FDA: Make Medical Device Cybersecurity a Top Priority

by John DiGiacomo

Partner


At the end of December, the Food and Drug Administration (FDA) issued new guidance for medical device cybersecurity. The new guidance encourages medical device developers and producers to make cybersecurity of networked medical devices a top priority throughout the product development lifecycle. It did not take long after the issuance of this new guidance for medical device maker St. Jude Medical to develop and deploy a software patch to improve the cybersecurity of some of its remote monitoring systems for various medical devices that it manufactures. Specifically, St. Jude Medical developed patches for implantable pacemakers and defibrillators, according to TechNewsWorld.com.  

One product line for which St. Jude Medical took action to further improve security was the Merlin@home wireless devices. These devices communicate remotely with implanted cardiac devices in patients. Some potential vulnerabilities were identified in the Merlin@home network-connected devices that could allow a hacker to gain access to the device to change parameters of the implanted device. Concerns about medjacking were raised for the Merlin@home devices, as hacked devices could be controlled by hackers to administer inappropriate pacing (electrical stimulations to the heart).

With any medical device, there is always a risk to the patient, so the important question asked by designers, developers, manufacturers, and regulators is, “Does the benefit from this medical device outweigh the risks associated with the device?” The benefit of having a network-connected implantable medical device is that the device can record and transmit important patient information to a physician or to the patient's electronic medical record. The risk is that network-connected devices could be hacked by cybercriminals.

The patch developed by St. Jude Medical for the Merlin@home medical devices enhances security by adding an additional validation and verification step when establishing wireless communication between the device and the Merlin.net network.

Could Someone Really Hijack a Medical Device?

Hijacking a medical device is a real and tangible cyber security threat. Although it is possible to do so, no St. Jude Medical device associated with the Merlin@home product line has been hacked and no patients with these implantable devices have been harmed by medjacking. Most cyberattacks are financially motivated, and there is little financial gain in hijacking medical devices, which could explain why there are not many instances of this occurring. Nonetheless, medical device producers need to prepare against the real and looming cybersecurity threat posed by hackers.

Contact a Medical Device Cybersecurity Lawyer

Medical device companies and healthcare systems need to be aware of the cybersecurity threats that are likely to affect them, their business, and their customers. Medjacking is one of the newer types of cybersecurity threats, but as technology and hacking techniques advance, medjacking could become more commonplace. Revision Legal works with companies to help manage cybersecurity issues and the aftermath that follows a cybersecurity breach. Contact the experienced health care data breach lawyers at Revision Legal. Please feel free to reach out to us today. Contact us using the form on this page or call us at 855-473-8474.

Image credit: Congress Check
