Could your medical device be at risk for hacking?

Some medical devices run the risk of cyber attack.

A brave new world of medical malpractice and defective products claims could be coming in the not-so-distant future due to the known security vulnerabilities in popular medical devices like implantable insulin pumps and cardiac defibrillators. Wireless technology connects many of these items to the so-called "Internet of things" to make it easy for physicians to control dosage or regulate the ability of a defibrillator to modulate a patient's heart rate, but it leaves them vulnerable to infiltration from outside forces.

In the fall of 2016, medical product giant Johnson & Johnson announced that its implantable insulin pumps had proven vulnerable in security testing. The device's battery could be drained, the dosage altered or it could be turned off by a potential hacker. Considering that these pumps are used in diabetics who are strictly insulin-dependent, having too much or too little output from the pump could literally be fatal. In such a situation, there could potentially be legal liability not only with the manufacturer, but also perhaps in a physician who chose such a model instead of one that doesn't have known hacking potential.

Dick Cheney and the history of pacemaker hacks

In 2013, former Vice President Dick Cheney introduced most of us to the concept of medical device hacking when he revealed that he and his physician had, years prior, decided to disable the wireless updating capability of his implanted pacemaker in order to protect his health and safety. Until that time, it was largely unheard of that medical products like these could be penetrated by hackers.

Even now, when the risks of hacking, malware and ransomware are real and all around us, medical devices may lag far behind in terms of security. Companies may be loathe to make changes to their intricate machines to "patch" potential points of vulnerability out of fear that the device may need to be reapproved by the federal Food and Drug Administration if such updates are implemented. Since the FDA evaluation and approval process takes years, manufacturers who've already gone through the tedious process don't want to potentially lose out on sales to address vulnerabilities that may never be exploited.

The FDA does recognize the need for additional cybersecurity when it comes to medical devices, particularly those that are implanted in the body. Since 2013, a cybersecurity evaluation has been part of its approval process for new electronic medical products.

Only time will tell how vulnerabilities in implanted medical devices will be addressed by individual manufacturers and the health care industry as a whole. If you - or someone you love - was injured because of a faulty medical product or the negligent acts of a physician, nurse or hospital, you have legal rights. Contact a skilled medical malpractice attorney like those at the Chicago law offices of Pfaff, Gill & Ports, Ltd. today to learn more.