Could Hackers Target Heart Devices?
Your wireless heart implant suddenly goes on the fritz, either conking out completely or causing your heart to beat rapidly or irregularly.
Could you be the victim of a hacking attack aimed at endangering your life by messing with your heart device?
It happened on the "Homeland" TV series, when Islamic terrorists hacked the heart pacemaker of the vice president of the United States and engineered his untimely end.
But hacking a cardiac device isn't just the stuff of fiction. It's a potential possibility -- though remote at this time -- that must be guarded against to protect patients, a new review suggests.
"We need to be thinking about these possibilities ahead of time. We need to be a couple of steps ahead of the hackers," said Dr. Dhanunjaya Lakkireddy. He directs the University of Kansas Medical Center's Center for Excellence in Atrial Fibrillation and Complex Arrhythmias.
"We need to think about safety nets in the design of the hardware, software and programming of these devices," Lakkireddy added.
It's highly unlikely that a hacker could alter the programming of an implantable cardioverter-defibrillator (ICD) in a way that would endanger a patient, said Lakkireddy, a leader of the Electrophysiology Section of the American College of Cardiology (ACC).
"After reviewing the literature and talking to the industry people, their engineers and people in the cyber sector, our final take on this is it's a theoretical risk that has been blown out of proportion," Lakkireddy said.
Many ICDs used these days are wirelessly programmed in a doctor's office, and transmit real-time data on patient heart rate that cardiologists can use to track a person's heart health.
ICDs track a patient's heart rate and, if it becomes erratic, delivers a jolt of electricity to restore normal rhythm.
Medical devices have been targets of hacking for over a decade, Lakkireddy and his colleagues noted.
Some insulin pumps have been shown to be vulnerable to a remote hacking attack, and in 2016 a cybersecurity firm issued a report alleging that certain ICDs also might be hackable.
The concern is that a hacker could target someone's ICD with an attack that would cause the device to deliver inappropriate or life-threatening shocks, according to a report from the ACC's Electrophysiology Section.
A hack also could interfere with doctors' ability to monitor heart data transmitted by the ICD, or alter the device's function in a way that would drain its battery.
It is possible that someone could hack in and monitor the heart data being transmitted from a device to a doctor's office, Lakkireddy said.
But there are a lot of hurdles that someone would have to clear to remotely reprogram another person's heart implant, he continued.
Each ICD sends and receives on a unique radio frequency, and it can be reprogrammed only with proprietary software produced by the device's manufacturer, Lakkireddy said.
A malicious hacker would first have to know that a person has a heart implant, then figure out what brand of heart implant and its radio frequency, then get the proprietary reprogrammer for that device within range of the victim, then tinker around nearby without the person becoming suspicious, Lakkireddy said.
Given stringent U.S. laws protecting patient information, it's unlikely that someone could cobble together all of this information and launch such an attack, he said.
"When you pile up all these pieces of information together, the probabilities keep going down dramatically," Lakkireddy said. "It's not operationally plausible."
Dr. Gordon Tomaselli, chief of cardiology for Johns Hopkins, in Baltimore, said it's theoretically possible that someone sitting near a person with a heart implant could hack into the ICD and reprogram it.
"It could not be done by somebody sitting somewhere at a computer in their basement, hacking," Tomaselli said. "They'd have to have access to the device."
Tomaselli agreed with Lakkireddy that patients today have nothing to fear.
"If you're not remotely monitored, it's virtually nonexistent," Tomaselli said. "If you are remotely monitored, the chances are very, very small."
At the same time, both Tomaselli and Lakkireddy suggested that device manufacturers and physicians need to stay on top of the devices' cybersecurity, to ensure that future modifications do not leave patients vulnerable to attack.
"There are things we are going to continue to have to do to make sure patients remain safe," Tomaselli said. "This is not just pacemakers and defibrillators. It's virtually any medical device that has a computer chip in it."
The new report was published online Feb. 20 in the Journal of the American College of Cardiology.
The American Heart Association has more about ICDs.
SOURCES: Dhanunjaya Lakkireddy, M.D., director, Center for Excellence in Atrial Fibrillation and Complex Arrhythmias, University of Kansas Medical Center, Kansas City; Gordon Tomaselli, M.D., chief , cardiology, Johns Hopkins, Baltimore; Feb. 20, 2018, Journal of the American College of Cardiology