NEW YORK, June 1 (UPI) — The millions of people in the United States who are fitted with pacemakers and insulin pumps need to remember that the devices that keep them healthy use software, which means they are vulnerable to hackers, experts told UPI.
While the risk of cyberattacks on these personal medical devices is low, it’s not zero, they said, which is why the Food and Drug Administration recently updated its draft guidance on security considerations for them and plans to present it to industry leaders on June 14.
Despite the “cyber vulnerabilities” discovered in Abbott devices when it was still known as St. Jude Medical, no reports of actual hacked pacemakers have surfaced, the FDA said at the time.
Still, the incident was a “fascinating lesson for us and really opened our eyes to the possibilities here,” Dr. David J. Slotwiner, a cardiologist and cardiac electrophysiologist who treats patients fitted with implantable cardioverter-defibrillators and pacemakers, told UPI.
“Hacking is definitely something that people with these devices need to be aware of and know it’s possible,” said Slotwiner, who is chief of cardiology at New York Presbyterian Hospital-Queens and has written about potential cybersecurity issues with these life-saving technologies.
Just a hypothetical problem – for now
A 2012 episode of the Showtime series “Homeland” — aptly titled “Broken Hearts” — featured a story in which the fictional Vice President of the United States was assassinated by terrorists who hacked into the pacemaker that helped control his heart, said Slotwiner.
However, in a case of art imitating life, former Vice President Dick Cheney told CBS’ 60 Minutes in 2013 that his doctors had the wireless functionality of the pacemaker he had implanted in 2007 disabled.
Apparently, both he and national security officials feared terrorists could hack the device and send signals to it to shock his heart into cardiac arrest, he said at the time.
“I was aware of the danger [and] I found it believable,” Cheney told 60 Minutes.
In reality, however, to date, the FDA has received no reports of “deliberate or intentional compromises of medical devices due to cyber exploits,” according to an agency spokesman.
Still, last spring, a ransomware attack that affected 40 or more hospitals across the country meant that radiation therapy machines, used in life-saving cancer treatments, were unavailable for nearly a week, the agency said.
Similarly, in 2017, a ransomware attack dubbed WannaCry disrupted patient care at National Health Service facilities in the UK.
In ransomware attacks, hackers intentionally infect computer systems with a virus, effectively holding them hostage until victims meet certain financial demands, according to Slotwiner.
While these incidents didn’t target implantable or wearable devices like pacemakers, defibrillators and insulin pumps that patients use off-site, such devices could become collateral damage in attacks on hospitals and manufacturers, said Drexel DeFord, a healthcare cybersecurity consultant.
Currently, the risk of cyberattacks using these devices remains “pretty low” because “even if they come in for a software update, the time they spend on the healthcare system network is minimal,” said DeFord, a former chief information officer for several large hospitals.
However, as hackers become more sophisticated, that could change, he said.
That’s why Congress is considering legislation called the Patch Act that would require device manufacturers seeking FDA clearance for their devices to demonstrate “appropriate assurance of security” in terms of cybersecurity, DeFord said.
“Right now, the risk for these smaller, personal devices to become part of a cyberattack is extremely low, but if you’re the person it’s happening to, it almost doesn’t matter,” he said.
The Patch Act is aimed at newer devices seeking FDA approval, but currently, according to Dr. who has researched cybersecurity issues.
Most newer devices for people with diabetes, including insulin pumps and glucose monitors, have software designed to “fix breaches” and protect against cyberattacks, said Klonoff, medical director of the Diabetes Research Institute at Mills-Peninsula Medical Center in San Mateo, Calif.
“No one has a greater interest in preventing cyberattacks on it than the manufacturers,” said New York Presbyterian’s Slotwiner.
The fear that a product will be the first to become involved in a cyberattack-related fatality and the resulting litigation are big motivators, he added.
Although the software engineers he works with have suggested that those equipped with heart devices look out for “changes in patterns of how they function,” this is really impractical, Slotwiner said.
Rather, patients — and their doctors — should adhere to “standard cybersecurity hygiene practices,” he said.
That includes following protocols to monitor devices remotely and sticking to scheduled visits to the office for software updates, Slotwiner said.
Those updates typically include patches designed to improve device security, he said.
“I always tell my patients when they get a new defibrillator or pacemaker that there will be software or firmware updates over the life of their device,” Slotwiner said.
“These updates are part of maintaining the device,” he said.
Additionally, people who use medical devices should keep an eye on the messages to see if either the manufacturers that made the products or the healthcare facility that prescribed or implanted them, and thus monitors them, has become the target of a cyberattack, DeFord said.
“What we don’t want to see, however, are people who fear they may be the target of a cyberattack and disconnect their devices from remote monitoring systems,” Slotwiner said.
“These monitoring systems make sure the device is working properly and can detect significant health issues,” he said.
Instead, if patients worry their device may have been compromised as part of a cyberattack, they should contact their doctor and, if possible, the product manufacturer for guidance, he added.
Hackers “have built really sophisticated, high-tech companies that have information technology departments and software development teams,” DeFord said.
“This is what we are dealing with and the healthcare industry has to keep up,” he said.