Patients, physicians, regulators, manufacturers, and professional societies must make informed decisions based on new threats.
The takeaway from a new report on the threat that hacking poses to patients with implanted cardiology devices: The risk is there but not in the ways you might think. The American College of Cardiology’s Electrophysiology Council issued the document, with help from cardiologists from 9 institutions around the world, and it was published this week in the Journal of the American College of Cardiology.
"At this time, there is no evidence that one can reprogram a cardiovascular implantable electronic device or change device settings in any form," report author Dhanunjaya R. Lakkireddy, MD, said in a statement. But a bad actor doesn’t necessarily have to change how the device functions to cause a patient harm: They can do so by preventing it from working at all, either by crashing it or by draining its battery.
It’s been known for some time that the devices could fall prey to such meddling. In 2016, investment group Muddy Waters Research controversially demonstrated that implantable pacemakers from St. Jude Medical (since bought by Abbott) could be interfered with remotely. Muddy Waters’ intent was to profit by shorting the company’s stock, and no actual harm came to any patients with the devices.
Under FDA pressure, the company released an update to address the problem. That incident was later examined in a JAMA commentary that argued patients would have benefitted from better communication between regulators and manufacturers.
“Based on research into failure modes, this is not a problem restricted to Abbott,” the authors found, however. Really, the risks exist for any medical device that connects to the internet. Other devices, like insulin pumps made by Johnson & Johnson and Medtronic, have also been shown to be susceptible to remote interference.
“The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low,” the report states. But targeted attacks are not the only risk presented by internet-enabled cardiac devices. “A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication.”
Because of the risks, new cardiology devices must be designed with cybersecurity in mind, the authors wrote. Good pre- and post-market protocols must be in place to address vulnerabilities, which can be discovered and exploited very quickly. Physicians who manage patients that use cardiac implants must also remain aware of the ever-changing risk landscape.
While the Electrophysiology Council recommends no additional monitoring or device replacement at the moment, it concludes that it’s on manufacturers, patients, physicians, professional societies, and regulators alike to make careful, informed decisions and adjustments.
“This is an evolving area of medical care and legal regulation, which will continue to progress rapidly,” the report concludes. “We should all stay tuned.”