The medical device industry is becoming infamous for taking risks and overlooking potential pitfalls to their products. Tens of thousands of lawsuits are currently on court dockets seeking compensation for injuries that were suffered because medical device manufacturers could not be bothered to fully research the risks that their implants posed to the patients who would use them. Some of these injuries were caused by dangers that were shockingly foreseeable.
Now, another risk has become brought to light: hacked medical implants. The risks that they pose to patients is not small, yet device makers have not only found it unworthy of their time to take basic cybersecurity precautions with their products; they have even refused to fix known hacking risks, claiming that the odds of an implant being hacked are small.
If you suffer because of this casual attitude, the personal injury lawyers at Gilman & Bedigian can help.
How Medical Implants Can Get Hacked
Medical devices and implants have become more and more advanced as technologies have gotten better. While pacemakers have always been programmed to be able to detect abnormal heart rhythms and provide the electrical stimulus needed to set them right, now they are being equipped with networked technology that notifies doctors in real time of the arrhythmia. Meanwhile, insulin pumps have been outfitted with computers that allow doctors to remotely alter the dosage based on what a patient needs.
Putting medical implants on a network can be necessary for a patient to receive the care they need. In some cases – especially in-patient circumstances where a patient's status can vary by the minute, and they need constant care – a networked medical device or implant can provide the automatic medical reaction that can be the difference between life and death.
However, while this ability to communicate with a medical implant or device is essential for healthcare professionals to provide extremely close levels of care, it comes at a serious risk: the possibility that someone else could stand in for the doctor and tell the implant what to do instead.
The amount of skill, sophistication, effort, and technological power it takes to hack into a network – any network – of devices will depend on how those devices are linked. Simply put, some networks are more secure than others, making them more difficult to crack and infiltrate.
The networks that medical implants use, though, are some of the most primitive out there. Some of them pass unencrypted information back and forth to doctors. Others use radio signals that can be intercepted and responded to with primitive devices. Some do not even require authentication or have passwords. All of them revolve around computers and computer programs that talk to each other – computers that can be hacked and told what to do by people who should not have that kind of power.
Anonymity the Best Defense?
So far, medical implant makers have been responding to the risks of hacked devices with the anonymity defense. While the dangers are real for anyone who has a networked medical implant – and most implants are networked, now – the reality is that individual people are relatively safe precisely because they are individual. Unless someone with a medical implant is a prominent or public figure and is likely to be targeted or assassinated, the risks of a hacker going out of their way to take control of their medical device are relatively low.
For example, while an ordinary person with a pacemaker faces little chance of suffering from a hacked medical implant, doctors deliberately disabled the wireless feature while replacing former vice president Dick Cheney's pacemaker.
Ignoring the fact that doctors understood the risks of a hacked pacemaker as early as 2007, the anonymity defense breaks down very quickly. No one lives in a vacuum. Everyone has slighted someone else at some point in the past. Leaving open such an important opportunity for revenge – a door that could so easily be closed with even basic cybersecurity protocols like authenticated access to the device and encrypted data – seems mind-boggling.
Hospitals Especially at Risk
The severity of the problem of hacked medical implants grows exponentially when you consider how endangered hospitals become. Each hospital bed in the U.S. can have up to a dozen networked devices, from IV drips to heart monitors to air pumps. Each of these devices communicates with a computer somewhere else in the hospital, sending signals that contain private medical information, and receiving signals that tell the device to do things that could save or kill the person relying on them.
The potential for hospitals to get hacked is not even a theoretical one. In May 2017, thousands of hospitals in the U.S. and Britain were infiltrated with malware and a ransomware virus. The ransomware took control of hospital computers – including medical devices like MRI machines – at the administrator level, and refused access until a Bitcoin payment had been made.
U.S. officials blamed North Korean hackers for the episode.
A Known Example of Hackable Medical Implants: Medtronic Heart Defibrillators
One medical implant that has been proven to be hackable has been Medtronic heart defibrillators.
Heart defibrillators like these are like advanced pacemakers: they can be programmed to detect particular heart arrhythmias that are often precursors to serious heart conditions, including cardiac arrest, and they send precisely-timed electrical shocks to correct the problem.
Medtronic's heart defibrillators used a wireless network that relied on radio waves to communicate with other defibrillators, as well as programming devices used by doctors. That network could be accessed without even a password, allowing anyone with the right equipment and who was within 20 feet of the implantee to get on the network. Once there, the hacker could intercept communications coming from the defibrillator, including sensitive medical information about the patient's heart condition, and send signals to the defibrillator.
Those signals could reprogram the device entirely, destroying the programs that could prevent a heart attack, or they could include a command to shock the heart without mercy.
When it learned of the vulnerability, the U.S. Department of Homeland Security rated it a 9.3 out of 10 in severity. It also noted the “low skill level” it took to exploit the flaw.
The United States Food and Drug Administration (FDA) subsequently announced that people who had heart defibrillators implanted in their body should be on the alert, though noted that people with implanted defibrillators should continue to use them as prescribed.
Medtronic, however, has been far more casual and unconcerned about the risks of its implants. In their press release, they insisted that the device was safe and that “the benefits of remote monitoring outweigh the practical risk that these vulnerabilities could be exploited.”
Your Legal Options If Your Implant Gets Hacked
If your medical implant gets hacked and you get hurt, you would have legal rights and recourse to pursue compensation for your injuries.
The target of that recourse, however, would almost certainly not be the person or party that hacked your implanted device. The odds that this person could be tracked and apprehended and sued are probably going to be slim. If the hacker was found, the odds that they had the means to pay the costs of a verdict out of their own pocket would be even slimmer – their insurance would disappear from the picture as soon as they learned that the injuries were the result of intentional conduct.
Instead, the target of your lawsuit would be the maker of the medical implant that got hacked, especially if they, like Medtronic, created a medical device that was ripe for hacking. When technological devices are left so unprotected that it seems a matter of time before they are broken into by nefarious parties, the company that left them so open should be held accountable for their poor decision. It was that decision, after all, that left victims so exposed to someone else's hacking attempt.
Personal injury claims like these would take the form of product liability lawsuits, which argue that a defect in the design, manufacture, or marketing of the product was so severe that it put the device's users at a completely foreseeable risk. Products liability claims like these often evolve into class actions or mass tort claims because of how many people get hurt in the same way from the same course of conduct by the same defendant.
Contact the Personal Injury Lawyers at Gilman & Bedigian
If you or someone you love has been hurt because a medical device manufacturer could not be bothered to provide basic cybersecurity for the medical implant that you needed to stay alive, you deserve compensation and the company needs to be held accountable.
The personal injury lawyers at the law offices of Gilman & Bedigian can help. By advocating for your rights and interests both inside the courtroom and outside of it, we can fight for you and ensure that your finances are not also put at risk, as well. Contact us online to schedule a consultation and plan your case so we can pursue the compensation that you need and deserve on your behalf.