Heart Hacking: Is Your Pacemaker at Risk?

Every healthy heart has a built-in, natural pacemaker. It triggers electrical impulses to make the heart muscle contract and pump blood.

If the natural pacemaker doesn't work properly, the heart may beat too slow or too fast. Abnormal rhythms can lead to fatigue, dizziness, fainting, shortness of breath and even sudden cardiac arrest.

Heart rhythm specialists, also called electrophysiologists, can implant heart pacing devices to correct these problems. The most popular options are permanent pacemakers and implantable cardioverter defibrillators (ICDs).

"Today's implants are sophisticated minicomputers," explains electrophysiologist Rhea C. Pimentel, MD. "We program the devices to sense abnormal rhythms and send electric pulses to the heart."

In the past decade, heart-pacing devices have continued to shrink in size while their list of features keeps growing. In fact, most current models offer a familiar modern-day convenience: internet.

The required internet connection is what makes security experts wary. If hackers can target our computers and smart phones, why not a pacemaker or ICD?

"The idea of cyberhacking a cardiac device is far-fetched, but it is not outside the realm of possibility," Dr. Pimentel says.

If the right information fell into the wrong hands, what could happen? A cybercriminal could deactivate features, reduce battery power, reprogram settings or interrupt communications. Recently, the Journal of the American College of Cardiology published an article on this subject. Experts from The University of Kansas Health System and other academic hospitals examined the vulnerabilities of networked cardiac devices. They said the likelihood of an individual hacker affecting a specific patient is very low.

The Food and Drug Administration (FDA) is also concerned about cybersecurity issues facing medical device manufacturers and healthcare facilities. They have issued more than one report urging manufacturers and physicians to remain vigilant about the potential threat.

While these warnings sound worrisome, the truth is the benefits of implantable cardiac devices far outweigh the risks. Plus, not one cardiac device has been hacked.

According to a 2013 Safety Communication, the FDA stated it "is not aware of any patient injuries or deaths associated with these incidents, nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time."

It's also important to note that remote monitoring is a one-way connection. The patient's transmitter sends data to the physician's office. But the physician and clinical staff cannot relay information back to the patient. The only way to reprogram or change settings on a cardiovascular implantable device is in the physician's office.

Dr. Pimentel remains confident about the integrity of cardiac devices and the value of remote check-ups for patients. "Remote monitoring is a useful tool," she says. "We will continue to be cautious about its management."

There are four main manufacturers of implantable cardiac devices: BIOTRONIK, Medtronic, Boston Scientific and Abbott (formerly St. Jude Medical). Each company is required by law to submit information about the safety of their devices to the FDA.

In 2017, Abbott created a software security update or patch for a few of its pacemakers. While the update might improve the cybersecurity of a particular pacemaker, there is some concern that modifying an implant could lead to a decline in its performance. (Think about the times you have updated the operating system on your smart phone or computer and wished you hadn't.)

"We do not encourage our patients to add the security patch," Dr. Pimentel says. "The risk of creating a new heart pacing problem is far greater than the risk of a security breach."

If a patient feels strongly about adding a security update provided by the manufacturer and approved by the FDA, the procedure must be performed by a physician at the hospital.

If you have done your research and are still concerned about cyber threats, you have an option. Ask your cardiologist to disable the wireless functionality of your pacemaker or ICD.

"Turning off remote monitoring eliminates the risk of someone interfering with your personal data during an internet connection," suggests Dr. Pimentel.

Of course, that means you will have to schedule more frequent office check-ups. And if there is a problem with your implant, it may not be discovered until months after it has occurred.

Dr. Pimentel says, "I have a handful of patients who request old-fashioned device checks in my office for safety reasons. We are happy to do whatever makes our patients feel most at ease."

Dr. Pimentel believes patients with heart pacing devices should be informed, but not alarmed.

"In our practice alone, we have about 2,000 patients with implanted cardiac devices," says Dr. Pimentel. "To date, not one device has been compromised. The cyberhacking scenario is possible, but unlikely."