By Devin Partida, Editor-in-Chief, ReHack.com
Software defects in clinical information technology (IT) systems present a growing legal risk. They can cause patient harm or data breaches, leading to lawsuits. What can health care and IT professionals do to manage this risk?
The Labyrinth of Liability in Clinical IT
In the 1980s, software faults in the Therac-25 radiation therapy machine, among them a race condition in its control program, combined with the removal of the hardware interlocks that earlier models had relied on, caused patients to receive massive radiation overdoses. Six accidents were documented between 1985 and 1987, and several of the patients died. Since then, medical software regulation has evolved considerably, and as clinical care is digitized further, the rules are becoming increasingly strict.
Defining Software Liability and Negligence
Courts are generally hesitant to categorize intangible software and artificial intelligence systems as products. However, the organizations that produce and deliver software have been held liable for defects in it.
Bugs that cause harm or expose protected health information (PHI) are often at the center of these cases. Typically, it is not enough for a plaintiff to show that a bug produced an error; to prove negligence, they must also establish how and why it occurred.
Even if a software error is accidental, a facility may still be liable for the resulting data breach or patient harm. Technical faults trace back to misconfigurations, design errors, security gaps and implementation mistakes, and where such an origin can be shown, it may indicate negligence at the design or planning stage.
Outlining the Challenge of Determining Liability
Determining liability for defects is complex. Usually, the plaintiff must demonstrate that the defendant owed them a duty of care, that the defendant’s conduct fell below the standard of care and that this violation caused the injury. However, making these determinations is difficult because the development and distribution ecosystem is vast.
How can those suing demonstrate their injury was foreseeable if they cannot see into the black box of AI decision-making? Historically, tort law has adapted to meet such technological changes, suggesting that the liability risk for software and AI systems will also evolve.
How the Courts View Software Liability
Courts typically allocate liability between the product’s user and the company that produced it. However, the chain of responsibility is complex and extends beyond traditional IT boundaries. Developers, software and device manufacturers, cloud providers and patient-facing organizations each bear some responsibility for product safety, code quality, configuration or implementation.
A case review from the Stanford Institute for Human-Centered Artificial Intelligence found courts often do not distinguish AI from traditional software, raising the risk that cases about one will impact the other, even if the underlying systems are fundamentally distinct.
What Bugs Could Become Lawsuits?
While courts do not often distinguish between kinds of software, the kind of bug does matter. Whether a defect impairs a physical device’s function or allows unauthorized access to a sensitive system shapes both the tangible damages (injury, cost of remediation) and the intangible ones (loss of privacy, loss of trust).
In 2022, the Department of Veterans Affairs (VA) and medical records company Cerner were affected by a software bug that mixed up patient records. The VA was forced to temporarily revert to paper records to rectify the situation. Several veterans eventually sued these entities because the delay prevented them from receiving treatment.
Bugs often impact information systems. However, they can also adversely affect dosage parameters, lab result routing, alert thresholds and medical device operation. Those impacting wearables and implantables are emerging risks.
In 2024, a defect in a companion smartphone app for an insulin pump harmed at least 224 patients with diabetes. The app crashed and relaunched repeatedly, and the constant reconnection rapidly drained the pump’s battery, causing pumps to shut down unexpectedly. No deaths were reported, but an interrupted insulin supply can be fatal.
A Practical Risk Mitigation Framework
Developers, quality assurance testers, system administrators and IT professionals building and managing clinical IT systems must follow a risk mitigation framework to help ensure patient safety and minimize liabilities.
Developing a Legal Strategy
An expert attorney can identify potential risks and develop practical mitigation strategies to ensure compliance with local, state and federal laws regulating software and patient data. They can also help hospitals create internal policies that adhere to legal standards, thereby preventing statutory sanctions, such as fines or imprisonment, and lawsuits.
Implementing Quality Assurance
Quality assurance has to cover both functional defects and security gaps. Preventing attackers from compromising PHI is crucial: among all industries, health care sees one of the highest average data breach costs, at $10.92 million per incident. Rigorous testing and robust quality assurance processes are time-consuming, but they are nonnegotiable.
Establishing Vendor Agreements
Having clear contractual agreements with software vendors can help patient-facing companies manage their liability. Agreements should outline the need for robust technical documentation, sufficient communication and proper configuration. Indemnification clauses and insurance requirements are essential.
The Importance of Prioritizing Patients
Software is intangible and clinical IT environments are expansive, complicating liability management. Working with legal counsel can help decision-makers navigate these intricacies and get more time to prioritize patient safety without risking noncompliance.