At the end of December, the Food and Drug Administration (FDA) issued new guidance for medical device cybersecurity. The new guidance encourages medical device developers and producers to make cybersecurity of networked medical devices a top priority throughout the product development lifecycle. It did not take long after the issuance of this new guidance for medical device maker St. Jude Medical to develop and deploy a software patch to improve the cybersecurity of some of its remote monitoring systems for various medical devices that it manufactures. Specifically, St. Jude Medical developed patches for implantable pacemakers and defibrillators, according to TechNewsWorld.com.
One specific product line St. Jude Medical took action to further improve the security of was Merlin@home wireless devices. These devices communicate remotely with implanted cardiac devices in patients. Some potential vulnerabilities were identified in the Merlin@home network-connected devices that could allow a hacker to gain access to the device and change parameters of the implanted device. Concerns about medjacking were raised for the Merlin@home devices, as hacked devices could be controlled by hackers to administer inappropriate pacing (electrical stimulations to the heart).
With any medical device, there is always a risk to the patient, so the important question asked by designers, developers, manufacturers, and regulators is “does the benefit from this medical device outweigh the risks associated with the device?” The benefit of having a network-connected implantable medical device is that the device can record and transmit important patient information to a physician or to the patient’s electronic medical record. The risk is that network-connected devices can be hacked by cybercriminals.
The patch developed by St. Jude Medical for the Merlin@home medical devices enhances security by adding an additional validation and verification step when establishing wireless communication between the device and the Merlin.net network.
Could Someone Really Hijack a Medical Device?
Hijacking a medical device is a real and tangible cybersecurity threat. Although it is possible to do so, no St. Jude Medical device associated with the Merlin@home product line has been hacked and no patients with these implantable devices have been harmed by medjacking. Most cyberattacks are financially motivated, and there is little financial gain in hijacking medical devices, which could explain why there are not many instances of this occurring. Nonetheless, medical device producers need to prepare against the real and looming cybersecurity threat posed by hackers.
Contact a Medical Device Cybersecurity Lawyer
Medical device companies and healthcare systems need to be aware of the cybersecurity threats that are likely to affect them, their business, and their customers. Medjacking is one of the newer types of cybersecurity threats, but as technology and hacking techniques advance, medjacking could become more commonplace. Revision Legal works with companies to help manage cybersecurity issues and the aftermath that follows a cybersecurity breach. Contact the experienced health care data breach lawyers at Revision Legal. Please feel free to reach out to us today. Contact us using the form on this page or call us at 855-473-8474.
The FDA’s Regulatory Framework for Medical Device Cybersecurity
The FDA’s authority over medical device cybersecurity derives from its broader authority to ensure that medical devices are safe and effective under the Federal Food, Drug, and Cosmetic Act (FD&C Act), 21 U.S.C. § 360. While the FDA has long regulated the physical safety and clinical effectiveness of medical devices, the agency’s cybersecurity guidance represents a significant expansion of that regulatory lens to include digital security as a component of device safety. FDA guidance documents are not legally binding regulations in the same way that statutes and notice-and-comment rules are, but they represent the agency’s current thinking and manufacturers ignore them at significant risk in premarket review and post-market surveillance contexts.
The 2022 FDA Cybersecurity in Medical Devices guidance — updating the 2016 guidance referenced in this post — substantially expanded premarket cybersecurity requirements. The Consolidated Appropriations Act of 2023 codified cybersecurity requirements for new medical devices in 21 U.S.C. § 360n-2, requiring device manufacturers to submit plans for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities; design devices to be updated and patched in a reasonable time; develop and maintain a software bill of materials (SBOM) for all commercial off-the-shelf software components; and provide the FDA with reasonable assurance that the device meets cybersecurity standards. For the first time, these requirements are statutory obligations rather than advisory guidance, creating a legally enforceable cybersecurity baseline for new medical devices.
HIPAA Obligations for Healthcare Organizations Using Connected Medical Devices
Healthcare providers that deploy networked medical devices have overlapping regulatory obligations under both FDA rules and HIPAA. When a networked medical device collects, stores, or transmits protected health information — as most connected cardiac devices, infusion pumps, and imaging equipment do — that device is part of the covered entity’s HIPAA security program. The HIPAA Security Rule, 45 CFR Part 164, requires covered entities to implement technical safeguards that include access controls, audit controls, integrity controls, and transmission security for electronic PHI. A networked medical device that lacks adequate access controls or that transmits PHI without encryption can constitute a HIPAA Security Rule violation.
Healthcare organizations have faced significant HIPAA enforcement in connection with medical device security gaps. In 2016, HHS OCR settled with University of Washington Medicine for $750,000 following a breach linked to a compromised server. Device-related breaches trigger the same 60-day notification obligations as other HIPAA breaches, and the scale of affected patients in a hospital network means that most device-related breaches require both individual notification and media notification.
Product Liability Exposure for Insecure Medical Devices
As connected medical devices become ubiquitous and as exploitation of device vulnerabilities becomes more technically accessible, product liability claims against device manufacturers for inadequate cybersecurity are increasingly foreseeable. Traditional products liability theories — design defect, manufacturing defect, and failure to warn — can all be applied to cybersecurity vulnerabilities in medical devices. A manufacturer that ships a device with known, exploitable vulnerabilities and fails to disclose them or provide timely patches may face claims under all three theories.
The statutory codification of medical device cybersecurity requirements creates a negligence per se framework for future litigation: a manufacturer that fails to comply with 21 U.S.C. § 360n-2’s patch and update obligations will find it difficult to argue that its device met the applicable standard of care if a patient is harmed by a foreseeable cyberattack. The combination of FDA enforcement, HIPAA liability, and products liability exposure makes medical device cybersecurity a genuinely high-stakes legal compliance area for device manufacturers and healthcare providers alike.
Revision Legal represents both medical device manufacturers addressing FDA cybersecurity compliance and healthcare organizations managing cybersecurity incident response and HIPAA obligations. Contact us using the form on this page or call us at 855-473-8474.
What Healthcare Organizations Should Do Today
The convergence of FDA cybersecurity requirements, HIPAA obligations, and growing product liability exposure means that healthcare organizations and medical device manufacturers cannot treat cybersecurity as a peripheral IT concern. It must be integrated into clinical operations, procurement decisions, vendor management, and legal compliance programs.
Healthcare organizations deploying networked medical devices should conduct a HIPAA Security Rule risk analysis that specifically addresses connected devices, ensure all new device procurement contracts include vendor patch obligations and HIPAA business associate protections, implement network segmentation that isolates clinical device networks from administrative systems, develop device-specific incident response procedures, and train clinical staff on recognizing and reporting anomalous device behavior.
Medical device manufacturers should ensure all new devices comply with the FDA’s 2023 statutory cybersecurity requirements, maintain an up-to-date software bill of materials for all devices, develop a coordinated vulnerability disclosure program, and engage proactively with security researchers who identify vulnerabilities. The legal risk of reactive posture — waiting for a patient harm event or regulatory action before addressing known vulnerabilities — is far greater than the cost of proactive compliance. The healthcare cybersecurity attorneys at Revision Legal are available to assist with both regulatory compliance and litigation defense. Contact us using the form on this page or call us at 855-473-8474.