- Medical devices including pacemakers and implantable cardioverter-defibrillators could be at risk for hacking.
- Hacking can lead to battery depletion and oversensing, which prevent the implantable device from performing as required.
- FDA has issued guidance to improve the cybersecurity of medical devices in both the pre-marketing and post-marketing stage.
Cardiovascular implantable electronic devices
and other medical devices may be at risk for hacking. Taking into account this
possibility, the American College of Cardiology's Electrophysiology Council
examined the potential risk of hacking to patients and put forward measures to
improve cybersecurity for medical devices. The study is published in
the Journal of the American College of Cardiology.
While there are no actual clinical reports of hacking or malware attacks affecting cardiac devices, recent studies have indicated that there is a possibility. The increasing use of software in the design and functioning of medical devices has made it necessary to protect these devices from harmful interference, including hacking. In theory, hackers could deactivate features, alter the programming, or delay or interrupt communication systems in medical devices. The reasons for hacking may include political, financial, social or personal motives, and the devices may be hacked locally or remotely.
‘Medical devices such as cardiovascular implantable electronic devices may be at risk for hacking, reveals recent study.’
The Food and Drug Administration has issued
guidance to improve cybersecurity of
medical devices in both the pre-marketing and post-marketing stage. Legislative proposals related to
medical device security have also been advanced in the U.S. Congress.
How hacking may affect the performance of medical
The hacking of a cardiac device, for example, can result in a number of possible clinical consequences.
- In the case of patients with pacemakers, oversensing and battery depletion may be the major concerns of hacking. Oversensing may inhibit pacing and could result in life-threatening shocks. Battery depletion could make the device unable to deliver therapies during life-threatening arrhythmias.
- In the case of patients with implantable cardioverter-defibrillators (ICDs), hackers may be able to interrupt wireless communications, inhibiting the value of tele-monitoring by not allowing the system to detect any clinically relevant event.
"At this time, there is no evidence that
one can reprogram a cardiovascular implantable electronic device or change
device settings in any form," said Dhanunjaya R. Lakkireddy, MD, professor
of medicine at the University of Kansas Hospital, a member of the
Electrophysiology Council and the corresponding author of the paper.
"The likelihood of an individual hacker successfully affecting a
cardiovascular implantable electronic device or being able to target a specific
patient is very low. A more likely scenario is that of a malware or ransomware
attack affecting a hospital network and inhibiting communication."
While the study team aims to reduce the risks of potential hacking of medical devices by tightening cybersecurity, they do not encourage patients and physicians to stop using medical devices.
"Given the lack of evidence that hacking
of cardiac devices is a relevant clinical problem, coupled with evidence of the
benefits of remote monitoring, one should exercise caution in depriving a
patient of the clear benefit of remote monitoring," Lakkireddy said.
- Baranchuk A, et al. ACC panel: Hacking of cardiac devices possible but unlikely. Journal of the American College of Cardiology (2018). DOI: 10.1016/j.jacc.2018.01.023