By James C. Perry, MD
22 Sep

Pacemaker Check, Reality Check: Implanted Cardiac Rhythm Devices and Hacking

Friday, September 22, 2017

There has been a small amount of coverage in the news cycles lately about the potential for pacemakers and defibrillators to be subject to hacking. Notably, in a 2012 episode of the Showtime series, “Homeland,” a Vice President character’s pacemaker was hacked and reprogrammed, causing his demise. This certainly resulted in some increased patient phone call volume in physician’s offices at the time, with people asking, “Can my pacemaker be hacked?”

To begin, there are NO reports of anyone’s implanted cardiac rhythm device being hacked and reprogrammed. There are concerns, however, because these devices communicate wirelessly by RF (similar to the energy frequency your cell phone uses) and there may be opportunity for theoretical penetration into that communication by an outsider.

You can read online that the “hacking” of a pacemaker in a mannequin has been accomplished. This did not include any ability to reprogram the pacemaker. Being able to hack into pacemaker transmissions, from device to remote monitoring system (e.g. Carelink, Merlin) or from programmer to device (in an office setting) would require someone in extremely close proximity (inches to a few feet) of the device with sophisticated equipment. They would wind up seeing essentially what amounts to protected health information (PHI)—for example, your lead impedances, your heart rate histogram, your battery voltage—but not being able to tell your pacemaker or defibrillator to do anything at all. Home monitors will send information, not receive information.

A concern over hacking was raised regarding some St. Jude (Abbott) devices. The company has responded by emphasizing the information above, plus offering an in-office firmware cybersecurity upgrade that takes about one minute to perform. At the time of this writing, Medtronic believes they do not need firmware upgrades for their devices. Boston Scientific, Biotronik and Sorin have not expressed concerns about their own platform cybersecurity components.

The (current) bottom line:

  1. Is there a risk? Of course, there will always be a theoretical risk. We live in a high tech world and smart people can use technology in ways we can perhaps only imagine.
  2. In the coming years, cardiac rhythm device companies will probably wind up putting into place security measures for device programmers that will mostly be protective of PHI data rather than of the “hack-ability” of pacing/ICD systems.
  3. The benefit of having your pacemaker or ICD by far outweighs any potential (miniscule) security risk.
  4. Sleep easy.

Some online resources if you are interested in more technical detail can be found here and here.

Comments

Add yours below.

Disclaimer

The opinions expressed by ACHA bloggers and those providing comments on the ACHA Blog are theirs alone, and do not reflect the opinions of the Adult Congenital Heart Association or any employee thereof. ACHA is not responsible for the accuracy of any of the information supplied by the ACHA bloggers.

The contents of this blog are presented for informational purposes only, and should not be substituted for professional advice. Always consult your physicians with your questions and concerns.

Check out our profile