Cyber security has become a hot topic in recent years. Leslie Saxon writes in Cardiac Rhythm News about the cybersecurity risks for implantable cardiac devices.
In the past year, the US FDA and a division of Homeland Security that responds to and coordinates disclosure of critical infrastructure cybersecurity vulnerabilities issued two cybersecurity Safety Communications for implantable cardiac pacemakers and implantable cardioverter defibrillators (ICD’s) that connect to a secure remote monitoring network using a home communicator.1,2 These addressed devices made by Abbott (formerly St. Jude Medical) and followed FDA’s issuance of post market guidance recommendations for industry for management of cybersecurity in medical devices.2 In total over one million patients were affected.
I chair the Cybersecurity Medical Advisory Board (CSMAB) for Abbott. The CSMAB was formed to provide clinical perspective and advice to the company on the impact of cybersecurity vulnerabilities along with recommend mitigations on patient care and outcomes. There are unique aspects of these first cybersecurity advisories that can be generalised to future cybersecurity as well as device hardware safety communications and recommendations. The lessons learned thus far are particularly important because there is no single comprehensive piece of legislation that has become law, establishing medical device cybersecurity standards.3
Most cybersecurity risks for implanted cardiac devices arise from the capability of the devices to communicate wirelessly using radiofrequency or Bluetooth connectivity from locations other than a medical facility. This capability has existed for over 10 years and studies evaluating patient outcomes with devices followed remotely have demonstrated improved patient outcomes, including significant reductions in hospitalisation, mortality and medical costs.4 Interestingly, remotely collected data has also become the standard for surveillance and management of patients with devices that fall under a recall for a device hardware component malfunction. For these and other reasons, remote monitoring of implantable devices is a recommended standard of care and the promising potential of digitally collected health data and digital health product solutions is a current focus of the FDA .4,5
Although no cyber intrusions or exploits of the devices falling under the above mentioned advisories are known to have occurred, public disclosure of the vulnerabilities from a cybersecurity research firm and a short-selling investment fund led to software and firmware mitigations from Abbott. The mitigations are designed to prevent the potential for intrusions that could directly or indirectly result in patient harm by impacting the programming or essential functions of the device. The first mitigation consisted of a software patch designed for the home unit that communicates with the implantable device and was deployed in January 2017.
The software patch prevented the communicator from being co-opted to transmit unauthorised commands to the device. The software patch was delivered remotely to approximately 300,000 home communicators (greater than 80% of actively monitored patients) within two months of release and was not associated with any adverse events.
The second and third mitigations for pacemakers and ICD’s, are firmware upgrades to the actual devices that require a clinic visit and programmer to implement. The firmware upgrade for pacemakers was released in the fall of 2017, and the ICD upgrade in spring of 2018.
To date, the pacemaker upgrades have not been associated with any major adverse effects and no device has been rendered permanently inoperable as a result of the upgrade.
The upgrade has been implemented in approximately 25% of patients that have had a clinic visit since the Safety Communication was issued. In addition to providing cyberprotections, the ICD firmware upgrade also includes a device-based battery performance alert notification
for a subset of ICD’s subject to a 2016 Safety Communication for premature battery depletion.6
These patients are currently under active surveillance with remote monitoring. The alert is designed to provide additional notification of the potential for early battery depletion directly to the patient through the use of a vibratory notifier regardless of remote connectivity.
This year the clinical community has gained experience implementing software patches and firmware upgrades to hundreds of thousands of patients to enhance cybersecurity. In particular, firmware updates to pacemakers appear to be without significant risk. Firmware updates also provide the opportunity to add additional safety protections for hardware safety issues. As experience accumulates with ICD firmware updates, remotely collected data can be queried to confirm that there are no short or long term risks to these mitigations.
Leslie Saxon is Professor of Medicine, Clincal Scholar Keck School of Medicine, University of Southern California, USA, and Executive Director, USC Center for Body Computing
1.U.S. Food and Drug Administration: Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter/Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication [Internet]. U.S. Food Drug Adm. 2017 [cited 2017 Oct 26], p. 1. Available from: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm553873.htm
2.Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff Additional Copies [Internet]. Silver Spring, 2016. Available from: https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
3.U.S. Senate: Medical Device Cybersecurity Act of 2017 [Internet]. Congress.gov. 2017 [cited 2017 Oct 26].Available from: https://www.congress.gov/bill/115thcongress/senate-bill/1656
4.Slotwiner D, Varma N, Akar JG, et al.: HRS Expert Consensus Statement on Remote Interrogation and Monitoring for Cardiovascular Electronic Implantable Devices. Hear Rhythm 2015; 12:e69–e100.
5.U.S. Food and Drug Administration: Digital Health Innovation Action Plan [Internet]. U.S. Food Drug Adm. [cited 2018 Jan 5]. Available from: https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM568735.pdfU.S.
6.Food and Drug Administration: Premature Battery Depletion of St. Jude Medical ICD and CRT-D Devices: FDA Safety Communication [Internet]. U.S. Food Drug Adm. 2016