Implantable medical devices (IMDs), including pacemakers, neurotransmitters and drug pumps, use embedded computer technology and radios to monitor and treat certain chronic diseases. These IMDs store and transmit detailed personal medical data. There is a need to address the legal, ethical and social issues that these new technologies raise. Manufacturers today are more exposed than ever to nascent product liability claims and to allegations of privacy breach, intertwining old legal principles with some of the most contemporary issues facing our legal system.
Technology-based failures have affected a number of these IMDs. Potential harms have resulted from failures in battery life,1 wiring2 and network issues.3 On February 1, 2011, the Food and Drug Administration in the United States issued a Class 14 recall of the Outlook 400ES Safety Infusion System. When used in a network environment that utilized specifi c authentication, the supporting software had the potential to induce a memory leak causing the processor to become non-responsive.
Now, a new element has arisen with respect to information technology-dependant medical devices. Some IMDs, including insulin pumps, pacemakers and cardiac defi brillators, emit wireless signals that make it possible for information on the device to be accessed and controlled by others. Computer-related security breaches through viruses, hackers, and loss or theft of computers containing sensitive data, may impact the use of these medical devices.5 There may be a variety of motives for sabotage, including:
. . . the acquisition of private information for fi nancial gain or competitive advantage; damage to a device manufacturer’s reputation; sabotage by a disgruntled employee, dissatisfi ed customer, or terrorist to infl ict fi nancial or personal injury; or simply the satisfaction of the attacker’s ego.6
While the risk of hacking is remote, there has been an incident of a computer virus “infecting” a human with an implanted radio frequency identifi cation tag. In addition, worms (self-replicating computer programs) have infected hundreds of computers that control medical devices, such as magnetic resonance imaging scanners and heart monitors.
A report in the New England Journal of Medicine has called for improvements in security and privacy for IMDs.7 An interdisciplinary team tested privacy security in IMDs and was able to acquire personal information about the patient remotely.8 The personal data transmitted in cleartext included the patient’s name, date of birth, medical ID number and patient history. Equally easy to fi nd were the name and phone number of the treating physician, the dates of device and lead implantation (which may differ), the model, and the serial number of the IMD and leads.
Some researchers are modifying IMDs to make them more secure9 through, for example, passwords, physical authentication such as key cards10 and proximity-based authentication although privacy, health risk factors and tight resource constraints are major considerations. For example, a safety issue may arise if emergency medical personnel need access to control of the devices and patients are unable to provide the passwords.
The challenge of dealing with these types of privacy and security issues is a legal system that relies on laws created before this type of technology existed. The ultimate question, however, remains whether the required standard for technology development and production has been met by the manufacturer in the circumstances. As technology moves the benchmark for standard of care, manufacturers must be attentive to changing their products to match those developments.
Medical device manufacturers have a legal responsibility to “be vigilant and responsive” to security threats. Devices with non-essential functions, such as cochlear implants or implantable heart monitors, deemed to be low risk for a security breach, may require only data validation and user authentication. In contrast, devices such as insulin pumps and pacemakers that have life-sustaining functions and carry an increased risk for security breaches should have additional safeguards, such as redundant security features, and rigorous testing and verifi cation of security properties.
We will be watching the evolution of product liability and privacy claims in IMDs. Although specifi c responsibilities for medical device manufacturers have not yet been delineated, it is a current issue in life sciences and law.