With concerns growing in the medical community about the safety of remotely accessible implants, a new research paper indicates that while they are vulnerable, those risks seem unlikely to be exploited.
In a paper published online by the Journal of the American College of Cardiology on February 20, researchers indicate that while hacking heart implants like implantable cardioverter defibrillators is possible, and should be addressed during product testing, no enhanced monitoring or device replacements are needed at this point.
Researchers with the Electrophysiology Section Council and the University of Kansas Medical Center reviewed literature on the devices, potential vulnerabilities and cybersecurity, and talked to a number of cybersecurity and medical experts, concluding that even if a hacker were able to remotely access a heart implant, they would be unlikely to be able to alter its programming.
The paper indicates that while such intrusions should be guarded against in the future, concerns may currently be blown out of proportion. However, that doesn’t mean the medical industry should relax, the researchers warned, as the threat is likely to grow in the future.
The authors called for cybersecurity needs to be addressed during product testing to ensure that the systems are safe. They also recommended other options that might help, including the use of security firmware (software that cannot be changed and is part of the devices’ hardware) and remote monitoring.
“The possible future impact of this issue is immense,” the researchers said in an American College of Cardiology press release. “The FDA, manufacturers and professional societies like the [ACC] and Heart Rhythm Society are actively participating in larger conversations regarding overall risks, and how to best protect patients and provide the most effective care.”
Medical Device Cybersecurity Concerns
Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.
Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity are not taken, hackers could exploit these vulnerabilities and put patients at serious risk.
The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed that hacks to medical devices are a very real possibility, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations’ health record systems.
Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.
The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively address the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending that medical device manufacturers incorporate strong anti-hack programs during the design stages of device development.
The agency proposed a second guidance on January 15, 2016, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.