Cardiac medical devices could be at risk to hacking

Medical devices, including cardioverter defibrillators and pacemakers, could be at risk to hacking and potential cause life-threatening events, according to a study published online Feb. 20 in the Journal of the American College of Cardiology.

Though no known cases of malicious hacking or malware attack on cardiac devices exist, reports confirmed the possibility of such events. In this study, the American College of Cardiology (ACC)'s Electrophysiology Council examined the current risk to medical devices and outlined recommendations to improve cybersecurity.

"True cybersecurity begins at the point of designing protected software from the outset, and requires the integration of multiple stakeholders, including software experts, security experts and medical advisors," said Dhanunjaya R. Lakkireddy MD, a professor of medicine at the University of Kansas Hospital and the corresponding author.

Hacking into a patient’s cardiovascular medical device can create many problems. Patients with pacemakers are mainly concerned with the oversensing of battery depletion. Those with implantable cardioverter-defibrillators (ICDs) fear a disruption in wireless communications allowing clinical events to occur undetected.

"At this time, there is no evidence that one can reprogram a cardiovascular implantable electronic device or change device settings in any form," Lakkireddy said. "The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low. A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication."

Recommendations to the improvement of cybersecurity by the council included monitoring the environment for new vulnerability to respond in an efficient manner, utilizing firmware in devices with possible vulnerabilities, raising awareness in physicians about device risk and establishing systems of communication for updates.

"Given the lack of evidence that hacking of cardiac devices is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring," Lakkireddy said.