HRS: How to counsel patients on cardiac device cybersecurity

Issue: June 2018

BOSTON — As the potential for cybersecurity vulnerabilities of cardiac implantable electronic devices continues to be a concern, the Heart Rhythm Society released a proceedings statement advising clinicians how to communicate with patients if a cybersecurity threat to their cardiac device has been identified.

“The Heart Rhythm Society (HRS) has identified a gap in clinician-patient communication about the appropriate balance of the risks of such a potential attack against the benefits of life-saving medical devices. To address these communication gaps, HRS convened a 1-day summit in November 2017, in partnership with the [FDA],” David J. Slotwiner, MD, FHRS, from NewYork-Presbyterian Hospital/Queens, and colleagues wrote. “This proceedings statement is based upon the four communication themes that emerged from the discussion: when to notify patients, whom to notify, how to communicate with patients, and key elements to discuss with patients.”

A coordinated strategy

If a threat is validated by the manufacturer of the device, “the manufacturer and FDA, in concert with medical experts and cardiovascular societies, may then work together to develop a strategy to manage and communicate it to stakeholders,” the authors wrote. “This approach avoids unnecessary alarm over threats that prove to be unfounded; and when it is a real threat, it provides stakeholders with guidance from experts on how to best respond.”

During a discussion of the new statement at the HRS Annual Scientific Sessions, Matthew Hazelett, BSBME, a biomedical engineer at the FDA, said a coordinated disclosure process “helps to ensure that all messages are in alignment, minimizes patient fear and uncertainty and avoids shining a light on vulnerabilities before mitigation is available.”

Key elements for discussion with patients

According to the statement, once a clinician has been alerted, he or she should communicate the issue in an individualized manner to affected patients and cover the following topics:

Potential consequences if the vulnerability is exploited;
Strategies to mitigate the risks;
Risks associated with a software or firmware update;
Technical challenges to exploit the vulnerability;
Long-term solutions to eliminate the threat; and
Benefits provided by the implantable device compared with the risk if the vulnerability is exploited.

“As we look ahead and plan for ways to deal with potential risks to [implantable cardiac devices], preparedness is the best approach,” Slotwiner said in a press release. “Like other technology such as smartphones or computers, device software needs to be regularly updated. As health care professionals, we are inclined to first address hardware issues with the battery or leads, but the software is equally important. The health care community must reach a point where routine software updates are considered the standard of care to minimize the risks.”

The FDA believes that with the advent of these measures, “awareness, education and communications surrounding cybersecurity will continue to grow in the clinical and patient communities,” Hazelett said in his presentation. – by Erik Swain

References:

Hazelett M. Special Session B-SP09 – Cybersecurity and Implantable Medical Devices: Cybersecurity Vulnerabilities of Cardiovascular Implantable Electronic Devices. Presented at: Heart Rhythm Society Annual Scientific Sessions; May 9-12, 2018; Boston.

Slotwiner DJ, et al. HeartRhythm. 2018;doi:10.1016/j.hrthm.2018.05.001.

Disclosures: Hazelett and Slotwiner report no relevant financial disclosures.