By Ashley Berger
Data breaches and leaks of sensitive information are common in everyday life, and attackers are constantly finding new ways to reach protected data. One of the newest ways for attackers to cause harm is by hacking embedded medical devices such as insulin pumps, pacemakers, cochlear implants and implantable defibrillators.
Last year, students at the University of South Alabama “killed” a medical simulation robot that mimics human functions by infiltrating and exploiting the device’s security controls. The researchers launched the attack by running an open-source brute-force tool against the robot’s personal identification number (PIN) and then mounted a denial-of-service attack. A short numeric PIN with no limit on failed attempts can be exhausted in minutes, since a four-digit PIN has only 10,000 possible values. Simply by identifying the robot’s weaknesses and using a relatively simple set of tools readily available to attackers, the students were able to speed up and slow down the robot’s pacemaker in the test setting. If a real pacemaker malfunctioned in that way, it could kill the patient it is implanted in. The research team indicated that bypassing the robot’s security was relatively easy; no one on the team had much more than four months of basic experience.
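The brute-force step described above, as an added illustration that is not code from the original post or from the University of South Alabama study: a hypothetical device-side PIN check is modelled in Python, first with no limit on failed attempts and then with a lockout after a few failures, to show why a four-digit PIN falls in at most 10,000 guesses unless the device throttles attempts. The device model, the PIN value and the attempt limit are all constructed for the example.

```python
"""Simulated PIN brute force against a hypothetical device authenticator.

Constructed example: the PinAuthenticator class, the PIN value and the lockout
threshold are assumptions made for illustration, not details of any real device.
"""
import hmac
import itertools


class PinAuthenticator:
    """Hypothetical device-side PIN check.

    max_attempts: failed guesses allowed before the device locks
    (None means unlimited, i.e. no throttling at all).
    """

    def __init__(self, pin: str, max_attempts=None):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        # Constant-time comparison so response timing does not leak how many
        # leading digits of the guess were correct.
        if hmac.compare_digest(self._pin, guess):
            self.failed = 0
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True
        return False


def brute_force(device: PinAuthenticator, digits: int = 4):
    """Try every PIN of the given length in ascending order.

    Returns (recovered_pin, attempts_made); recovered_pin is None if the
    device locked before the correct value was reached.
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guess = "".join(combo)
        attempts += 1
        if device.verify(guess):
            return guess, attempts
        if device.locked:
            return None, attempts
    return None, attempts


def demo():
    """Run the attack against an unthrottled and a throttled device."""
    unthrottled = PinAuthenticator("4821")            # constructed PIN
    found_open, tries_open = brute_force(unthrottled)

    throttled = PinAuthenticator("4821", max_attempts=5)
    found_locked, tries_locked = brute_force(throttled)

    return {
        "unthrottled": (found_open, tries_open),
        "throttled": (found_locked, tries_locked),
    }


if __name__ == "__main__":
    for name, (pin, tries) in demo().items():
        outcome = f"recovered PIN {pin}" if pin else "device locked, PIN not recovered"
        print(f"{name}: {outcome} after {tries} attempts")
```

The unthrottled device gives up its PIN after 4,822 guesses (every guess from 0000 upward); the throttled device locks after five failures and the attack stops. Lockout alone is a blunt control on an implant, since an attacker can deliberately trigger it as a denial of service, which is why designers usually pair an attempt limit with escalating delays rather than a permanent lock.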
This test was not the first and certainly will not be the last, as other researchers have hacked pacemakers and insulin pumps. In another instance, a single click on an email by a staff assistant compromised a hospital’s surgical-practice systems in an intrusion that targeted implantable cardiac defibrillators, which deliver shocks to restore normal heart rhythm. There, the device’s radio link was supposed to be one-directional, but the attackers were able to reverse-engineer the wireless protocol using information from manuals published by the manufacturers themselves.
In recent years, both the Food and Drug Administration (“FDA”) and the Federal Trade Commission (“FTC”) have encouraged device makers to secure their products and to report fixes, and have signaled what the agencies expect from producers in terms of privacy and security. The closest thing to a binding rule that has been publicized is a non-binding 2013 FDA guidance document advising medical device manufacturers and health care facilities on steps to put adequate safeguards in place and reduce the risk of a cyber attack. In 2015, following an advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about a vulnerability in certain infusion pump systems, the FDA alerted health care facilities to stop using the Hospira Symbiq Infusion System: because the pump could be reached over a wired or wireless hospital network, an unauthorized user could access it and change the dosage it delivers. The manufacturer soon discontinued the product.
While there is not yet legislation addressing the scope of harm and liability for product makers, liability could rest on the manufacturer as well as the hospital. Liability for a product that malfunctions because of a cyber attack would likely be treated as a products liability issue, and the FDA’s response would likely resemble its response to an improperly manufactured product. The hospital or network operator, for its part, could bear liability for failing to keep its network and malware protection updated. Under either theory, both parties could be responsible for failing to take sufficient measures to protect patients who rely on these embedded medical devices.
In January 2016, the FDA issued draft guidelines outlining key steps for manufacturers and medical providers to follow, with the intent of reducing the risk to patients by lowering the likelihood that a medical device is compromised. As of now the guidelines are not binding, but with heightened concern about cyber threats across many sectors, there is a strong likelihood that they will eventually become law. Because cyber security risks and threats keep evolving, it is impossible to create a static framework for these measures, and because the threat is so new, it is difficult to implement strict procedures that effectively regulate the potential harms. While guidelines dealing specifically with cyber security for medical devices may not yet be in force, manufacturers are still held to the same standards of care that apply to any other FDA-regulated product, and manufacturers as well as users are encouraged to take all available precautions and provide all necessary disclosures to ensure the safest possible use of these embedded medical devices.
Student Bio: Ashley Berger is a staff member of the Journal of High Technology Law. She is currently a 2L at Suffolk University Law School. Ashley holds a Bachelor of Arts in both Legal Studies and History from the University of Massachusetts Amherst.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.