Federal Laws Raise a Barrier to Researching Vulnerabilities of Medical Devices
TechLawLogy™: eDiscovery and Privacy Blog
The past several decades have witnessed the computerization of everything from phones, to watches, and even household appliances. The medical device market has been no stranger to this phenomenon. Insulin pumps, pacemakers, and other critical medical devices now come equipped with technologies that allow them to seamlessly communicate with the web and other devices. While society has benefited from the efficiencies these technologies bring, there are increasing fears that cybersecurity vulnerabilities in medical devices could be exploited. Where once a hack could lead to social or financial ruin, now a person’s physical well-being could be on the line. Unfortunately, antiquated federal laws are making it difficult for well-intentioned hackers to test and expose these vulnerabilities.
The Computer Fraud and Abuse Act and the Digital Millennium Copyright Act prevent white hat hackers from exposing critical cybersecurity vulnerabilities.
Contrary to what is often expressed in pop culture, not all hackers have nefarious motives. Some hackers, often referred to as “white hats,” utilize their skillset to discover and alert companies to system vulnerabilities. However, two particular federal laws have historically prevented white hats from carrying out their work. The Computer Fraud and Abuse Act (“CFAA”), passed by Congress in 1986, made it a crime to intentionally access a computer without authorization or to exceed the scope of authorized access. The Digital Millennium Copyright Act (“DMCA”), passed by Congress in 1998, created civil and criminal penalties for individuals who “circumvent a technological measure that effectively controls access” to a copyrighted work.
These laws were created with the intention of stopping “black hat” hackers from gaining unauthorized access to computer systems or copyrighted works. The issue is that these laws are far too broad in scope, leading to serious federal prosecutions of individuals who were engaged in “white hat” hacking or who committed relatively minor violations. One famous example is computer programmer Aaron Swartz, who, among other things, helped to develop Reddit and the web feed format RSS. Swartz was indicted by a grand jury on 11 counts for violations of the CFAA. His crime? Mr. Swartz ran a script that allowed him to download millions of academic articles from the database JSTOR. Facing a maximum sentence of up to 35 years in prison, Mr. Swartz took his own life in 2013.
If nothing else, Mr. Swartz’s death led to a serious conversation about the antiquity of federal cybersecurity laws. Shortly after his death, U.S. Representative Zoe Lofgren introduced a bill named in Swartz’s honor that would have barred criminal prosecutions for violating a website’s terms of service. Unfortunately, the bill never gained enough traction. Federal agencies have since taken their own steps to promote the use of white hat hackers. The Food and Drug Administration, realizing the threat that unsecured medical devices pose, now urges medical device manufacturers to work with hackers through coordinated vulnerability disclosure programs. Through these programs, white hats can report software vulnerabilities to a medical device company, allowing the company to fix the problem.
White hat hackers and medical device companies still face uncertainty and potential legal traps when testing for cybersecurity vulnerabilities.
There are still fears amongst medical device companies and the white hat community that participation in coordinated vulnerability disclosure programs could lead to legal problems. These concerns largely stem from inconsistent court rulings across the country in CFAA and DMCA cases. Early this year, the U.S. Justice Department released guidance aimed at helping companies design vulnerability disclosure programs in a manner that avoids violating federal law. Even so, disagreements over how and when to disclose system vulnerabilities remain an issue that continues to plague the relationship between companies and hackers. In 2016, St. Jude Medical LLC sued MedSec, a cybersecurity firm, after MedSec publicly exposed vulnerabilities in a pacemaker system manufactured by St. Jude Medical, which could allow a hacker to manipulate the pacemaker or drain its battery. That lawsuit remains ongoing.
The world of white hat hacking is ever-changing. As the medical device community becomes more accustomed to the idea of working with hackers to improve products, it must also face hurdles posed by antiquated federal cybersecurity laws. The best protection for any person or company involved in this business is to seek the legal advice of an experienced attorney.
If you are a white hat hacker or company working with white hat hackers and have questions about your rights, please Contact Us.