WHEN THINGS GO WRONG: REDEFINING LIABILITY FOR THE INTERNET OF MEDICAL THINGS

– Bethany A. Corbin –


Abstract:

The Internet of Medical Things (“IoMT”) is set to revolutionize the health care industry. Evolving at a rapid and unprecedented pace, IoMT is transforming the notion of value-based care by significantly improving health care efficiency, convenience, and patient comfort. The IoMT ecosystem, however, differs from prior technology in that it requires interconnectivity between numerous devices, people, and wireless infrastructure. IoMT is only at a nascent stage and therefore lacks comprehensive legal and regulatory structures to protect patients’ privacy and security. These legal and regulatory gaps, combined with the unique challenges of digital products, have resulted in insufficient incentives for IoMT device manufacturers to adequately secure their products against hacks, hijacks, and breaches.

Compounding this issue of non-regulation and insecure code is the lack of a comprehensive and workable liability framework for consumers to follow if their IoMT device malfunctions or is hacked. The application of tort principles to evolving IoMT devices is imperfect, creating challenges for plaintiffs seeking damages. In particular, the numerous actors in the IoMT supply chain make it difficult to apportion liability, with no clear boundaries establishing which party is at fault for a hack or breach. Similarly, defect-free software does not exist, which complicates the application of strict products liability. Further, end-user licensing agreements contractually limit manufacturer liability for defective devices, shifting the risk of harm to consumers and eliminating manufacturer incentives to comply with cybersecurity best practices. Given the complications with applying traditional tort doctrines to IoMT and the substantial growth projected in the IoMT market, new or revised liability models will undoubtedly develop as cases progress through the court system.

Although it is impossible to predict at this stage the form of any new IoMT liability structure, this Article proposes an interim two-prong framework that merits consideration as an incremental step in building the new liability framework. First, end-user agreements that limit a software manufacturer’s liability for vulnerable code should be prohibited in the IoMT context. The unique risk of bodily harm posed by certain IoMT devices requires a liability system that will hold software manufacturers accountable for their failure to adequately secure their products. That said, there must be an appropriate balancing of incentives with liability, and opening the floodgates for IoMT device liability could produce unintended consequences. Thus, a second proposal should be simultaneously implemented that guards against unfettered liability for IoMT device manufacturers who adequately secure their code. Specifically, a “safe harbor” statute should be adopted that limits civil liability if IoMT manufacturers and software companies comply with voluntary, industry-approved cybersecurity frameworks. This two-prong proposal balances incentives with punishment and can result in safer IoMT products for consumers.