NEW YORK, June 1 (UPI) — The millions of people in the United States fitted with pacemakers and insulin pumps need to remember that the devices that keep them healthy use software, meaning they are susceptible to hacking, experts told UPI.
Although the risk for cyberattacks on these personal medical devices is low, it is not zero, they said, which is why the Food and Drug Administration has recently updated its draft guidance on security considerations for them and plans to present them to industry leaders June 14.
Despite the “cybersecurity vulnerabilities” detected in devices made by Abbott when it was known as St. Jude Medical, no reports surfaced of any pacemakers actually being hacked, the FDA said at the time.
Still, the incident was a “fascinating lesson for us and really opened our eyes to the possibilities here,” Dr. David J. Slotwiner, a cardiologist and cardiac electrophysiologist, who treats patients fitted with implantable cardioverter-defibrillators and pacemakers, told UPI.
“Hacking is definitely something people with these devices need to be aware of and know that it is a possibility,” said Slotwiner, who is chief of cardiology at New York Presbyterian Hospital-Queens and has written about potential cybersecurity issues with these lifesaving technologies.
Just a hypothetical problem — for now
A 2012 episode of the Showtime series “Homeland” — called, fittingly enough, “Broken Hearts” — featured a storyline in which the fictional vice president of the United States was assassinated by terrorists who hacked into the pacemaker that helped to control his heart, Slotwiner said.
However, in a case of art imitating life, former vice president Dick Cheney told CBS’ “60 Minutes” in 2013 that he had his doctors disable the wireless feature on the pacemaker he had implanted in 2007.
Apparently both he and national security officials feared that terrorists could hack the device and send signals to it to shock his heart into cardiac arrest, he said at the time.
“I was aware of the danger [and] I found it credible,” Cheney told “60 Minutes.”
In reality, though, the FDA has to date no received any reports of “deliberate or intentional compromises of medical devices due to cyber exploits,” according to an agency spokeswoman.
Still, last spring, a ransomware attack affecting 40 or more hospitals across the country caused radiation therapy machines used in lifesaving cancer treatments to become unavailable for nearly a week, the agency said.
Similarly, a ransomware attack called “WannaCry” disrupted patient care at National Health Service facilities in Britain in 2017.
In ransomware attacks, hackers intentionally infect computer systems with a virus and effectively hold it hostage until victims meet certain financial demands, according to Slotwiner.
Although these incidents did not target implantable or wearable devices, such as pacemakers, defibrillators and insulin pumps that patients use off-site, they could become collateral damage in attacks against hospitals and manufacturers, healthcare cybersecurity consultant Drexel DeFord said.
Currently, the risk for cyberattacks with these devices remains “pretty low,” given that “even when they come in for a software update, the time they spend connected to the health system’s network is minimal, said DeFord, a former chief information officer for several large hospitals.
However, as hackers continue to become more sophisticated, that could change, he said.
For this reason, Congress is considering legislation, called the Patch Act, that would require device manufacturers applying for FDA approval for their devices to demonstrate “a reasonable assurance of safety” with regard to cybersecurity, DeFord said.
“Right now, the risk for these smaller, personal devices being part of a cyberattack is extremely low, but if you’re the person it happens to, that almost doesn’t matter,” he said.
The Patch Act addresses newer devices seeking FDA clearance but, for now, it is “older, legacy devices” put into use “at a time when there was less concern” over cybersecurity that are vulnerable, according to Dr. David C. Klonoff, who has researched cybersecurity issues.
Most newer devices for people with diabetes, including insulin pumps and glucose monitors, feature software designed to “repair breaches” and protect against cyberattacks, said Klonoff, medical director of the Diabetes Research Institute at Mills-Peninsula Medical Center in San Mateo, Calif.
“Nobody has a stronger interest in preventing cyberattacks on these than the manufacturers,” New York Presbyterian’s Slotwiner said.
The fear of having a product become the first involved in a cyberattack-related death, and the resulting litigation, are huge motivators, he added.
Although the software engineers with whom he works with have suggested that those fitted with cardiac devices be on the lookout for “changes in patterns in how they function,” this really is not practical, Slotwiner said.
Rather, patients — and their physicians — should adhere to “standard cybersecurity hygiene practices,” he said.
This includes following remote device monitoring protocols and sticking with scheduled in-office visits for software updates, Slotwiner said.
These updates usually include patches designed to enhance device security, he said.
“I always tell my patients when they are getting a new defibrillator or pacemaker that there will be software or firmware updates over the course of their device’s lifetime,” Slotwiner said.
“These updates are part of taking care of the device,” he said.
In addition, people using medical devices should keep an eye on the news to see if either the manufacturers that made the products or the healthcare facility that prescribed or implanted them — and thus monitors them — has been targeted with a cyberattack, DeFord said.
Still, “what we don’t want to see is people fearing being impacted by a cyberattack and disconnecting their devices from remote monitoring systems,” like the former vice president, Slotwiner said.
“These monitoring systems ensure the device is working properly and can spot significant health problems,” he said.
Instead, if patients are concerned their device has been compromised as part of a cyberattack, they should contact their doctor and, if possible, the product manufacturer for guidance, he added.
Hackers “have built really sophisticated, high-tech companies that have information technology departments and software development teams,” DeFord said.
“That’s who we’re up against, and the healthcare industry needs to keep up,” he said.