtronic implantable defibrillator was the subject of the 1st published medical device hack (conducted in 2008), and white hat hacker and researcher Jay Radcliffe made headlines when he hacked his own insulin pump live on stage in 2011.
“Knowing about a serious threat to patient safety, and doing nothing to prevent foreseeable harm, is a breach of a very basic requirement every pharmaceutical/medical company shares,” Console wrote. “It’s no different than a department store leaving a puddle of water in the middle of a walkway for customers to slip. When a business makes their products available for sale, or invites customers inside to shop, they have a legal obligation to make the grounds and their items safe.”
Medtronic devices are no less secure than other devices on the market, but, as the largest pure-play medical device maker in the world, the company garners a lot of attention. That scrutiny may have played a role in pushing the Minnesota giant to advance its own digital security research and take a more proactive approach to cybersecurity.
Radcliffe, who initially said he struggled to get Medtronic to take his research seriously, told MassDevice.com that he’s now on good terms with the company. A year after his controversial presentation, Radcliffe found himself sitting side-by-side with Medtronic privacy & security officer Michael McNeil during a medtech digital security panel in Washington D.C.
“With Medtronic, my relationship is very good with them now,” Radcliffe told us during an interview at the Black Hat security conference in Las Vegas last month. “But that’s just 1 company.”
The industry as a whole is relatively new to cybersecurity concerns, but as more and more devices become Wi-Fi-capable, hospitals and regulators have raised concerns about their safety. To date there have been zero reported patient injuries related to malicious hacks on medical devices, but that hasn’t stopped the FDA from releasing new guidance on cybersecurity and announcing that it’s building a “cybersecurity lab.”
The Medical Device Innovation, Safety & Security Consortium is also about to launch 2 pivotal pilot programs to help hospitals and manufacturers improve their technology. The 1st is a series of security standards, developed in collaboration with medical device manufacturers, that a handful of large companies plan to begin using in development of next-generation devices. The 2nd is a software service, initially available to a select group of healthcare groups, that will allow hospitals to compare varying levels of cyber-defenses in medical devices and see how lower or higher levels of built-in security will impact overall IT costs.
Security experts hope that the medical device industry will take the opportunity to participate in the cybersecurity conversation, rather than wait until someone forces their hand.
“In some industries it’s gotten to the point where clients that have security issues have had to bring lawsuits against vendors to get them to actually address the issue,” security firm InGuardians chief operating officer Jimmy Alderson told MassDevice.com when we caught up with him at Black Hat. “I think a vendor should be more proactive in listening to their clients.”
Alderson, who works alongside Radcliffe at InGuardians, wants the industry to define how best to approach cybersecurity before a judge or healthcare regulator steps in to do it for them.
“To be able to bring in that crowd that is the medical device community, to be able to ask those questions or have those questions asked and then answer those questions in unison makes it a lot better,” Alderson told us.