IoT in Healthcare Presents Opportunity but Also Prompts Higher Guardrails Around Cybersecurity, False Claims Act

February 2017

By Judy Selby and Patrick Pilch

Update: Since we wrote this post in February 2017, the infiltration of technology into health has only quickened. Disruptive mergers like CVS/Aetna and innovative partnerships like the one between Amazon, JPMorgan and Berkshire Hathaway are becoming the norm as health organizations battle for consumer data and work to innovate patient care. Continuing to improve patient care is important to achieving shared value across the health and life sciences ecosystem. But the November 2018 International Consortium of Investigative Journalists’ ‘Implant Files’ series on the medical device industry highlights just how important it is to manage risk in tandem. Learn more about balancing innovation with risk management in our latest BDO Health & Life Sciences blog.

The adoption of connected devices—the so-called Internet of Things (IoT)—in healthcare presents an important opportunity to dramatically improve the quality and efficiency of care for patients.

The market for healthcare IoT is booming, poised to reach $177 billion by 2020. With such great potential, however, come higher guardrails in the form of increased regulatory scrutiny in two key areas: cybersecurity and the False Claims Act (FCA).

FDA Cybersecurity Guidance for Medical Devices

In January 2016, the FDA issued draft guidance concerning the post-market cybersecurity of medical devices, recognizing that vulnerabilities in those devices could present risks to patient safety and to the effectiveness of the devices. The guidance outlines several important pre-market considerations:
  • Identifying assets, threats and vulnerabilities;
  • Assessing the impact of threats and vulnerabilities on device functionality and patients;
  • Assessing the likelihood of a threat and of exploits affecting devices;
  • Determining risk levels and outlining effective mitigation strategies; and
  • Assessing residual risk and risk acceptance criteria.
The guidance also addresses key post-market considerations to mitigate vulnerabilities that could permit the unauthorized access, modification, misuse or denial of use, or unauthorized use of information accessible via the device:
  • Monitoring cybersecurity information sources for identification and detection of vulnerabilities and risks;
  • Assessing and detecting the presence and impact of a vulnerability;
  • Establishing and communicating protocols for vulnerability intake and action;
  • Defining essential clinical performance in order to develop controls that protect against, respond to and recover from cybersecurity risk;
  • Adopting a multidisciplinary vulnerability disclosure policy and practice; and
  • Deploying controls that address cybersecurity before a vulnerability can be exploited.

Real Life Impacts

The messy situations St. Jude Medical and Johnson & Johnson find themselves in should serve as warnings to the industry regarding the impact of cybersecurity concerns.

In a real-life claim that parallels television fiction, Muddy Waters Capital, an investor with a short position in St. Jude Medical, accused the medical device company of selling pacemakers and defibrillators that are vulnerable to cyber-attack. Muddy Waters claimed that St. Jude hadn’t met certain conditions outlined in FDA guidance and would have to recall the vulnerable devices and submit the updated devices for new FDA approval. Those unproven allegations were costly for St. Jude: its stock price took a dive even before the FDA investigated the claims. (The FDA announced an investigation shortly thereafter, but noted in a statement that, based on information obtained to date, patients could continue using the devices as directed by their physicians and that “the benefits of the devices far outweigh any potential cybersecurity vulnerabilities,” as reported by Reuters.)

And in October, Johnson & Johnson made public a vulnerability in its insulin pumps that could theoretically be exploited by hackers. Although there had been no reported attacks on the pumps, the announcement made front-page news.

The Evolution of the False Claims Act

In June 2016, in a highly anticipated decision, the Supreme Court widened the net for whistleblowers in healthcare by upholding the “implied false certification” theory of liability under the FCA, a statute that sets out both to prevent the defrauding of the government and to penalize those who commit such fraud. Under the theory, a Medicaid payment request is treated as an “implied certification of compliance” with pertinent statutes, regulations or contract requirements—including those related to cybersecurity—that are material to the conditions of payment. Notably, the Court defined “material” broadly as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.”

The decision set a precedent for future false claims cases. What matters most now is not how a state or federal government labels the relevant laws or requirements for payment, but whether the defendant knowingly violates a condition it knows to be material to the Medicaid payment decision. Failure to disclose such violations could expose healthcare organizations to liability for non-compliance with the FCA.

Key Takeaways

Typical examples of false claims include improper billings, paying physicians for referrals or kickbacks, ghost patients, up-coding of services, and services billed but not rendered. But the reach of the FCA has expanded considerably since its inception, and the recent Court decision and FDA guidance are only speeding up that process.

Viewed through the cybersecurity lens, if an organization bills for services rendered but those services do not comply with applicable security requirements—or if it is aware of a potential vulnerability but fails to disclose it—the organization might be deemed non-compliant with the FCA. For an FDA-regulated medical device manufacturer, the consequences could also include a costly device recall and having to resubmit the device for FDA approval.

Although the federal administration’s new regulatory and cybersecurity policies are still developing, additional regulation would not be unexpected given the relentless number of cyber-attacks on healthcare organizations and their potentially devastating impact.

In this environment, medical device manufacturers should carefully consider their potential exposure to liability under the FCA. Moreover, to the extent that a healthcare provider is responsible for the maintenance and upkeep of biomedical equipment, medical devices or, in cases, patient implantable devices—all of which are vulnerable to breaches—the provider could also be subject to the FCA.

Patrick Pilch, CPA, MBA is a Managing Director and the National Leader for The BDO Center for Healthcare Excellence & Innovation. He can be reached at


Return to BDO Knows Healthcare Newsletter - Winter 2017