In the wake of recent data breaches, it is an appropriate time to revisit the topic of cybersecurity from a product liability perspective.
In the medical device and health services sector, the U.S. Food and Drug Administration (FDA) has issued its final guidance advising medical device manufacturers of the need for “effective cybersecurity to assure medical device functionality and safety.” The initial draft guidance originated in response to the U.S. Department of Homeland Security’s warnings about threats of cyber-attacks on medical devices, previously reported here. The final guidance—although not binding—encourages medical device makers to address cybersecurity concerns from the initial phase of device design and development. The FDA highlights that risk mitigation responsibilities do not fall on device manufacturers alone, characterizing medical device security as a “shared responsibility between stakeholders, including health care facilities, patients, providers and manufacturers of devices.” (emphasis added).
In response to the FDA’s expanded efforts to encourage public comment on approaches for medical device and healthcare cybersecurity, the American Hospital Association (AHA) wrote a public letter to the FDA arguing that device manufacturers should be held accountable for cybersecurity and advocating that device makers “must embrace their responsibility to proactively minimize risk and continue updating and patching devices as new intelligence and threats emerge.” Thus, many are now asking where does liability fall in the life cycle of a medical device in the case of inadequate protection against cybersecurity threats?
The AHA’s letter suggests that medical device makers should be accountable not only for failure to protect against cybersecurity threats at the time of device design and development, but also for failure to update and monitor potential threats once the medical device becomes integrated into a hospital or other healthcare network. But, from a products liability perspective, minimal legal guidance exists as to what constitutes negligence in the realm of cyber security breaches. To date, the FDA has not reported any instances of patient injuries or deaths associated with cyber security incidents, nor has it reported any specific devices that have been maliciously targeted.
Medical device manufacturers should consider using the FDA’s final guidance as a roadmap for their conduct in this area. First, manufacturers should consider incorporating security into each medical device at the development stage. Second, device makers should consider offering implementation guidelines to the integrators, operators and maintainers of their devices to address issues that may arise after the product is deployed to independent hospital networks.
The issue of cyber risks is not unique to medical devices but to consumer products more generally. For example, any consumer product that depends on the proper functioning of software or an internet network connection may similarly be vulnerable to malicious or unintentional tampering with potentially serious consequences.
NOTE: The author of this post, Alexis Kellert, is a first year associate but is not yet admitted to practice.