By Mildred Segura, Christopher M. Butler, and Farah Tabibkhoei, Reed Smith LLP
The “Internet of Medical Things” (IoMT) — the network of medical devices and applications connected to healthcare information technology (IT) systems — has led to more efficient healthcare delivery, greater diagnostics, improved doctor-patient communications, and better medical decision making. However, the accelerated adoption of IoMT means device manufacturers must grapple with the security vulnerabilities affecting medical devices, a landscape of uncertain liability, and emerging regulations.
Thus far, administrative agencies have been the primary regulators. The FDA has promulgated guidance for medical device manufacturers to tackle these issues, legislators have increasingly confronted IoMT security concerns, and litigation around IoMT is slowly on the rise.
The Internet of Things (IoT) now permeates nearly every sector of the health care industry, offering improvements both within and outside of formal hospital settings. The Orlando, Fla., area hospital system is one example illustrating the impact of IoMT. Patients are tagged with a real-time location system (RTLS) when scheduled for surgery. Family members can then track the process, from pre-operation all the way to the recovery unit, through screens displaying anonymized ID codes in the waiting room. Saint Mary’s Hospital in Waterbury, Conn., is another example of a hospital that has used IoMT to analyze workflow, improving staffing efficiency. By ensuring the appropriate level of staffing for shifts, the hospital saved $650,000 in unnecessary overtime in just six months; simultaneously, the hospital was able to improve patient care by correcting a minority of shifts that were understaffed.
However, the biggest benefits afforded by the IoMT will be found outside of hospitals. Goldman Sachs has grouped these benefits into three broad categories: (1) remote monitoring, (2) telemedicine, and (3) behavioral modification.
- Remote monitoring allows a constant connection from patient to caregiver, anywhere in the world. For example, diabetic individuals can constantly monitor their blood sugar, route that data to a smartphone, and converse in real time with their physicians. This promotes greater patient involvement in disease management, as well as improved patient care.
- As the IoMT streamlines telemedicine, the physical office is becoming less critical for routine appointments, because patients can now communicate with their doctors via phone or video conference, as well as get prescription orders re-filled — all without leaving their homes, and at reduced cost.
- The IoMT encourages behavioral modification of patients by providing reminders to take medications, diet properly, and exercise, reducing patient reliance on expensive emergency care.
Accessibility vs. Security: Interoperability’s Inherent Tradeoff
Inherent security risks accompany interoperability. Consequently, device manufacturers should keep abreast of current minimum security standards, as noncompliance could lead to problems including lawsuits (e.g., arising from patient data privacy breaches), government enforcement actions, financial losses, and bad press.
In fact, healthcare was the most cyberattacked industry in 2015. The “WannaCry” ransomware attack in May 2017 is just one recent, high-profile example of the risk faced by the healthcare sector. The attack affected 200,000 computers in 150 countries around the world, and devastated the United Kingdom’s National Health Service (NHS) due to the organization’s outdated computer systems. Forty-eight hospital trusts were affected; vital equipment, such as MRI scanners and X-ray machines, had to be taken off-line; numerous medical procedures and appointments had to be cancelled; and vital medical records could not be accessed.
Still, the “WannaCry” attack is merely one of numerous cyberattacks on hospitals this year. Recent studies have shown that healthcare organizations are the target of a new cyberattack every two weeks. The list of less-publicized attacks includes the Henry Ford Health System attack impacting 18,470 patients, the Arkansas Oral Facial Surgery Center attack impacting 128,000 patients, and the Women’s Health Care Group of Pennsylvania attack impacting 300,000 patients, to name just a few.
How Security Vulnerabilities Create Liability For Medical Device Manufacturers
These security vulnerabilities highlight the importance of compliance with best practices. The existing broad, ambiguous standards regulating the IoMT invite litigation, and precise legal boundaries have yet to be drawn, raising questions such as:
- What is the reasonable standard of care in creating a secure IoMT device?
- What constitutes a design defect or failure to warn?
- Are security vulnerabilities considered a design defect?
- For how long must device manufacturers provide security monitoring and software updates after selling a product?
- Does user failure to download security updates act as a superseding cause or a failure to mitigate in cases of liability for defective software?
- Will these security vulnerabilities mean an uptick in shareholder derivative actions?
The A, B, Cs Of Avoiding Liability
- FDA Guidance
In an effort to regulate the IoMT and ensure public safety, the FDA has issued premarket and postmarket cybersecurity guidance, providing nonbinding recommendations to device manufacturers. The FDA requires that medical device manufacturers comply with federal regulations, including quality-system regulations (QSRs), which address potential security risks, among others.
For devices not yet on the market, the FDA recommends identifying potential risks and vulnerabilities during design. For devices with clearance or approval to be marketed, the FDA recommends that manufacturers perform software updating and maintenance. FDA-regulated manufacturers should communicate early with the FDA, and with their customers post-sale, whether their devices will receive security updates, how updates are received, and when security support will end.
