Cybersecurity and medical devices: Informed consent in digital age

We are becoming more comfortable using devices and appliances that are connected to the internet or store vast amounts of data about us. From Fitbits to “smart” thermostats to smartphones, we knowingly and unknowingly allow these devices to store and share personal data. In many ways, we and our data are the “product.” And, as the recent Facebook controversy shows, our data can be sold to the highest bidder without our knowledge or consent. Indeed, many of us either ignore these effects on our privacy, or willingly choose to trade our data and privacy for convenience, coupons, or to play Candy Crush.

Medical devices are no exception. Wearable and connected medical devices such as pacemakers, defibrillators, glucometers, blood pressure meters and scales are part of the new connected world of devices called the “internet of things.” Many medical devices can connect to your phone via an app and share their data with either your doctor’s office or the device manufacturer to monitor your health condition or send an alert if trouble is sensed. Without a doubt, this gathering and sharing of data has many obvious upsides.

But this arrangement is not without risk. Last year the Food and Drug Administration noted the rise of devices containing internal computer systems that connect to the internet. The FDA warned this sophistication and connectivity makes those devices vulnerable to hacking and cybersecurity intrusions. In fact, the FDA had to issue a warning regarding a particular “smart” pacemaker and the risks associated with it. The agency warned this pacemaker was subject to hacking, which could lead to the “administration of inappropriate pacing or shocks.” The pacemaker manufacturer promptly issued a software patch, but the FDA warning alarmed the medical community.

What does this mean for medical device makers, patients and doctors? First, manufacturers must ensure they do not release any wearable or implantable devices unless they are immune from intrusion or manipulation. Hackers are often one step ahead of security technology, and medical devices are no exception. Therefore, manufacturers must prominently and adequately inform doctors and patients of the potential risks.

Second, doctors and patients must educate themselves to fully understand the technical features of wearable or implantable medical devices.

Does this device securely connect to the internet? What kind of data does it gather about me? Where is it stored? What kind of data does it share? Are software updates applied automatically? Can my health insurer obtain this data?

These are complicated questions which many doctors and patients cannot easily answer.

This dialogue between doctors and patients is a hallmark example of what is known as “informed consent.” This age-old principle simply means doctors must adequately explain the risks, benefits and side effects of a course of treatment.

Doctors do not have to explain or mention every conceivable risk or possible danger, but they must offer enough information to protect a patient’s freedom of choice to select or decline the treatment. Armed with adequate information, patients are then left to determine their best course of treatment. The challenge doctors and patients face with connected devices is whether they have enough information and expertise to ensure patients can truly give informed consent.

If a doctor is unaware or unskilled in explaining the technical risks of a wearable or implantable device, we will likely see more unfortunate situations in which patients claim they were not properly informed of the risks of these devices.

Brian J. Lamoureux is a partner at Pannone Lopes Devereaux & O’Gara LLC in Johnston.