Hacking pacemakers is good TV, but is it for real?


hacker hacking cybersecurity hacking pacemakers

[Image from Unsplash]

Worry less about bad people hacking pacemakers and other cardiac devices. Worry more about them disrupting hospitals’ communications networks.

That’s the major message out of the American College of Cardiology’s Electrophysiology Council, which published an article about cardiac devices earlier this month in the Journal of the American College of Cardiology. 

The idea that hackers might target people’s implantable cardiac devices was popularized in a 2012 episode of the Showtime drama Homeland, in which terrorists hacked a fictional vice president’s pacemaker and killed him. Word eventually got out that former Vice President Dick Cheney had the wireless communications shut off on a defibrillator that implanted in him in 2007 during his final years in office.

During 2016, St. Jude Medical, now part of Abbott, experienced a public relations crisis when short-selling research outfit Muddy Waters claimed the company’s implantable cardiac devices had cybersecurity vulnerabilities. U.S. FDA in January 2017 issued a safety communication over the potential problems, with St. Jude automatically issuing a patch for its implantable cardiac devices and the Merlin@home transmitter. Months after it acquired St. Jude, Abbott issued further upgrades.

The American College of Cardiology’s Electrophysiology Council acknowledges that there are cyber vulnerabilities for pacemakers and ICDs with remote communications. Pacemakers, for example, are susceptible to hacking that causes oversensing or battery depletion. When it comes to ICDs, hackers could interrupt wireless communications.

However, there is no evidence that it is possible to reprogram a cardiovascular implantable electronic device or change device settings, said Dr. Dhanunjaya Lakkireddy, professor of medicine at the University of Kansas Hospital, a member of the Electrophysiology Council and the corresponding author of the paper.

“The likelihood of an individual hacker successfully affecting a cardiovascular implantable electronic device or being able to target a specific patient is very low. A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication,” Lakkireddy said in a news release.

Lakkireddy had even more colorful words for theheart.org | Medscape Cardiology: “The hypothetical scenario of a rogue hacker getting into someone’s device, turning off the pacemaker, or turning off the defibrillator capability, I think is just the soap-opera take on it. Other than that, I don’t think there’s any real substance to it.”

Electrophysiology Council members do not think enhanced monitoring or elective device replacement is presently necessary.

“Given the lack of evidence that hacking of cardiac devices is a relevant clinical problem, coupled with evidence of the benefits of remote monitoring, one should exercise caution in depriving a patient of the clear benefit of remote monitoring,” Lakkireddy said in the news release.





Want to stay on top of MDO content? Subscribe to our e-newsletter.

Speak Your Mind