Medical Device Cybersecurity: Legal ConcernsAttorney Thomas Barnard Describes the Issues to Consider
Healthcare organizations need to consider a number of legal issues when it comes to cybersecurity incidents involving medical devices, says attorney Thomas Barnard of the law firm Baker Donelson.
"There are a couple layers that we need to be concerned about," Barnard says in an interview with Information Security Media Group. "You have individual liabilities for individuals, and you have individual liabilities for organizations."
For consumers and patients, personally identifiable information is at risk if these devices are breached and stolen information is used to commit identity fraud.
"If I'm a consumer of health services, my personal and private health information is stored on these devices. It's in many forms. So, one of the liabilities is that the information could be used to steal my identity and create liabilities for me, or potentially blackmail me," he says.
And the organizations that use these devices, "have a duty to protect this health information from foreseeable risks," he adds.
Healthcare Entity Risks
Healthcare organizations face potential liability from consumers whose data is compromised in breaches involving medical devices, he notes. But in addition, these entities also face potential scrutiny from federal regulators, such as the Department of Health and Human Services and the Federal Trade Commission, as well as risk the loss of intellectual property, trade secrets and other sensitive corporate data, he notes.
"There are also breach reporting requirements, and I think a lot of organizations don't understand obligations about when they have to report certain cybersecurity breaches, so you may face liability from that perspective, too."
In the interview (see audio link below photo), Barnard also discusses:
- Four general categories of health devices that are at risk for security breaches;
- Potential risks and legal issues involving medical devices and ransomware attacks;
- The relevance of Food and Drug Administration medical device cybersecurity guidance on products sold outside the U.S.
Barnard is a shareholder with Baker Donelson, and a former assistant United States attorney and Army officer who brings more than 20 years of government experience to his practice. With a focus on litigation and health law, Barnard represents clients in government investigations and litigation. He also advises clients with regard to government contracts, cybersecurity and investigations of alleged procurement fraud.