- Medical devices including pacemakers and implantable cardioverter-defibrillators could be at risk for hacking.
- Hacking can lead to battery depletion and oversensing, which inhibits the implantable device to perform as required.
- FDA has issued guidance to improve the cybersecurity of medical devices in both the pre-marketing and post-marketing stage.
Cardiovascular implantable electronic devices
and other medical devices may be at risk for hacking. Taking into account this
possibility, the American College of Cardiology's Electrophysiology Council
examined the potential risk of hacking to patients and put forward measures to
improve cybersecurity for medical devices. The study is published in
the Journal of the American College of Cardiology.
While there are no actual clinical reports of hacking or malware attacks affecting cardiac devices, recent studies have indicated that there is a possibility. The increasing use of software in the design and functioning of medical devices has made it necessary to protect these devices from harmful interferences including hacking. In theory, hackers deactivate features, alter the programming, delay or interrupt communication systems in medical devices. The reasons for hacking may include political, financial, social or personal motives and the devices may be hacked locally or remotely.
The Food and Drug Administration has issued guidance to improve cybersecurity of medical devices in both the pre-marketing and post-marketing stage. Legislative proposals related to medical device security have also been advanced in the U.S. Congress.
The hacking of a cardiac device for example can result in a number of possible clinical consequences.
- In case of patients with pacemakers, oversensing and battery depletion may be the major concerns of hacking. Oversensing may inhibit pacing and could result in life-threatening shocks. Battery depletion could make the device unable to deliver therapies during life-threatening arrhythmias.
- In the case of patients with implantable cardioverter-defibrillators (ICDs), hackers may be able to interrupt wireless communications, inhibiting the value of tele-monitoring by not allowing the system to detect any clinically relevant event.
While the study team looks forward to reduce the risks of potential hacking of medical devices by tightening cybersecurity, they do not promote patients and physicians to stop the use of medical devices when required.
"Given the lack of evidence that hacking of cardiac devices is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring," Lakkireddy said.
- Baranchuk A, et al. ACC panel: Hacking of cardiac devices possible but unlikely. Journal of the American College of Cardiology (2018). DOI: 10.1016/j.jacc.2018.01.023