ACC: No Evidence Cardiac Device Hacking Is a 'Relevant Clinical Problem'

February 26, 2018

The risk that hackers will electronically access individual implanted pacemakers and defibrillators, altering their settings and programming, is so low that it's not "a relevant clinical problem," according to a new statement from the American College of Cardiology (ACC).

"Even though there is a theoretical risk, there have not been any cases known to mankind of hacking into implanted cardiac devices," Dhanunjaya R Lakkireddy, MD, University of Kansas, Kansas City, told | Medscape Cardiology.

"The hypothetical scenario of a rogue hacker getting into someone's device, turning off the pacemaker, or turning off the defibrillator capability, I think is just the soap-opera take on it. Other than that, I don't think there's any real substance to it," he said.

Lakkireddy is senior author on the document, published February 20 in the society's flagship, Journal of the American College of Cardiology, with first author, Adrian Baranchuk, MD, Queen's University, Kingston, Ontario, Canada.

Not that potential cybersecurity issues for cardiac implantable electronic devices (CIEDs) should be ignored, according to the ACC report. Whereas "the likelihood of an individual hacker successfully affecting a CIED or being able to target a specific patient is low," remote-monitoring networks may be more vulnerable.

"A more likely scenario is that of a malware or ransomware attack affecting a hospital network and inhibiting communication," the report states. "In this case, loss of remote communication may prevent timely transmission of a clinical event."

The worst-case scenario, Lakkireddy said, is that a lone hacker could shut down the network of a hospital system that receives data from remotely monitored devices, or the network that transmits to the device manufacturer's data repository.

CIEDs can't be reprogrammed over the Internet via the telemonitoring network "because that's just the way they are built. If somebody needs programming changes, they need to come to the doctor's office."

The ACC statement was partly intended to allay concerns that there may be significant CIED cybersecurity issues. But it also calls on physicians, device manufacturers, and regulators to confront potential security issues that might arise as technology advances.

"We need to be proactive about this, and come up with a legal, technical, scientific framework that defines how we are going to manage this going forward," Lakkireddy said.

Lakkireddy discloses speaking for Janssen, Pfizer, and Biotronik and receiving unrestricted research grants from Bristol-Myers Squibb and Biosense Webster. Baranchuk had no disclosures. The remaining authors report that they have no relevant disclosures.

J Am Coll Cardiol. Published online February 20, 2018. Abstract   

Follow Steve Stiles on Twitter: @SteveStiles2. For more from | Medscape Cardiology, follow us on Twitter and Facebook.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.