Pacemakers, other devices at risk for hacking, study says

Life-saving medical devices such as pacemakers and insulin pumps are incredibly vulnerable to hacking by fraudsters who could blackmail victims, a new study warns.

With the growing number of medical devices that rely on software in the past decade, there has been an increase in concern for the security of these tools and their networks.

The need for rules regarding the vulnerability of these devices became especially apparent in 2016 after a defect in a batch of pacemakers made by St Jude Medical resulted in two deaths.

The American College of Cardiology’s Electrophysiology Council warned of the potential risks to patients whose health is reliant on these devices in a report published Tuesday.

With the increasing use of medical devices that rely on software, such as pacemakers (pictured), there’s been an increased focus on protecting devices from hacking

While there have been no clinical reports of intentional or accidental hacking of cardiac devices, a growing body of research reveals there is a possibility that attacks could occur.

Many medical devices use software to store information and regulate bodily functions. A common example is pacemakers, which supervise heart rate and detect abnormalities. 

Other devices that use information technology systems include drug delivery systems such as insulin pumps and implantable medical devices such as defibrillators, cochlear implants and neuro-stimulators. 

Security experts fear that if individuals are able to hack into the systems that control these devices, they could interrupt their functioning or blackmail victims by threatening to interfere with it.

Hacking could include interfering with device communication, altering programming, deactivating features and depleting battery.

US government officials began investigating the security of medical devices in 2016 after a batch of pacemakers made by St Jude Medical ran out of battery three months before they were supposed to, leading to at least two deaths.

The devices were found to have had a rare defect that caused them to fail much earlier than expected.

The allegations underscored the need for clear government rules on identifying and preventing security vulnerabilities in medical equipment.

Efforts to protect against hacking should be focused on manufacturing, according to Dhanunjaya R. Lakkireddy MD, professor of medicine at the University of Kansas Hospital, a member of the Electrophysiology Council and the corresponding author of the paper released Tuesday.

‘True cybersecurity begins at the point of designing protected software from the outset, and requires the integration of multiple stakeholders, including software experts, security experts and medical advisors,’ Dr Lakkireddy said. 

The Food and Drug Administration has issued pre-market and post-market guidance for securing medical devices, but a 2017 study found almost half of manufacturers were not following that advice.

The study by security company Synopsis also found that only 17 percent of device manufacturers and health organizations took steps to secure equipment. 

Worldwide around three million patients have pacemakers – with many depending on them to stay alive. 

In patients with pacemakers, hacks can interfere with the device’s monitoring system and allow certain heart events like arrhythmias to go unnoticed, or they can cause over-sensing, which could result in unnecessary, life-threatening shocks.

Hacking can also speed up battery depletion, which would prevent the device from delivering necessary therapies during cardiac events. 

The council said that while there is a possibility of hacking, there is not enough evidence to signal a need for enhanced monitoring, replacing devices already in use or stopping new patients from getting them.

‘The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low,’ Dr Lakkireddy said.

‘Given the lack of evidence that hacking of cardiac devices is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring,’ he said. 

However, the council is adamant that both manufacturers and physicians need to be paying attention to the possibility of hacking because vulnerabilities could emerge quickly. 

‘Physicians who manage cardiac devices should be aware of both documented and possible cybersecurity risks,’ the American College of Cardiology report said.

‘Systems should be established to communicate updates in these areas quickly and in an understandable way to the rest of the clinical team that manage patients with devices.’