Once our medical devices became “smart,” or even just dependent on embedded computer or radio components for communication, the possibility of hacking those devices became a reality. While much of the focus has been on hacking pacemakers, doctors writing in the Chicago Sun-Times point out that those aren’t the only vulnerable medical devices. “Defibrillators, neurostimulators and implantable drug pumps, like insulin pumps, rely on the same embedded computers and software radios for their two-way communication, they noted, adding, “weak security features have left these devices potentially vulnerable to outside manipulation.”
And if a medical implant is tampered with, what can you do about it? Here’s what you can do if your medical device is hacked.
Keeping Pace With Hackers
The hacking possibility became all the more real when researchers Billy Rios and Jonathan Butt demonstrated a hack that compromised a CareLink 2090 pacemaker programmer this week. The pair had first warned Medtronic, the company that makes the CareLink, about the vulnerabilities in January 2017, according to Ars Technica, but Medtronic’s response has left a lot to be desired. “The response from the manufacturer is so poor,” Rios told Ars. “This is not some online video game where high scores can get dumped. This is patient safety.”
For its part, Medtronic claims it addressed the issues already, releasing this statement:
In the accompanying Medtronic security bulletin, we communicated that our existing security controls mitigate the issue. Since that time, we also have made technical updates where these services are hosted to further strengthen security controls.
Medtronic recommends that customers continue to follow the security guidance detailed in the Medtronic 2090 CareLink Programmer reference manual
Hacking Liability
Of course, if a person’s medical device is hacked, they are injured, and they can identify the hacker, they can file a personal injury lawsuit. (Beyond that, criminal prosecutors may file assault or cybercrime charges as well.) If the hacker is not found, however, a person may also have claims against the medical device manufacturer.
Medical device manufacturers have a duty to ensure their products are safe, and there are three main types of product liability claims for injured users:
- Defects in Design: The design of the medical device is flawed in a way that renders it unreasonably vulnerable to hackers.
- Defects in Manufacturing: The device is manufactured in a way that departs from the intended design, leaving it open for hacks.
- Defects in Warnings: The manufacturer failed to provide adequate instructions or warnings regarding the possibility for the device to be hacked.
An experienced personal injury attorney can help evaluate your case and file a claim if you or a loved one has had a medical device hacked.
Related Resources:
- Find Personal Injury Lawyers Near You (FindLaw’s Lawyer Directory)
- Ask the Doctors: Hacking Into Medical Devices Is Theoretical Possibility (Chicago Sun-Times)
- Millions of Medical Devices Are Vulnerable to Hacking (FindLaw’s Technologist)
- Have Your Medical Records Been Hacked? Probably. (FindLaw Injured)