Defending The Technology Based Medical Malpractice Case Of The Future

By: Richard Sheinis, Esq.

The medical industry is taking advantage of wireless technology to change the very premise of how care has been provided for hundreds of years. Regardless of whether a doctor was performing bloodletting in the 1700s or an appendectomy in 2000, the one constant was that the patient and doctor always had to be in each other’s presence for the care to be provided. While this is still true for the majority of health care, remote health care, delivered over the internet and other wireless methods of communication, is upon us like a tidal wave of technology.

Just a few months ago the FDA encouraged health care facilities to stop using the Hospira Infusion System due to cybersecurity vulnerabilities. Shortly before that I blogged about an attack vector identified by TrapX Laboratories, called MEDJACK or “Medical Device Hi-Jack.” Internet-connected or wireless medical devices are often vulnerable points of entry into a medical provider’s network. Once in the network, the hacker can access medical records and take control of or alter the functionality of the medical device. What will happen when hackers use a compromised medical device to harm a patient? This confluence of technology and patient injury will be the new breed of malpractice suits against healthcare providers. Lawyers who defend these lawsuits will need to be part malpractice attorney and part IT security specialist.

In defending the technology-based malpractice suit, the attorney will have to address not just the traditional issues of a malpractice case, such as evaluating the severity of the patient injury, the cause of the injury, and aspects of the patient’s background. The attorney will also have to address issues like security by design, software updates, security patches, malware detection and remediation.

If a medical device is hacked, whose fault is it? Is it the fault of the manufacturer who designed the medical device with insufficient security features? Is it the fault of the medical provider whose due diligence did not detect a security flaw in the medical device, or who did not plan to update the security of the device? These are all issues that the defense attorney will need to understand and evaluate.

Hospitals and other medical providers should get out in front of these lawsuits before they happen:

• Adopt policies and procedures for security due diligence when purchasing medical devices.

• Determine who is responsible for security updates, the manufacturer or the medical provider.

• Track and monitor updates.

• Review and update the security of devices already in use. Review the FDA guidance, “Cybersecurity for Medical Devices,” and apply it where appropriate. A plaintiff’s attorney may assert that this guidance is “standard of care” and a failure to follow it is evidence of negligence.

• Evaluate vendor contracts to make sure they account for security responsibility on an ongoing basis.

• Integrate threat detection to hunt down compromised devices. Update your HIPAA risk assessment to account for threats to medical devices.

It will no longer be enough for defense attorneys to evaluate whether a medical provider’s treatment met the standard of care. The attorney will have to be tech savvy enough to determine if the provider met the technology standard of care.
