Medjacking, or medical device hijacking, is a new kind of cybersecurity threat to health care systems. Medjacking involves hacking into medical devices through backdoors in order to reach the software running on the device. Because many vulnerable medical devices, such as life-support and diagnostic equipment, run older or standard operating systems, the biggest initial hurdle for a hacker is getting the necessary malicious tools onto the devices in the first place. Hackers typically accomplish this with infected emails or malware-laden memory sticks.
Gaining access to a single medical device in a healthcare system often provides a hacker with access to an entire network of devices and equipment, all while the healthcare system is none the wiser. Once inside a healthcare system, a hacker can gain unauthorized access to a wealth of patient information and protected health data. There have been several confirmed cases in which a medical device or piece of equipment in a healthcare system was infected with malware for the purpose of gaining access to more valuable information in a different part of the system.
Addressing Vulnerabilities in Medical Devices
To date there has been little headway in addressing cybersecurity vulnerabilities in medical devices. Many medical devices are wireless or connected to the internet, which makes them particularly attractive targets for hackers. While the Food and Drug Administration (FDA) does provide feedback on the cybersecurity vulnerabilities of medical devices seeking FDA approval, that feedback is merely advisory in nature: companies are still permitted to sell devices about which the FDA has expressed cybersecurity concerns. Fortunately, the FDA recently introduced new guidance on the security of medical devices, and medical device and equipment companies could take steps to secure backdoors in their device software.
What Can Be Done to Mitigate Medjacking Risk?
Currently the best approach for avoiding the cybersecurity risks posed by vulnerable medical devices is to use devices that meet a high cybersecurity standard and offer the best security features. A device that encrypts its transmissions is far safer than one that does not. Healthcare systems can also improve their security by separating their networks from one another. Keeping medical devices on one network and sensitive patient health information on a separate network limits how far an intruder who has compromised a single device can move, and so helps ensure the security of protected patient health records.
New threats are constantly being developed by hackers and discovered by security teams, and every healthcare system is likely to encounter some sort of cybersecurity breach. Medjacking is just one more example of the security threats that put patient health information at risk of unauthorized disclosure.
Contact a Healthcare Cybersecurity Lawyer
Medjacking is a new, but very real, cybersecurity threat to health care systems. Revision Legal has worked with countless healthcare entities to manage their cybersecurity legal matters and we are ready and available to help you. Contact the experienced health care data breach lawyers at Revision Legal. Please feel free to reach out to us today. Contact us using the form on this page or call us at 855-473-8474.
Real-World Medjacking Incidents and Their Legal Aftermath
While confirmed patient-harm events from medjacking remain rare, the security research community has demonstrated the technical feasibility of medical device hijacking in ways that have prompted significant regulatory and legal responses. Security researchers Billy Rios and Terry McCorkle reported vulnerabilities in approximately 300 medical devices made by 40 manufacturers to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Researcher Billy Rios later demonstrated that drug infusion pumps could be remotely accessed through hospital networks and their drug library settings altered to permit dangerous overdose levels. The FDA issued safety communications regarding these vulnerabilities and worked with manufacturers to develop patches.
The confirmed infection of medical devices with malware in real healthcare environments — even where the malware was financially motivated ransomware or data-stealing spyware rather than patient-harm-focused medjacking — illustrates how closely medical device security is tied to broader healthcare data security. When ransomware infects an MRI machine or infusion pump, that device becomes unavailable for patient care, creating both a patient safety risk and potential HIPAA violations if PHI on the device is encrypted or exfiltrated.
FDA Regulatory Requirements: From Advisory to Statutory
As discussed in our related post on FDA medical device cybersecurity guidance, the regulatory landscape has shifted substantially since the advisory guidance discussed in this post. The Consolidated Appropriations Act of 2023 added 21 U.S.C. § 360n-2 to the FD&C Act, creating statutory cybersecurity requirements for devices submitted for FDA review after March 29, 2023. Device manufacturers must now demonstrate that their products include cybersecurity controls, maintain a software bill of materials (SBOM) listing all commercial and open-source software components, implement a plan for monitoring and addressing postmarket cybersecurity vulnerabilities, and coordinate with the FDA on cybersecurity disclosures.
For legacy devices already on the market — including devices that were cleared before the 2023 statutory requirements took effect — the FDA has continued to use its postmarket cybersecurity guidance and its authority to issue safety communications and, in extreme cases, to request device recalls when cybersecurity vulnerabilities pose an unreasonable risk to patient safety. Manufacturers of legacy devices with known vulnerabilities face product liability exposure if they fail to act on those vulnerabilities once they become known.
HIPAA Implications of Medjacking
A successful medjacking incident that results in unauthorized access to or disclosure of protected health information stored on or transmitted by a connected medical device constitutes a HIPAA breach requiring notification. Healthcare organizations that deploy connected medical devices must include those devices in their HIPAA Security Rule risk analysis, assess the specific vulnerabilities associated with each device category, implement compensating controls where device security cannot be patched, and establish breach response protocols that address medical device-specific scenarios.
Critically, healthcare organizations must also ensure that their business associate agreements with medical device manufacturers and their remote monitoring vendors address cybersecurity obligations. A device manufacturer that provides remote monitoring or maintenance services for implanted or networked devices may qualify as a business associate under HIPAA if those services involve access to PHI. Business associate status creates direct HIPAA compliance obligations and direct enforcement exposure for the manufacturer, in addition to the covered healthcare entity’s own obligations.
Product Liability and Medjacking
The product liability implications of medjacking are significant and evolving. A medical device manufacturer that ships a device with known, exploitable cybersecurity vulnerabilities — or that fails to promptly patch vulnerabilities after they are identified — may face strict liability claims under design defect theories if a patient is harmed as a result of a device compromise. The standard is whether a reasonable alternative design existed that would have reduced the foreseeable risk of harm; given the FDA’s guidance and the security research demonstrating exploitable vulnerabilities, plaintiffs’ arguments for product liability are growing stronger.
Healthcare providers that deploy insecure devices despite known vulnerabilities may also face negligence claims from patients harmed by device compromise, particularly if the provider failed to implement available compensating controls or ignored FDA safety communications. The intersection of FDA regulation, HIPAA, and product liability in medjacking litigation is a genuinely novel area of law that will develop substantially as medjacking attacks become more technically accessible.
Whether you are a medical device manufacturer addressing FDA cybersecurity compliance and product liability exposure, or a healthcare organization managing HIPAA obligations following a connected device breach, the experienced healthcare cybersecurity attorneys at Revision Legal can help. Contact us using the form on this page or call us at 855-473-8474.