This article is more than 5 years old. Information may no longer be current.
ACC panel: Hacking of cardiac devices possible but unlikely
Click Here to Manage Email Alerts
Medical devices such as defibrillators and pacemakers may be at risk for hacking, resulting in device reconfiguration and battery depletion, but the risks do not outweigh the benefits of the devices, according to a paper published in the Journal of the American College of Cardiology written by the ACC’s Electrophysiology Council.
Although the potential exists, hacking a cardiac device has not been successfully performed, according to the paper.
“At this time, there is no evidence that one can reprogram a cardiovascular implantable electronic device or change device settings in any form,” Dhanunjaya R. Lakkireddy, MD, FACC, FHRS, professor of medicine and director at the Center for Excellence in AF and Complex Arrhythmias in the division of cardiovascular diseases at The University of Kansas Medical Center in Kansas City, said in a press release. “The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low. A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication.”
Threats of care interference
Adrian Baranchuk, MD, FACC, FRCPC, professor and program director of electrophysiology in the division of cardiology at Queen’s University School of Medicine in Kingston, Ontario, Canada, and colleagues wrote that medical devices with advanced wireless communications provide an opportunity for hackers to interfere with care, as seen with drug infusion pumps and insulin pumps.
In 2016, a research firm released a report that the CV implantable electronic devices that were manufactured by St. Jude Medical, now part of Abbott, were at high risk for medical device hacking. The two types of breaches detailed in this report are a battery drain attack and a “crash attack,” which causes high-rate pacing. The firm also wrote that once the remote monitoring system was bombarded with radio traffic, it would be incapable of communication potential events.
Researchers tried to replicate the clinical harm detailed in the report, and although telemetry slowed down, device function was not affected.
“Although the weaknesses in the integrity of cybersecurity for medical devices is obvious, its perceived effect on patients’ safety by all ‘key players’ (device industry, software designers, security researchers, agencies and clinical health care providers) has not been the same,” Baranchuk and colleagues wrote.
Once a cardiac device has been hacked, battery depletion and oversensing may be caused. When the device detects noncardiac-related signals, it can induce periods of asystole, putting the patient at risk for syncope or sudden death, the panel wrote.
A hacker that operates within the same radiofrequency as a medical device has an opportunity to interrupt wireless communications and decrease the value of telemonitoring. Through this, clinically relevant events may go unnoticed by the system.
Addressing device security
Pre- and post-market guidance has been issued by the FDA that addresses medical device security, and legislative proposals related to this issue are currently in the U.S. Congress.
Medical device security should not only be addressed during development, but also through manufacture and post-implant monitoring. Firmware is beneficial for devices with known vulnerabilities.
“The fewer remote interactions with a device, the less chances exist for hackers to disrupt the communications,” Baranchuk and colleagues wrote. “However, given the lack of evidence that hacking is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring.” – by Darlene Dobkowski
Disclosures: Baranchuk and Lakkireddy are members of the American College of Cardiology’s Electrophysiology Section Leadership. Lakireddy also reports he has been a speaker for Biotronik, Janssen and Pfizer and received research grants from Biosense Webster and Bristol-Myers Squibb. Please see the full report for the other authors’ relevant financial disclosures.
Click Here to Manage Email Alerts