Likelihood of cardiac devices being hacked is low—but stakeholders should remain vigilant

The clinical benefit patients gain from remote monitoring with implantable electronic devices far outweighs the risk of the devices being hacked, according to a Feb. 20 paper published by the American College of Cardiology’s Electrophysiology Council.

Any device connected to the internet has the potential to be hacked, the authors noted, but so far there are no examples of a cardiovascular implantable electronic device being reprogrammed by a hacker.

“Given the lack of evidence that hacking of cardiac devices is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring,” wrote corresponding author Dhanunjaya R. Lakkireddy, MD, a professor of medicine at the University of Kansas Hospital, and colleagues.

But that’s not to say cybersecurity shouldn’t remain a concern for these devices.

Potential safety issues could arise with pacemakers and implantable cardioverter-defibrillators if there were an interruption in wireless communication or sudden battery depletion, Lakkireddy et al. noted. Both could compromise the devices’ ability to detect arrhythmias and provide appropriate pacing or shocks, some of which are life-saving. Another possibility is the devices could become oversensitive and provide too many shocks, which also could lead to adverse outcomes including death.

“[However,] the likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low,” the authors wrote. “A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication.”

This could lead to delays in treatment, particularly for patients in rural areas, Lakkireddy and colleagues pointed out. They added cybersecurity should be addressed both during product testing and after devices go to market.

“The possible future effect of this issue is immense,” the Electrophysiology Council wrote. “The FDA, manufacturers, and professional societies like the American College of Cardiology and Heart Rhythm Society are actively participating in larger conversations regarding overall risks and how to best protect patients and provide the most effective care. This is an evolving area of medical care and legal regulation, which will continue to progress rapidly. We should all stay tuned.”