Cybersecurity for Medical Devices

If you read the news regarding hacks targeting Equifax and Target or the political motivations of Russian and North Korean hackers, it’s clear that cybersecurity has become a global issue. As technology advances, even devices such as pacemakers and implantable cardiac defibrillators (ICDs) now communicate over the internet, raising questions about whether hackers can gain access to patients’ medical devices and cause harm. The goal of this article is to give up-to-date information on cybersecurity for medical devices and address legitimate concerns about patient safety.

What is cybersecurity?

Cybersecurity is the defense of computers, networks, and electronic devices against unauthorized access and digital attacks (“hacking”). In an attack on a computer system, a hacker does not necessarily need to be physically close to the targeted system. A system that is connected to the internet is inherently exposed to possible attacks. The goal of cybersecurity is to reduce the likelihood that a hacker can gain access to the system and minimize the effect of an attack. Many large companies spend millions of dollars a year ensuring their systems are protected against malicious actors.

Is my pacemaker or implantable cardiac defibrillator (ICD) at risk of being hacked?

Security researchers have previously exposed vulnerabilities in the software of Medtronic and St. Jude Medical pacemakers and defibrillators. However, according to the FDA, there have been no patient injuries or deaths associated with cybersecurity incidents, nor have there been any specific devices or systems purposely targeted¹. The presence of these vulnerabilities indicates that it is possible, but extremely difficult, for unauthorized users to access these systems and potentially harm patients.

Most software vulnerabilities require the unauthorized user to be within 20 feet of the patient’s device while using a compromised monitor or clinic programmer to change its settings, making it nearly impossible for a patient’s device to be compromised without the patient knowing it. Device manufacturers are constantly issuing updates for their systems to protect them from any vulnerabilities discovered, and your pacemaker or ICD is kept updated during in-clinic visits or via your home health monitor (e.g. Merlin@Home or MyCareLink).

How can I best protect my device?

Keep your home monitor connected as directed so that your home monitor and your device receive new software updates.
Only use the remote home monitor obtained directly from your health care provider or the company which manufactures your device (e.g. Medtronic or St. Jude/Abbott).
Maintain good physical control over your remote monitor.
Consult your doctor if you have concerns about your home monitor or device’s behavior.

Seek medical attention if you feel lightheaded, dizzy, pass out, have chest pain or extreme shortness of breath.

What steps are being taken to improve cybersecurity for medical devices?

On October 18th, 2018, the FDA drafted guidance for medical device manufacturers regarding cybersecurity. In this draft, they call on manufacturers to disclose possible cybersecurity threats to their device, steps taken to secure their device before it is approved, and defense measures in place should a threat arise². Independent researchers are also constantly looking for vulnerabilities themselves.

Cybersecurity Vulnerabilities

Below is a table of the most recent medical device vulnerabilities and the steps that have been taken to address them.

Date	Issue	Devices Affected	Explanation	Solution
3/21/2019	Insecure transmission of telemetry between devices and programmers or home monitors³	Medtronic ICD and CRT-D devices	The wireless telemetry protocol used by some Medtronic devices transmitted unencrypted data. An unauthorized user within 20 feet of an active device, monitor, or clinic programmer could potentially change the settings of an implantable device, home monitor, or programmer.	Still pending. Medtronic is currently developing updates to mitigate the vulnerabilities.
In the news: "Hackers can take over heart devices, DHS warns" - Fox News
10/11/2018	Vulnerability in software distribution network for clinic programmers⁴	Medtronic pacemaker and defibrillator device programmers	The network used to update Medtronic programmers showed potential to be exploited, allowing an attacker to compromise a programmer remotely.	Medtronic issued an update to intentionally block programmers from accessing the software update network, making it impossible for them to be compromised over that network.
In the news: "Security researchers say they can hack Medtronic pacemakers" - CNBC News
4/17/2018	Insecure transmission of data between home monitor system and patient ICD or CRT-D⁵	St. Jude Medical (Abbott) ICD and CRT-D devices	A lack of authentication in the Merlin@home monitor and Merlin programmer made it possible for unauthorized users to change settings on a patient's device.	Abbott issued an in-clinic firmware upgrade for affected devices. Devices manufactured after April 24, 2018 have this update pre-loaded.
In the news: "Abbott releases firmware patch to fix cybersecurity flaws in 350,000 medical devices" - Healthcare IT News
8/29/2017	Insecure transmission of data between home monitor system and patient pacemaker or CRT-P⁶	St. Jude Medical (Abbott) pacemaker and CRT-P devices	A lack of authentication in the Merlin@home monitor and Merlin programmer made it possible for unauthorized users to change settings on a patient's device to cause battery depletion or rapid pacing.	Abbott issued an in-clinic firmware upgrade for affected devices. Devices manufactured after August 27, 2017 have this update pre-loaded.
In the news: "Cyber-flaw affects 745,000 pacemakers" - BBC News
1/9/2017	Vulnerability in the Merlin@home monitoring system⁷	St. Jude Medical home monitor system	The Merlin@home monitoring system contained a vulnerability potentially allowing an unauthorized user to access the patient's device and deplete the battery or change settings.	St. Jude issued a software update for their Merlin@home transmitter to address the issue automatically.
In the news: "FDA confirms that St. Jude's cardiac devices can be hacked" - CNN Business

Where can I find more information on medical cybersecurity?

Please see the FDA’s webpage on cybersecurity at https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm.

Additional Resources

Date Published	Article
8/8/19	"Hackers are going after medical devices — and manufacturers are helping them" - The Washington Post
7/10/19	"Anaesthetic devices 'vulnerable to hackers'" - BBC News
3/30/19	"Hackers can take over heart devices, DHS warns" - Fox News
11/13/18	"Exposing vulnerabilities: How hackers could target your medical devices" - AAMC News
11/8/18	"How medical devices like pacemakers and insulin pumps can be hacked" - CBS News
11/1/18	"FDA isn't doing enough to prevent medical device hacking, HHS report says" - CNN News
10/17/18	"The FDA is embracing ethical hackers in its push to secure medical devices" - The Washington Post
8/17/18	"Security researchers say they can hack Medtronic pacemakers" - CNBC News
4/24/18	"FDA Plans Cybersecurity ‘Go-Team’ to Strengthen Medical Devices" - The Wall Street Journal
10/20/17	"Hacking Is a Risk for Pacemakers. So Is the Fix" - The Wall Street Journal
7/11/17	"F.D.A. Deal Would Relax Rules on Reporting Medical Device Problems" - The New York Times
6/29/17	"Fears of hackers targeting US hospitals, medical devices for cyber attacks" - ABC News
5/13/17	"NHS cyber-attack: GPs and hospitals hit by ransomware" - BBC
4/13/17	"FDA Warns on Abbott’s St. Jude Pacemakers and Defibrillators" - The Wall Street Journal
10/3/08	"How Much Security Do You Expect From Your Pacemaker? UMass Amherst Expert Works to Provide Cyber Trust" - UMass News

References:
1. Fda.gov. (2019). Cybersecurity. Available at: https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm
2. Fda.gov. (10/18/2018). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Available at: https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf
3. Fda.gov. (3/21/2019). Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm633960.htm
4. Fda.gov. (10/11/2018). Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm623184.htm
5. Fda.gov. (4/17/2018). Battery Performance Alert and Cybersecurity Firmware Updates for Certain Abbott (formerly St. Jude Medical) Implantable Cardiac Devices: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm
6. Fda.gov. (8/29/2017). Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
7. Fda.gov. (1/9/2017). Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. Available at: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm