Emerging Markets Law

IoT Product Liability Risks: Medtronic Defibrillators Vulnerable to Hacking


With a headline that echoes a plotline from a recent TV drama (The Blacklist, Season 6, Episode 9), the FDA announced recently that it had concerns with the wireless protocols in Medtronic implantable defibrillators.

In the television version of this story, the bad guys exploit the vulnerability in the implantable devices to extort ransom payments from the manufacturer. The good guys have to track down the extortionist without causing unnecessary fear to patients that their pacemakers might fail any minute.

The real world is more banal.

In its March 25, 2019 press release, the FDA alerted Medtronic and other industry participants about its concerns with the cyber vulnerability. Medtronic issued its own press release, stating that it was working on an update to the firmware within the device and that it had no reason to believe that anyone had successfully exploited the vulnerability.

Much has been written recently about the potential liability manufacturers might have in the evolving “Internet of Things,” where devices connect to each other and exchange data and commands through the Internet. In such a world, what should be the appropriate limits of the manufacturer’s liability if a device malfunctions (misbehaves?) in a way that injures a person?

On the television show, The Blacklist, the good guys rescue the device manufacturer (and its 100,000 patients who are relying on the faulty pacemakers) by preventing the extortionist from sending a malicious order to the pacemakers that would have killed their wearers. But what if, as a good law school professor might ask, the bad guys had not been so lucky? If the bad guys had caused death or grievous bodily harm to the 100,000 wearers of the pacemaker, what should the liability be for the manufacturer of that device?

The plaintiffs would argue that the manufacturer should be liable for allowing the device to go to market when it contained a vulnerability that could be exploited. The defendant manufacturer, on the other hand, would argue that no device can be entirely free from risk and that the manufacturer should not be responsible for the intentionally wrongful act of the hacker that caused the injuries.

In the real world the questions become even more complicated. What should be the FDA’s role in looking at cybersecurity with respect to medical devices? Based on published reports, the “vulnerability” in the Medtronic device could only be exploited if someone were “very close” at a specific time when the device was vulnerable. (The implantable device has a wireless connection with a bedside monitor, and the alleged vulnerability relates to that wireless connection.) Before the FDA’s announcement, there was no specific standard required for the wireless connections involved with implantable devices. The FDA’s announcement effectively imposes a standard that requires manufacturers to ensure that there is no vulnerability at any range at any time. Should the FDA be allowed to adopt such standards after devices are in use, or should it adopt standards in advance so that manufacturers have time to comply?

The legal question will take years to resolve as courts grapple with the problem of allocating risk in an increasingly complex marketplace of devices and networks.
