Cyberattacks on Medical Devices and Hospital Networks: Legal Gaps and Regulatory Solutions
Cyberattacks on medical devices and hospital networks are a real and growing threat. Malicious actors have the capability to hack pacemakers and insulin pumps, shut down hospital networks, and steal personal health information. This Article analyzes the laws and regulations that apply to cyberattacks on medical devices and hospital networks and argues that the existing legal structure is insufficient to prevent these attacks. While the Computer Fraud and Abuse Act and the Federal Anti-Tampering Act impose stiff penalties for cyberattacks, it is often impossible to identify the actor behind a cyberattack—greatly decreasing the deterrent power of these laws. Few laws address the role of medical device manufacturers and healthcare providers in protecting against cyberattacks. While HIPAA incentivizes covered entities to protect personal health information, HIPAA does not apply to most medical device manufacturers or cover situations where malicious actors cause harm without accessing personal health information. Recent FDA draft guidance suggests that the agency has begun to impose cybersecurity requirements on medical device manufacturers. However, this guidance does not provide a detailed roadmap for medical device cybersecurity and does not apply to healthcare providers. Tort law may fill in the gaps, although it is unclear if traditional tort principles apply to cyberattacks. New legal and regulatory approaches are needed. One approach is industry self-regulation, which could lead to the adoption of industry-wide cybersecurity standards and lay the groundwork for future legal and regulatory reform. A second approach is to develop a more forward-looking and flexible FDA focus on evolving cybersecurity threats. A third approach is a legislative solution. Expanding HIPAA to apply to medical device manufacturers and to any cyberattack that causes patient harm is one way to incentivize medical device manufacturers and healthcare providers to adopt cybersecurity measures. All three approaches provide a starting point for considering solutions to twenty-first century cybersecurity threats.
Katherine Booth Wellington,
Cyberattacks on Medical Devices and Hospital Networks: Legal Gaps and Regulatory Solutions,
30 Santa Clara High Tech. L.J. 139
Available at: https://digitalcommons.law.scu.edu/chtlj/vol30/iss2/1