This article first appeared in Insurance Day, October 2020
Internet-connected medical devices could have a significant positive impact on patient outcomes and access to healthcare, but cyber security fears remain.
US National Cybersecurity Awareness Month was launched in 2004 to ensure every American has the resources they need to stay more secure online. Now in its 17th year, this year’s theme is “Do your part. #BeCyberSmart”. This year’s campaign focused on securing internet-connected devices in healthcare, a growing concern for insurers.
According to Deloitte, the worldwide market for smart medical devices could grow to US$52.2 billion in 2022, consisting of stationary medical devices (US$17 billion), implanted medical devices (US$18.9 billion) and wearable external medical devices (US$16.3 billion).
The COVID-19 pandemic has pushed our healthcare system to its limits, highlighting the lack of space and resources in hospitals. It has been a catalyst for increased use of medical health apps for tracking the progress of the virus and to remotely monitor vital statistics of potential sufferers. It has also highlighted the importance of smart medical devices and wearable remote monitoring devices, with a focus on helping us better take care of ourselves.
Smart medical devices/service apps have risks inherent to them, such as potential defective design, inadequate warnings about usage, software malfunctions or inaccurate input or interpretation of data. They are also at risk from external factors such as inappropriate training, a lack of connectivity or a potential cyber attack, which could lead to personal injury, death and/or personal data breaches.
A variety of smart devices are available on the market, including deep brain neurostimulators, cochlear implants, defibrillators and pacemakers. There are also numerous health gadgets, apps and wearable technology, designed to monitor vital signs and help us self-manage our chronic conditions. Innovative products still in development include wireless powered wearable smart contact lenses made of biocompatible polymers, which diagnose and treat diabetic retinopathy via automated drug delivery and electrical stimulations.
Another example is a smart insulin adhesive microneedle patch, which is the size of a coin and delivers necessary insulin dosage and mimics the pancreas. There is also a personal mobile monitor, cleared by the Food and Drug Administration (FDA), which can track your heart health anytime, anywhere and deliver a medical-grade electrocardiogram to a smartphone in 30 seconds.
In the future, we are also likely to see a revolution of biocompatible nanoelectronics and smart chip implantable devices, which are smaller, smarter, more lightweight and more comfortable for the patient, packed with functionality and able to provide diagnostic data straight to the treating physician.
The first FDA recall of a network-connected implantable device because of cyber security vulnerabilities was in August 2017, when around 465,000 pacemakers were recalled owing to fears about lax cyber security and the risk of hackers being able to run the batteries down or alter the patient’s heartbeat.
The pacemakers were not removed – this was considered too invasive and dangerous – but a firmware update was applied by medical staff to patch the security holes remotely.
More recently, in June 2019, the FDA became aware of potential cyber security risks in insulin pumps and recommended that patients replace affected pumps with models that were better equipped to protect them from potential risks.
Product liability
Assuming software is a “product” not a “service”, smart medical device and health app manufacturers could face product liability claims. Following Boston Scientific, where a claim relates to a software vulnerability and/or cyber security risks, allegations are likely to be made that the product has a design defect.
Under the Consumer Protection Act 1987 (CPA) there may be strict liability for producers of software and/or smart medical devices if a vulnerability results in property damage and/or personal injury. For example, does the consumer expect that hackers could infiltrate the product, or that the software may malfunction if it is not updated in a timely manner? If not, the manufacturer and others in the supply chain may be subject to liability.
If these products are supplied by a hospital, the users may seek redress against it as well as manufacturers under the CPA. Determining liability will be complex but manufacturers are likely to bear the major share. Harm could further arise from the patients’ own failure to care for their smart medical devices and/or use them in accordance with instructions.
The new European Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR), which include devices using medical software, were published in May 2017 and will replace the existing framework under the Medical Devices Directive. The three-year transition period of the MDR has been pushed back to 26 May 2021 because of the impact of the coronavirus pandemic, to enable medical device manufacturers to produce devices to fight COVID-19.
The UK’s Medicines and Medical Devices Bill received its second reading on 2 September 2020. Once passed, it will consolidate the enforcement regime for ensuring safety and quality of medical devices in the UK.
The Bill creates a delegated power for the Medical Devices Regulations (MDR) 2002 to be updated in a limited number of areas including, for example, the manufacture, marketing and supply of medical devices, and the creation of offences for breaching MDR provisions. It also provides the secretary of state with information-sharing powers relating to medical device safety.
Smart medical device stakeholders must be aware of the risk of potential product liability claims and seek to mitigate any potential liability risks through robust software design and development protocols; rigorous safety/security testing and monitoring pre- and post-market; adequate labelling, warnings and instructions; having protocols in place for cyber security and data privacy protection; and conducting incident response for potential cyber attacks.
Insurance coverage should be re-evaluated, bearing in mind insurance policies may not provide coverage for every consequence of a cyber attack. It may be worth considering combined cover for technology product liability, clinical negligence and cyber liability.
Smart medical devices and service apps have the potential to significantly improve patient outcomes and access to healthcare. However, highly complex potential risks and liability issues may arise in respect of them in our increasingly smart future.