Can Implantable Pacemakers and Defibrillators Be Hacked?

St. Jude and Cyber Vulnerability of Medical Devices

[Figure: Pacemaker x-ray. Peter Dazely/Getty Images]

In late 2016 and early 2017, news reports raised the specter that people with bad intentions could potentially hack into an individual's implantable medical device and cause serious problems. Specifically, the devices in question are marketed by St. Jude Medical, Inc., and include pacemakers (which treat sinus bradycardia and heart block), implantable defibrillators (ICDs) (which treat ventricular tachycardia and ventricular fibrillation), and CRT devices (which treat heart failure).

These news reports may have raised fears among people who have these medical devices without placing the issue into sufficient perspective.

Are implanted cardiac devices at risk for cyber attacks? Yes, because any digital device that includes wireless communication is at least theoretically vulnerable, including pacemakers, ICDs and CRT devices. But so far, an actual cyber attack against any of these implanted devices has never been documented. And (thanks in large part to recent publicity about hacking, both of medical devices and of politicians), the FDA and the device manufacturers are now working hard to patch any such vulnerabilities.

St. Jude Cardiac Devices and Hacking

The story first broke in August 2016, when famed short-seller Carson Block publicly announced that St. Jude had been selling hundreds of thousands of implantable pacemakers, defibrillators and CRT devices that were extremely vulnerable to hacking.

Block said that a cybersecurity company with which he was affiliated (MedSec Holdings, Inc.) had done an intensive investigation and found that St. Jude devices were uniquely vulnerable to hacking (as opposed to the same kinds of medical devices sold by Medtronic, Boston Scientific, and other companies).

In particular, said Block, the St. Jude systems “lacked even the most basic security defenses,” such as anti-tampering devices, encryption, and anti-debugging tools, of the sort commonly used by the rest of the industry.

The alleged vulnerability was related to the remote, wireless monitoring all these devices have built into them. These wireless monitoring systems are designed to automatically detect emerging device problems before they are able to cause harm, and communicate these problems immediately to the doctor. This remote monitoring feature, now employed by all device manufacturers, has been documented to significantly improve safety for patients who have these products. St. Jude’s remote monitoring system is called “Merlin.net.”

Block's allegations were pretty spectacular and caused an immediate drop in St. Jude's stock price—which was precisely Block's stated goal. Of note, before making his allegations about St. Jude, Block’s company (Muddy Waters, LLC) had taken a major short position in St. Jude. This meant that Block's company stood to make millions of dollars if St. Jude’s stock fell substantially, and remained low enough to scotch an agreed-upon acquisition by Abbott Labs.

After Block's well-publicized attack, St. Jude immediately fired back with strongly worded press releases to the effect that Block’s allegations were “absolutely untrue.” St. Jude also sued Muddy Waters, LLC for allegedly disseminating false information in order to manipulate St. Jude’s stock price. Meanwhile, independent investigators looked at the St. Jude vulnerability question and came to different conclusions. One group confirmed that St. Jude’s devices were particularly vulnerable to cyber attack; another group concluded they were not. The entire issue was dropped in the lap of the FDA, which launched a vigorous investigation, and little was heard of the matter for several months.

During that time St. Jude's stock recovered much of its lost value, and in late 2016 the acquisition by Abbott was concluded successfully.

Then, in January 2017, two things happened simultaneously. First, the FDA released a statement indicating that there were indeed cybersecurity problems with St. Jude medical devices, and that this vulnerability could indeed allow cyber intrusions and exploits that could prove harmful to patients. However, the FDA pointed out that no evidence had been found that hacking had actually taken place in any individual.

Second, St. Jude released a cybersecurity software patch designed to greatly diminish the possibility of hacking into their implantable devices. The software patch was designed to install itself automatically and wirelessly, across St. Jude’s Merlin.net. The FDA recommended that patients who have these devices continue to use St. Jude's wireless monitoring system, since “the health benefits to patients from continued use of the device outweighs the cybersecurity risks.”

Where Does This Leave Us?

The foregoing pretty much describes the facts as we in the public know them. As someone who was intimately involved with the development of the first implantable device remote monitoring system (not St. Jude’s), I interpret all this in the following way: It seems certain that there were indeed cybersecurity vulnerabilities in the St. Jude remote monitoring system, and these vulnerabilities appear to have been out of the ordinary for the industry at large. (So, St. Jude's initial denials appear to have been exaggerated.)

Further, it is apparent that St. Jude moved quickly to remediate this vulnerability, working in conjunction with the FDA, and that these steps were ultimately deemed satisfactory by the FDA. In fact, judging by the cooperation of the FDA and the fact that the vulnerability was sufficiently dealt with by means of a software patch, St. Jude's problem seems not to be nearly as severe as had been alleged by Mr. Block in 2016. (So, Mr. Block's initial statements appear to have been exaggerated). Furthermore, the corrections were made before anyone was harmed.

It sounds possible that Mr. Block’s overt conflict of interest (whereby driving down St. Jude’s stock price stood to net him big bucks) might have caused him to oversell the potential cyber risks, but this is a question for the courts of law to determine.

For now it seems likely that, with the corrective software patch applied, people with St. Jude devices have no particular reason to be overly concerned about hacking attacks.

Why Are Implantable Cardiac Devices Vulnerable to Cyber Attack?

By now most of us realize that any digital device we use in our lives that involves wireless communication is at least theoretically vulnerable to cyberattack. That includes any implantable medical device, all of which must communicate wirelessly with the outside world (that is, the world outside the body).

The possibility that people or groups bent on evil might actually hack into medical devices has, in the last few years, come to seem more of a real threat. In this light, the publicity surrounding the St. Jude vulnerabilities may have had a positive effect. It is plain that both the medical device industry and the FDA are now very serious about this threat, and are now acting with significant vigor to meet it.

What Is the FDA Doing About the Problem?

The FDA’s attention has been newly focused on this issue, likely in large part because of the controversy over St. Jude devices. In December 2016, the FDA released a 30-page “guidance” document for manufacturers of medical devices, laying out a new set of rules for addressing cyber-vulnerabilities in medical devices that are already on the market. (Similar rules for medical products still under development were published in 2014.) The new rules describe how manufacturers should go about identifying and fixing cybersecurity vulnerabilities in marketed products, and how to establish programs to identify and report new security problems.

The Bottom Line

Given the cyber risks inherently associated with any wireless communication system, some degree of cyber vulnerability is inevitable with implantable medical devices. But it is important to know that defenses can be built into these products to make hacking just a remote possibility, and even Mr. Block agrees that for most companies this has happened. If St. Jude has previously been somewhat lax about this matter, the company appears to have been cured of it by the negative publicity they received in 2016, which for a time seriously threatened their business. Among other things, St. Jude has commissioned an independent Cyber Security Medical Advisory Board to oversee its efforts going forward. Other medical device companies are likely to follow suit. Thus, both the FDA and medical device manufacturers are addressing the issue with increased vigor.

People who have implanted pacemakers, ICDs or CRT devices should certainly pay attention to the issue of cyber vulnerability, as we are likely to hear more about it as time goes by. But for now, at least, the risk seems to be quite small, and is certainly outweighed by the benefits of remote device monitoring.

Sources:

FDA. Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication. January 9, 2017.

Muddy Waters. MW Statement on STJ/ABT Acknowledgement of Cyber Vulnerabilities. Press release, January 9, 2017.

St. Jude Medical. St. Jude Medical Announces Cybersecurity Updates. Press release, January 9, 2017.
