Medtronic campus Medtronic corporate headquarters campus in Fridley, Minn. Photo via Shutterstock.

 

In a scenario that could have been swiped from a spy series like “Homeland,” the U.S. Food and Drug Administration issued a safety alert last week about the vulnerability to hacking of up to 750,000 implantable heart defibrillators used to correct life-threatening arrhythmias, raising novel considerations for in-house and outside counsel.

The March 21 alert warned health care providers and individuals using certain Medtronic implantable cardiac defibrillators of cybersecurity weaknesses in their wireless technology that could leave the devices exposed to hacking. The FDA said it had received no reports of patient harm related to the vulnerability.

The Minnesota-based company's telemetry protocol, which enables communication between the devices for patient monitoring and physician evaluation, doesn't use encryption, authorization or authentication, the FDA said. That could allow an unauthorized person to change the settings on the defibrillators or the home monitors or clinic programmers, according to the company's security bulletin. The issue “does not affect Medtronic pacemakers, insertable cardiac monitors or other Medtronic devices,” Medtronic said in a statement provided by a spokesman.

Medtronic said it is working with the FDA to fix the problem with security software updates, the first of which is expected later this year, subject to regulatory approvals, and that it is conducting security checks to look for unauthorized or unusual activity related to the issue. The FDA recommended that patients and physicians continue using the devices in the interim.

Corporate defense attorneys said internet-of-things privacy and security issues are a growing concern for medical device manufacturers, distributors and health care providers.

Jeffrey Rosenthal, a partner at Blank Rome in Philadelphia who specializes in privacy and consumer protection class action defense, said on Tuesday: “It is clear that Medtronic is working with the FDA and it seems like a very upfront discussion of the issues. …Getting out ahead of this as Medtronic appears to have done appears to be a reasonable approach.”

Rosenthal pointed out that California legislation, AB 1906 and SB 327, taking effect next year regulating the internet of things will require security and privacy in devices, as would legislation under consideration in both houses of Congress. “It is indicative of our time as this is becoming more and more prevalent an issue as IoT devices become more and more a part of our modern existence,” Rosenthal said.

Cozen O'Connor commercial litigation member John J. Sullivan in New York, meanwhile, said it is premature to speculate on possible lawsuits because no adverse events have been reported, but the issue around the security of internet-connected medical devices bears watching.

“It is hard to see a mass tort in this, but that doesn't mean there won't eventually be limited efforts by attorneys interested in bringing single claims or a few claims. I foresee a lot of viable defenses.” He said, ”while the claims themselves would be cutting-edge, the defenses would likely be more tried-and-true: causation, such as whether any hacking or alleged vulnerability of the device caused the injury; was there a legally cognizable defect; were proper warnings given; are the product liability claims preempted; are there cognizable damages?”

Sullivan continued: “Those are defenses we have seen in the past, and we would expect to see them again here. In the meantime, the companies have already been addressing this internally, and they are determining what kinds of steps need to be taken, which could include addressing warnings or instructions for use, so as to continue to address safety and prepare for any challenges.”

Last October, U.S. Department of Health and Human Services issued a report stating that the FDA should put in place policies and procedures that better address cybersecurity risks to medical devices. In December, HHS, with the industry's help, put forward best practices in voluntary cybersecurity for the health care industry.

In the defibrillator safety alert issued last week, the FDA reminded “patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”