While the Internet of Medical Things (IoMT) — the network of medical devices and applications connected to healthcare information technology (IT) systems — has already led to an array of improvements in the delivery of healthcare services, it has also resulted in a whole slew of legal and regulatory questions that remain largely unanswered.
In a recent article at Med Device Online, a team of attorneys from Reed Smith LLP observed the “accelerated adoption of IoMT means device manufacturers must grapple with the security vulnerabilities affecting medical devices, a landscape of uncertain liability, and emerging regulations.”
In many ways, they argue, the IoMT can be summed up as sector wide exercise in interoperability, but they succinctly add that “inherent security risks accompany interoperability.” Consequently, they argue, device manufacturers should keep abreast of current minimum security standards, as noncompliance could lead to problems including lawsuits (e.g., arising from patient data privacy breaches), government enforcement actions, financial losses, and bad press.”
As for the questions still to be addressed, they include:
• What is the reasonable standard of care in creating a secure IoMT device?
• What constitutes a design defect or failure to warn?
• Are security vulnerabilities considered a design defect?
• For how long must device manufacturers provide security monitoring and software updates after selling a product?
To be sure, regulators, both administrative and legislative, are not entirely unaware of the need for more comprehensive guidance.
For example, the writers note, “in an effort to regulate the IoMT and ensure public safety, the FDA has issued premarket and post-market cybersecurity guidance, providing nonbinding recommendations to device manufacturers.
Meanwhile, on the legislative front, Congress also has taken action, introducing in the U.S.House of Representatives in October the Internet of Medical Things Resilience Partnership Act of 2017, the purpose of which is to “establish a working group of public and private entities led by the Food and Drug Administration to recommend voluntary frameworks and guidelines to increase the security and resilience of Internet of Medical Things devices, and for other purposes.”
In short, there is some regulatory guidance on the risks surrounding IoMT, but compliance standards remain vague, and both legislation and case law on the topic are sparse. By monitoring regulatory and legal developments surrounding the IoMT and following best practices, healthcare stakeholders can guard against the risks of cyber vulnerabilities as they tap ever further into the spread of the IoMT and other cloud-related technologies.