A Heart-To-Heart From The Hackers: Cyber-Vulnerabilities In Cardiac Devices
Just over a year ago, this blog took note of a governmental letter that powerfully underscored the dangers of cyberattacks in the healthcare industry. The letter, which then-Senator Barbara Boxer had sent to FBI Director James Comey, discussed the serious risks that hospitals and other institutional health care providers face from cyberattacks, ransomware, and a range of other malicious efforts to infiltrate their networks. Senator Boxer’s letter sought Director Comey’s input on how hospitals in particular could protect themselves from a growing number of instances in which hackers used malware to block access to crucial patient data, and the letter also sought information about the FBI’s response to such threats. As we noted in this blog, Senator Boxer’s letter served a valuable public good – it drove home the growing concerns about cybersecurity among healthcare providers, and the dilemmas that healthcare providers face in assessing whether to make ransom payments in response to a cyberattack. Further, as the prior blog post discussed, Senator Boxer’s letter indirectly served to call attention to the ways in which cybersecurity insurance could provide hospitals with a valuable or even essential means of managing their escalating cybersecurity risks.
Of course, Senator Boxer’s letter could only point out a problem, rather than solve or contain it. And just about two weeks ago, yet another significant government letter, as well as an important and related article in the Wall Street Journal, again served to emphasize the dangers of cyberattacks and the importance of cyberinsurance in the health care industry – not just for hospitals or direct providers of medical care, but this time for medical device manufacturers as well.
The governmental letter that has called renewed attention to these issues is a so-called “warning letter” that, on April 12, 2017, the U.S. Food and Drug Administration (“FDA”) transmitted directly to Abbott, the international manufacturer of medical devices, pharmaceuticals, and diagnostic products. Through its prior acquisition of St. Jude Medical, Abbott has become a major manufacturer of implantable cardiac defibrillators, pacemakers, and “cardiac resynchronization therapy devices,” and the FDA’s warning letter focused on these types of devices. In particular, the FDA contended in its letter that Abbott’s manufacturing, marketing, and sale of implantable defibrillators and cardiac resynchronization devices, as well as of a monitor that receives and transmits data from such devices, is in violation of the Federal Food, Drug, and Cosmetic Act (“FDCA”) because Abbott allegedly has not acted in conformity with current requirements for good manufacturing practice.
How is it that, according to the FDA, Abbott’s cardiac devices are alleged to be in violation of the FDCA? Although the FDA’s warning letter is a complex document that makes for anything but easy reading, the letter boils down to two primary assertions – first, that Abbott allegedly underestimated the risk and potential consequences of the premature failure of batteries that a third-party manufacturer had supplied for the implantable cardiac devices; and second, that based on allegedly erroneous “cybersecurity risk assessments” for cardiac devices, Abbott had found that the device’s risk estimations were acceptable, when, according to the FDA, an outside report had concluded that “several risks” – including, apparently, the risk of hacking and cyberattacks on the devices themselves – “were not adequately controlled.”
It is this latter issue – the cybersecurity risks relevant to implantable cardiac devices in particular, and medical devices in general – that particularly warrants further discussion. The potential cyber-vulnerabilities of implanted cardiac devices first received public attention through, of all things, a Homeland episode that aired in December 2012. As another Forbes blogger has noted, the episode depicted (spoiler alert) the Vice President being assassinated through a cyberattack on his implanted pacemaker, and the blog post observed that the dangers of cyberattacks on medical devices were frighteningly real.
The issue of cyberattacks against implantable cardiac devices again resurfaced in late August 2016, when Muddy Waters, a research and trading firm, not only disclosed that it had taken a short position on St. Jude, but also issued a detailed report alleging that testing of St. Jude’s implantable cardiac devices had shown them to be vulnerable to cyberattacks that could cause the device to “pace” at a dangerous rate or cause a harmful drain of the devices’ batteries. Although St. Jude brought a defamation suit against Muddy Waters and MedSec, the computer security firm with which Muddy Waters had worked, the FDA weighed in on the issue several months later. In particular, in a public safety notice issued in January 2017, the FDA disclosed that while no cases of actual patient harm had been reported, “potential cybersecurity vulnerabilities” could indeed permit an unauthorized user to cause rapid battery depletion, shocks, or dangerous pacing of St. Jude’s devices. It was shortly after this safety notice that the FDA issued its April 12, 2017 warning letter to Abbott regarding the alleged failure of Abbott to adequately describe the cyber-risks that its cardiac devices presented.
It is against this backdrop, finally, that the issue of cyberinsurance again comes to the fore. On April 17, 2017, the Wall Street Journal published a noteworthy article in which reporter Richard Teitelbaum described the FDA’s warning letter to Abbott, and stated that the situation involving Abbott’s cardiac devices “casts another spotlight on the fusillade of cyber dangers facing manufacturers.” Mr. Teitelbaum’s article proceeds to discuss the increasing frequency with which manufacturers have purchased cybersecurity policies, the nature of the marketplace for such insurance, and the compelling logic in the purchase of cyberinsurance policies not just by health care providers, but by manufacturers whose factories or devices can be at risk of cyberattack. Lawyers should therefore know what risk managers, insurance brokers, and now the Wall Street Journal have already recognized: when advising clients who have any degree of vulnerability to computer-based attacks, cybersecurity insurance (which the Department of Homeland Security discusses in more detail here) is a resource that should be investigated and pursued.