On July 31, 2015, the FDA issued a warning regarding Hospira's Symbiq Infusion System, a medical device that it believed to be particularly vulnerable to cybersecurity attacks. The Symbiq Infusion System is a computerized pump that continuously delivers general infusion therapy to patients, and communicates through a wired or wireless connection to the healthcare provider's network. Its cybersecurity vulnerabilities stem from the fact that it can be accessed remotely through a hospital's network, which may allow an unauthorized user to control the device. While the FDA and Hospira are not aware of any patient adverse events or unauthorized access of the system, and the system is no longer being sold, the FDA strongly discourages the use of these pumps in light of the potential for hacking.
The FDA warning raises the broader issue of whether a medical device's cyber vulnerability could lead to product liability claims, in addition to presenting data breach and data security issues. Besides allowing third parties unauthorized access to data, hacking could potentially lead to malfunction of a device and corresponding injury to a patient. Following such an event, one could imagine a defective design suit premised on a theory of strict liability or negligence against the manufacturer of the medical device for failing to adequately design the device in a manner that guards against hackers. Medical device manufacturers should also understand the potential litigation risks they face from cybersecurity breaches based on a failure-to-warn theory. Such a claim could seek to hold the manufacturer liable for a failure to provide adequate warnings about security risks or steps that the user should take to guard against hacking.
There are, of course, many potential defenses to such a claim. Is software even a product subject to traditional product liability claims? Would the intentional, malicious act of a hacker constitute an intervening cause of the injury? Would the learned intermediary defense be available to a manufacturer that has fulfilled its duty of care by providing information regarding cybersecurity vulnerabilities to the physician, who then interacts with the consumer?
There are many uncertainties in the legal landscape in this area, but product manufacturers should be attuned to this issue, particularly as the FDA has clearly expressed a concern over cybersecurity issues with medical devices.