Personal cardiac medical devices could be hacked

Charlotte Edwards 22 February 2018 (Last Updated February 22nd, 2018 12:12)

Individual patient medical devices including cardiovascular implantable electronic devices could be at risk of hacking, according to the American College of Cardiology’s Electrophysiology Council.

Personal cardiac medical devices could be hacked
Hackers could interrupt the wireless communications of implanted cardioverter-defibrillators such as this one. Credit: Medtronic

Individual patient medical devices including cardiovascular implantable electronic devices could be at risk of hacking, according to the American College of Cardiology’s Electrophysiology Council.

The researchers set out the potential risk to patients who require medical technology, suggested ways to improve cybersecurity for patients and offered advice to physicians in a recent paper.

To date there have been no clinical reports of malicious, inadvertent or malware hacking attacks affecting cardiac devices but other medical devices have been targeted.

Dhanunjaya R. Lakkireddy, MD, professor of medicine at the University of Kansas Hospital and member of the Electrophysiology Council, said: “True cybersecurity begins at the point of designing protected software from the outset, and requires the integration of multiple stakeholders, including software experts, security experts and medical advisors.”

Hackers may target medical devices for several reasons including political, financial, social and personal motives. Devices can be hacked locally or remotely and both personal devices and larger medical machinery, such as CT scanners, are at risk.  The FDA has issued both pre-market and post-market guidance for the security of medical devices and legislative proposals related to medical device security have been advanced in the US Congress.

Medical devices have been targets of hacking for over a decade. The increasing number of medical devices using software has increased the need to protect devices from intentionally harmful interference. Advanced wireless communications between healthcare providers and patients’ devices has created the theoretical possibility for the deactivation of features, the alteration of programming, and the delaying, interfering or interrupting of communications.

Hacking a cardiac device specifically could have numerous clinical consequences. Patients with pacemakers could be at risk of hackers causing the oversensing or battery depletion of their device. For patients with implantable cardioverter-defibrillators, it is possible for hackers to interrupt wireless communications, inhibiting the value of telemonitoring and allowing any clinically relevant events to go undetected by the system. Oversensing—when electrical signals in a pacemaker are inappropriately recognised as native cardiac activity and pacing is inhibited—can inhibit pacing or cause life-threatening shocks. Battery depletion can lead to a device being unable to deliver therapies during life-threatening arrhythmias.

However, there is currently no evidence to suggest that hackers have or could successfully reprogram a cardiovascular implantable electronic device. Therefore the council members said they do not feel that enhanced monitoring or elective device replacement is necessary at this time.

Lakkireddy said: “The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low. A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication.”

The council concluded that cybersecurity needs to be addressed during product testing both pre- and post-market. Because cyber vulnerabilities can emerge quickly, strong post-market processes must be in place to monitor the environment for new vulnerabilities and to respond in a timely manner. They suggest that firmware may be useful in devices with possible vulnerabilities.