Can implantable CV devices be hacked?
Implantable medical devices—from pacemakers to cardioverter-defibrillators to neurostimulators—are on the rise, but their popularity in clinical practice means they’re also a prime target for ill-intentioned hackers, a trio of doctors reported in Trends in Cardiovascular Medicine in November.
Cybersecurity is a concern for implantable electronic devices (IEDs) because an increasing number of medical devices now contain embedded computer systems that are connected to shared networks, known as the “Internet of things” (IOT), first author Bryce Alexander, MD, and colleagues at Queen’s University said.
“There are obvious benefits to these devices, such as rapid clinical information transmittal from patients to clinicians and real-time therapy management that can improve patient care,” the authors wrote. “However, the existence of these networks may put patients at risk for cybersecurity vulnerabilities related to information and device function security. All devices with embedded computer networks within the IOT, not just medical devices, may be vulnerable.”
The FDA has issued a total of six IED-related cybersecurity warnings to date, the first of which was triggered by a May 2015 report of possible vulnerabilities in the Hospira LifeCare infusion pump system. In that case, independent researchers found unauthorized users could use software code to access the pump remotely, modifying the dosage delivered and leading to under- or over-infusion of various drugs. In the most recent incident, in August 2018, an outside security firm reported that a whole family of Medtronic insulin pumps was vulnerable to cybersecurity breaches.
But Alexander et al. said we might have the most to learn from a 2016 case involving St. Jude Medical (now Abbott) pacemakers. The initial report, released by investment firm Muddy Waters Capital LLC and research company MedSec, indicated that through a combination of undisclosed radio traffic, pacemakers could in some cases become completely unresponsive to the Merlin@home system, causing them to crash. Another vulnerability, if exposed, would allow unauthorized users to modify programming commands to the device’s transmitter, possibly causing patients to experience inappropriate pacing or shocks.
The FDA approved an Abbott-designed firmware upgrade to fix the issue in 2017, but the three-minute installation came with its own risks—a potential loss of device function, loss of programmed settings and the possibility that patients would become symptomatic during the upgrade, at which point the pacemaker could temporarily change its mode of pacing.
Alexander and colleagues said the FDA advised physicians to talk to their patients about the cybersecurity vulnerabilities and weigh with them the risks and benefits of undergoing the firmware upgrade.
“Given that there have been no known reports of patient harm associated with cybersecurity vulnerabilities in the Abbott pacemakers and a small but real quoted risk of possible complications, it was difficult for physicians to know how to counsel patients with the minimal data existing at the time,” the authors wrote. “Since then, additional data have been collected regarding patient and physician attitudes toward the upgrade and complication rates.”
One study of 10,854 patients with affected Abbott pacemakers found just a quarter elected to proceed with the upgrade, while a Canadian study of 155 patients found just 3.9 percent of the pool chose the same thing. Younger patients, men and those with more recent implant dates were most likely to opt for the update, probably due to a greater time-dependent exposure to risk.
The authors said several medical societies have issued statements on the possibility of cybersecurity breaches in IEDs, including the American College of Cardiology and the Heart Rhythm Society. But aside from an ACC-led attempt to review cybersecurity needs in pre- and post-market settings—a method that’s currently used by the FDA—those statements largely stick to “encouraging” physicians to weigh risks and benefits, remain vigilant and maintain an open, individualized dialogue with their patients.
Still, Alexander and co-authors wrote, there have never been reports of patient harm connected to these cybersecurity cases despite vulnerabilities affecting hundreds of thousands of devices. So while we can say with certainty that IEDs are hackable, they’re hackable “only in specific cases of extremely narrow and difficult-to-reproduce circumstances that are unlikely to lead to patient harm.”
“Despite increasing attention to cybersecurity issues by manufacturers and regulators it is probable that more events such as the ones described above will occur in the near future,” the team said. “It is important for physicians to be knowledgeable about the risks in this field, as well as the steps that can be taken to mitigate these risks, so they can provide effective and accurate advice to their patients.”