Pacemakers, defibrillators are potentially hackable

Heart devices that use software or wireless communications may be vulnerable to hacker attacks that could cause life-threatening malfunctions, U.S. cardiologists say.

Medical devices have been targets of hacking attacks for over a decade, physicians note in a paper published in the
Journal of the American College of Cardiology. The increasing popularity of devices using software and wireless communications has created a rising risk that hackers might reprogram devices to make them work improperly, interrupt the relay of information needed for doctors to monitor patients remotely, or prematurely drain the batteries, cardiologists write.

“Most of these are theoretical risks,” said Dr. Dhanunjaya Lakkireddy of the University of Kansas Hospital in Kansas City, the senior author of the paper.

“There has not been a documented case of a cardiac device hacked in a real patient,” Lakkireddy said by email. “Someone actually blocking or altering the performance of medical devices to harm a patient is only limited to TV series and movies at this point.”

With implanted cardiac devices, U.S. regulators have warned manufacturers about the vulnerability of remote monitoring and the potential for communications to be interrupted or delayed or for cybersecurity breaches to lead to malfunctions and battery drainage, cardiologists note.

For pacemakers that help the heart pump the right way, there’s a concern that hacking might result in sudden irregular heart rhythm that could be fatal.

Defibrillators that are implanted to prevent deaths from cardiac arrest are also vulnerable to hacking and could deliver unnecessary shocks to the heart or fail to respond with need shocks.

The only sure-fire way to reduce the risk of hacking is to use devices that aren’t designed to permit remote software updates or wireless communications. But patients benefit from these technologies because the remote access can make devices work better and allow for updates and adjustments without repeat surgery.

“The risk associated with medical complications resulting from not using the medical device outweighs the risk of the device being maliciously hacked,” said Ali Youssef, principal mobility architect in information technology at the Henry Ford Health System in Detroit.

Privacy a bigger worry

In reality, privacy should be a bigger worry than the potential for hackers to manipulate devices to intentionally harm patients, Youssef, who wasn’t involved in the paper, said by email.

“The biggest threat to patients is hackers intercepting, and modifying data going to or coming from a medical device,” Youssef added. “If this is undetected by the cybersecurity staff, it can have an impact on the patient record and ultimately lead to unnecessary procedures or medication prescriptions.”

It may never be possible to make implanted medical devices completely impervious to hackers, and doctors should discuss this risk with patients, said Richard Sutton of the National Heart & Lung Institute and Imperial College London in the UK.

“The connectivity of devices has been a huge positive revolution in the care of these patients,” Sutton, who wasn’t involved in the paper, said by email. “To remove this now would be putting back the clock.”

A computer virus may be a more likely threat than a malicious hacker effort, noted Kevin Fu, a researcher in electrical engineering and computer science at the University of Michigan in Ann Arbor.

“Although hacking cardiac implants was demonstrated a decade ago, I’m more concerned about boring things like an old computer virus that unintentionally shuts down global operations of remote cardiac telemetry for hundreds of thousands of patients at once,” Fu, who wasn’t involved in the paper, said by email.

While limiting remote interactions with implantable cardiac devices might minimize any risk of security breaches, the lack of evidence to date that hackers have directly harmed patients dictates that doctors focus instead on the numerous health benefits of connected devices, cardiologists argue in the paper.

“Like with so many rapidly evolving technologies, we haven’t even conceived many of the ultimate advantages of connected implanted devices,” said Dr. David Armstrong of the University of Arizona College of Medicine in Tucson.

“Certainly, the ability for a patient and his or her clinician to monitor status continuously will yield many more opportunities to personalize care and will also likely reduce time to treatment of acute or chronic events,” Armstrong, who wasn’t involved in the paper, said by email.

“There is absolutely no cause for panic,” Armstrong continued. “The added stress from worrying about having your device medjacked likely increases your risk for a heart attack a whole lot more than the risk itself.”

  • Share the news on: