FDA Alert on Hacking Vulnerability in Heart Defibrillators is Wake-Up Call: Lawyers
The March 21 alert warned health care providers and individuals using certain Medtronic implantable cardiac defibrillators of cybersecurity weaknesses in their wireless technology that could leave the devices exposed to hacking. Attorneys from Blank Rome and Cozen O'Connor discuss the emerging issue.
March 28, 2019 at 10:18 AM
5 minute read
In a scenario that could have been swiped from a spy series like “Homeland,” the U.S. Food and Drug Administration issued a safety alert last week about the vulnerability to hacking of up to 750,000 implantable heart defibrillators used to correct life-threatening arrhythmias, raising novel considerations for in-house and outside counsel.
The March 21 alert warned health care providers and individuals using certain Medtronic implantable cardiac defibrillators of cybersecurity weaknesses in their wireless technology that could leave the devices exposed to hacking. The FDA said it had received no reports of patient harm related to the vulnerability.
The Minnesota-based company's telemetry protocol, which enables communication between the devices for patient monitoring and physician evaluation, doesn't use encryption, authorization or authentication, the FDA said. That could allow an unauthorized person to change the settings on the defibrillators or the home monitors or clinic programmers, according to the company's security bulletin. The issue “does not affect Medtronic pacemakers, insertable cardiac monitors or other Medtronic devices,” Medtronic said in a statement provided by a spokesman.
Medtronic said it is working with the FDA to fix the problem with security software updates, the first of which is expected later this year, subject to regulatory approvals, and that it is conducting security checks to look for unauthorized or unusual activity related to the issue. The FDA recommended that patients and physicians continue using the devices in the interim.
Corporate defense attorneys said internet-of-things privacy and security issues are a growing concern for medical device manufacturers, distributors and health care providers.
Jeffrey Rosenthal, a partner at Blank Rome in Philadelphia who specializes in privacy and consumer protection class action defense, said on Tuesday: “It is clear that Medtronic is working with the FDA and it seems like a very upfront discussion of the issues. …Getting out ahead of this as Medtronic appears to have done appears to be a reasonable approach.”
Rosenthal pointed out that California legislation, AB 1906 and SB 327, taking effect next year regulating the internet of things will require security and privacy in devices, as would legislation under consideration in both houses of Congress. “It is indicative of our time as this is becoming more and more prevalent an issue as IoT devices become more and more a part of our modern existence,” Rosenthal said.
Cozen O'Connor commercial litigation member John J. Sullivan in New York, meanwhile, said it is premature to speculate on possible lawsuits because no adverse events have been reported, but the issue around the security of internet-connected medical devices bears watching.
“It is hard to see a mass tort in this, but that doesn't mean there won't eventually be limited efforts by attorneys interested in bringing single claims or a few claims. I foresee a lot of viable defenses.” He said, “while the claims themselves would be cutting-edge, the defenses would likely be more tried-and-true: causation, such as whether any hacking or alleged vulnerability of the device caused the injury; was there a legally cognizable defect; were proper warnings given; are the product liability claims preempted; are there cognizable damages?”
Sullivan continued: “Those are defenses we have seen in the past, and we would expect to see them again here. In the meantime, the companies have already been addressing this internally, and they are determining what kinds of steps need to be taken, which could include addressing warnings or instructions for use, so as to continue to address safety and prepare for any challenges.”
Last October, U.S. Department of Health and Human Services issued a report stating that the FDA should put in place policies and procedures that better address cybersecurity risks to medical devices. In December, HHS, with the industry's help, put forward best practices in voluntary cybersecurity for the health care industry.
In the defibrillator safety alert issued last week, the FDA reminded “patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllNewly Public Biotech Startup Hires Life Sciences Veteran as GC
Prof's Stinging Conclusion: Lawyers for Purdue Pharma Were 'Overzealous Accomplices in Corporate Misconduct'
6 minute readSage Therapeutics Axes GC After Drug-Pipeline Failures Force Cost-Cutting
After Guiding Illumina Through Harrowing Merger Fight, GC Charles Dadswell to Depart
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250