Product liability issues can be costly to companies that aren’t prepared for them.
Half of connected medical and IoT healthcare products have at least one critical vulnerability that, if found by the wrong people, would allow access to networks and data according to the security platform provider Cynerio.1 Also, one-third of bedside healthcare IoT products have unpatched holes in their software. This kind of risk can be found in insulin pumps, intracardiac defibrillators, intrathecal pain pumps, and pacemakers. According to an FBI bulletin released last year, the cyber thieves can adjust the devices so they produce wrong readings. The flaws stem from hardware design and device software management.2,3
“If you look at those medical devices in litigation,” says Eric Alexander, partner Reed Smith LLP, “you will see that they have a software component, and there are allegations in which software is a problem.”
Oftentimes, the software design is farmed out by the medical device company, and the former “do not live in the space of regulated entities” in which maintaining a clear record of design steps and the evaluation of risks and benefits is required.
Another potential product liability issue is the number of recalls of medical devices is soaring.4 In 2021, including lot-specific recalls, there were 837 events; 911 in 2022. In January alone of this year, there were 135 recalls–the fourth quarter of 2022 had 80.4 The FDA cited manufacturing defects as the most common reasons for device recalls in January–34.8% of the total. In late June, the FDA announced a Class I recall for a rechargeable thermometer. The product burned the skin due to overheating and leakage of corrosive chemicals.
Any medical device, including a PMA [premarket approval] device, could be the subject of personal injury lawsuit—and that includes those under preemption protection, says Alexander, whose office is in Washington, DC.
Preemption permits a higher level of government to limit or eliminate the power of a lower level of government over a specific issue. The Supremacy Clause of the US Constitution allows federal law to take precedence over state and local law.
Even with preemption protection, Alexander continues, an entity can get sued because some courts will investigate whether the defendant has failed to comply with requirements that are allegedly mandated by both state and federal laws.
Some courts, he says, have allowed cases to advance so they become burdensome to the defendants even if the defendant ultimately wins on preemption. A motion to dismiss is great, but if five corporate executives need to be deposed, “it is still burdensome.”
Bottom line: any stakeholder involved with a medical device cannot prevent a lawsuit.
“It can’t be done,” Alexander says. The best a company can do, he said, is to do the best work it can do–from design to approval.
According to the nonprofit health and safety group ECRI,5 any entity in the chain of distribution may be liable under strict products liability. It’s worth noting, however, that a plaintiff will look for anecdotal early warning reports about the product, which will not help the defendant’s case if the reports are incomplete and speculative.5
Healthcare professionals, says David L. Feldman, MD, MBA, FACS, Chief Medical Officer for The Doctors Company and TDC Group, said any aspect of medicine that involves medical products, or any other technique, can result in a lawsuit.
Complicating matters are the vast array of products now considered medical products; some well-seasoned, others barely tested.
The Doctors Company can offer members advice about using products that are FDA approved, or that are part of a verified research protocol while following standard practices. It’s the newer technologies, he says, that “are riskier for a lot of reasons.”
To illustrate the breadth of what constitutes a medical device, the FDA used 37 slides out of a 49-slide PowerPoint deck to show, detail, and explain what it considers a medical device to be or not to be. Tongue depressors, yes; software used to display test results, no; adult diapers, yes; FitBit, no.6
Physicians also are responsible for the accuracy of any information for which they have “reasonable access,” according to the Doctors Company.
Consider an EHR dropdown’s menu of medications, particularly medications that, when abbreviated, look the same. A case study on the Doctors Company website discusses a female patient with allergies who developed serious problems when she was prescribed Flomax, as opposed to Flonase.7
Physicians are also responsible for in-home device use: They need to ensure that a patient is well informed about how a device works, its potential benefits and any limitations, Feldman says.
Feldman advises his fellow physicians to beware, legally speaking, of using new devices with a limited track record. It is important to have significant data regarding patient use and how the analyses and/or diagnoses are made.
As for protection from cybersecurity breaches, the FDA is now requiring that medical device developers include a plan in their submissions or applications for regulatory review.3
“Medical device manufacturers will face increased responsibilities for reporting how they will monitor, identify, and address post-market cybersecurity vulnerabilities,” according to Sedgwick.4
A company thinks analyzing a product’s risk is at the bottom of its to-do list.8
“That’s true,” says Alexander, “risk assessment by outside lawyers is generally not a line item in a product’s development. In terms of [defense] lawyers… we only hear when there is an issue.”