FDA Alert on Hacking Vulnerability in Heart Defibrillators is Wake-Up Call
Corporate defense attorneys said internet-of-things privacy and security issues are a growing concern for medical device manufacturers, distributors and health care providers.
March 29, 2019 at 01:00 AM
4 minute read
The original version of this story was published on Corporate Counsel
|
In a scenario that could have been swiped from a spy series like “Homeland,” the U.S. Food and Drug Administration issued a safety alert last week about the vulnerability to hacking of up to 750,000 implantable heart defibrillators used to correct life-threatening arrhythmias, raising novel considerations for in-house and outside counsel.
The March 21 alert warned health care providers and individuals using certain Medtronic implantable cardiac defibrillators of cybersecurity weaknesses in their wireless technology that could leave the devices exposed to hacking. The FDA said it had received no reports of patient harm related to the vulnerability.
The Minnesota-based company's telemetry protocol, which enables communication between the devices for patient monitoring and physician evaluation, doesn't use encryption, authorization or authentication, the FDA said. That could allow an unauthorized person to change the settings on the defibrillators or the home monitors or clinic programmers, according to the company's security bulletin. The issue “does not affect Medtronic pacemakers, insertable cardiac monitors or other Medtronic devices,” Medtronic said in a statement provided by a spokesman.
Medtronic said it is working with the FDA to fix the problem with security software updates, the first of which is expected later this year, subject to regulatory approvals, and that it is conducting security checks to look for unauthorized or unusual activity related to the issue. The FDA recommended that patients and physicians continue using the devices in the interim.
Corporate defense attorneys said internet-of-things privacy and security issues are a growing concern for medical device manufacturers, distributors and health care providers.
Jeffrey Rosenthal, a partner at Blank Rome in Philadelphia who specializes in privacy and consumer protection class action defense, said on Tuesday: “It is clear that Medtronic is working with the FDA and it seems like a very upfront discussion of the issues. …Getting out ahead of this as Medtronic appears to have done appears to be a reasonable approach.”
Rosenthal pointed out that California legislation, AB 1906 and SB 327, taking effect next year regulating the internet of things will require security and privacy in devices, as would legislation under consideration in both houses of Congress. “It is indicative of our time as this is becoming more and more prevalent an issue as IoT devices become more and more a part of our modern existence,” Rosenthal said.
Cozen O'Connor commercial litigation member John J. Sullivan in New York, meanwhile, said it is premature to speculate on possible lawsuits because no adverse events have been reported, but the issue around the security of internet-connected medical devices bears watching.
“It is hard to see a mass tort in this, but that doesn't mean there won't eventually be limited efforts by attorneys interested in bringing single claims or a few claims. I foresee a lot of viable defenses.” He said, ”while the claims themselves would be cutting-edge, the defenses would likely be more tried-and-true: causation, such as whether any hacking or alleged vulnerability of the device caused the injury; was there a legally cognizable defect; were proper warnings given; are the product liability claims preempted; are there cognizable damages?”
Sullivan continued: “Those are defenses we have seen in the past, and we would expect to see them again here. In the meantime, the companies have already been addressing this internally, and they are determining what kinds of steps need to be taken, which could include addressing warnings or instructions for use, so as to continue to address safety and prepare for any challenges.”
Last October, U.S. Department of Health and Human Services issued a report stating that the FDA should put in place policies and procedures that better address cybersecurity risks to medical devices. In December, HHS, with the industry's help, put forward best practices in voluntary cybersecurity for the health care industry.
In the defibrillator safety alert issued last week, the FDA reminded “patients, patient caregivers, and health care providers that any medical device connected to a communications network (for example: Wi-Fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 2Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 3NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 4A Meta DIG and Its Nvidia Implications
- 5Deception or Coercion? California Supreme Court Grants Review in Jailhouse Confession Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250