While the FDA guidances are nonbinding, compliance with the regulations they interpret is mandatory. The guidances also reflect the FDA’s current interpretation of binding QSRs. Failure to comply with QSRs may render a device adulterated, and can result in its seizure or injunction. The FDA also has issued product-specific safety communications warning consumers of cybersecurity vulnerabilities.
The FDA acknowledges that its guidances are phrased in broad language, stating in its postmarket guidance, “It is not possible to describe all hazards, associated risks, and/or controls associated with cyber securities in this guidance.” Rather, the FDA offers a risk matrix to guide manufacturers; the matrix combines a risk’s likelihood of being exploited with the severity to patient health in that scenario. When the combination of these factors is acceptably low, the risk is considered a controlled risk of patient harm. When the risk level is unacceptable, it is termed an uncontrolled risk, and the manufacturer should take action.
Importantly, the FDA allows routine security updates to be considered product “enhancements,” rather than “recalls,” which avoids both liability-producing stigma and reporting requirements under 21 C.F.R. Part 806 (governing correction and recall of flawed medical devices).
In its September 2017 guidance, Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices, the FDA identifies six specific issues that interoperable medical device manufacturers should consider in the development and design of their products: (1) the purpose of the electronic interface, (2) the anticipated users, (3) risk management, (4) verification and validation, (5) labeling considerations, and (6) use of consensus standards.
The guidance recommends manufacturers consider the safety and security of interoperable medical devices at all stages, including the design phase. First, manufacturers should undertake detailed risk-benefit assessments of their devices in the design process. Second, manufacturers should consider how they plan to update software, as well as maintain ongoing risk identification and mitigation procedures once the device has entered the market. Finally, manufacturers should issue communications related to proper use and risks to users, both before sale, and on a continuing basis through the life of the device.
- Legislative Guidance
Congress also has taken action to regulate the IoMT, introducing in the U.S. House of Representatives in October the Internet of Medical Things Resilience Partnership Act of 2017. The legislation’s purpose is to “establish a working group of public and private entities led by the Food and Drug Administration to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes.”
The proposed working group would include public entities such as the FTC, the FDA, the U.S. Department of Health and Human Services, and the U.S. Department of Commerce, as well as medical device manufacturers, cloud-computing experts, healthcare providers and insurers, and software and hardware developers, among others.
This group would be responsible for generating a report recommending voluntary frameworks and guidelines to increase security and resilience of IoMT devices, focusing on: (1) identifying existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to mitigate vulnerabilities in medical devices; (2) identifying existing and developing international and domestic cybersecurity standards that mitigate vulnerabilities in such devices; (3) identifying high-priority gaps for which new or revised standards are needed; and (4) creating potential action plans by which gaps can be addressed.
While one current bill tracker scored the legislation’s chance of passing at a mere 3 percent, this number is not atypical for a recently proposed bill in the first step of the legislative process. As of Dec. 12, 2017, the bill is awaiting review by the House Subcommittee on Health.
This will not be the first medical cybersecurity task force that the legislative branch has assembled. Section 405 of the Cybersecurity Act of 2015 created a Health Care Industry Cybersecurity Task Force (HCIC Task Force or Task Force) charged with conducting an in-depth examination of cybersecurity protocols for the health care industry. The Task Force released its Report On Improving Cybersecurity in the Healthcare Industry in June 2017, offering six imperatives and related recommendations that must be achieved to increase security within the healthcare industry:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, risks, and mitigations.
Experts will be paying close attention to see how the working group created by the Internet of Medical Things Resilience Partnership Act of 2017 builds on this work.
- Judicial Guidance
Court decisions involving IoMT devices have been sparse, with most of the activity involving other industries. However, as IoMT devices proliferate within the healthcare industry, we predict that it is only a matter of time before we start to see the legal landscape behind IoMT take shape.
Regulatory guidance on the risks surrounding IoMT exists, but compliance standards remain vague, and both legislation and case law on the topic are sparse. By monitoring regulatory and legal developments surrounding the IoMT and following best practices, medical device manufacturers can protect against the risks of cyber vulnerabilities.
About The Authors
Mildred Segura is a partner in Reed Smith LLP’s Life Sciences Health Industry Group. She focuses her practice in the area of product liability, with particular emphasis on medical device, pharmaceutical and toxic tort litigation in state and federal courts. Ms. Segura also is a member of Reed Smith’s Internet of Things Working Group.
Christopher Butler is an associate in Reed Smith’s Life Sciences group, focusing his practice on litigation and dispute resolution. He is a 2017 graduate of the University of Virginia School of Law.
Farah Tabibkhoei is a senior associate in the firm’s Complex Litigation group. She focuses her practice on product liability, 3D printing, and managed care. Ms. Tabibkhoei also is a member of Reed Smith’s IoT Working Group and 3D Printing Task Force.