Can Medical Device Companies Be Held Liable for Cyber Attacks?
In 2017, the FDA had to deal with an outrageous issue, something we might think could only happen in the movies of the future. Officials were forced to recall a medical device, a life-saving pacemaker of all things, because it was found to be vulnerable to cyber threats. Although there have been no known reports of patient harm involving the implanted devices, the step was taken as a preventative measure. To fix the issue, an FDA-approved update has been developed, and a healthcare provider can apply it during a patient visit to protect the device.
According to the FDA, many devices use software that’s vulnerable to attacks, viruses and worms. This is partly because there is currently no industry-standard operating system for these life-saving products. Common products that are likely to be at risk include insulin pumps, CT scanners, and heart pumping pacemakers. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to protect devices from security risks. Just as scary is the risk to older devices that run on outdated operating systems and no longer receive security updates. Even devices built 20 years ago or more are still in service today.
Healthcare Delivery Organizations Are Responsible for Keeping Patients Safe
Most medical device companies have a plan for natural disasters and other emergencies, but they lack a process for what to do in the event of a device security breach. These companies need to invest in top technology solutions to ensure devices stay secure and patients (and their data) are protected.
A 2017 report titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend” concluded that healthcare delivery organizations (HDOs) face these major challenges:
- Building secure devices is challenging. 80 percent of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited for why devices remain vulnerable include accidental coding errors, lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.
- Lack of security testing. Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year, while 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.
- Lack of accountability. While 41 percent of HDOs believe they are primarily responsible for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function in their organizations is primarily responsible.
- FDA guidance is not enough. Only 51 percent of device makers and 44 percent of HDOs follow current FDA guidance to mitigate or reduce inherent security risks in medical devices.
Patients Can Protect Themselves
You should be able to trust that the medical devices you use and are exposed to are safe. But to ensure that, there may be a few extra questions to add to the common FAQs you prepare for your healthcare provider. Patients will have to be more aggressive in finding information and doing their research about the medical devices their provider uses on them for tests and to track medical records, and especially about any device they have implanted to manage their health condition. Patients can start by simply asking if the system has a plan in place to secure the facility’s medical devices and if it has ransomware protection. If you suspect a breach and your health has been compromised, you have rights to be protected.
Owensboro and Madisonville Lawyers — No Recovery, No Fee
With offices in Owensboro and Madisonville, Rhoads & Rhoads represents product liability and personal injury victims throughout Western Kentucky. We offer free initial consultations, and no payment is required up front. Call us at 888-709-9329 or contact us by e-mail to schedule an appointment with one of our attorneys.