If you read the news regarding hacks targeting Equifax and Target or the political motivations of Russian and North Korean hackers, it’s clear that cybersecurity has become a global issue. As technology advances, even devices such as pacemakers and implantable cardiac defibrillators (ICDs) now communicate over the internet, raising questions about whether hackers can gain access to patients’ medical devices and cause harm. The goal of this article is to give up-to-date information on cybersecurity for medical devices and address legitimate concerns about patient safety.
What is cybersecurity?
Cybersecurity is the defense of computers, networks, and electronic devices against unauthorized access and digital attacks (“hacking”). In an attack on a computer system, a hacker does not necessarily need to be physically close to the targeted system. A system that is connected to the internet is inherently exposed to possible attacks. The goal of cybersecurity is to reduce the likelihood that a hacker can gain access to the system and minimize the effect of an attack. Many large companies spend millions of dollars a year ensuring their systems are protected against malicious actors.
Is my pacemaker or implantable cardiac defibrillator (ICD) at risk of being hacked?
Security researchers have previously exposed vulnerabilities in the software of Medtronic and St. Jude Medical pacemakers and defibrillators. However, according to the FDA, there have been no patient injuries or deaths associated with cybersecurity incidents, nor have there been any specific devices or systems purposely targeted1. The presence of these vulnerabilities indicates that it is possible, but extremely difficult, for unauthorized users to access these systems and potentially harm patients.
Most software vulnerabilities require the unauthorized user to be within 20 feet of the patient’s device while using a compromised monitor or clinic programmer to change its settings, making it nearly impossible for a patient’s device to be compromised without the patient knowing it. Device manufacturers are constantly issuing updates for their systems to protect them from any vulnerabilities discovered, and your pacemaker or ICD is kept updated during in-clinic visits or via your home health monitor (e.g. Merlin@Home or MyCareLink).
How can I best protect my device?
- Keep your home monitor connected as directed so that your home monitor and your device receive new software updates.
- Only use the remote home monitor obtained directly from your health care provider or the company which manufactures your device (e.g. Medtronic or St. Jude/Abbott).
- Maintain good physical control over your remote monitor.
- Consult your doctor if you have concerns about your home monitor or device’s behavior.
Seek medical attention if you feel lightheaded, dizzy, pass out, have chest pain or extreme shortness of breath.
What steps are being taken to improve cybersecurity for medical devices?
On October 18th, 2018, the FDA drafted guidance for medical device manufacturers regarding cybersecurity. In this draft, they call on manufacturers to disclose possible cybersecurity threats to their device, steps taken to secure their device before it is approved, and defense measures in place should a threat arise2. Independent researchers are also constantly looking for vulnerabilities themselves.
Cybersecurity Vulnerabilities
Below is a table of the most recent medical device vulnerabilities and the steps that have been taken to address them.
| Date | Issue | Devices Affected | Explanation | Solution |
|---|---|---|---|---|
| 3/21/2019 | Insecure transmission of telemetry between devices and programmers or home monitors3 | Medtronic ICD and CRT-D devices | The wireless telemetry protocol used by some Medtronic devices transmitted unencrypted data. An unauthorized user within 20 feet of an active device, monitor, or clinic programmer could potentially change the settings of an implantable device, home monitor, or programmer. | Still pending. Medtronic is currently developing updates to mitigate the vulnerabilities. |
| 10/11/2018 | Vulnerability in software distribution network for clinic programmers4 | Medtronic pacemaker and defibrillator device programmers | The network used to update Medtronic programmers showed potential to be exploited, allowing an attacker to compromise a programmer remotely. | Medtronic issued an update to intentionally block programmers from accessing the software update network, making it impossible for them to be compromised over that network. |
| 4/17/2018 | Insecure transmission of data between home monitor system and patient ICD or CRT-D5 | St. Jude Medical (Abbott) ICD and CRT-D devices | A lack of authentication in the Merlin@home monitor and Merlin programmer made it possible for unauthorized users to change settings on a patient's device. | Abbott issued an in-clinic firmware upgrade for affected devices. Devices manufactured after April 24, 2018 have this update pre-loaded. |
| 8/29/2017 | Insecure transmission of data between home monitor system and patient pacemaker or CRT-P6 | St. Jude Medical (Abbott) pacemaker and CRT-P devices | A lack of authentication in the Merlin@home monitor and Merlin programmer made it possible for unauthorized users to change settings on a patient's device to cause battery depletion or rapid pacing. | Abbott issued an in-clinic firmware upgrade for affected devices. Devices manufactured after August 27, 2017 have this update pre-loaded. |
| 1/9/2017 | Vulnerability in the Merlin@home monitoring system7 | St. Jude Medical home monitor system | The Merlin@home monitoring system contained a vulnerability potentially allowing an unauthorized user to access the patient's device and deplete the battery or change settings. | St. Jude issued a software update for their Merlin@home transmitter to address the issue automatically. |
Where can I find more information on medical cybersecurity?
Please see the FDA’s webpage on cybersecurity at https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm.
Additional Resources
References:
1. Fda.gov. (2019). Cybersecurity. Available at: https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm
2. Fda.gov. (10/18/2018). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Available at: https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf
3. Fda.gov. (3/21/2019). Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm633960.htm
4. Fda.gov. (10/11/2018). Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm623184.htm
5. Fda.gov. (4/17/2018). Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm
6. Fda.gov. (8/29/2017). Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
7. Fda.gov. (1/9/2017). Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
by Nathan Smith