Pacemakers, defibrillators are potentially hackable

Heart devices that use software orwireless communications may be vulnerable to hacker attacks thatcould cause life-threatening malfunctions, U.S. cardiologistssay.

Medical devices have been targets of hacking attacks forover a decade, physicians note in a paper published in the
Journal of the American College of Cardiology.

The increasingpopularity of devices using software and wireless communicationshas created a rising risk that hackers might reprogram devicesto make them work improperly, interrupt the relay of informationneeded for doctors to monitor patients remotely, or prematurelydrain the batteries, cardiologists write.

"Most of these are theoretical risks,"said Dr. DhanunjayaLakkireddy of the University of Kansas Hospital in Kansas City,the senior author of the paper.

"There has not been a documented case of a cardiac devicehacked in a real patient," Lakkireddy said by email. "Someoneactually blocking or altering the performance of medical devicesto harm a patient is only limited to TV series and movies atthis point."

With implanted cardiac devices, U.S. regulators have warnedmanufacturers about the vulnerability of remote monitoring andthe potential for communications to be interrupted or delayed orfor cybersecurity breaches to lead to malfunctions and batterydrainage, cardiologists note.

For pacemakers that help the heart pump the right way,there's a concern that hacking might result in sudden irregular heart rhythm that could be fatal.

Defibrillators that are implanted to prevent deaths fromcardiac arrest are also vulnerable to hacking and could deliver unnecessary shocks to the heart or fail to respond with needshocks.

Although hacking cardiac implants was demonstrated a decadeago, I'm more concerned about boring things like an old computervirus that unintentionally shuts down global operations ofremote cardiac telemetry for hundreds of thousands of patientsat once.-Kevin Fu

The only sure-fire way to reduce the risk of hacking is touse devices that aren't designed to permit remote softwareupdates or wireless communications. But patients benefit fromthese technologies because the remote access can make deviceswork better and allow for updates and adjustments without repeatsurgery.

"The risk associated with medical complications resultingfrom not using the medical device outweighs the risk of thedevice being maliciously hacked,"said Ali Youssef, principalmobility architect in information technology at the Henry FordHealth System in Detroit.

Privacy a bigger worry

In reality, privacy should be a bigger worry than thepotential for hackers to manipulate devices to intentionallyharm patients, Youssef, who wasn't involved in the paper, saidby email.

"The biggest threat to patients is hackers intercepting, andmodifying data going to or coming from a medical device," Youssef added. "If this is undetected by the cybersecuritystaff, it can have an impact on the patient record and ultimately lead to unnecessary procedures or medicationprescriptions."

It may never be possible to make implanted medical devicescompletely impervious to hackers, and doctors should discussthis risk with patients, said Richard Sutton of the NationalHeart & Lung Institute and Imperial College London in the U.K.

"The connectivity of devices has been a huge positiverevolution in the care of these patients,"Sutton, who wasn't involvedin the paper, said by email. "To remove this now wouldbe putting back the clock."

A computer virus may be a more likely threat than amalicious hacker effort, noted Kevin Fu, a researcher inelectrical engineering and computer science at the University ofMichigan in Ann Arbor.

"Although hacking cardiac implants was demonstrated a decadeago, I'm more concerned about boring things like an old computervirus that unintentionally shuts down global operations ofremote cardiac telemetry for hundreds of thousands of patientsat once,"Fu, who wasn't involved in the paper, said by email.

While limiting remote interactions with implantable cardiacdevices might minimize any risk of security breaches, the lackof evidence to date that hackers have directly harmed patientsdictates that doctors focus instead on the numerous healthbenefits of connected devices, cardiologists argue in the paper.

"Like with so many rapidly evolving technologies, we haven'teven conceived many of the ultimate advantages of connectedimplanted devices,"said Dr. David Armstrong of the Universityof Arizona College of Medicine in Tucson.

"Certainly, the ability for a patient and his or herclinician to monitor status continuously will yield many more opportunities to personalize care and will also likely reducetime to treatment of acute or chronic events," Armstrong, whowasn'tinvolved in the paper, said by email.

"There is absolutely no cause for panic,"Armstrongcontinued. "The added stress from worrying about having yourdevice medjacked likely increases your risk for a heart attack awhole lot more than the risk itself."