Your Weekly Checkup: Cybersecurity of Medical Devices

“Your Weekly Checkup” is our online column by Dr. Douglas Zipes, an internationally acclaimed cardiologist, professor, author, inventor, and authority on pacing and electrophysiology. Dr. Zipes is also a contributor to The Saturday Evening Post print magazine.

*****

“Daniel, it’s me, John,” I said over the phone.

“Oof.” I heard him grunt in the background.

“What’s the matter?” I asked.

“This damn defibrillator. It’s shocked me five times in the last hour! Just keeps going off. I barely catch my breath when the next shock hits. I’m going crazy with it, Daniel. You’ve got to make it stop.”

“Call 911 and get to an emergency room. They’ll know what to do.” I heard a crash. “John, did you hear me?”

No answer. “John? John!”

A woman picked up the phone. “I’m John’s wife, Doctor. He just fell to the floor. He’s not moving! My God, I think he’s dead!”

*****

This excerpt from my novel, Ripples in Opperman’s Pond (iUniverse 2013), depicts a man (John) with an implanted electronic defibrillator that has been hacked to deliver repeated shocks to his heart that eventually kill him.

Is this fiction that tells the truth? Can this happen in real life? Could malicious hackers damage or disrupt the normal operation of implanted devices by taking advantage of the wireless software communication between health care providers and patients’ devices, jeopardizing patients’ health or even killing them?

Along with cyberattacks on companies and countries, the cybersecurity of implanted medical devices such as drug infusion pumps, electronic monitors, pacemakers, and defibrillators has come under recent scrutiny. A report by Muddy Waters Research claimed that electronic medical devices manufactured by St. Jude Medical (now Abbott, St. Paul, MN) were at high risk for device hacking that could lead to rapid pacing and battery depletion. However, researchers attempting to reproduce the Muddy Waters claim failed to generate any clinical harm or to affect essential device function.

Abbott has provided information on a firmware fix with enhanced cybersecurity for those wishing to pursue it. However, the reality is that no clinical reports of such hacking have been published, and most experts consider the theoretical risk of a cybersecurity breach of an individual patient’s device to be less than the actual risk of the firmware update. While most patients, after considering risks and benefits, reacted conservatively to the news of a potential device risk and decided not to undergo the fix, several thousand patients offered the firmware upgrade opted for it, and underwent reprogramming, generally without problems.

It is important to stress that the cybersecurity risks to health care are not restricted to Abbott, or to implanted medical devices. The risks exist for any healthcare system connected to the Internet, more so for large facilities such as hospitals than for individual patients. Hospitals are prime targets, especially since personal health information can be worth millions of dollars. A cyberattack can disrupt an entire hospital system, compromise medical records, and put patients at risk. Many pieces of medical equipment have computing and other needs requiring Internet connectivity that can make them vulnerable to attack. Constant security surveillance is critical. As a case in point, recall the 2017 global cyberattack with the WannaCry virus that crippled the UK’s National Health Service and FedEx, and infected more than 300,000 computers in 150 countries. It was dubbed “the biggest ransomware outbreak in history.”

Hacking of individual medical devices may just be a thing of novels. So, those of you with pumps, pacemakers and defibrillators can relax — at least for now. But in the future…?