Sian C. Owen, Medical Writer for Cardio Debate

Pacemakers operated by wireless communication are a relatively new development, and although these technologies present obvious benefits for the patient, they also bring new risks. One of the potential dangers associated with these new implantable devices and operating systems is cybercrime.

A recent ‘Viewpoint’ article published in JAMA Online [1] explores cybersecurity issues associated with cardiovascular electronic implantable devices manufactured by Abbott.

Here, the authors write that: “In 2016, reports arose suggesting that Abbott pacemakers and implantable cardioverter-defibrillators may have particular vulnerabilities related to their use of radiofrequency telemetry for wireless communication […] Potential risks identified included the possibility that adversarial parties could intentionally drain the battery of affected devices, or use the home base station in such a way as to issue malicious programming commands to patients’ implanted systems.”

It is worth pointing out that, to date, there have been no reported incidents of cyber security breaches of these devices, but perhaps it is only a matter of time.

Here, the focus was on medical devices produced by Abbotts, but the risks are not limited to one manufacturer. Wired Magazine reports that Johnson & Johnson issued warnings over a security bug in their insulin pumps, and even former US Vice President Dick Cheney allegedly requested more robust security for his pacemaker to protect him from hackers. [2]

One can be forgiven for thinking that hacking implantable medical devices is far-fetched and belongs in the realm of science fiction. However, we only need to look at the recent NHS ransomware attack that brought the UK healthcare system to a virtual standstill earlier this year. According to Digital Health over 1200 diagnostic medical devices in the NHS were infected with the malware, and even more devices had to be taken offline. [3] The risks are real, and they are on our doorstep.

However, the solution does not lie solely at the feet of the manufacturers. Caroline Rivett, head of cyber security at KPMG UK tells the Financial Times that: “While device manufacturers, to my mind, have a clear duty of care to ensure that their devices have built-in security and can be regularly patched and updated, there’s dual responsibility here, because hospitals must ensure that they’re carrying out that work and that they are implementing these devices in a secure way and connecting them to hospital networks appropriately.” [4]

As technology advances, more patients will be using electronic implantable devices that use wireless connectivity for a wider range of conditions. Therefore, in terms of managing risks we need to get it right sooner rather than later.