Katz Banks Kumin partner Alexis Ronickher appeared as a guest on a Medtech Insights podcast entitled, "Attorney Discusses Cybersecurity Whistleblower Protections in Medtech." In the episode, Ms. Ronickher discussed her recently authored Cybersecurity Whistleblower Protections manual and how the legal protections detailed in it apply to the medical device industry. The cybersecurity of medical devices has been a growing concern over the last few years. What protections exist for cybersecurity whistleblowers who expose cyber vulnerabilities in these devices? Ms. Ronickher said, "Like all cybersecurity whistleblowers, there's not a set law that protects them from retaliation, but there is a patchwork of different federal and state laws that, depending on the factual scenario for that whistleblower, are there to protect them when they raise these issues internally and externally."
She continued, "If you are an employee that works for a medical device manufacturer that is a publicly traded company, and you raise concerns about the misrepresentation of the cybersecurity vulnerabilities of those medical devices, which have been made publicly, you'd have a strong claim for retaliation under Sarbanes-Oxley and potentially Dodd-Frank." Private sector employees are also afforded some protections. Ms. Ronickher noted, "Over 30 states protect employees of private companies who blow the whistle. I think in the cybersecurity medical device context - given the catastrophic effects that it could have on public health - you're going to have a very strong claim for engaging in protected activities when you raise these reports." However, protections vary from state to state.
In the past year, the FDA has issued two safety alerts regarding medical device cybersecurity vulnerabilities. Ms. Ronickher noted, “I think one of the issues here is just, it’s still a relatively new issue; there haven’t yet been any catastrophic or serious documented instances. So you’re going to run into a bit of it being a hypothetical problem.” While there have not yet been many documented cases of medical device cyber attacks, these devices could be used as portals into hospital networks to access private health information and other sensitive, personal data. By endangering patient privacy, vulnerabilities in medical devices could violate the Health Insurance Portability and Accountability Act (HIPAA). If an employee was fired for raising concerns about a device's cybersecurity vulnerabilities that jeopardized patient privacy, that individual could have a wrongful termination claim.
When considering reporting a device's cybersecurity vulnerabilities, Ms. Ronickher noted that individuals should think about a few things. First, they should consider consulting an attorney. Individuals should also raise issues in writing in order to leave a paper trail in the event that the employer tries to re-frame the communications. Finally, Ms. Ronickher said, “Don't report your concern and your issue at the same time as reporting other problems you have, say, with how another supervisor is treating you or another coworker is harassing you. Keep those things separate; that way the employer can't conflate different reports of issues together and say, ‘Oh, the person wasn't raising an issue with the cyber-vulnerability of this medical device; they were raising workplace issues.’” To listen to the full interview, click here. For more information on the legal protections afforded to cybersecurity whistleblowers, download a free copy of the Cybersecurity Whistleblower Protections manual.