News Feature | August 12, 2013

Are Providers Liable If Hacked Medical Device Harms A Patient?

Source: Health IT Outcomes
By Katie Wike, contributing writer

Medical devices such as insulin pumps can be hacked in ways that could kill a patient. Could providers be held accountable?

In response to growing concern over securing medical devices, the Department of Homeland Security (DHS) National Cybersecurity & Communications Integration Center issued an "unclassified - for official use only - document calling attention to the potential impact of cyber threats on the multi-trillion dollar healthcare industry." In it, providers are warned that “failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage.”

Kevin Coleman, who writes regularly for InformationWeek on the emerging challenges associated with technology, including cyber warfare, warns that provider concern needs to extend beyond protecting patients' personal information. Coleman believes cyber attacks could physically harm or even kill patients, and he advises providers to consider whether they are doing enough to secure medical devices.

Coleman writes, “While researching this article, I had a couple of discussions with lawyers. What started out as a product liability conversation turned into a discussion about the risks of civil negligence charges. Could a manufacturer, CIO, or CISO be charged with criminal negligence if they fail to apply patches and properly secure and maintain their systems, in the event a cyber attack that exploits those factors results in the death of an individual or individuals?”

Coleman answers his own query, “That is one hell of a question and a glimpse of what lies ahead for those who don't take the new world of cyber threats seriously.”

Dark Reading underscores Coleman's concerns about the harm hacked medical devices can cause, reporting on Jerome Radcliffe's 2011 revelation that he "could remotely turn off a diabetic person's insulin pump without his knowledge." Dark Reading continues, "According to Radcliffe, it is possible for a hacker to not only illicitly turn off the pump remotely, with the device only offering a small chirp as a response, but also to remotely manipulate any setting on the pump without it notifying the user at all. 'It's basically like having root on the device, and that's like having root on the chemistry of the human body,' he said."

Radcliffe's discovery prompted McAfee computer-security researcher Barnaby Jack to experiment with insulin pump security as well, and his results were much the same. According to Bloomberg, Jack "has discovered a way to scan a public space from as much as 300 feet away, find vulnerable pumps … and force them to dispense fatal insulin doses. He said he doesn't need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did."

In light of Radcliffe's and Jack's demonstrations, providers now have to take seriously Coleman's question of whether criminal negligence charges could follow a failure to apply patches and properly secure and maintain their systems. Preventive measures may be costly, but the prospect of culpability after a security breach should be enough to convince most that they are a necessary expense.