Terrorists get their hands on the serial number of the vice president’s pacemaker. Then, from a remote location, they hack into the device, delivering a series of shocks to bring on the heart attack that kills him. The storyline from the political drama Homeland—with shades of the 2013 news that former Vice President Dick Cheney’s cardiologist disabled the wireless capabilities on his pacemaker to prevent hacking—made for great television. But experts on implantable cardiac devices say it wasn’t exactly an accurate portrayal of their concerns about cybersecurity.
“There’s perhaps a lot of concern, but maybe we need to be more realistic of the likelihood of an actual attack,” says anesthesiologist Julian M. Goldman, MD, director of the Medical Device Interoperability Program at Massachusetts General Hospital and medical director of Biomedical Engineering for the Partners HealthCare System in Boston. “One has to look at the whole system and not just look at the implantable component.”
Television plotlines and prominent world leaders notwithstanding, the cybersecurity risks for implantable cardiac devices seem to be generally the same as those for other types of medical devices. A greater risk than hacking individual devices, experts say, is using the devices to connect to a larger network of health data. By breaking into these networks, hackers have held health systems hostage until ransoms—reportedly as high as $18,500—have been paid.
There’s concern that a hacker could break into a pacemaker and shock the patient because, even though it hasn’t been done, it could be—with a lot of effort, says Rob Maliff, director of the applied solutions group at ECRI Institute, which placed medical device cybersecurity on its 2016 hospital watch list. “But what we’re all realizing is that gaining access to other systems is really the more frequent attack.”
Cardiac devices & cybersecurity
In the 2008 paper, Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, researchers found that implantable cardiac devices were potentially susceptible to attacks that could expose patient information or even alter the devices’ settings (Proceedings of the 2008 Institute of Electrical & Electronics Engineers Symposium on Security and Privacy 2008;129-142). “We were working on an assumption at the time that these devices ought to have at least better security than a credit card,” says one of the authors, Kevin Fu, PhD, who is now director of the Archimedes Center for Medical Device Security at the University of Michigan. At the time, he says, they didn’t.
It wasn’t that cardiac devices were particularly susceptible to attacks compared with other medical devices, Fu says. It’s just that at the time they had been relatively unexplored from a computer security standpoint. Cardiac devices are one subset of thousands of medical devices, Fu says, and there’s no one-size-fits-all approach to device security. “They all have very specific risks and consequences,” he says. “There are bedside devices that are relatively innocuous that have greater consequences because of their sheer number.”
Among cardiologists, there’s a wish list of tools that could aid in their practice—a universal programmer for pacemakers, for instance—but appear impossible due to their potential cybersecurity risk, says Bradley Knight, MD, a cardiologist and medical director for the Center for Heart Rhythm Disorders at Northwestern Medicine in Chicago. “It would be great if you could remotely reprogram devices, but that’s where I think the safety risk comes up,” he says. “There’s an agreement that it would be too risky to remotely reprogram rather than just interrogate.”
Medical devices on the whole haven’t been subjected to the same risk mitigation scrutiny as information technology (IT) networks and electronic health record (EHR) systems, ECRI’s Maliff says. “The solutions or monitoring hasn’t been up to date,” he explains.
A cardiac monitoring system, such as an electrocardiograph, could serve as a vector for attacking the EHR system it’s connected to, Maliff says, though it isn’t known whether that has actually happened. But health systems have been victimized by ransomware attacks, in which hackers take control of EHR systems until they’re paid a ransom in Bitcoin.
The bottom line: when individual medical devices—cardiac devices or others—are connected to a larger network, Maliff says, “any one of them could be a threat.”
FDA guidance & what it means